SAP Enterprise Threat Detection: Semantic Events and Attributes

SAP Enterprise Threat Detection is a product that enables you to detect cyber-threats to your IT landscape.

This blog contains a series of videos that explain how Semantic Events and Attributes are crucial to this functionality.

As an alternative to viewing the videos you can follow the textual links to slides and accompanying text that convey the same information as the videos.

There is also a playlist containing all the videos.

Session One: The purpose of Semantic Events and Attributes

Session One gives answers to two main questions:

1. What are the goals that motivate Semantic Events and Attributes?
2. How do Semantic Events and Attributes meet these goals?

A key idea introduced in Session One is normalization.

Session Two: Semantic Events and Attributes: What problems do they solve?

Session Two introduces some important problems with software logs, problems that are solved by Semantic Events and Attributes.

By the end of the session, I hope that you see software logs in an entirely different light, and are sensitive to their limitations and defects.

Session Two also introduces the idea of the roles that systems play in an event. In this context ‘system’ is a broad concept including SAP systems, machines, and network nodes.

Session Three: System Roles and Attributes

Session Three covers the following topics:

• A review of the three system roles seen so far
• An introduction to attribute naming and attribute groups
• An overview of the attributes used to identify a system and software on it.
• The introduction of two more system roles: intermediary and reporter, for a total of five system roles
• An overview of Semantic Attribute groups
• And, finally, some words on performance and consistency

Session Four: User Attributes

Session Four is about the roles that users can play in events.

But, first a misconception about users and machines needs to be recognized and cleared up.

Then a more accurate conception is adopted based on the concepts:

• User account domain
• User role
• Pseudonym, person and account.

Session Five: Trigger Roles

Session Five focuses on triggers.

• What are they?
• What roles do they have?

Session Six is an upcoming session about Semantic Events in the Knowledge Base and in Log Learning. It will cover how Semantic Events are represented in the Knowledge Base, and how they are used in Log Learning.Log Learning finds the types of log entries in a set of instances, so that you can assign a Semantic Event to each type that is found. Log Learning also helps you map the variables from a type to Semantic Attributes.