This document discusses various patterns used in SAP Enterprise Threat Detection to detect suspicious activity. It provides examples of patterns that detect changes to configuration files, deletion of audit logs or security content, assignment of critical authorizations to users, unauthorized debugging, and other potentially malicious activities. The patterns help alert administrators to suspicious events in their SAP systems.
What is Pattern in SAP ETD
SAP ETD Architecture
It has standard threat detection patterns for different scenarios, and SAP regularly adds new ones. SAP ETD goes beyond most SIEM toolkits by building its patterns on security event analytics. Attack detection patterns are what power the ability of SAP Enterprise Threat Detection to alert you to suspicious activity in your network.

42 Changes to ETD Streaming Configuration Files
• Use case: Issue an alert if SAP Enterprise Threat Detection Streaming configuration files are changed.
• SAP HANA smart data streaming is installed as an option within an SAP HANA installation.
• With smart data streaming, you can analyze events as they are streamed, enabling immediate response to new information.

43 Clear Audit Log
• Use case: This pattern detects deletion of the audit table content. Activate this pattern if the audit trail target is a database table, since a Clear-Log SQL statement can then delete audit trails.
• The system audit tables can be accessed only by a system security officer, who can read the tables by executing SQL commands.
• If the audit trail target is or was a database table, old audit entries can be deleted.

44 Client-independent queries via debugger
• Use case: Issue an alert in the event of any attempt to read client-independently via the debugger.
• The ABAP debugger is a powerful tool for examining your ABAP code at runtime.
• When designing and especially when debugging a model, it is often necessary to view and edit table and view data, or to fill tables with test data.

45 Content Deletion
• Use case: Issue an alert if security content for SAP Enterprise Threat Detection (such as workspaces, patterns or alerts) is deleted.
• A pattern to issue an alert if any of your security content is deleted.

46 Critical authorization assignment and logon
• Use case: Issue an alert when a user is assigned critical profiles (such as SAP_ALL or SAP_NEW) and later logs on successfully.
• SAP_NEW is an SAP standard profile that is usually assigned to users temporarily during an upgrade so that their activities and operations are not hindered during the upgrade. It contains all the objects and transactions the users need to continue their work during the upgrade. It should be withdrawn once all upgrade activities are completed and replaced with the now modified roles, as it carries more extensive authorizations than required.
• SAP_ALL is an SAP standard profile used on a need basis to resolve particular issues that may arise during the use of SAP. It is used by administrators/developers only, applied on a need-to-use basis and then withdrawn. It contains all SAP system objects and transactions. SAP_ALL is very critical: in the production system only SAP* has SAP_ALL attached to it, and no other dialog users have it.

47 Critical authorization assignment
• Use case: Issue an alert when a user is assigned critical profiles (such as SAP_ALL or SAP_NEW).

48 Critical authorization assignment per debugging
• Use case: Issue an alert in the event of a critical authorization assignment (such as SAP_ALL or SAP_NEW) performed via debugging.
• Debugging is an important part of troubleshooting an ABAP application; ABAP code can be debugged using breakpoints.

49 Critical change to Gateway file
• Use case: Issue an alert if one of the Gateway configuration files reginfo, secinfo or prxyinfo has been changed.
• The secinfo security file is used to prevent unauthorized launching of external programs.
• The reginfo file controls the registration of external programs in the gateway.
• You define the file paths with the profile parameters gw/sec_info and gw/reg_info.

50 Critical Cloud Connector Configuration Change
• Use case: Issue an alert if one of the specified Cloud Connector configuration settings was changed.

51 Critical RFC Callbacks for User Management
• Use case: Issue an alert in the event of any attempt to execute a critical RFC for user management.
• If an RFC call is initiated from a production system to a less protected SAP system (outbound call), the called function module can be manipulated by an attacker.

52 CUZ-Generic table access by RFC pattern
• Use case: Issue an alert in the event of attempts at CUZ-generic table access via RFC.

53 Data Download with Suspicious Filename
• Use case: Issue an alert in case of access to sensitive data.
• The results show files that were downloaded to the user's machine as a result of websites the user visited.
• If you see the suspicious file associated with the same domains across multiple log source types, you can have a fair amount of confidence that it is the file you want.

54 Debugging by users belonging to a critical user group
• Use case: Issue an alert if debugging takes place by a user belonging to a user group that must not debug in a system.

55 Debugging in critical systems
• Use case: Issue an alert if debugging takes place in a critical system ID.
• Debugging is a critical aspect of the development process, as it helps to improve the overall quality and reliability of a system. The primary goal of debugging is to ensure that a system functions as intended. This involves identifying and fixing errors, optimizing performance, and enhancing stability.
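The "Critical authorization assignment" (47) and "Critical authorization assignment and logon" (46) patterns above are a stateful correlation: one event type (profile assignment) is held until a second event type (successful logon by the same user) arrives. The following Python script is an added example of that correlation and is not SAP ETD's own pattern code. The event tuple format, the 24-hour correlation window and the sample events are constructed assumptions; a real deployment would first normalise SAP Security Audit Log records into this shape.

```python
"""Correlate critical profile assignments with a later successful logon.

Added example, not SAP ETD's own pattern implementation. The event tuples
below are a constructed, simplified record format (timestamp, system ID,
event kind, user, detail); real SAP Security Audit Log entries look different
and would be normalised into this shape first.
"""
from datetime import datetime, timedelta

# Profiles the page names as critical.
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}
# Assumed correlation window: a logon this long after the assignment still counts.
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed sample events, deliberately out of order to show that sorting matters.
SAMPLE_EVENTS = [
    ("2024-05-01T08:05:00", "PRD", "LOGON_OK",       "JDOE",   "dialog"),
    ("2024-05-01T08:00:00", "PRD", "PROFILE_ASSIGN", "JDOE",   "SAP_ALL"),
    ("2024-05-01T09:00:00", "PRD", "PROFILE_ASSIGN", "ASMITH", "SAP_NEW"),
    ("2024-05-01T09:10:00", "PRD", "LOGON_FAIL",     "ASMITH", "dialog"),
    ("2024-05-01T10:00:00", "PRD", "PROFILE_ASSIGN", "BOB",    "Z_DISPLAY"),
    ("2024-05-01T10:01:00", "PRD", "LOGON_OK",       "BOB",    "dialog"),
    ("2024-05-02T12:00:00", "PRD", "LOGON_OK",       "ASMITH", "dialog"),  # 27 h after assignment
]


def detect(events, window=CORRELATION_WINDOW):
    """Return (assignment_alerts, assignment_and_logon_alerts).

    assignment_alerts           -> pattern 47: every critical profile assignment
    assignment_and_logon_alerts -> pattern 46: an assignment followed, within
                                   `window`, by a successful logon of that user
                                   on the same system
    """
    assignment_alerts = []
    logon_alerts = []
    pending = {}  # (system, user) -> list of (assigned_at, profile) not yet matched

    for ts_text, system, kind, user, detail in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_text)
        key = (system, user)
        if kind == "PROFILE_ASSIGN" and detail in CRITICAL_PROFILES:
            assignment_alerts.append(
                {"pattern": "critical_assignment", "system": system,
                 "user": user, "profile": detail, "assigned_at": ts_text})
            pending.setdefault(key, []).append((ts, detail))
        elif kind == "LOGON_OK" and key in pending:
            # Only a logon inside the window fires the alert; pending assignments
            # are consumed here either way, so a stale one cannot fire much later.
            for assigned_at, profile in pending.pop(key):
                if ts - assigned_at <= window:
                    logon_alerts.append(
                        {"pattern": "critical_assignment_and_logon",
                         "system": system, "user": user, "profile": profile,
                         "assigned_at": assigned_at.isoformat(),
                         "logon_at": ts_text})
    return assignment_alerts, logon_alerts


if __name__ == "__main__":
    for alerts in detect(SAMPLE_EVENTS):
        for alert in alerts:
            print(alert)
```

On the sample data, JDOE and ASMITH both trigger the assignment-only pattern, but only JDOE triggers the assignment-and-logon pattern: ASMITH's first logon fails, and the successful one a day later falls outside the window. Widening the window (for example for a landscape where upgrade profiles legitimately stay assigned for days) makes ASMITH's late logon fire as well, which shows why the window is a tuning parameter rather than a fixed constant.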
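The "Critical change to Gateway file" pattern (49) and the "Changes to ETD Streaming Configuration Files" pattern (42) both reduce to detecting that a configuration file differs from a known-good state. The following Python script is an added example of such a baseline-and-compare check; it is not SAP's own pattern logic and does not read real gateway files. It hashes the three files named on the page (reginfo, secinfo, prxyinfo), then reports any that were modified, deleted or created. The temporary directory and the file contents in demo() are constructed, and the ACL lines are simplified illustrations rather than a working gateway configuration.

```python
"""Baseline-and-compare check for the gateway security files.

Added example, not SAP's own pattern logic. It records a SHA-256 digest of
reginfo, secinfo and prxyinfo and reports any file that was modified, deleted
or newly created since the baseline. The directory and file contents in
demo() are constructed; the ACL lines are simplified and not meant as a
working gateway configuration. The same technique covers the ETD streaming
configuration files of pattern 42.
"""
import hashlib
import os
import tempfile

GATEWAY_FILES = ("reginfo", "secinfo", "prxyinfo")  # file names from the page


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not land in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(directory, names=GATEWAY_FILES):
    """Map each expected file name to its digest, or None if it is absent."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        baseline[name] = file_digest(path) if os.path.isfile(path) else None
    return baseline


def check_against_baseline(directory, baseline):
    """Return (name, change) pairs for every file whose state differs from the baseline."""
    alerts = []
    for name, old in baseline.items():
        path = os.path.join(directory, name)
        new = file_digest(path) if os.path.isfile(path) else None
        if old == new:
            continue
        change = "created" if old is None else "deleted" if new is None else "modified"
        alerts.append((name, change))
    return alerts


def _write(directory, name, text, mode="w"):
    """Helper for the demo: write or append text to a file in the directory."""
    with open(os.path.join(directory, name), mode, encoding="ascii") as handle:
        handle.write(text)


def demo():
    """Run the check on a constructed gateway directory; return (alerts before, alerts after)."""
    with tempfile.TemporaryDirectory() as work_dir:
        # Constructed, simplified contents; not a real gateway configuration.
        _write(work_dir, "reginfo", "P TP=* HOST=local\n")
        _write(work_dir, "secinfo", "P USER=* HOST=local TP=*\n")
        _write(work_dir, "prxyinfo", "P SOURCE=internal DEST=internal\n")
        baseline = take_baseline(work_dir)
        clean = check_against_baseline(work_dir, baseline)  # expected: no alerts

        # Simulate an unreviewed change: reginfo gets an extra line, prxyinfo disappears.
        _write(work_dir, "reginfo", "P TP=* HOST=*\n", mode="a")
        os.remove(os.path.join(work_dir, "prxyinfo"))
        return clean, check_against_baseline(work_dir, baseline)


if __name__ == "__main__":
    before, after = demo()
    print("before change:", before)
    print("after change:", after)
```

In practice the baseline would be stored outside the monitored host (or in ETD itself) and the check run on a schedule, so that an actor who can edit the gateway files cannot also quietly refresh the baseline. A deleted prxyinfo is reported as its own change kind because a missing ACL file changes gateway behaviour just as a modified one does.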