
42 Changes to ETD Streaming Configuration Files

Use case :- Issue an alert if SAP Enterprise Threat Detection Streaming configuration files are changed.

SAP HANA smart data streaming is installed as an option within an SAP HANA installation.

With smart data streaming, you can analyze events as they are streamed, enabling immediate
response to new information.

SAP HANA smart data streaming provides the ability to process streams of incoming events in
real-time, as fast as they arrive. You can filter and normalize raw data before capturing the desired
data in the SAP HANA database, as well as apply complex event processing logic to monitor the
incoming data, generating alerts and notifications, or initiating an immediate automatic response,
when specific conditions are detected. Adapters and programming interfaces are available to connect
streaming projects to data sources and destinations.

Both the SAP HANA server and the SAP HANA client are required to use smart data streaming (unless
you have another system that can already connect to a smart data streaming server, in which case the
SAP HANA client is not required).

SAP HANA and SAP HANA smart data streaming are delivered on separate installation media.

SAP HANA smart data streaming has three installation packages:

● The streaming server package – contains the smart data streaming server and all of the tools to
administer the server, including adapters and the streaming command line tools. When you install
this package, add a smart data streaming host for each streaming node.

● The streaming client package – contains the provided adapters for connecting to other data sources,
the SDK, and the streaming command line tools.

● The streaming studio plugin package – contains the smart data streaming plugin to the SAP HANA
studio that allows for visual development of streaming projects.

Follow this guide to install the streaming server package. After installing the streaming server
package, add one smart data streaming host per streaming node. You can then install the streaming
client package and the streaming studio package.

43 Clear Audit Log

Use case :- This pattern detects a deletion of the audit table content. Activate this pattern if the audit
trail target is a database table. Then a Clear-Log SQL statement can delete audit trails.

If the audit trail target is or was a database table, you can delete old audit entries, for example to
prevent the audit table from growing indefinitely. You can do this using the Security editor of the SAP
HANA

Deletes old audit data from the SAP HANA database audit table.

Syntax

ALTER SYSTEM CLEAR AUDIT LOG [ FOR AUDIT POLICY <policy_name> ] <until_specification>

Syntax Elements
<until_specification>

Removes audit data older than the <timestamp>.

<until_specification> ::= { UNTIL <timestamp> | ALL }

<timestamp> ::= <string_literal>

If the ALL keyword is used, then all the audit data is removed.

Description
Use this command to delete old audit data from the SAP HANA database audit table.

Example
Delete audit log data older than December 31st 2012.

ALTER SYSTEM CLEAR AUDIT LOG UNTIL '2012-12-31 23:59:59';

Delete all audit log data for audit policy MY_POLICY.

ALTER SYSTEM CLEAR AUDIT LOG FOR AUDIT POLICY MY_POLICY ALL;
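
As an added example (not part of the SAP documentation above), the following Python parser recognises the CLEAR AUDIT LOG syntax just described, so a defender can run it over captured SQL statements and flag audit-trail deletions by scope. The sample statements are constructed, and the severity ranking (removing everything for every policy is worst) is an assumption, not an SAP rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Grammar taken from the syntax section above:
#   ALTER SYSTEM CLEAR AUDIT LOG [ FOR AUDIT POLICY <policy_name> ] <until_specification>
#   <until_specification> ::= { UNTIL <timestamp> | ALL }
CLEAR_AUDIT_LOG_RE = re.compile(
    r"""^\s*ALTER\s+SYSTEM\s+CLEAR\s+AUDIT\s+LOG
        (?:\s+FOR\s+AUDIT\s+POLICY\s+(?P<policy>[A-Za-z_][A-Za-z0-9_]*))?
        \s+(?:(?P<all>ALL)|UNTIL\s+'(?P<until>[^']*)')
        \s*;?\s*$""",
    re.IGNORECASE | re.VERBOSE,
)


@dataclass
class ClearAuditLog:
    policy: Optional[str]   # None -> statement applies to all policies
    until: Optional[str]    # None -> ALL (no time bound)

    @property
    def severity(self) -> str:
        # Assumed ranking: unbounded deletion across every policy is the most damaging
        if self.until is None and self.policy is None:
            return "high"
        if self.until is None or self.policy is None:
            return "medium"
        return "low"


def parse_clear_audit_log(statement: str) -> Optional[ClearAuditLog]:
    """Return the parsed statement, or None if it is not a CLEAR AUDIT LOG."""
    m = CLEAR_AUDIT_LOG_RE.match(statement)
    if not m:
        return None
    return ClearAuditLog(policy=m.group("policy"), until=m.group("until"))


def scan_statements(statements: List[str]) -> List[Tuple[str, ClearAuditLog]]:
    """Return (statement, parsed) for every CLEAR AUDIT LOG found in the input."""
    hits = []
    for s in statements:
        parsed = parse_clear_audit_log(s)
        if parsed:
            hits.append((s, parsed))
    return hits


# Constructed sample statements (not captured from a real system)
SAMPLE_STATEMENTS = [
    "SELECT * FROM AUDIT_LOG WHERE USER_NAME = 'ADMIN';",
    "ALTER SYSTEM CLEAR AUDIT LOG UNTIL '2012-12-31 23:59:59';",
    "ALTER SYSTEM CLEAR AUDIT LOG FOR AUDIT POLICY MY_POLICY ALL;",
    "alter system clear audit log all",
    "ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('auditing configuration', 'global_auditing_state') = 'true';",
]

if __name__ == "__main__":
    for stmt, parsed in scan_statements(SAMPLE_STATEMENTS):
        print(f"[{parsed.severity}] policy={parsed.policy or '*'} until={parsed.until or 'ALL'}  <- {stmt}")
```

The regex is anchored and case-insensitive, so keyword casing and a trailing semicolon do not matter; anything that is not a CLEAR AUDIT LOG statement simply returns None.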

44 Client independent queries via debugger

Use case :- Issue an alert in the event of any attempt to read client independently via debugger.

When designing, and especially when debugging, a model it is often necessary to view and edit table and
view data or fill tables with some test data. Entity Developer allows viewing and editing data of tables,
views, and model entities, and creating and executing LINQ to SQL, Entity SQL and HQL queries against
the model, eliminating the need for additional applications and reducing the time needed for these
operations.

45 Content Deletion

Use case:- Issue an alert if security content for SAP Enterprise Threat Detection (such as workspaces,
patterns or alerts) is deleted.

The delivered new workspaces and patterns for this category are designed to help you keep the
operation of SAP Enterprise Threat Detection secure by monitoring accidental or deliberate
modification to productive ETD content.

● A pattern to test if alerting is working or not. A function test on active alerts is run every
15 minutes. For this pattern we recommend creating a custom tile on the SAP Enterprise
Threat Detection launchpad.

● A pattern to issue an alert if any of your security content is deleted.

● Patterns to issue an alert if any malicious activity is detected on the underlying SAP
HANA database (such as access to the user data to prevent depseudonymization and
tampering of the record of action with database tools).

● A pattern to issue an alert if the system detects changes to the whitelist containing the
ETD Technical Database user.

46 Critical authorization assignment and logon

Use case:- Issue an alert when a user is assigned critical profiles (such as SAP_ALL or SAP_NEW) and later
logged on successfully.
Attack detection patterns are what powers the ability of SAP Enterprise Threat Detection to alert you to
suspicious activity in your network. The patterns were created by our experts to uncover a variety of
anomalous events. You have asked what patterns we deliver with our product. Here is an overview of
the kinds of patterns you get with SAP Enterprise Threat Detection 1.0 SP01.

47 Critical authorization assignment

Use case:- Issue an alert when a user is assigned critical profiles (such as SAP_ALL or SAP_NEW).

Critical authorizations are critical in themselves, without the type of access to this authorization needing
to be defined already (technical definition: authorization object without connection to a specific
transaction). One example is debugging in change mode.
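
Patterns 46 and 47 differ only in whether the critical assignment has to be followed by a successful logon. The Python below is an added example (it is not ETD's own pattern logic) that expresses both over a constructed event stream: every assignment of SAP_ALL or SAP_NEW raises pattern 47, and a later successful logon by the same user raises pattern 46. The event field names, the PROFILE_REMOVE event that closes the exposure window, and the 24-hour correlation limit are assumptions, since the page names neither a field layout nor a time window.

```python
from datetime import datetime, timedelta

CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}   # the profiles named on the page


class CriticalAuthorizationCorrelator:
    """Pattern 47: alert on assignment of a critical profile.
    Pattern 46: alert when the same user then logs on successfully.
    `max_gap` (assumed) bounds how long an assignment stays correlatable."""

    def __init__(self, max_gap=timedelta(hours=24)):
        self.max_gap = max_gap
        self._pending = {}   # user -> (assignment ts, profile, assigning actor)

    def feed(self, ev):
        kind, user = ev["type"], ev["user"]
        if kind == "PROFILE_ASSIGN" and ev["profile"].upper() in CRITICAL_PROFILES:
            self._pending[user] = (ev["ts"], ev["profile"], ev["actor"])
            return {"pattern": 47, "user": user, "profile": ev["profile"],
                    "assigned_by": ev["actor"], "ts": ev["ts"]}
        if kind == "PROFILE_REMOVE":
            # Removal before any logon closes the exposure window for pattern 46
            p = self._pending.get(user)
            if p and p[1].upper() == ev["profile"].upper():
                del self._pending[user]
            return None
        if kind == "LOGON" and ev["status"] == "SUCCESS":
            p = self._pending.pop(user, None)
            if p is None:
                return None
            assigned_ts, profile, actor = p
            if ev["ts"] - assigned_ts > self.max_gap:
                return None   # stale assignment, outside the assumed correlation window
            return {"pattern": 46, "user": user, "profile": profile, "assigned_by": actor,
                    "assigned_at": assigned_ts, "logon_at": ev["ts"],
                    "terminal": ev.get("terminal")}
        return None


def sample_events():
    """Constructed events: not real SAP log data."""
    t0 = datetime(2024, 3, 1, 9, 0)

    def at(minutes):
        return t0 + timedelta(minutes=minutes)

    return [
        {"ts": at(0),  "type": "PROFILE_ASSIGN", "user": "USER_A", "profile": "SAP_ALL", "actor": "ADMIN1"},
        {"ts": at(5),  "type": "LOGON", "user": "USER_A", "status": "SUCCESS", "terminal": "WS-0042"},
        {"ts": at(10), "type": "PROFILE_ASSIGN", "user": "USER_B", "profile": "SAP_NEW", "actor": "ADMIN1"},
        {"ts": at(11), "type": "PROFILE_REMOVE", "user": "USER_B", "profile": "SAP_NEW", "actor": "ADMIN1"},
        {"ts": at(12), "type": "LOGON", "user": "USER_B", "status": "SUCCESS", "terminal": "WS-0007"},
        {"ts": at(20), "type": "PROFILE_ASSIGN", "user": "USER_C", "profile": "SAP_ALL", "actor": "ADMIN2"},
        {"ts": at(21), "type": "LOGON", "user": "USER_C", "status": "FAILED", "terminal": "WS-0099"},
        {"ts": at(30), "type": "LOGON", "user": "USER_D", "status": "SUCCESS", "terminal": "WS-0001"},
    ]


def run_demo():
    """Feed the sample stream through one correlator and collect the alerts."""
    correlator = CriticalAuthorizationCorrelator()
    return [a for a in (correlator.feed(e) for e in sample_events()) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Only USER_A produces both alerts: USER_B's profile was removed before the logon, USER_C never logged on successfully, and USER_D was never assigned a critical profile.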

48 Critical authorization assignment per debugging

Use case:- Issue an alert in the event of a critical authorization assignment (such as SAP_ALL or
SAP_NEW) per debugging

Debugging is an important part of troubleshooting an ABAP application; we can debug
ABAP code by using breakpoints.

In SAP programming there are two kinds of breakpoints.

Static Breakpoints:

These can be set by using the statement BREAK-POINT in ABAP code. These breakpoints are not
user specific; they trigger for every user. We need to delete these breakpoints manually.

Dynamic Breakpoints:

These breakpoints are user specific, these will trigger for specific user only. These breakpoints
will be deleted automatically when you log-off from SAP. These can be set in ABAP editor.
Dynamic breakpoints can be set in active (activated) source code only.

49 Critical change to Gateway file

Use case :- Issue an alert if one of the Gateway configuration files reginfo, secinfo, or prxyinfo has been
changed.

The secinfo security file is used to prevent unauthorized launching of external programs.

File reginfo controls the registration of external programs in the gateway.


You can define the file path using profile parameters gw/sec_info and gw/reg_info. The
default value is:

gw/sec_info = $(DIR_DATA)/secinfo

gw/reg_info = $(DIR_DATA)/reginfo

When the gateway is started, it rereads both security files. You can make dynamic changes by
changing, adding, or deleting entries in the reginfo file. Then the file can be immediately
activated by reloading the security files.
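
As an added example (not SAP code, and not how ETD itself implements pattern 49), the following Python check takes a baseline of the three gateway files and reports any that were created, modified or deleted since, which is the change this pattern alerts on. It assumes the files live in one directory standing in for $(DIR_DATA); that directory, the file contents and the simulated change are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# File names named on the page; the gateway locates them via gw/sec_info,
# gw/reg_info and gw/prxy_info, with $(DIR_DATA)/<name> as the default.
GATEWAY_FILES = ("secinfo", "reginfo", "prxyinfo")


def sha256_of(path: Path) -> Optional[str]:
    """Hex digest of the file, or None if it does not exist (deleted or never created)."""
    if not path.is_file():
        return None
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(dir_data: Path) -> Dict[str, Optional[str]]:
    """Digest of every gateway file in the directory (None for missing files)."""
    return {name: sha256_of(dir_data / name) for name in GATEWAY_FILES}


def compare(baseline: Dict[str, Optional[str]],
            current: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """(file, change) for every gateway file whose digest differs from the baseline."""
    changes = []
    for name in GATEWAY_FILES:
        old, new = baseline.get(name), current.get(name)
        if old == new:
            continue
        if old is None:
            changes.append((name, "created"))
        elif new is None:
            changes.append((name, "deleted"))
        else:
            changes.append((name, "modified"))
    return changes


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario in a temp directory: take a baseline, then append a
    rule to reginfo and remove prxyinfo, and report what the comparison finds."""
    with tempfile.TemporaryDirectory() as tmp:
        dir_data = Path(tmp)
        # Constructed sample contents; they stand in for real gateway rule files
        (dir_data / "secinfo").write_text("#VERSION=2\nP TP=* USER=* HOST=local\n")
        (dir_data / "reginfo").write_text("#VERSION=2\nP TP=* HOST=local\n")
        (dir_data / "prxyinfo").write_text("#VERSION=2\nP SOURCE=internal DEST=internal\n")
        baseline = snapshot(dir_data)

        with (dir_data / "reginfo").open("a") as f:
            f.write("P TP=* HOST=*\n")        # simulated change to the registration rules
        (dir_data / "prxyinfo").unlink()       # simulated deletion
        return compare(baseline, snapshot(dir_data))


if __name__ == "__main__":
    for name, change in demo():
        print(f"gateway file {name}: {change}")
```

In practice the baseline digests would be stored outside the SAP host (or signed) so that whoever edits the files cannot also update the baseline, and the comparison would run on a schedule or from a file-change notification.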

50 Critical Cloud Connector Configuration Change

Use case:- Issue an alert if one of the specified Cloud Connector configuration settings was changed.

51 Critical RFC Callbacks for User Management

Use case :- Issue an alert in the event of any attempt to execute a critical RFC for user management.

If an RFC call is initiated on a production system that connects to a less protected SAP system (outbound
call), the called function module can be manipulated by an attacker. The attacker can compromise the
target system and enable it to start an RFC call back to the production system. The attacker can use the
predefined RFC destination BACK in order to start the malicious callback. A callback is then executed on
the production system in the user context of the production user who started the original outbound call,
so there is no need for user credentials.

52 CUZ-Generic table access by RFC pattern

Use case:- Issue an alert in the event of attempts of CUZ-generic table access via RFC.

53 Data Download with Suspicious Filename

Use case:- Issue an alert in case of access to sensitive data.

The results show files that were downloaded to the user's machine as a result of websites the user visited. If
you see the suspicious file associated with the same domains across multiple log source types, you can
have a fair amount of confidence that it is the file you want.

54 Debugging by users belonging to a critical user group

Use case Issue an alert if debugging takes place by a user belonging to a user group which must not
debug in a system.

55 Debugging in critical systems

Use case Issue an alert if debugging takes place in a critical system ID.
Debugging is a critical aspect of the development process, as it helps to improve the overall quality and
reliability of a system. The primary goal of debugging is to ensure that a system functions as intended.
This involves identifying and fixing errors, optimizing performance, and enhancing stability.

56 Debugging in systems assigned to critical roles

Use case Issue an alert if debugging takes place in a system assigned to a critical role (such as
Production).

Debugging is a computer engineering process that identifies, isolates and corrects, or determines the best
way to work around, a problem in applications.

57 Debugging using new ABAP debugger

Use case Issue an alert when a user debugs using the new ABAP debugger in SAP GUI.

The ABAP Debugger (New ABAP Debugger) is a tool of the AS ABAP with which you can stop running
programs and then execute them line-by-line or section-by-section. You can display the related source
text and the contents of the data objects in detail at the same time. This means any errors in the source
text of the program can be found quickly.

58 Debugging using old ABAP debugger

Use case:- Issue an alert when a user debugs using the old ABAP debugger in SAP GUI.

The ABAP debugger is a powerful tool that helps you examine your ABAP code at runtime. Besides the
common and basic features, such as stepping through your code and inspecting the values of your
variables, field symbols, and references, it provides helpful features that can simplify and shorten your
debugging sessions.

59 Debugging with change of control flow while debugging

Use case:- Issue an alert if a user changes the control flow while debugging.

60 Debugging with change of variable values during debugging

Use case:- Issue an alert if a user changes variable values while debugging.

61 Deletion of ETD Streaming Configuration Files

Use case Issue an alert if SAP Enterprise Threat Detection Streaming configuration files are deleted.

62 Deprecated TLS requests

Use case Issue an alert if the pattern detects access with outdated version of TLS.

63 Denied Access to Critical Resource via Cloud Connector


Use case Issue an alert if Cloud Connector access to the specified resources was denied.

64 Directory Traversal

Use case Issue an alert in the event of an indication of a directory traversal attack.

65 DoS attack via RFC_PING/RFCPING to one destination

Use case Issue an alert when the number of RFC_PING/RFCPING function calls to a single RFC
destination and initiated by one terminal ID has exceeded a threshold (default: 1000 per 30 minutes).

66 DoS attack against different RFC destinations

Use case Issue an alert when the number of RFC destinations that are used from one terminal
ID has exceeded a threshold (default: 20 different RFC destinations called within 30 minutes).

67 DoS attack against different HTTP URLs

Use case Issue an alert when the number of HTTP URLs called from one terminal ID has
exceeded a threshold (default: 3000 different HTTP URLs called per 10 minutes).

68 DoS attack on sap/public/icf_info URL path

Use case Issue an alert when the HTTP URL sap/public/icf_info* has been called. Such URLs could be
used to find out server specific information such as URL prefixes which are handled by the ABAP server.

69 DoS attack from one terminal to different systems

Use case Issue an alert when the number of systems called from one terminal ID has exceeded
a threshold (default: 10 different systems called per 10 minutes).
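
Patterns 65, 66, 67 and 69 are all sliding-window threshold rules keyed on the terminal ID: either a count of events (RFC_PING calls to one destination) or a count of distinct values (destinations, URLs, systems) inside a time window. The Python below is an added example, not ETD's own implementation, that encodes these four patterns with their stated default thresholds in one generic rule class and runs them over constructed events, including a case where events fall out of the window again. The event field names and the reading of "exceeded" as strictly greater than the threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class ThresholdRule:
    """Per-key sliding-window rule. Counts the events (or distinct values, when
    value_fn is given) seen for a key inside `window`, and fires once per key
    as soon as that number exceeds `threshold`."""

    def __init__(self, name, window, threshold, key_fn, value_fn=None):
        self.name = name
        self.window = window
        self.threshold = threshold
        self.key_fn = key_fn        # event -> aggregation key, or None if irrelevant to this rule
        self.value_fn = value_fn    # event -> value to count distinctly, or None to count events
        self._events = defaultdict(deque)   # key -> deque of (timestamp, value), oldest first
        self._fired = set()

    def feed(self, ev):
        """Consume one event (events must arrive in timestamp order); return an alert or None."""
        key = self.key_fn(ev)
        if key is None:
            return None
        q = self._events[key]
        q.append((ev["ts"], self.value_fn(ev) if self.value_fn else None))
        while q and ev["ts"] - q[0][0] > self.window:   # evict entries older than the window
            q.popleft()
        n = len({v for _, v in q}) if self.value_fn else len(q)
        if n > self.threshold and key not in self._fired:
            self._fired.add(key)
            return {"rule": self.name, "key": key, "count": n, "ts": ev["ts"]}
        return None


def is_rfc_ping(ev):
    return ev["kind"] == "rfc" and ev["function"].upper() in ("RFC_PING", "RFCPING")


def make_rules():
    """Patterns 65, 66, 67 and 69 with the default thresholds quoted on the page."""
    return [
        ThresholdRule("65 DoS via RFC_PING to one destination", timedelta(minutes=30), 1000,
                      key_fn=lambda e: (e["terminal"], e["dest"]) if is_rfc_ping(e) else None),
        ThresholdRule("66 DoS against different RFC destinations", timedelta(minutes=30), 20,
                      key_fn=lambda e: e["terminal"] if e["kind"] == "rfc" else None,
                      value_fn=lambda e: e["dest"]),
        ThresholdRule("67 DoS against different HTTP URLs", timedelta(minutes=10), 3000,
                      key_fn=lambda e: e["terminal"] if e["kind"] == "http" else None,
                      value_fn=lambda e: e["url"]),
        ThresholdRule("69 DoS from one terminal to different systems", timedelta(minutes=10), 10,
                      key_fn=lambda e: e["terminal"],
                      value_fn=lambda e: e["system"]),
    ]


def build_sample_events():
    """Constructed events (not real log data), sorted by timestamp."""
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    events = []
    # T1: 1001 RFC_PING calls to one destination inside 5 minutes -> pattern 65 fires
    for i in range(1001):
        events.append({"ts": t0 + timedelta(seconds=i * 0.3), "kind": "rfc", "terminal": "T1",
                       "system": "PRD", "function": "RFC_PING", "dest": "DEST_A"})
    # T2: 21 distinct destinations inside 2 minutes -> pattern 66 fires (65 stays silent: not pings)
    for i in range(21):
        events.append({"ts": t0 + timedelta(seconds=i * 5), "kind": "rfc", "terminal": "T2",
                       "system": "PRD", "function": "RFC_READ_TABLE", "dest": f"DEST_{i:02d}"})
    # T3: 11 distinct systems, but one every 20 minutes -> never more than one inside
    # the 10-minute window of pattern 69, so no alert
    for i in range(11):
        events.append({"ts": t0 + timedelta(minutes=20 * i), "kind": "http", "terminal": "T3",
                       "system": f"SYS{i:02d}", "url": "/sap/bc/ping"})
    events.sort(key=lambda e: e["ts"])
    return events


def run(events, rules=None):
    """Feed every event through every rule and collect the alerts that fire."""
    rules = rules if rules is not None else make_rules()
    alerts = []
    for ev in events:
        for rule in rules:
            alert = rule.feed(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run(build_sample_events()):
        print(f'{a["rule"]}: key={a["key"]} count={a["count"]} at {a["ts"]:%H:%M:%S}')
```

Each rule fires at most once per key so that a sustained flood produces a single alert rather than one per event; the eviction loop is what gives the "per 30 minutes" / "per 10 minutes" semantics, as the T3 case shows.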

70 Download volume exceeds threshold

Use case Issue an alert when a user has downloaded data from an SAP system exceeding a defined
threshold (default: 10.000.000 bytes per download).

71 Dynamic Profile Parameter Change

Use case Issue an alert if a dynamic profile parameter was changed using transaction RZ11.

72 Dynamic program execution

Use case Issue an alert in the event of dynamic program execution

73 Error during Static Profile Parameter Maintenance


Use case Issue an alert if an error occurred during the maintenance of static profile parameters.

74 ESP System Ping Failed Health Check

Use case Check if ESP server is reachable via ping. An alert is raised in case subsequent
ESP server ping attempts are failing.

75 Execution of critical SQL statements with report RSDBA850

Use case Issue an alert in the event of an attempt to execute a critical SQL statement (such as DROP
TABLE) in the SQL console with report RSDBA850.
