Configuration Files
Use case: Issue an alert if SAP Enterprise Threat Detection Streaming configuration files are changed.
SAP HANA smart data streaming is installed as an option within an SAP HANA installation.
With smart data streaming, you can analyze events as they are streamed, enabling immediate
response to new information.
SAP HANA smart data streaming provides the ability to process streams of incoming events in
real-time, as fast as they arrive. You can filter and normalize raw data before capturing the desired
data in the SAP HANA database, as well as apply complex event processing logic to monitor the
incoming data, generating alerts and notifications – or initiating an immediate automatic response –
when specific conditions are detected. Adapters and programming interfaces are available to connect
streaming projects to data sources and destinations.
Both the SAP HANA server and the SAP HANA client are required to use smart data streaming (unless you have another system that can already connect to a smart data streaming server, in which case the SAP HANA client is not required).
SAP HANA and SAP HANA smart data streaming are delivered on separate installation media.
● The streaming server package – contains the smart data streaming server and all of the tools to administer the server, including adapters and the streaming command line tools. When you install this package, add a smart data streaming host per streaming node. You can then install the streaming client package and
● The streaming client package – contains the provided adapters for connecting to other data sources, the
● The streaming studio plugin package – contains the smart data streaming plugin to the SAP HANA studio
Use case: This pattern detects deletion of audit table content. Activate this pattern if the audit trail target is a database table; in that configuration a CLEAR AUDIT LOG SQL statement can delete audit trails.
If the audit trail target is or was a database table, you can delete old audit entries, for example to prevent the audit table from growing indefinitely. You can do this using the Security editor of the SAP HANA studio or with the ALTER SYSTEM CLEAR AUDIT LOG statement.
ALTER SYSTEM CLEAR AUDIT LOG
Deletes old audit data from the SAP HANA database audit table.
Syntax
ALTER SYSTEM CLEAR AUDIT LOG [FOR AUDIT POLICY <policy_name>] <until_specification>
Syntax Elements
<until_specification> ::= UNTIL <timestamp> | ALL
If UNTIL <timestamp> is used, only audit entries older than the given timestamp are removed. If the ALL keyword is used, all the audit data is removed. If FOR AUDIT POLICY is given, the deletion is restricted to entries written by that policy.
Description
Use this command to delete old audit data from the SAP HANA database audit table.
Example
Delete audit log data older than December 31st 2012:
ALTER SYSTEM CLEAR AUDIT LOG UNTIL '2012-12-31 23:59:59';
Delete all audit data written by the policy MY_POLICY:
ALTER SYSTEM CLEAR AUDIT LOG FOR AUDIT POLICY MY_POLICY ALL;
44 Client independent queries via debugger
Use case: Issue an alert in the event of any attempt to read client-independently via the debugger.
When designing, and especially when debugging, a model, it is often necessary to view and edit table and view data or to fill tables with test data. Entity Developer allows viewing and editing the data of tables, views, and model entities, and creating and executing LINQ to SQL, Entity SQL and HQL queries against the model, eliminating the need for additional applications and reducing the time needed for these operations.
45 Content Deletion
Use case: Issue an alert if security content for SAP Enterprise Threat Detection (such as workspaces, patterns or alerts) is deleted.
The delivered new workspaces and patterns for this category are designed to help you keep the operation of SAP Enterprise Threat Detection secure by monitoring accidental or deliberate modification of productive ETD content. They include:
● A pattern to test whether alerting is working. A function test on active alerts is run every 15 minutes. For this pattern we recommend creating a custom tile on the SAP Enterprise Threat Detection launchpad.
● A pattern to issue an alert if any of your security content is deleted.
● Patterns to issue an alert if any malicious activity is detected on the underlying SAP HANA database (such as access to the user data, to prevent de-pseudonymization, or tampering with the record of actions using database tools).
● A pattern to issue an alert if the system detects changes to the whitelist containing the ETD technical database user.
Use case: Issue an alert when a user is assigned critical profiles (such as SAP_ALL or SAP_NEW) and later logs on successfully.
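The assignment-then-logon correlation described in this use case, as an added example (not code from the original page or from SAP Enterprise Threat Detection): it remembers the latest critical-profile assignment per user and raises an alert when that user's next successful logon arrives within a bounded gap, so a failed logon, or a logon days later, does not fire. The event field names, the 24-hour gap and the sample events are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Profiles named in the use case; extend with site-specific critical profiles.
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}


def correlate_profile_then_logon(events, max_gap=timedelta(hours=24)):
    """Pair each critical-profile assignment with the user's next successful logon.

    events: dicts with a datetime "ts", either
      {"type": "PROFILE_ASSIGNED", "user", "profile", "by"} or
      {"type": "LOGON", "user", "success"}  (field names are assumed here).
    Returns one alert dict per assignment that was followed, within max_gap,
    by a successful logon of the same user. Failed logons are ignored; an
    assignment older than max_gap is dropped when a later logon is seen.
    """
    pending = {}  # user -> most recent critical assignment not yet matched
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "PROFILE_ASSIGNED" and ev["profile"] in CRITICAL_PROFILES:
            pending[ev["user"]] = ev
        elif ev["type"] == "LOGON" and ev.get("success"):
            assignment = pending.pop(ev["user"], None)
            if assignment and ev["ts"] - assignment["ts"] <= max_gap:
                alerts.append({
                    "user": ev["user"],
                    "profile": assignment["profile"],
                    "assigned_by": assignment["by"],
                    "assigned_at": assignment["ts"],
                    "logon_at": ev["ts"],
                })
    return alerts


def constructed_events():
    """Synthetic events standing in for the normalised ABAP logs ETD would read (not real data)."""
    t0 = datetime(2024, 3, 1, 9, 0)
    return [
        # suspicious path: assignment by a service account, one failed logon, then success
        {"type": "PROFILE_ASSIGNED", "ts": t0, "user": "JDOE", "profile": "SAP_ALL", "by": "SVC_IDM"},
        {"type": "LOGON", "ts": t0 + timedelta(minutes=5), "user": "JDOE", "success": False},
        {"type": "LOGON", "ts": t0 + timedelta(minutes=10), "user": "JDOE", "success": True},
        # benign: non-critical profile, then logon
        {"type": "PROFILE_ASSIGNED", "ts": t0, "user": "ASMITH", "profile": "Z_DISPLAY_ONLY", "by": "ADMIN"},
        {"type": "LOGON", "ts": t0 + timedelta(minutes=1), "user": "ASMITH", "success": True},
        # critical profile, but the user only logs on two days later (outside max_gap)
        {"type": "PROFILE_ASSIGNED", "ts": t0, "user": "RLEE", "profile": "SAP_NEW", "by": "ADMIN"},
        {"type": "LOGON", "ts": t0 + timedelta(days=2), "user": "RLEE", "success": True},
    ]


if __name__ == "__main__":
    for alert in correlate_profile_then_logon(constructed_events()):
        print(alert)
```

The alert carries who performed the assignment, because an assignment by a service or IDM account followed by an interactive logon is the case worth escalating first.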
Attack detection patterns are what power the ability of SAP Enterprise Threat Detection to alert you to suspicious activity in your network. The patterns were created by our experts to uncover a variety of anomalous events. The following is an overview of the kinds of patterns delivered with SAP Enterprise Threat Detection 1.0 SP01.
Use case: Issue an alert when a user is assigned critical profiles (such as SAP_ALL or SAP_NEW).
Critical authorizations are critical in themselves, without the type of access to this authorization needing to be defined (technical definition: an authorization object with no connection to a specific transaction). One example is debugging in change mode.
Use case: Issue an alert in the event of a critical authorization assignment (such as SAP_ALL or SAP_NEW) performed via debugging.
Debugging is an important part of troubleshooting an ABAP application; ABAP code can be debugged using breakpoints.
Static Breakpoints:
These are set with the statement BREAK-POINT in the ABAP code. They are not user specific: they trigger for every user, and they must be deleted manually.
Dynamic Breakpoints:
These breakpoints are user specific: they trigger only for the user who set them and are deleted automatically when that user logs off from SAP. They are set in the ABAP Editor and can be set in active (activated) source code only.
Use case: Issue an alert if one of the Gateway configuration files reginfo, secinfo, or prxyinfo has been changed.
The secinfo security file is used to prevent unauthorized launching of external programs; reginfo controls which external server programs may register at the gateway, and prxyinfo controls which hosts may use the gateway as a proxy. Their locations are set by profile parameters:
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
gw/prxy_info = $(DIR_DATA)/prxyinfo
When the gateway is started, it reads the security files. You can make dynamic changes by changing, adding, or deleting entries in the reginfo or secinfo file; the changed file takes effect immediately once the security files are reloaded. This is why a change to the files themselves, not only a gateway restart, has to be monitored.
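One way to implement the change detection behind this use case, as an added example (not code from the original page or from SAP): hash the three gateway security files, compare against a saved baseline to report MODIFIED, DELETED or CREATED, and, for a modified file, list any newly added permit rule whose TP or HOST is a bare wildcard, which is the change an attacker would make to run arbitrary programs through the gateway. The same hash-and-compare check covers the streaming and Cloud Connector configuration-file use cases on this page. The directory layout, the sample file contents and the wildcard heuristic are constructed assumptions of this example.

```python
import hashlib
import os
import re
import tempfile

# Files the use case watches; the profile parameters above point at $(DIR_DATA)/<name>.
GATEWAY_FILES = ("secinfo", "reginfo", "prxyinfo")


def snapshot(data_dir):
    """Map each watched file to its SHA-256 hex digest, or None if it is missing."""
    digests = {}
    for name in GATEWAY_FILES:
        path = os.path.join(data_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                digests[name] = hashlib.sha256(fh.read()).hexdigest()
        else:
            digests[name] = None
    return digests


def compare(baseline, current):
    """Alert lines for files that were modified, deleted or newly created since the baseline."""
    alerts = []
    for name in GATEWAY_FILES:
        old, new = baseline.get(name), current.get(name)
        if old == new:
            continue
        state = "DELETED" if new is None else "CREATED" if old is None else "MODIFIED"
        alerts.append(f"{name}: {state}")
    return alerts


# A permit rule whose TP or HOST is a bare "*" admits any program or any host.
# Only whitespace-delimited TP=/HOST= keys count, so USER-HOST=* is not matched.
_WILDCARD_KEY = re.compile(r"(?:^|\s)(?:TP|HOST)=\*(?=\s|$)")


def risky_added_rules(old_text, new_text):
    """Permit lines added by a change that carry a wildcard TP or HOST (heuristic)."""
    added = set(new_text.splitlines()) - set(old_text.splitlines())
    return sorted(
        line for line in added
        if line.startswith("P ") and _WILDCARD_KEY.search(line)
    )


# Constructed file contents in version-2 syntax; not taken from a real system.
SECINFO_BEFORE = (
    "#VERSION=2\n"
    "P TP=rfcexec HOST=app01 USER=batchadm USER-HOST=app01\n"
    "D TP=* HOST=* USER=*\n"
)
SECINFO_AFTER = (
    "#VERSION=2\n"
    "P TP=rfcexec HOST=app01 USER=batchadm USER-HOST=app01\n"
    "P TP=* HOST=* USER=*\n"
    "D TP=* HOST=* USER=*\n"
)
REGINFO = "#VERSION=2\nP TP=SAPSLDAPI HOST=sld01 ACCESS=app01 CANCEL=app01\n"
PRXYINFO = "#VERSION=2\nD SOURCE=* DEST=*\n"


def demo():
    """Baseline three constructed files, then modify secinfo and delete prxyinfo."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in (("secinfo", SECINFO_BEFORE), ("reginfo", REGINFO), ("prxyinfo", PRXYINFO)):
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        baseline = snapshot(d)
        with open(os.path.join(d, "secinfo"), "w") as fh:
            fh.write(SECINFO_AFTER)
        os.remove(os.path.join(d, "prxyinfo"))
        alerts = compare(baseline, snapshot(d))
    risky = risky_added_rules(SECINFO_BEFORE, SECINFO_AFTER)
    return alerts, risky


if __name__ == "__main__":
    print(demo())
```

A polled hash catches edits made by any path (editor, transport, copy from another host) but only at the polling interval; pair it with OS-level file auditing on DIR_DATA if you need the actor and the exact time.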
Use case: Issue an alert if one of the specified Cloud Connector configuration settings was changed.
Use case: Issue an alert in the event of any attempt to execute a critical RFC for user management.
If an RFC call is initiated from a production system to a less protected SAP system (outbound call), the called function module can be manipulated by an attacker who has compromised the target system, so that it starts an RFC call back to the production system. The attacker can use the predefined RFC destination BACK to start the malicious callback. The callback is then executed on the production system in the user context of the production user who started the original outbound call, so no user credentials are needed.
Use case: Issue an alert in the event of attempts at CUZ-generic table access via RFC.
The results show files that were downloaded to the user's machine as a result of websites they visited. If you see the suspicious file associated with the same domains across multiple log source types, you can be fairly confident that it is the file you want.
Use case: Issue an alert if debugging takes place by a user belonging to a user group which must not debug in a system.
Use case: Issue an alert if debugging takes place in a critical system ID.
Debugging is a critical aspect of the development process, as it helps to improve the overall quality and reliability of a system. The primary goal of debugging is to ensure that a system functions as intended. This involves identifying and fixing errors, optimizing performance, and enhancing stability.
Use case: Issue an alert if debugging takes place in a system assigned to a critical role (such as Production).
Debugging is a computer engineering process that identifies, isolates and corrects a problem in an application, or determines the best way to work around it.
Use case: Issue an alert when a user debugs using the new ABAP debugger in SAP GUI.
The ABAP Debugger (New ABAP Debugger) is a tool of the AS ABAP with which you can stop running programs and then execute them line by line or section by section. You can display the related source text and the contents of the data objects in detail at the same time. This means any errors in the source text of the program can be found quickly.
Use case: Issue an alert when a user debugs using the old ABAP debugger in SAP GUI.
The ABAP debugger is a powerful tool for examining your ABAP code at runtime. Besides common and basic features, such as stepping through your code and inspecting the values of your variables, field symbols, and references, it provides helpful features that can simplify and shorten your debugging sessions.
Use case: Issue an alert if a user changes the control flow while debugging.
Use case: Issue an alert if a user changes variable values while debugging.
Both actions let a user bypass the program's own checks (for example by jumping over an authority check or editing its return code), which is why they are treated as critical rather than as ordinary debugging.
Use case: Issue an alert if SAP Enterprise Threat Detection Streaming configuration files are deleted.
Use case: Issue an alert if the pattern detects access with an outdated version of TLS.
64 Directory Traversal
Use case: Issue an alert in the event of an indication of a directory traversal attack.
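A check for the indicator this use case names, as an added example (not the page's or SAP's pattern logic): it normalises a request path the way an attacker expects the server to (repeated percent-decoding, backslash folding) before looking for ".." segments, distinguishes a path that climbs above the server root from one that merely contains a dot-dot segment, and treats an embedded NUL as an attack. The request-line format and the sample requests are constructed for this example.

```python
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # enough to undo double and triple percent-encoding


def normalise_path(raw_path):
    """Undo repeated percent-encoding and fold backslashes into forward slashes."""
    path = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def traversal_indicator(raw_path):
    """Return a reason string if the path shows traversal, else None.

    "escapes root":    enough ".." segments to climb above the server root.
    "dot-dot segment": a ".." segment that stays under root (still abnormal in a URL).
    "nul byte":        an embedded NUL, used to truncate paths in native file APIs.
    The query string is ignored; parameter values need their own check.
    """
    path = normalise_path(raw_path).split("?", 1)[0]
    if "\x00" in path:
        return "nul byte"
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return "escapes root"
        elif segment and segment != ".":
            depth += 1
    if "/../" in f"/{path}/":
        return "dot-dot segment"
    return None


# Constructed request lines ("METHOD path version"), not from a real server log.
SAMPLE_REQUESTS = [
    "GET /sap/public/icf_info/icr_urlprefix HTTP/1.1",
    "GET /sap/bc/../../../etc/passwd HTTP/1.1",
    "GET /sap/bc/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "GET /sap/bc/%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1",
    "GET /sap/bc/..\\..\\..\\windows\\win.ini HTTP/1.1",
    "GET /sap/bc/../public/info.html HTTP/1.1",
    "GET /sap/bc/static/file.css%00.txt HTTP/1.1",
]


def scan(request_lines):
    """(path, reason) for every request line whose path shows a traversal indicator."""
    findings = []
    for line in request_lines:
        _method, path, _version = line.split(" ", 2)
        reason = traversal_indicator(path)
        if reason:
            findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in scan(SAMPLE_REQUESTS):
        print(f"{reason:16} {path}")
```

Overlong UTF-8 encodings of "." (such as %c0%ae) decode to a replacement character under unquote and are not caught here; normalise the same way the target server does if that server is known to accept them.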
Use case: Issue an alert when the number of RFC_PING/RFCPING function calls to a single RFC destination and initiated by one terminal ID has exceeded a threshold (default: 1000 per 30 minutes).
Use case: Issue an alert when the number of RFC destinations that are used from one terminal ID has exceeded a threshold (default: 20 different RFC destinations called within 30 minutes).
Use case: Issue an alert when the number of HTTP URLs called from one terminal ID has exceeded a threshold (default: 3000 different HTTP URLs called per 10 minutes).
Use case: Issue an alert when the HTTP URL sap/public/icf_info* has been called. Such URLs could be used to find out server-specific information such as the URL prefixes which are handled by the ABAP server.
Use case: Issue an alert when the number of systems called from one terminal ID has exceeded a threshold (default: 10 different systems called per 10 minutes).
Use case: Issue an alert when a user has downloaded data from an SAP system exceeding a defined threshold (default: 10,000,000 bytes per download).
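The windowed counting that the threshold use cases above share, as an added example (not code from the original page or from SAP ETD): one sliding-window routine, parameterised by grouping key, window, threshold and an optional distinct-value function, serves the RFC_PING flood, RFC destination scan and HTTP URL scan rules (the "systems called" rule is the same shape with the system as the distinct value), while the large-download and sap/public/icf_info* rules need no window. It reports the onset of each breach once per key rather than once per event. The event field names and the sample stream are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def sliding_window_alerts(events, window, threshold, key, distinct=None, match=None):
    """One alert per key each time its windowed measure first exceeds threshold.

    events:      dicts with a datetime "ts"; processed in time order.
    key(e):      grouping key, e.g. the terminal ID.
    distinct(e): value whose distinct count is measured; None counts events.
    match(e):    optional filter selecting the events the rule applies to.
    Returns [(key, ts, observed)].
    """
    windows = defaultdict(deque)  # key -> deque of (ts, value) still inside the window
    breached = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if match and not match(ev):
            continue
        k = key(ev)
        q = windows[k]
        q.append((ev["ts"], distinct(ev) if distinct else None))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        observed = len({v for _, v in q}) if distinct else len(q)
        if observed > threshold:
            if k not in breached:  # report the onset, not every later event
                breached.add(k)
                alerts.append((k, ev["ts"], observed))
        else:
            breached.discard(k)
    return alerts


# Rule table using the default thresholds and windows stated in the use cases.
RULES = {
    "rfc_ping_flood": dict(window=timedelta(minutes=30), threshold=1000,
                           key=lambda e: (e["terminal"], e["dest"]),
                           match=lambda e: e["type"] == "RFC_PING"),
    "rfc_destination_scan": dict(window=timedelta(minutes=30), threshold=20,
                                 key=lambda e: e["terminal"], distinct=lambda e: e["dest"],
                                 match=lambda e: e["type"].startswith("RFC")),
    "http_url_scan": dict(window=timedelta(minutes=10), threshold=3000,
                          key=lambda e: e["terminal"], distinct=lambda e: e["url"],
                          match=lambda e: e["type"] == "HTTP"),
}


def per_event_alerts(events):
    """Rules that need no window: one large download, or a call to sap/public/icf_info*."""
    alerts = []
    for ev in events:
        if ev["type"] == "DOWNLOAD" and ev["bytes"] > 10_000_000:
            alerts.append(("large_download", ev["terminal"], ev["ts"]))
        if ev["type"] == "HTTP" and ev["url"].lstrip("/").startswith("sap/public/icf_info"):
            alerts.append(("icf_info_probe", ev["terminal"], ev["ts"]))
    return alerts


def run_rules(events):
    results = {name: sliding_window_alerts(events, **spec) for name, spec in RULES.items()}
    results["per_event"] = per_event_alerts(events)
    return results


def constructed_events():
    """Synthetic stream standing in for ETD's normalised RFC/HTTP events (not real data)."""
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    ev = []
    for i in range(1200):  # T-PING: 1200 RFC_PINGs to one destination within 20 minutes
        ev.append({"ts": t0 + timedelta(seconds=i), "terminal": "T-PING",
                   "type": "RFC_PING", "dest": "PRD_CLNT100"})
    for i in range(25):  # T-SCAN: 25 different destinations within 5 minutes
        ev.append({"ts": t0 + timedelta(seconds=12 * i), "terminal": "T-SCAN",
                   "type": "RFC_CALL", "dest": f"DEST{i:02d}"})
    for i in range(5):  # T-OK: ordinary activity, plus one probe and one large download
        ev.append({"ts": t0 + timedelta(minutes=i), "terminal": "T-OK",
                   "type": "RFC_CALL", "dest": f"DEST{i:02d}"})
    ev.append({"ts": t0 + timedelta(minutes=6), "terminal": "T-OK", "type": "HTTP",
               "url": "/sap/public/icf_info/icr_urlprefix"})
    ev.append({"ts": t0 + timedelta(minutes=7), "terminal": "T-OK", "type": "DOWNLOAD",
               "bytes": 12_000_000})
    return ev


if __name__ == "__main__":
    for name, hits in run_rules(constructed_events()).items():
        print(name, hits)
```

Keying the ping rule on (terminal, destination) follows the use case wording; keying on the terminal alone would also catch a terminal spreading pings across many destinations, which the destination-scan rule covers instead.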
Use case: Issue an alert if a dynamic profile parameter was changed using transaction RZ11.
Use case: Check if the ESP server is reachable via ping. An alert is raised when consecutive ping attempts to the ESP server fail.
Use case: Issue an alert in the event of an attempt to execute a critical SQL statement (such as DROP TABLE) in the SQL console with report RSDBA850.
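A classifier for the critical statements named in this use case and in the audit-table-deletion use case above (ALTER SYSTEM CLEAR AUDIT LOG), as an added example that is neither the page's nor SAP's code: it strips SQL comments and whitespace before matching statement keywords at the start of the statement, so "DROP/**/TABLE" is caught while a literal 'DROP TABLE' inside a SELECT is not. It assumes the statements are available from a HANA audit trail whose policy records them; the audit records here are constructed with only the fields the check needs.

```python
import re

# Statement classes the use cases single out, matched against the normalised text.
CRITICAL_SQL = [
    ("audit_log_cleared", re.compile(r"^ALTER SYSTEM CLEAR AUDIT LOG(\s|$)")),
    ("drop_table",        re.compile(r"^DROP TABLE\s")),
    ("drop_schema",       re.compile(r"^DROP SCHEMA\s")),
    ("truncate_table",    re.compile(r"^TRUNCATE TABLE\s")),
]


def normalise_sql(statement):
    """Remove block and line comments, collapse whitespace, upper-case, drop a trailing ';'.

    Matching only looks at the leading keywords, so upper-casing string
    literals further into the statement does no harm here.
    """
    text = re.sub(r"/\*.*?\*/", " ", statement, flags=re.S)
    text = re.sub(r"--[^\n]*", " ", text)
    text = re.sub(r"\s+", " ", text).strip().upper()
    return text.rstrip(";").strip()


def classify(statement):
    """Name of the critical statement class, or None for anything else."""
    text = normalise_sql(statement)
    for name, pattern in CRITICAL_SQL:
        if pattern.search(text):
            return name
    return None


# Constructed audit records carrying only the fields this check needs; a real
# HANA audit entry has many more columns.
SAMPLE_AUDIT = [
    {"ts": "2024-01-01 10:00:00", "user": "SAPETD",
     "statement": "SELECT * FROM SAP_ETD.ALERTS WHERE ID = 42"},
    {"ts": "2024-01-01 10:05:00", "user": "DBADMIN",
     "statement": "alter /* housekeeping */ system\n  clear audit log until '2012-12-31 23:59:59'"},
    {"ts": "2024-01-01 10:06:00", "user": "DBADMIN",
     "statement": "ALTER SYSTEM CLEAR AUDIT LOG FOR AUDIT POLICY MY_POLICY ALL;"},
    {"ts": "2024-01-01 10:07:00", "user": "DEV01",
     "statement": "-- cleanup\nDROP   TABLE \"SAP_ETD\".\"OLD_EVENTS\""},
    {"ts": "2024-01-01 10:08:00", "user": "DEV01",
     "statement": "SELECT 'DROP TABLE X' AS NOTE FROM DUMMY"},
    {"ts": "2024-01-01 10:09:00", "user": "DEV01",
     "statement": "TRUNCATE TABLE SAP_ETD.STAGING"},
]


def scan(records):
    """(class, user, ts) for every record whose statement is critical."""
    findings = []
    for rec in records:
        name = classify(rec["statement"])
        if name:
            findings.append((name, rec["user"], rec["ts"]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT):
        print(finding)
```

Anchoring the patterns at the start of the normalised statement is what keeps the SELECT with a 'DROP TABLE' literal out of the results; a substring match would flag it.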