than most SIEM toolkits by creating patterns based on security event analytics. Attack detection patterns are what power the ability of SAP Enterprise Threat Detection to alert you to suspicious activity in your network.

42 Changes to ETD Streaming Configuration Files
• Use case: Issue an alert if SAP Enterprise Threat Detection Streaming configuration files are changed.
• SAP HANA smart data streaming is installed as an option within an SAP HANA installation.
• With smart data streaming, you can analyze events as they are streamed, enabling an immediate response to new information.

43 Clear Audit Log
• Use case: This pattern detects a deletion of the audit table content.
• Activate this pattern if the audit trail target is a database table.
• In that case a Clear-Log SQL statement can delete audit trails.
• The system audit tables can be accessed only by a system security officer, who can read the tables by executing SQL commands.

44 Client independent queries via debugger
• Use case: Issue an alert in the event of any attempt to read client-independently via the debugger.
• The ABAP debugger is a powerful tool that helps you examine your ABAP code at runtime.

45 Content Deletion
• Use case: Issue an alert if security content for SAP Enterprise Threat Detection (such as workspaces, patterns, or alerts) is deleted.
• A pattern to issue an alert if any of your security content is deleted.

46 Critical authorization assignment and logon
• Use case: Issue an alert when a user is assigned critical profiles (such as SAP_ALL or SAP_NEW) and later logs on successfully.
• SAP_NEW is an SAP standard profile that is usually assigned to system users temporarily during an upgrade, to ensure that the activities and operations of SAP users are not hindered during the upgrade.
• It contains all the necessary objects and transactions for users to continue their work during the upgrade.
• SAP_NEW is used in the production environment during a version upgrade.
• SAP_ALL is an SAP standard profile that is used on a need basis to resolve particular issues that may arise during the usage of SAP.
• It is used by administrators/developers only, applied on a need-to-use basis and then withdrawn.
• It contains all SAP system objects and transactions.

47 Critical authorization assignment
• Use case: Issue an alert when a user is assigned critical profiles (such as SAP_ALL or SAP_NEW).

48 Critical authorization assignment per debugging
• Use case: Issue an alert in the event of a critical authorization assignment (such as SAP_ALL or SAP_NEW) performed via debugging.
• Debugging is one of the important parts of troubleshooting an ABAP application; ABAP code can be debugged by using breakpoints.

49 Critical change to Gateway file
• Use case: Issue an alert if one of the Gateway configuration files reginfo, secinfo, or prxyinfo has been changed.
• The secinfo security file is used to prevent unauthorized launching of external programs.
• The reginfo file controls the registration of external programs in the gateway.

50 Critical Cloud Connector Configuration Change
• Use case: Issue an alert if one of the specified Cloud Connector configuration settings was changed.

51 Critical RFC Callbacks for User Management
• Use case: Issue an alert in the event of any attempt to execute a critical RFC for user management.
• If an RFC call is initiated on a production system that connects to a less protected SAP system (outbound call), the called function module can be manipulated by an attacker.

52 CUZ-Generic table access by RFC pattern
• Use case: Issue an alert in the event of attempts at CUZ-generic table access via RFC.
• The generic Table Entry Counter data collector provides a way to run dynamic database queries to count the number of entries (or the number of distinct values) in any database table of a managed ABAP system.
• Remote Function Call (RFC) is the standard SAP interface for communication between SAP systems.
• RFC calls a function to be executed in a remote system.

53 Data Download with Suspicious Filename
• Use case: Issue an alert in case of access to sensitive data.
• The results show files that were downloaded to the user's machine as a result of websites they visited.
• If you see the suspicious file associated with the same domains across multiple log source types, you can have a fair amount of confidence that it is the file you want.

54 Debugging by users belonging to a critical user group
• Use case: Issue an alert if debugging takes place by a user belonging to a user group that must not debug in a system.

55 Debugging in critical systems
• Use case: Issue an alert if debugging takes place in a critical system ID.
• Debugging is a critical aspect of the development process, as it helps to improve the overall quality and reliability of a system. The primary goal of debugging is to ensure that a system functions as intended. This involves identifying and fixing errors, optimizing performance, and enhancing stability.
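As an added example (not SAP's own pattern logic or any ETD code), the two profile-assignment patterns from slides 46 and 47 written as correlation logic over a constructed, simplified event stream: pattern 47 fires on any assignment of SAP_ALL or SAP_NEW, while pattern 46 fires only when the same user then logs on successfully within a time window. The event kinds, field names and the 24-hour window are assumptions for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}  # profiles named on the slides


@dataclass
class Event:
    ts: datetime
    kind: str          # "PROFILE_ASSIGNED" or "LOGON" (constructed event kinds)
    user: str
    profile: str = ""  # only set for PROFILE_ASSIGNED
    success: bool = True


def detect_critical_assignment(events):
    """Pattern 47: alert on every assignment of a critical profile."""
    return [(e.ts, e.user, e.profile) for e in events
            if e.kind == "PROFILE_ASSIGNED" and e.profile in CRITICAL_PROFILES]


def detect_assignment_then_logon(events, window=timedelta(hours=24)):
    """Pattern 46: alert when a user receives a critical profile and later logs on
    successfully within the window. Failed logons do not satisfy the pattern; the
    first successful logon after the assignment either alerts or expires it."""
    pending = {}  # user -> (assignment time, profile) awaiting a successful logon
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "PROFILE_ASSIGNED" and e.profile in CRITICAL_PROFILES:
            pending[e.user] = (e.ts, e.profile)
        elif e.kind == "LOGON" and e.success and e.user in pending:
            assigned_at, profile = pending.pop(e.user)
            if e.ts - assigned_at <= window:
                alerts.append((e.user, profile, assigned_at, e.ts))
    return alerts


# Constructed sample events, not real SAP audit data
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "PROFILE_ASSIGNED", "alice", "SAP_ALL"),
    Event(T0 + timedelta(minutes=5), "LOGON", "alice", success=False),  # ignored
    Event(T0 + timedelta(minutes=7), "LOGON", "alice"),                 # alerts
    Event(T0 + timedelta(minutes=10), "PROFILE_ASSIGNED", "bob", "SAP_NEW"),
    Event(T0 + timedelta(days=2), "LOGON", "bob"),                      # outside window
    Event(T0 + timedelta(minutes=12), "PROFILE_ASSIGNED", "carol", "Z_READONLY"),
    Event(T0 + timedelta(minutes=13), "LOGON", "carol"),                # not critical
]

if __name__ == "__main__":
    for alert in detect_assignment_then_logon(SAMPLE_EVENTS):
        print("pattern 46 alert:", alert)
```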