
What is a Pattern in SAP ETD?

• SAP ETD goes beyond most SIEM toolkits by shipping predefined patterns built on security event analytics rather than leaving the analyst to write every rule.
• Attack detection patterns are what power the ability of SAP Enterprise Threat Detection to alert you to suspicious activity in your network.
42 Changes to ETD Streaming Configuration Files
• Use case :- Issue an alert if SAP Enterprise Threat Detection Streaming configuration files are changed.
• SAP HANA smart data streaming is installed as an option within an SAP HANA installation; the ETD Streaming component runs on it.
• With smart data streaming, you can analyze events as they are streamed, enabling immediate response to new information. Because the streaming configuration decides which events are normalized and evaluated, a change to these files can silently blind the detection, so the change itself must be alerted on.
43 Clear Audit Log
• Use case :- This pattern detects a deletion of the audit table content.
• Activate this pattern only if the audit trail target is a database table; if the trail is written elsewhere, there is no table content to clear.
• With a table target, a clear-log SQL statement can delete audit trails, so the pattern watches for that statement.
• The system audit tables can be accessed only by a system security officer, who can read them by executing SQL commands.
44 Client independent queries via debugger
• Use case :- Issue an alert in the event of any attempt to read data client-independently via the debugger.
• The ABAP debugger is a powerful tool for examining ABAP code at runtime. Reading data of other clients from the debugger bypasses the client separation that ordinary application access enforces, which is why such reads are alerted on regardless of who performs them.
45 Content Deletion
• Use case :- Issue an alert if security content for SAP Enterprise Threat Detection (such as workspaces, patterns or alerts) is deleted.
• The pattern covers any deletion of your ETD security content, whether of a workspace, a pattern or an alert; deleting a pattern removes detection capability and deleting an alert removes evidence.
46 Critical authorization assignment and logon
• Use case :- Issue an alert when a user is assigned critical profiles (such as SAP_ALL or SAP_NEW) and later logs on successfully.
SAP_NEW
• is a standard SAP profile that is usually assigned to users temporarily during an upgrade so that the activities and operations of SAP users are not hindered during the upgrade.
• It contains the authorizations for the authorization objects that are new in the target release, so that users can continue their work during the upgrade.
• SAP_NEW is used in the production environment during a version upgrade and must be withdrawn afterwards.
SAP_ALL
• is a standard SAP profile that is used on a need basis, to resolve particular issues that may arise during the use of SAP.
• It is used by administrators or developers only, applied on a need-to-use basis and then withdrawn.
• It contains authorizations for all SAP authorization objects and therefore for all transactions.
• Both profiles grant far more than any regular role; the pattern pairs the assignment with a subsequent logon because the risk materializes only once the account is actually used.
47 Critical authorization assignment
• Use case :- Issue an alert when a user is assigned critical profiles (such as SAP_ALL or SAP_NEW).
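The correlation that patterns 46 and 47 describe, written out as an added Python example; this is not SAP ETD code (ETD patterns are built in its own pattern editor), and the event format, field names, user names, system ID and timestamps are all constructed for the example:

```python
# Added example, not SAP ETD code: correlate the assignment of a critical
# profile (SAP_ALL, SAP_NEW) with a later successful logon by the same user.
# The event records and their field names are constructed for this example;
# a real feed would come from the system's change documents and audit log.
from dataclasses import dataclass
from datetime import datetime, timedelta

CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str           # "PROFILE_ASSIGNED" or "LOGON_OK" (constructed names)
    system: str         # system ID the event was raised in
    user: str           # account the event concerns
    profile: str = ""   # profile name, only for PROFILE_ASSIGNED
    actor: str = ""     # administrator who made the assignment


T = datetime(2024, 3, 4, 9, 0)
# Constructed sample events; times are offsets from T.
SAMPLE_EVENTS = [
    Event(T + timedelta(minutes=0), "LOGON_OK", "PRD", "DEVUSER"),
    Event(T + timedelta(minutes=60), "PROFILE_ASSIGNED", "PRD", "BATCH07", "SAP_ALL", "ADMIN01"),
    Event(T + timedelta(minutes=65), "LOGON_OK", "PRD", "BATCH07"),
    Event(T + timedelta(minutes=120), "PROFILE_ASSIGNED", "PRD", "DEVUSER", "SAP_NEW", "ADMIN01"),
    Event(T + timedelta(minutes=180), "PROFILE_ASSIGNED", "PRD", "CLERK01", "Z_DISPLAY", "ADMIN01"),
    Event(T + timedelta(minutes=190), "LOGON_OK", "PRD", "CLERK01"),
]


def critical_assignments(events):
    """Pattern 47: every assignment of a critical profile is an alert by itself."""
    return [e for e in events
            if e.kind == "PROFILE_ASSIGNED" and e.profile.upper() in CRITICAL_PROFILES]


def assignment_followed_by_logon(events, window=timedelta(hours=24)):
    """Pattern 46: alert only if the same user logs on successfully to the
    same system after the assignment, within `window`.
    Returns (assignment, logon) pairs."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts = []
    for a in critical_assignments(ordered):
        for e in ordered:
            if (e.kind == "LOGON_OK" and e.user == a.user and e.system == a.system
                    and a.ts < e.ts <= a.ts + window):
                alerts.append((a, e))
                break   # one alert per assignment, on the first logon after it
    return alerts


if __name__ == "__main__":
    for a in critical_assignments(SAMPLE_EVENTS):
        print(f"[47] {a.ts} {a.system}: {a.actor} assigned {a.profile} to {a.user}")
    for a, l in assignment_followed_by_logon(SAMPLE_EVENTS):
        print(f"[46] {a.user} got {a.profile} at {a.ts} and logged on at {l.ts}")
```

Note that the logon of DEVUSER before the SAP_NEW assignment does not produce a pattern 46 alert: only a logon after the assignment shows that the elevated account is in use, which is the distinction between the two patterns.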
48 Critical authorization assignment via debugging
• Use case :- Issue an alert in the event of a critical authorization assignment (such as SAP_ALL or SAP_NEW) made while debugging.
• Debugging is an important part of troubleshooting an ABAP application; ABAP code is debugged by setting breakpoints. A critical profile that is assigned in a debugging session rather than through the regular user administration transactions is treated as its own case by this pattern.
49 Critical change to Gateway file
• Use case :- Issue an alert if one of the Gateway configuration files reginfo, secinfo, or prxyinfo has been changed.
• The secinfo security file is used to prevent unauthorized launching of external programs: it defines which programs may be started through the gateway, by which users and from which hosts.
• File reginfo controls the registration of external programs in the gateway, and which hosts may use or cancel a registered program.
• File prxyinfo controls which hosts may use the gateway as a proxy to reach other gateways.
• A change that adds a wildcard permit rule to any of these files opens the gateway to every host, which is why the file change itself is alerted on rather than only the connections that follow it.
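One way to implement the file-change checks behind patterns 42 and 49, as an added Python example that is not SAP code: it compares the current content of each file with a baseline hash and, for the gateway files, also flags permit rules that accept any program from any host. The file contents below are constructed in the gateway's version-2 rule syntax; the baseline store (a plain dict) and the file names are assumptions.

```python
# Added example, not SAP code: detect a change to a gateway security file
# (reginfo, secinfo, prxyinfo) against a stored baseline hash, and flag rules
# that permit anything from anywhere. The file contents are constructed;
# the baseline store is a plain dict here and is an assumption.
import hashlib

# Constructed sample files in the gateway's version-2 rule syntax:
# one rule per line, "P" permits and "D" denies, KEY=VALUE fields.
SECINFO_BASELINE = """#VERSION=2
P TP=/usr/sap/PRD/SYS/exe/run/sapxpg USER=prdadm HOST=apphost01 USER-HOST=apphost01
D TP=* USER=* HOST=* USER-HOST=*
"""
SECINFO_CHANGED = """#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
"""
REGINFO_BASELINE = """#VERSION=2
P TP=IGS.PRD HOST=igshost01 ACCESS=internal,apphost01 CANCEL=internal
D TP=* HOST=* ACCESS=* CANCEL=*
"""
REGINFO_CHANGED = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
"""


def fingerprint(content):
    """SHA-256 of the file content; this is the value kept as the baseline."""
    return hashlib.sha256(content.encode()).hexdigest()


def changed_files(baseline, current):
    """Patterns 42 / 49: names of files whose current hash differs from the
    baseline, or that are missing now. Both arguments map name -> content."""
    out = []
    for name, base_content in baseline.items():
        cur = current.get(name)
        if cur is None or fingerprint(cur) != fingerprint(base_content):
            out.append(name)
    return out


def parse_rules(content):
    """Yield (action, {KEY: VALUE}) for each rule line, skipping comments."""
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *fields = line.split()
        yield action.upper(), dict(f.split("=", 1) for f in fields if "=" in f)


def permissive_rules(content):
    """Permit rules that accept any program from any host; for reginfo a
    rule letting any host use (ACCESS) the registered program also counts."""
    bad = []
    for action, fields in parse_rules(content):
        if action != "P":
            continue
        if fields.get("TP") == "*" and fields.get("HOST") == "*":
            bad.append(fields)
        elif fields.get("ACCESS") == "*":
            bad.append(fields)
    return bad


if __name__ == "__main__":
    baseline = {"secinfo": SECINFO_BASELINE, "reginfo": REGINFO_BASELINE}
    current = {"secinfo": SECINFO_CHANGED, "reginfo": REGINFO_CHANGED}
    for name in changed_files(baseline, current):
        print(f"ALERT: {name} changed; permissive rules now: {permissive_rules(current[name])}")
```

The hash comparison is what the ETD pattern reacts to; the rule check is an extra triage step so the alert handler can see at once whether the change opened the gateway or merely tightened it.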
50 Critical Cloud Connector Configuration Change
• Use case :- Issue an alert if one of the specified Cloud Connector configuration settings was changed.
51 Critical RFC Callbacks for User Management
• Use case :- Issue an alert in the event of any attempt to execute a critical RFC for user management.
• If an RFC call is initiated on a production system to a less protected SAP system (an outbound call), the called system can use the open connection for an RFC callback into the production system, which runs under the authorizations of the calling user. A function module manipulated by an attacker in the weaker system can therefore create or change users in production; this pattern alerts on such user-management callbacks.
52 CUZ-Generic table access by RFC pattern
• Use case :- Issue an alert in the event of attempts at CUZ-generic table access via RFC.
• Generic table access means reading arbitrary table contents through a function module that takes the table name as a parameter, such as RFC_READ_TABLE.
• The generic Table Entry Counter data collector provides a way to run dynamic database queries that count the number of entries (or the number of distinct values) in any database table of a managed ABAP system.
• Remote Function Call (RFC) is the standard SAP interface for communication between SAP systems; an RFC call executes a function in a remote system.
53 Data Download with Suspicious Filename
• Use case :- Issue an alert in case of access to sensitive data, detected through the name of the file the data is downloaded to.
• The results show the files that were downloaded to the user's machine.
• If you see the same suspicious file name across multiple log source types, you can have a fair amount of confidence that it is the file you want.
54 Debugging by users belonging to a critical user group
• Use case :- Issue an alert if debugging takes place by a user belonging to a user group which must not debug in a system.
55 Debugging in critical systems
• Use case :- Issue an alert if debugging takes place in a critical system ID.
• Debugging is a legitimate part of development: it helps to find and fix errors, optimize performance and improve stability, and its primary goal is to ensure that a program functions as intended.
• In a production or otherwise critical system, however, the debugger lets a user inspect data at runtime and, with the corresponding authorization, change variable contents and program flow, which is why debugging there is alerted on regardless of its purpose.
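The three debugging patterns above (44, 54 and 55) evaluated over a handful of debugger events, as an added Python example that is not SAP ETD code. The events, their field names and the `cross_client` flag are constructed for the example; which system IDs and user groups count as critical is a site decision and the sets used here are assumptions.

```python
# Added example, not SAP ETD code: evaluate debugger events against the three
# debugging patterns (44, 54, 55). Events, their field names and the
# "cross_client" flag are constructed for the example; which system IDs and
# user groups count as critical is a site decision and is assumed here.
from dataclasses import dataclass

CRITICAL_SYSTEMS = {"PRD", "PRQ"}                  # assumption: production SIDs
NO_DEBUG_GROUPS = {"AUDITOR", "ENDUSER", "BATCH"}  # assumption: groups that must not debug


@dataclass(frozen=True)
class DebugEvent:
    system: str          # system ID the debugger was started in
    client: str          # client the session runs in
    user: str
    user_group: str      # user group of the account (from user master data)
    cross_client: bool   # constructed flag: debugger read data of another client


# Constructed sample events.
SAMPLE_EVENTS = [
    DebugEvent("DEV", "100", "DEV01", "DEVELOPER", False),
    DebugEvent("PRD", "300", "BASIS02", "ADMIN", False),
    DebugEvent("QAS", "200", "AUDIT01", "AUDITOR", False),
    DebugEvent("PRD", "300", "DEV03", "DEVELOPER", True),
]


def debug_alerts(events, critical_systems=CRITICAL_SYSTEMS, no_debug_groups=NO_DEBUG_GROUPS):
    """Return (pattern, event) pairs; one event can match several patterns."""
    alerts = []
    for e in events:
        if e.cross_client:
            alerts.append(("44 Client independent queries via debugger", e))
        if e.user_group.upper() in no_debug_groups:
            alerts.append(("54 Debugging by users belonging to a critical user group", e))
        if e.system.upper() in critical_systems:
            alerts.append(("55 Debugging in critical systems", e))
    return alerts


def alerts_by_pattern(events, **kw):
    """Count alerts per pattern; useful for tuning the sets before activation."""
    counts = {}
    for pattern, _ in debug_alerts(events, **kw):
        counts[pattern] = counts.get(pattern, 0) + 1
    return counts


if __name__ == "__main__":
    for pattern, e in debug_alerts(SAMPLE_EVENTS):
        print(f"[{pattern}] {e.system}/{e.client} user {e.user} ({e.user_group})")
```

Running it against the sample shows why the three patterns are kept separate: the developer debugging in DEV produces nothing, the administrator in PRD trips only pattern 55, and the developer reading another client's data in PRD trips both 44 and 55, so each alert carries the reason on its own.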
