In today's complex and ever-evolving cybersecurity landscape, SAP systems face increasing threats that demand robust and adaptive security mechanisms. SAP Enterprise Threat Detection (SAP ETD) is a critical tool designed to help organizations detect, analyze, and respond to suspicious activities in real time within their SAP environments.
While SAP ETD provides a rich set of predefined detection rules to identify common threats, the ability to create custom detection rules empowers organizations to tailor their security posture according to unique operational risks, compliance requirements, and emerging threats.
This article explores the fundamentals of creating custom detection rules in SAP ETD, guiding security professionals on enhancing threat detection capabilities specific to their SAP environments.
SAP ETD is an integrated security solution that continuously monitors SAP system logs and events for indicators of potential threats, including fraud, cyberattacks, and insider abuse. It aggregates data from multiple SAP components—such as ERP, S/4HANA, and SAP NetWeaver—and analyzes this data in near real-time using advanced correlation and pattern matching.
The default rule sets in SAP ETD address a broad range of common threats, but organizations have unique workflows, configurations, and risk profiles. Custom detection rules help by:
Detection rules in SAP ETD are based on queries that analyze event data streams from SAP logs. These rules use a query language resembling SQL, which can filter, correlate, and aggregate events to identify suspicious patterns.
Begin by clearly defining the suspicious behavior or threat you want to detect. For example:
Understanding the business context and risk helps in defining precise detection criteria.
Use SAP ETD’s data collection mechanisms to ensure that the required event sources are monitored. Analyze sample logs to understand event attributes and their typical values.
Leverage SAP ETD’s query language to write rules that capture the defined threat scenario. Common constructs include:
Example: Detect users performing critical transaction /nSU01 outside of working hours:
-- Flag the user-administration transaction when it runs outside 08:00-18:00
SELECT USER, TIMESTAMP, TRANSACTION
FROM events
WHERE TRANSACTION = '/nSU01'
  AND (HOUR(TIMESTAMP) < 8 OR HOUR(TIMESTAMP) > 18)
Validate the rule against historical data to verify accuracy. Adjust thresholds and filters to minimize false positives while ensuring no critical events are missed.
Activate the rule in the SAP ETD environment. Continuously monitor alerts and rule performance, updating the rule as new insights emerge.
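The out-of-hours query above, together with the tuning step (suppressing a known false-positive source) and an aggregation rule of the kind the article describes, worked through on constructed sample events. This is an added example, not SAP ETD's own rule syntax or data: it uses an in-memory SQLite table shaped like the article's query (SQLite's strftime stands in for HOUR), a hypothetical allowlist of scheduled-job users, and the bare transaction code SU01, since the /n prefix is a command-field prefix rather than part of the logged transaction code.

```python
import sqlite3

# Constructed sample events standing in for SAP audit-log records (not real data).
# Columns mirror the article's query: USER, TIMESTAMP, TRANSACTION (plus TERMINAL).
SAMPLE_EVENTS = [
    ("ADMIN01", "2024-03-04 09:15:00", "SU01", "WS-101"),   # in hours: no alert
    ("ADMIN01", "2024-03-04 22:40:00", "SU01", "WS-101"),   # out of hours
    ("BATCH01", "2024-03-05 02:05:00", "SU01", "WS-BATCH"), # scheduled job: known false positive
    ("AUDIT02", "2024-03-05 19:30:00", "SE16", "WS-220"),   # other transaction: no alert
    ("ADMIN01", "2024-03-05 23:10:00", "SU01", "WS-999"),   # burst from an unusual terminal
    ("ADMIN01", "2024-03-05 23:12:00", "SU01", "WS-999"),
    ("ADMIN01", "2024-03-05 23:14:00", "SU01", "WS-999"),
]

# Filter rule: critical transaction outside 08:00-18:00, minus allowlisted batch users.
OUT_OF_HOURS_RULE = """
SELECT "USER", "TIMESTAMP", "TRANSACTION"
FROM events
WHERE "TRANSACTION" = ?
  AND (CAST(strftime('%H', "TIMESTAMP") AS INTEGER) < 8
       OR CAST(strftime('%H', "TIMESTAMP") AS INTEGER) > 18)
  AND "USER" NOT IN (SELECT name FROM allowlist)
ORDER BY "TIMESTAMP"
"""

# Aggregation rule: the same user runs the transaction at least N times in one hour
# (correlate by user and hour bucket, then count).
BURST_RULE = """
SELECT "USER", strftime('%Y-%m-%d %H', "TIMESTAMP"), COUNT(*)
FROM events
WHERE "TRANSACTION" = ?
GROUP BY "USER", strftime('%Y-%m-%d %H', "TIMESTAMP")
HAVING COUNT(*) >= ?
"""

def load_events(events=SAMPLE_EVENTS, allowlist=("BATCH01",)):
    """Load constructed events and the hypothetical allowlist into in-memory tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE events ("USER" TEXT, "TIMESTAMP" TEXT, "TRANSACTION" TEXT, TERMINAL TEXT)')
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", events)
    conn.execute("CREATE TABLE allowlist (name TEXT)")
    conn.executemany("INSERT INTO allowlist VALUES (?)", [(u,) for u in allowlist])
    return conn

def out_of_hours(conn, tcode="SU01"):
    """Rows (user, timestamp, transaction) that would raise the out-of-hours alert."""
    return conn.execute(OUT_OF_HOURS_RULE, (tcode,)).fetchall()

def bursts(conn, tcode="SU01", threshold=3):
    """Rows (user, hour bucket, count) that exceed the burst threshold."""
    return conn.execute(BURST_RULE, (tcode, threshold)).fetchall()

if __name__ == "__main__":
    conn = load_events()
    for row in out_of_hours(conn):
        print("OUT-OF-HOURS", row)
    for row in bursts(conn):
        print("BURST", row)
```

Replaying the rules over a slice of historical events this way, and counting how many hits the allowlist removes, is the validation step the article calls for before activating a rule.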
Creating custom detection rules in SAP Enterprise Threat Detection is a powerful way to enhance your organization's ability to uncover sophisticated and tailored threats. By understanding your environment, carefully crafting detection logic, and continuously refining your rules, you can significantly improve the security posture of your SAP systems.
SAP ETD's flexible query-driven approach allows security teams to adapt quickly and stay ahead of emerging risks, making it an indispensable tool for SAP security management.