
Operations Guide | INTERNAL – Authorized for SAP Customers and Partners

SAP Enterprise Threat Detection


2023-03-21

Operations Guide for SAP Enterprise Threat Detection
Release 2.0, Support Package 6
© 2023 SAP SE or an SAP affiliate company. All rights reserved.

THE BEST RUN


Content

1 Getting Started [page 5]
1.1 What Is SAP Enterprise Threat Detection? [page 6]
1.2 Starting SAP Enterprise Threat Detection Launchpad [page 7]
1.3 Business Roles in SAP Enterprise Threat Detection [page 8]
1.4 Viewing the Record of Actions [page 9]
2 Introduction to Semantic Events and Attributes [page 11]
2.1 Roles of Semantic Events with Examples [page 11]
2.2 Role-Independent Attributes [page 14]
2.3 Semantic Attributes of Events [page 15]
2.4 Semantic Events in Log Learning [page 17]
2.5 Semantic Attributes of Events in Log Learning [page 31]
2.6 Semantic Attributes of Events in Forensic Lab [page 43]
3 Monitoring the State of the System Landscape [page 58]
3.1 Best Practices: Monitoring the State of the System Landscape [page 58]
3.2 Configuring the Monitoring User Interface [page 59]
3.3 Changing Charts and Patterns in Monitoring [page 60]
3.4 Opening Monitoring Charts in the Forensic Lab [page 61]
3.5 Health Checks [page 61]
    Types of Health Checks [page 61]
    Stopping Health Checks for Decommissioned Systems [page 63]
4 Monitoring the System Landscape [page 64]
5 Monitoring the Distribution of Security Notes [page 66]
5.1 Implementation Status and Processing Status of SAP Notes [page 67]
6 Viewing Log Events [page 69]
6.1 Semantic Events [page 70]
7 Browsing in Forensic Lab [page 71]
7.1 Monitoring Configuration Check Results [page 72]
7.2 The Anatomy of a Forensic Workspace [page 73]
7.3 Versioning of Forensic Workspaces [page 73]
7.4 Creating Forensic Workspaces [page 74]
7.5 Adding Paths and Subsets [page 75]
    Adding Subsets That Use Self-Reference [page 78]
    Using the Bubble Diagram [page 79]
7.6 Visualizing Subsets [page 80]
    Viewing the Log Data of a Subset [page 83]
    Viewing an Alert Graph [page 84]
    Sharing Snapshots of Charts [page 84]
7.7 Moving Patterns to Other Workspaces [page 85]
8 Defining Namespaces [page 87]
9 Attack Detection Patterns [page 89]
9.1 Best Practices: Pattern Development and Configuration [page 89]
9.2 Creating Pattern Configurations [page 92]
    Monitoring the Execution of Patterns [page 95]
    Viewing, Editing, and Testing Patterns [page 96]
    Related Indicators [page 97]
9.3 Executing Attack Patterns Manually [page 98]
9.4 Pattern Postprocessing [page 99]
10 Searching All Logs with Sherlog Search [page 101]
10.1 Creating an Attack Detection Pattern Based on Sherlog Search Results [page 103]
11 Value Lists [page 106]
11.1 Preparing Value Lists [page 106]
11.2 Exporting Value Lists [page 108]
11.3 Creating Dynamic Value Lists by Filling Value Lists from External Sources [page 108]
12 Working with a List of Alerts [page 110]
12.1 Best Practices: Working with Alerts and Investigations [page 111]
12.2 Working with a Single Alert [page 112]
12.3 Exempting Alerts [page 114]
12.4 Examining the Threat Situation [page 115]
12.5 Settings of SAP Enterprise Threat Detection [page 117]
    Workload Management Classes for SAP Enterprise Threat Detection [page 118]
13 Viewing Alerts in Clusters [page 120]
13.1 Working with Snapshot Pages [page 121]
13.2 Working with Case Files [page 122]
13.3 Working with an Attack Path [page 123]
    Saving Attack Paths and Generating Patterns [page 124]
14 Working with a List of Investigations [page 125]
14.1 Best Practices: Working with Alerts and Investigations [page 126]
14.2 What are Investigations? [page 126]
14.3 Working with a Single Investigation [page 127]
14.4 Working with Investigation Templates [page 128]
15 Managing Storage of Events and User Accounts [page 131]
15.1 Retention of User Account Data [page 133]
16 Detecting and Analyzing Anomalies [page 134]
16.1 Anomaly Detection Lab [page 134]
16.2 Statuses Used for Evaluations and Anomaly Detection Patterns [page 136]
16.3 Editing and Creating Anomaly Detection Patterns [page 139]
16.4 Editing and Creating Evaluations [page 141]
16.5 Editing and Creating Scenarios [page 144]
16.6 Viewing and Analyzing Anomalies [page 144]
    Viewing Anomalies in the Score Overview Diagram [page 146]
    Viewing Anomalies in the Diagram of Score Diversity [page 147]
    Viewing the Details of Anomalies [page 148]
17 Pseudonymization of User Data [page 149]
17.1 Best Practices: Pseudonymization of User Data [page 149]
17.2 Deactivating Pseudonymization [page 150]
17.3 Determining the True Identity of Users [page 152]
17.4 Identifying Related Accounts for a Pseudonym [page 153]
17.5 Identifying Activities Performed by One Person Using Different User Accounts [page 154]
17.6 Calculation of Related Accounts [page 155]
17.7 Logging Access to User Identities [page 156]
17.8 Username Masking [page 157]
18 Recurring Tasks to Help Ensure Smooth Operations [page 159]
19 Preventing Out of Memory Issues [page 162]
20 Content Delivery [page 163]
20.1 Importing New Content Packages [page 163]

1 Getting Started

This document shows you what SAP Enterprise Threat Detection is and how to operate and customize the
software.

To learn how to install and configure the component parts of SAP Enterprise Threat Detection, see the SAP
Enterprise Threat Detection Implementation Guide at https://help.sap.com/sapetd.

Note

Check for the latest version of this documentation on SAP Help Portal at https://help.sap.com/sapetd.

Follow SAP Enterprise Threat Detection on SAP Community at https://community.sap.com/topics/enterprise-threat-detection.

For the current release note and other SAP Notes about SAP Enterprise Threat Detection, go to https://support.sap.com and check the entries for the component BC-SEC-ETD.

Document History

The following table provides an overview of the most important document changes.

Caution

The latest version of this document is available on SAP Help Portal at http://help.sap.com/sapetd.

Date | Change | More Information
2023-03-20 | Topic added | Username Masking [page 157]
2023-03-20 | Topic changed | Pseudonymization of User Data [page 149]
2023-02-20 | Topics changed | Semantic Events in Log Learning [page 17]

New semantic events added on 2023-02-20:

• Customer-Specific Event
• Data, File, Access, Failure
• Data, Sign
• Principal Propagation, Deny
• System Admin, Transaction, Lock
• System Admin, Transaction, Unlock
• User, Logon, Process Step

1.1 What Is SAP Enterprise Threat Detection?

SAP Enterprise Threat Detection enables you to evaluate security threats in your IT landscapes in real time by
leveraging SAP and non-SAP log data.

Firewalls, virus scanners, and security policies are important parts of your arsenal to keep attackers out of
your network, but they are not enough. You must harden every possible avenue of attack, while the attacker
only needs to find a single weakness. SAP applications hold your most important business data. It is vitally
important that you protect your SAP applications from people who want to damage or exploit your information.

SAP Enterprise Threat Detection detects potential attacks on SAP systems at the application level by gathering
and analyzing log data. Whether the threat is internal or external, SAP Enterprise Threat Detection alerts you to
potential attacks in real time. You have the opportunity to investigate and either dismiss the alert or pursue an
actual incident.

SAP Enterprise Threat Detection provides graphical tools to enable you to navigate the log data. With the log
data, you can support forensic analyses or gain new insights into your system landscape. From these new
insights, you can create new attack detection patterns and run them regularly against log data as the log data
comes in. Any matches to the patterns generate alerts.

Although the workspaces delivered for SAP Enterprise Threat Detection provide extensive coverage, it would
be impossible to address the vast range of potential threats using standard content alone. To reliably detect
attacks in your specific systems, make sure to check if you need to adapt the content configuration such as the
value lists, schedules and thresholds of the delivered attack detection patterns.

1.2 Starting SAP Enterprise Threat Detection Launchpad

The launchpad for SAP Enterprise Threat Detection provides you with access to all the functions of the
product. The launchpad also gives you an overview of the current status of alerts and investigations in your
system.

Prerequisites

SAP Enterprise Threat Detection supports the latest version of the following browsers:

• Google Chrome
• Mozilla Firefox
• Microsoft Edge (Chromium)

Procedure

1. Enter the following URL in your browser to display the launchpad: <protocol>://<host_name>:<port>/sap/secmon/ui. The tiles on the launchpad are grouped in several categories. Note that you can rearrange the launchpad according to your preferences.

On the launchpad, some tiles display a number, which refers to the category defined by the tile title. Red
numbers indicate that there are investigations or alerts with very high severity and that you should look
into these issues first.

The symbol next to the number indicates the measure:

Symbol | Measure
K | Thousands
M | Millions
B | Billions

2. To rearrange the tiles according to your preferences, choose the pencil icon in the lower right-hand corner to start the edit mode.

You can now perform actions on tiles and groups. Choose the pencil icon again to end the edit mode.
3. Create your own tiles.

On some of the user interfaces of SAP Enterprise Threat Detection, for example Alerts, Investigations, and
Record of Actions, you can specify filter criteria according to which investigations or alerts are displayed
and then save these lists as tiles on your launchpad. For example, this is helpful if you want to monitor
alerts that result from specific patterns, or investigations that are assigned to specific users. This option is
marked with the (Save as Tile) icon.

A new tile is saved to your launchpad with the title, subtitle, and additional information you provided.

1.3 Business Roles in SAP Enterprise Threat Detection

Users of SAP Enterprise Threat Detection have different functions within a company and interact with other
people within an organization. The following shows one way that you can separate different functions into
business roles for SAP Enterprise Threat Detection.

The following table provides an example of how you can divide the business roles in SAP Enterprise Threat
Detection. We provide example roles with the technical authorizations required to create these business roles.

For more information, see Creating Users and Assigning Authorizations in the SAP Enterprise Threat Detection
Implementation Guide.

Business Roles of SAP Enterprise Threat Detection

Monitoring Agent (example role: sap.secmon.db::EtdUser)

The monitoring agents view events, alerts, and incidents and manage their status.

The monitoring agents monitor the system landscape in a security monitoring center at all times. When an alert is shown, the monitoring agent must immediately react according to the process defined in the organization. If they consider an alert suspicious enough to require further analysis, they might have to hand it over to a security expert. If they find a lot of false positives, they can also send this information to the security expert.

Security Expert (example role: sap.secmon.db::EtdSecExpert)

The security expert is an administrator who configures attack detection patterns and maintains any other configurations of SAP Enterprise Threat Detection. They can also perform all operator tasks.

A security expert handles possible incidents and performs forensic research in order to find the root cause. They check the attack detection patterns and charts in the forensic lab of SAP Enterprise Threat Detection and possibly modify them or create new ones for better alert detection in the future. If they learn about many false positive alerts from the monitoring agent, they will also modify the patterns accordingly.

Special role for resolving user identity, for example from the HR department (example role: sap.secmon.db::EtdResolveUser)

By default, all user information is replaced by a pseudonym in the user interface. This role enables the identity of the person behind the pseudonym to be revealed. Who can resolve pseudonyms is governed by local regulations and by the data privacy policy of your organization.

For all users of SAP Enterprise Threat Detection, the starting point for performing the tasks described in the
table above is the SAP Enterprise Threat Detection launchpad. The launchpad provides access to all the tools
required by the roles presented above. It provides access to a monitoring application, enabling all users to
monitor the state of the system landscape.

For more information about the monitoring application, see Monitoring the State of the System Landscape
[page 58].

The following table describes the other roles in the system landscape.

Other Roles in the System Landscape

Role | Description
Attacker | The attacker tries to misuse or gain data from the system for which he or she has no authorization. By analyzing the logs gathered from systems penetrated by the attacker, SAP Enterprise Threat Detection generates alerts leading to the discovery of the attack.
Business User | Business users doing their normal work generate thousands of log entries. SAP Enterprise Threat Detection attempts to separate these normal activities from those of the attacker.
System Administrator | During the implementation of SAP Enterprise Threat Detection, system administrators deploy and configure any components required by the product. System administrators also make sure that the required jobs and processes continue to run, including making sure that the relevant users have the required authorizations.

1.4 Viewing the Record of Actions

The record of actions provides an overview of changes and actions in SAP Enterprise Threat Detection. You can filter the list and save it as a separate tile.

Prerequisites

You have administrator authorizations.

Context

The following actions are recorded:

• Changes to or deletion of alerts, events, case files, snapshots, investigations, forensic workspaces, attack detection patterns, anomaly detection patterns, evaluations, value lists, and monitoring pages
• Changes to settings in the Settings user interface
• Resolving of user pseudonyms
• Deletion of partitions
• Changes to semantic events, runtime rules, and log types

Procedure

1. From the launchpad of SAP Enterprise Threat Detection, choose the Record of Actions tile.
2. Use the filters to display the actions you are interested in.

If the filter bar is not displayed at the top of the screen, choose Show Filter Bar. When you have entered
your filter criteria, don't forget to choose Go. Note that you can sort the columns by clicking the header
row.
3. If you want to know more about what has changed, click the relevant row in the table.

Depending on the object type, you see the old and new entity next to each other.

Next Steps

You can save a list of action records as a separate tile. To do so, filter the list as needed and choose (Save as Tile).

2 Introduction to Semantic Events and Attributes

A semantic event is a standard way to represent the meaning of an event. Each log entry type with that
meaning is assigned the same semantic event, which enables searches across log sources for that semantic
event.

For SAP logs, this mapping has been done. When providing logs from other systems in the Log Learning
application, you map the log entries to this set of semantic events and attributes once. For more information,
see Log Learning in the SAP Enterprise Threat Detection Implementation Guide on SAP Help Portal.

A semantic event identifies the action of the event and the participants in that action. Participants may be
identified by their role in the action and/or their entity type. The key participant in the event is the actor. This is
the system or host that performs the action of the event. All other roles of an event are usually assigned relative
to the actor role. For example, a system that asks the actor to act is the initiator, and one that the actor asks
to perform some function is the target. In other words, the event is represented from the point of view of the
actor. This is consistent with the fact that most logs are created by the actor from the standpoint of the actor.
For more information about the roles of semantic events, see Roles of Semantic Events with Examples [page 11].

There is a set of semantic attributes that further define the semantic events. For more information, see
Semantic Attributes of Events [page 15].

Related Information

Semantic Events in Log Learning [page 17]
Semantic Attributes of Events in Log Learning [page 31]

2.1 Roles of Semantic Events with Examples

Some semantic attributes include roles of the events. For example, a system ID involved in an event might have
the actor or target role. These roles are differentiated with the help of semantic attributes, which include the
roles System ID, Actor and System ID, Target.

There are three entities involved in events that can have roles: Systems/Hosts, Users, and Triggers. The
following role names are used:

System/Host Roles

System/Host Role | Description
Actor | The system that executes the software to perform the action that is logged. The software runs under the acting user account.
Initiator | The system that asks the actor to perform the action of the event. For example, an end device that asks an SAP system to run a transaction plays the initiator role.
Intermediary | In some events, the system that mediates between two other systems, usually between initiator and actor.
Reporter | The system that writes events to a log. Often the actor and reporter are the same system.
Target | The system that the actor asks to perform some function. For example, an actor requests a remote system, the target, to run a program.

Example of an Event Where Actor and Reporter Are Different Systems


The actor and reporter are not always the same system. For example, Web filter software is installed on a Web
client so that the client blocks or allows requests and then uploads the block event or the allow event to the
Web filter to be logged in the Web filter log. In this case, the actor is the Web client, and the reporter is the
Web filter. To make this clear, events that occur on the Web client have Event Scenario Role of Actor set to
Web_Client. If the Web filter itself performs the block or allow action, Event Scenario Role of Actor is set to
Web_Filter.

User Roles

User Role | Description
Actor | The user account under which the software on the actor system runs.
Initiator | The user account under which the software on the initiator system runs.
Target | In user administration, the account that is created, modified, or deleted.
Remote | The user account under which the software on the target system runs.

Why Do We Need Different Roles for Systems and Users?


The method for representing semantic events separates system/host roles from user roles and trigger roles.
One reason for this is that the system and user roles do not always coincide. Logon is a good example. Software
running on an actor, often under a system account (actor), performs authentication of a supplied user account,
the target user.

Example of an Event with Three Users: Logon

At the request of an initiator (for example, an SAP HANA client), the actor (for example, an SAP HANA
database) authenticates a user account name target. The initiator tells the actor that their account is user
account name initiator. The authentication software on the actor runs under the user account name actor.

Employee Thomas Smith logs on as D02 using his laptop. Then he logs on to an SAP HANA database using
his database user account TSMITH. SAP HANA performs the logon under the user account SYSTEM. The SAP
HANA database (actor) writes a log entry that has the following semantics: An actor, the SAP HANA database,
authenticates a target user. The log entry has three user accounts with the following roles:

• D02: initiator
• TSMITH: target
• SYSTEM: actor

In this example, two systems are involved: the laptop and the SAP HANA system. The laptop plays the role of
the initiator and the SAP HANA system plays the role of the actor.

Note

The user roles in forensic lab do not display the actual user account names but only the pseudonyms. For more information about pseudonymization, see Pseudonymization of User Data in the SAP Enterprise Threat Detection Operations Guide.

Trigger Roles

Trigger Role | Description
Actor | A trigger that causes an event to occur and/or to be logged. An audit policy is an example of a trigger. See example below.
Target | A trigger that is the target of an action. See example below.

Example

Example of Trigger Roles

This is a simplified example that focuses only on the trigger roles of an event: In SAP HANA, audit_policy_1 is changed, and audit_policy_2 states the condition: When any audit policy is changed, write an audit log entry.

The actor SAP HANA writes a log entry that has the following semantics: An actor, SAP HANA, altered an audit policy named audit_policy_1. The logging of this event was triggered by an audit policy named audit_policy_2.

The event would have the following attributes for the trigger roles:

• Trigger Type Target: audit policy
• Trigger Name Target: audit_policy_1
• Trigger Type Actor: audit policy
• Trigger Name Actor: audit_policy_2

2.2 Role-Independent Attributes
There are many role-dependent attributes in SAP Enterprise Threat Detection such as "Network, IP Address,
Actor", "Network, IP Address, Initiator", "Network, IP Address, Intermediary" and so on. To make working
with these attributes more comfortable, the system provides role-independent attributes that group the role-
dependent attributes.

Each role-independent attribute comprises the role-dependent attributes listed under it in the following table.

Role-Independent Attribute: Network, IP Address <Role-Independent>
Comprises: Network, IP Address, Actor; Network, IP Address, Initiator; Network, IP Address, Intermediary;
Network, IP Address, Reporter; Network, IP Address, Target; Network, IP Before NAT, Initiator;
Network, IP Before NAT, Target

Role-Independent Attribute: Network, Hostname <Role-Independent>
Comprises: Network, Hostname, Actor; Network, Hostname, Initiator; Network, Hostname, Intermediary;
Network, Hostname, Reporter; Network, Hostname, Target

Role-Independent Attribute: User Account Name Pseudonym <Role-Independent>
Comprises: User Account Name Pseudonym, Actor; User Account Name Pseudonym, Initiator;
User Account Name Pseudonym, Target; User Account Name Pseudonym, Remote
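The trigger-role example in section 2.1 and the grouping table above, as an added example in Python that is not part of this guide or of SAP Enterprise Threat Detection itself: it normalizes one constructed HANA-style audit record into semantic attributes with roles, derives the role-independent attributes from the table above, and applies a filter the way a role-independent filter has to behave (a match on any of the member roles). The record layout, the attribute spellings that the guide does not show ("Event, Semantic", "System, ID, Actor", "Time, Timestamp"), the network role assignment, and the keyed-hash pseudonym are assumptions made for illustration; the product's own pseudonymization scheme is described elsewhere in this guide.

```python
import csv
import hashlib
import hmac

# Constructed sample record (not a real HANA audit-trail line): the situation from
# the trigger-role example above. audit_policy_1 is altered by user SYSTEM from a
# client host, and audit_policy_2 is the policy whose condition caused the entry
# to be written. Field layout is an assumption.
SAMPLE_AUDIT_RECORD = (
    "2023-03-21 10:15:02;HANA_PRD;ALTER AUDIT POLICY;AUDIT_POLICY_1;"
    "AUDIT_POLICY_2;SYSTEM;10.0.1.25;10.0.5.7"
)
FIELDS = ["timestamp", "system_id", "action", "target_policy",
          "policy_fired", "user", "client_ip", "server_ip"]

# Hypothetical key for the pseudonym stand-in below (illustration only).
PSEUDONYM_KEY = b"demo-key-do-not-use"

# Role-independent attributes and the role-dependent attributes they comprise,
# copied from the table in section 2.2 of the guide.
ROLE_INDEPENDENT = {
    "Network, IP Address <Role-Independent>": [
        "Network, IP Address, Actor", "Network, IP Address, Initiator",
        "Network, IP Address, Intermediary", "Network, IP Address, Reporter",
        "Network, IP Address, Target", "Network, IP Before NAT, Initiator",
        "Network, IP Before NAT, Target",
    ],
    "Network, Hostname <Role-Independent>": [
        "Network, Hostname, Actor", "Network, Hostname, Initiator",
        "Network, Hostname, Intermediary", "Network, Hostname, Reporter",
        "Network, Hostname, Target",
    ],
    "User Account Name Pseudonym <Role-Independent>": [
        "User Account Name Pseudonym, Actor", "User Account Name Pseudonym, Initiator",
        "User Account Name Pseudonym, Target", "User Account Name Pseudonym, Remote",
    ],
}


def pseudonymize(user_name: str) -> str:
    """Keyed-hash stand-in for the pseudonym shown in forensic lab (assumption)."""
    return hmac.new(PSEUDONYM_KEY, user_name.encode(), hashlib.sha256).hexdigest()[:16]


def normalize_hana_audit_record(line: str) -> dict:
    """Map one constructed audit record to semantic attributes with roles."""
    raw = dict(zip(FIELDS, next(csv.reader([line], delimiter=";"))))
    if raw["action"] != "ALTER AUDIT POLICY":
        raise ValueError(f"unsupported action: {raw['action']}")
    return {
        "Event, Semantic": "System Admin, Audit Policy, Alter",
        "Time, Timestamp": raw["timestamp"],
        "System, ID, Actor": raw["system_id"],
        # Trigger roles exactly as in the section 2.1 example: the altered policy
        # is the target trigger, the policy that fired the log entry is the actor.
        "Trigger Type Target": "audit policy",
        "Trigger Name Target": raw["target_policy"].lower(),
        "Trigger Type Actor": "audit policy",
        "Trigger Name Actor": raw["policy_fired"].lower(),
        # Network roles (assumption): the client that issued the change is the
        # initiator, the HANA host that executed and logged it is the actor.
        "Network, IP Address, Initiator": raw["client_ip"],
        "Network, IP Address, Actor": raw["server_ip"],
        # Only the pseudonym reaches forensic lab, never the account name itself.
        "User Account Name Pseudonym, Initiator": pseudonymize(raw["user"]),
    }


def role_independent_view(attrs: dict) -> dict:
    """Collect, per role-independent attribute, the values of its role-dependent members."""
    return {
        name: {attrs[m] for m in members if m in attrs}
        for name, members in ROLE_INDEPENDENT.items()
    }


def matches_filter(attrs: dict, attribute: str, value: str) -> bool:
    """A role-independent filter matches if any member role carries the value;
    a role-dependent filter matches only that one role."""
    if attribute in ROLE_INDEPENDENT:
        return value in role_independent_view(attrs)[attribute]
    return attrs.get(attribute) == value
```

Filtering on "Network, IP Address <Role-Independent>" for 10.0.5.7 matches the record because the address appears in the Actor role, while the role-dependent filter "Network, IP Address, Target" for the same address does not, which is exactly the difference the role-independent attributes exist to hide when you only want to know whether an address occurs anywhere in an event.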

Usage of Role-Independent Attributes in Forensic Lab

You can use the role-independent attributes as filters when you create new subsets in the forensic lab.

Restrictions
You cannot reference role-independent attributes when filtering in forensic lab.

You cannot use role-independent attributes for charts.

You cannot use role-independent attributes for dimensions when you create a pattern or chart (appending
group by field).

Usage of Role-Independent Attributes in Sherlog Search

You can use the role-independent attributes as filters when you navigate to forensic lab from the Sherlog
search.

Steps

1. Select one or more logs in Sherlog.
2. Choose Process.
3. In the Process Logs dialog, choose Process in the Forensic Lab and select the checkbox Add selected value
to Filter.
4. Choose the role-independent attribute from the dropdown list.
5. Choose Process.

Result

The system opens a new forensic workspace in forensic lab with the appropriate time range of logs and the
values filtered according to the role-independent attribute that you have chosen. The system also adjusts the
pie chart in the workspace as required.

2.3 Semantic Attributes of Events

Semantic events are representations of the log entries received by SAP Enterprise Threat Detection that can be
understood by human readers.

SAP Enterprise Threat Detection delivers a set of semantic events and semantic attributes that describe all
the log entries from the different logs in your system landscape. Examples of semantic attributes include the
timestamp of an event, event source type, and event source ID. These attributes are set in the knowledge base
and can later be used to browse events in the forensic lab.

Syntax of the Attributes

The attributes have display names that are easy to understand and contain all the information you need to
describe the events. A semantic attribute consists of up to three parts:

• The attribute group.
• The attribute proper.
• The role of the attribute, if it has one.

Groups of Attributes

Group Description

Attack Attack Type and Attack Name of a suspected attack. For example, the Attack Type could be Malware and
the Attack Name would be the name of the actual malware.


Correlation Correlation ID and Correlation Sub ID. If multiple events share the same IDs, these events are
related.

Event Attributes that relate to the event as a whole.

Generic Generic attributes to be used across events.

Network Attributes related to the network level, for example Network Protocol.

Parameter Attributes related to the parameters of an object (for example, the user). A parameter of the user
could be the user password.

Privilege Attributes needed to describe the administration of user privileges.

Resource Attributes that describe the passive elements of an IT system, such as messages, files, or database
tables.

Service Attributes that describe the active elements of an IT system, such as transactions, programs, or Web
services.

System Attributes that identify an IT system and how it is used, for example as a test system or as a
productive system.

Time Attributes about the point in time when the event happened and its duration.

Trigger Attributes to identify a trigger of an event and/or a trigger of its logging.

User and Username Attributes that identify a user account/user and the domain of validity of the user
account/user.

 Note

From the Log Learning user interface, where you assign events to log entries and map these semantic
attributes to events, there are icons that open a list of all available semantic events or attributes.

2.4 Semantic Events in Log Learning

List of semantic events for log learning.
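The generic events at the top of the table below (<Dynamic event assignment>, <Ignore>, <No event>, <OriginalDataOnly>) decide what happens to a log entry before any specific semantic event applies. The following Python is an added example, not part of this guide and not the product's log-learning implementation: it models an entry type whose event is assigned dynamically from an extracted value through a value mapping, and shows how each generic event changes what is kept. The log format, the field names, the entry-type structure, and the rule that an unmapped value falls back to <No event> are assumptions for illustration; the product's actual value-mapping behaviour is documented in Parsing Log Data with Value Mapping.

```python
import re

# Constructed sample lines of one entry type (not real HANA or ETD output). The
# third token is the extracted action value that the value mapping turns into a
# semantic event. The last line is deliberately malformed.
SAMPLE_LOG = """\
2023-03-21T09:00:01Z HANA_PRD CREATE_AUDIT_POLICY user=SYSTEM policy=audit_policy_3
2023-03-21T09:00:05Z HANA_PRD DROP_AUDIT_POLICY user=SYSTEM policy=audit_policy_3
2023-03-21T09:00:09Z HANA_PRD HEARTBEAT user=- policy=-
2023-03-21T09:00:12Z HANA_PRD REBALANCE user=- policy=-
2023-03-21T09:00:15Z HANA_PRD LICENSE_SET user=SYSTEM policy=-
this line does not match the entry type
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sid>\S+) (?P<action>\S+) user=(?P<user>\S+) policy=(?P<policy>\S+)$"
)

# Hypothetical entry-type definition (assumption): the entry type carries the
# generic event <Dynamic event assignment>, and the real event comes from the
# value mapping on the extracted "action" field. Unmapped values fall back to
# <No event>, which is what the guide recommends avoiding where possible.
ENTRY_TYPE = {
    "event": "<Dynamic event assignment>",
    "value_map_field": "action",
    "value_map": {
        "CREATE_AUDIT_POLICY": "System Admin, Audit Policy, Create",
        "DROP_AUDIT_POLICY": "System Admin, Audit Policy, Drop",
        "HEARTBEAT": "<Ignore>",
        "LICENSE_SET": "<OriginalDataOnly>",
    },
    "fallback_event": "<No event>",
}


def resolve_event(entry_type: dict, fields: dict) -> str:
    """Static entry types keep their event; dynamic ones look up the extracted value."""
    if entry_type["event"] != "<Dynamic event assignment>":
        return entry_type["event"]
    value = fields[entry_type["value_map_field"]]
    return entry_type["value_map"].get(value, entry_type["fallback_event"])


def assign_events(log_text: str, entry_type: dict = ENTRY_TYPE):
    """Return (normalized records, original-only records, ignored count, unrecognized lines)."""
    normalized, original_only, unrecognized = [], [], []
    ignored = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unrecognized.append(line)   # no entry type matches: an unrecognized log
            continue
        fields = m.groupdict()
        event = resolve_event(entry_type, fields)
        if event == "<Ignore>":
            ignored += 1                # dropped, and not reported as unrecognized
            continue
        if event == "<OriginalDataOnly>":
            original_only.append({"original": line})   # raw only, own retention period
            continue
        normalized.append({
            "Event, Semantic": event,
            "Time, Timestamp": fields["ts"],
            "System, ID, Actor": fields["sid"],
            "Trigger Name Target": None if fields["policy"] == "-" else fields["policy"],
            "original": line,
        })
    return normalized, original_only, ignored, unrecognized
```

Running it over the sample yields two normalized records with specific events, one record that reached <No event> because REBALANCE has no mapping (the case to watch for when reviewing a value map), one ignored heartbeat that never surfaces as unrecognized, one original-only record, and one unrecognized line.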

Semantic Event Description

<Dynamic event assignment> Dummy event for entry types with an event assignment that is based on extracted
values. Some entry types may contain multiple different semantic events. To extract these distinct semantic
events, use the generic event <Dynamic event assignment> in combination with value mapping. For more
information, see Parsing Log Data with Value Mapping and Example of Dynamic Event Assignment.

<Ignore> Choose this to ignore events that you do not need to log.
Ignored events will not appear as unrecognized logs in SAP
Enterprise Threat Detection.

<No event> Dummy event for entry types with no semantic event assigned. You can choose this generic event if
no specific semantic event matches a log entry. We recommend using a specific semantic event whenever possible.

<OriginalDataOnly> Select <OriginalDataOnly> if you do not want to normalize the data and only need it in its
original format. Note that with special authorization, events marked as original events can be displayed in
the forensic lab. Note that you can specify a separate retention period for the original data.

Alert, Splunk A Splunk alert has been received.

Application Server, Login An application server logs on a user.

Application Server, Logoff An application server logs off a user.

ApplicationServer, Start A user starts an application server.

ApplicationServer, Stop A user stops an application server.

Attack, Call to Malicious Host, Detect A security system detects that an internal host calls a known
malicious host or domain.

Attack, Call to Malicious Host, Detect and Block A security system detects that an internal host calls a known
malicious host or domain. The security system blocks the
call to a malicious host.


Attack, DNS Lookup Of Malicious Host, Detect A security system actor detects that an internal host looks
up a DNS name of a known malicious host or domain.

Attack, Detect A system detects an attack.

Attack, Detect and Block, By Means of Rules A security system detects an attack by means of rules. The
security system blocks the attack.

Attack, Detect, By Means of Rules A security system detects an attack by means of rules.

Attack, Malware-object, Detect A security system detects a malware-object.

Attack, Malware-object, Detect, Failure A security system fails during the malware-object detection process.

Attack, Zero-day Exploit, Detect, by Means of Dynamic Analysis A security system detects a zero-day exploit by
means of dynamic analysis. An internal host is the potential victim of the attack. A malicious host is the
origin of the exploit.

Attack, Zero-day Malware-object, Detect, by Means of Dynamic Analysis A security system detects a zero-day
malware-object by means of dynamic analysis. An internal host is the potential victim of the attack. A
malicious host is the origin of the malware object.

Audit, Alert An automated audit check identified a check-relevant event.

Authentication Provider, Alter A system or a user alters an authentication provider for the
system.

Authentication Provider, Alter, Failure A system or a user attempts to alter an authentication provider for
the system but fails.

Authentication Provider, Create A system or a user sets up an authentication provider for the
system.

Authentication Provider, Create, Failure A system or a user attempts to set up an authentication provider for
the system but fails.

Authentication Provider, Drop A system or a user deinstalls an authentication provider for the system.

Authentication Provider, Drop, Failure A system or a user attempts to deinstall an authentication provider
for the system but fails.

Authentication Provider, Validate A system or a user validates an authentication provider for the system.

Authentication Provider, Validate, Failure A system or a user attempts to validate an authentication provider
for the system but fails.


Certificate, Alter A user alters a certificate in the system.

Certificate, Alter, Failure A user attempts to alter a certificate in the system but fails.

Certificate, Create A user sets up a new certificate in the system.

Certificate, Create, Failure A user attempts to set up a new certificate in the system but
fails.

Certificate, Drop A user deinstalls a certificate from the system.

Certificate, Drop, Failure A user attempts to deinstall certificates from the system but
fails.

Certificate, Revocation List, Download, Failure A system or a user tries to download a certificate revocation
list but fails.

Certificate, Validate, Failure A system or a user attempts to validate a certificate for a subject but fails.

ClientSide, Encryption, Alter A system or a user alters client-side encryption on the sys­
tem.

ClientSide, Encryption, Alter, Failure A system or a user attempts to alter client-side encryption
on the system but fails.

ClientSide, Encryption, Create A system or a user sets up client-side encryption on the system.

ClientSide, Encryption, Create, Failure A system or a user attempts to set up client-side encryption on the
system but fails.

ClientSide, Encryption, Drop A system or a user deinstalls client-side encryption on the system.

ClientSide, Encryption, Drop, Failure A system or a user attempts to deinstall client-side encryption on the
system but fails.

Communication, DNS Dynamic Zone Update, Deny A DNS server denies a dynamic zone update request from an
initiator.

Communication, DNS Forward Map, Add A DNS server adds a DNS forward map as requested by an
initiator.

Communication, DNS Forward Map, Add, Failure A DNS server tries to add a DNS forward map as requested
by an initiator, but fails.

Communication, DNS Reverse Map, Add A DNS server adds a DNS reverse map as requested by an
initiator.


Communication, DNS Reverse Map, Add, Failure A DNS server tries to add a DNS reverse map as requested
by an initiator, but fails.

Communication, FTP, Failure FTP communication fails.

Communication, FTP, Insecure Insecure FTP communication.

Communication, FTP, Request FTP connection request for server was successful.

Communication, Failure Communication failure.

Communication, HTTP Request or HTTP Response, Allow A web filter allows an HTTP request or HTTP response
between an HTTP client and an HTTP server.

Communication, HTTP Request or HTTP Response, Block A web filter blocks an HTTP request or HTTP response
between an HTTP client and an HTTP server.

Communication, HTTP Request, Allow A web filter allows an HTTP request from an HTTP client to
an HTTP server.

Communication, HTTP Request, Block A web filter blocks an HTTP request from an HTTP client to
an HTTP server.

Communication, HTTP Request, React To An HTTP server reacts to an HTTP request.

Communication, HTTP Request, Send A client sends an HTTP request to an HTTP server.

Communication, HTTP Response, Allow A web filter allows an HTTP response from an HTTP server to an HTTP
client.

Communication, HTTP Response, Block A web filter blocks an HTTP response from an HTTP server
to an HTTP client.

Communication, HTTP Request, Untrusted A non-trustworthy system or user sends an HTTP request to the system.

Communication, Message Block, Activated A system or a user activates a message block between an
initiator and a target.

Communication, Message Block, Deactivated A system or a user deactivates a message block between an
initiator and a target.

Communication, Network Access, Deny A network access controller denies a host access to a network.


Communication, Network Access, Deny And Switch A network access controller denies a host access to a network
and switches the host to another network.

Communication, Network Access, Grant A network access controller grants a host access to a network.

Communication, Non-Encrypted Non-encrypted communication

Communication, Packet, Allow A firewall allows a packet or traffic between an initiator and a
target.

Communication, Packet, Block A firewall blocks a packet or traffic between an initiator and a
target.

Communication, Packet, Reject A firewall rejects a packet or traffic between an initiator and a
target.

Communication, RFC Request, Allow An RFC gateway allows a received RFC request.

Communication, RFC Request, Block An RFC gateway blocks a received RFC request.

Customer-Specific Event Customers can create this event in the backend and use it in the forensic lab during
pattern development.

Data Container, Content, Activate A user activates content in a repository.

Data Container, Content, Activate, Failure A user tries to activate content in a repository, but fails.

Data Container, Content, Export A user exports content from a repository.

Data Container, Content, Export, Failure A user tries to export content from a repository, but fails.

Data Container, Content, Import A user imports content into a repository.

Data Container, Content, Import, Failure A user tries to import content into a repository, but fails.

Data Modification, Audit Log, Created A user triggers a data modification audit log entry.

Data, Access A system or a user attempts to access data on the system.

Data, Access, Failure A system or a user attempts to access data on the system
but fails.

Data, Access, Success A system or a user accesses data on the system.

Data, Download A system or a user downloads data to a file.

Data, File Name, Validate, Failure The system denies a request for data transfer because the
file name is not allowed.


Data, File Name, Validate, Success The system allows data transfer because the file name passes validation.

Data, File Name, Validation, Disabled The system allows access to the physical file with deactivated checks
for the logical file name.

Data, File, Access, Block The system blocks access to the physical file due to missing
logical file name.

Data, File, Access, Failure A system or user tried to access a file, but failed.

Data, File, Access, Unvalidated The system allows access to the physical file despite missing
logical file name.

Data, File, Access, Validate The system allows data transfer: File access is checked and
permitted.

Data, File, Access, Validate, Failure This system denies a request for data transfer: File access is
not permitted.

Data, File, Initialized A system has started a data file.

Data, File, Transfer The system accepts a request for data transfer, a file is
transferred.

Data, Monitored Data, Access A user accesses monitored data through the parameters of a
user interface or API.

Data, File, Archive A system has archived a data file.

Data, Payload, Read A system reads the payload of a message.

Data, Sign A system or a user has signed data.

Data, Statistic, Collect Collection of statistic data. This event states that log data
was enriched with statistic data.

Data, Upload A system or a user uploads data.

Data, Upload, Failure A system or a user attempts to upload data but fails.

Database, Alter A user alters a database.

Database, Alter, Failure A user tries to alter a database, but fails.

Database, Artifact, Alter A system or a user alters a database artifact.

Database, Artifact, Create A system or a user creates a database artifact.

Database, Artifact, Drop A system or a user deletes a database artifact.


Database, Backup Catalog Entry, Delete A user deletes a backup catalog entry.

Database, Backup Catalog Entry, Delete, Failure A user tries to delete a backup catalog entry, but fails.

Database, Backup, Create A system or a user creates a database backup.

Database, Backup, Create, Failure A system or a user attempts to create a database backup
but fails.

Database, Backup, Recover A system or a user recovers a database from backup.

Database, Backup, Recover, Failure A system or a user attempts to recover a database from
backup but fails.

Database, Create A user creates a database.

Database, Create, Failure A user tries to create a database, but fails.

Database, Data, Delete A user deletes data from a database table.

Database, Data, Delete, Failure A user tries to delete data from a database table, but fails.

Database, Data, Insert A user inserts data into a database table.

Database, Data, Insert, Failure A user tries to insert data into a database table, but fails.

Database, Data, Select A user selects data from a database table.

Database, Data, Select, Failure A user tries to select data from a database table, but fails.

Database, Data, Select, Generic A user selects data from a database table using generic functions.

Database, Data, Select, Suspicious Suspicious WHERE clause in generic table access

Database, Data, Update A user updates data in a database table.

Database, Data, Update, Failure A user tries to update data in a database table, but fails.

Database, Drop A user drops a database.

Database, Drop, Failure A user tries to drop a database, but fails.

Database, Failure General database execution failure

Database, Rename A user renames a database.

Database, Rename, Failure A user tries to rename a database, but fails.


Database, Start A user starts a database.

Database, Start, Failure A user tries to start a database, but fails.

Database, Stop A user stops a database.

Database, Stop, Failure A user tries to stop a database, but fails.

Database, Table, Alter A user alters a table in a database.

Database, Table, Alter, Failure A user tries to alter a table in a database, but fails.

Database, Table, Create A user creates a table in a database.

Database, Table, Create, Failure A user tries to create a table in a database, but fails.

Database, Table, Drop A user drops a table from a database.

Database, Table, Drop, Failure A user tries to drop a table from a database, but fails.

Dynamic, Code, Alter The system detects altered code.

Encryption, Alter A system or a user alters log encryption in the system.

Encryption, Alter, Failure A system or a user attempts to alter log encryption on the
system, but fails.

Excluding, List, Activated A system or a user activates an exclusion list.

Excluding, List, Deactivated A system or a user deactivates an exclusion list.

Executable, Database Procedure, Run A user or system runs a database procedure.

Executable, Database Procedure, Run, Failure A user or system tries to run a database procedure, but fails.

Executable, RFC-enabled Function Module, Call A client calls an RFC-enabled function module on a target.

Executable, RFC-enabled Function Module, Call, Failure A client calls an RFC-enabled function module on a target,
but fails.

Executable, RFC-enabled Function Module, Call, Unauthorized A client calls an RFC-enabled function module on
a target, but does not have authorization for that.

Executable, RFC-enabled Function Module, Refuse To Run, As Callback A server refuses to run an RFC-enabled
function module as callback, that is, in the context of a callback from a remote function module that the
server called.

Executable, RFC-enabled Function Module, Run A server runs an RFC-enabled function module, as requested
by a client.


Executable, RFC-enabled Function Module, Run, As Callback A server runs an RFC-enabled function module as
callback, that is, in the context of a callback from a remote function module that the server called.

Executable, RFC-enabled Function Module, Run, As Callback, in Simulation Mode A server runs an RFC-enabled
function module as callback, in simulation mode. As callback means in the context of a callback from a
remote function module that the server called.

Executable, Run A user or system runs an executable.

Executable, Run, Cancel A user or system tries to run an executable and cancels it.

Executable, Run, Dynamic Code A user or system runs an executable as dynamic code.

Executable, Run, Failure A user or system tries to run an executable, but fails.

Executable, Run, Remotely A user or system runs an executable remotely on a target.

Executable, Run, Remotely, Failure A user or system tries to run an executable remotely on a
target, but fails.

Executable, Schedule, Failure A user or system tries to schedule an executable, but fails.

Executable, Web Service, Call A client calls a Web service on a target.

Executable, Web Service, Call, Failure A client calls a web service on a target, but fails.

Executable, Web Service, Run A Web server runs a Web service, as requested by a client.

Fire Fighter, Action A system or a user performs actions with the role of a particularly privileged
"Firefighter" user.

Fire Fighter, Action, Failure A system or a user attempts to perform actions with the role
of a particularly privileged "Firefighter" user, but fails.

Indicator From Anomaly ETD generates an indicator from a detected anomaly.

Indicator From Pattern ETD generates an indicator from a pattern.

Network Admin, IP Address, Assign A DHCP server assigns a NetworkIpAddressInitiator to a
NetworkMacAddressInitiator of a DHCP client. The actor and initiator may communicate via an intermediary.

Network Admin, IP Address, Release A DHCP server releases the NetworkIpAddressInitiator assigned to a
NetworkMacAddressInitiator. The actor and initiator may communicate via an intermediary. A released IP
address returns to the free pool.

Network, Connection, Close A system has closed a network connection.


Network, Connection, Establish A system has established a network connection.

Network, Connection, Failure A system has failed to establish a network connection.

Network, Connection, Information, Send A system has sent network connection information.

Network, Connection, Open A system has opened a network connection.

Network, Connection, Request, Block A system has blocked a network connection request.

Network, Connection, Request, Receive A system has received a network connection request.

OAuth 2.0, Access Token, Request OAuth 2.0: a client requests an access token.

OAuth 2.0, Access Token, Request, Failure OAuth 2.0: a client requests an access token, but fails.

OAuth 2.0, Invalid Access Token, Received OAuth 2.0: an invalid access token was received.

OAuth 2.0, Refresh Token, Validate, Failure OAuth 2.0: validation of the refresh token fails.

OAuth 2.0, Token, Declared Invalid OAuth 2.0: a token was declared invalid.

Operation, Canceled, Due To Security Reason The system cancels the operation for security reasons.

Principial Propagation, Deny A system has denied principal propagation

Security, Audit Log, Created A system or a user performs a security relevant operation
which is logged in the Security Audit log.

Service, Create A system or a user sets up a service.

Service, Delete A system or a user deinstalls a service.

Service, Start A system or a user starts a service.

Service, Stop A system or a user stops a service.

System Admin, Audit Log, Clear A user clears an audit log.

System Admin, Audit Log, Clear, Failure A user tries to clear an audit log, but fails.

System Admin, Audit Policy, Alter A user alters a targeted audit policy.

System Admin, Audit Policy, Alter, Failure A user tries to alter a targeted audit policy, but fails.

System Admin, Audit Policy, Change A system or a user changes the audit policy.

System Admin, Audit Policy, Create A user creates a targeted audit policy.

System Admin, Audit Policy, Create, Failure A user tries to create a targeted audit policy, but fails.


System Admin, Audit Policy, Disable A user disables a targeted audit policy.

System Admin, Audit Policy, Disable, Failure A user tries to disable a targeted audit policy, but fails.

System Admin, Audit Policy, Drop A user drops a targeted audit policy.

System Admin, Audit Policy, Drop, Failure A user tries to drop a targeted audit policy, but fails.

System Admin, Audit Policy, Enable A user enables a targeted audit policy.

System Admin, Audit Policy, Enable, Failure A user tries to enable a targeted audit policy, but fails.

System Admin, Command, Execute A system has executed a system admin command.

System Admin, Configuration, Access A user has accessed a configuration.

System Admin, Configuration, Alter A user alters a configuration.

System Admin, Configuration, Alter, Failure A user tries to alter a configuration, but fails.

System Admin, ICF Recorder, Entry, Execute A system or a user executes an ICF recorder entry.

System Admin, License, Set A user sets a license.

System Admin, License, Set, Failure A user tries to set a license, but fails.

System Admin, License, Unset A user unsets a license.

System Admin, License, Unset, Failure A user tries to unset a license, but fails.

System Admin, Log File, Create and Open A system creates and opens a log file.

System Admin, Profile Parameter, Alter A user alters a profile parameter.

System Admin, Profile Parameter, Alter, Failure A user tries to alter a profile parameter, but fails.

System Admin, Security Configuration Is Malformed A system detects that a security configuration is malformed.

System Admin, Session Activity, Cancel A user cancels the session activity. The session has GenericSessionId
and belongs to a targeted user.

System Admin, Session Activity, Cancel, Failure A user tries to cancel the session activity, but fails. The
session has GenericSessionId and belongs to a targeted user.

System Admin, Session, Disconnect A user disconnects a session with GenericSessionId, belonging to a targeted
user.

System Admin, Session, Disconnect, Failure A user tries to disconnect a session with GenericSessionId,
belonging to a targeted user, but fails.

System Admin, System Function, Activate A user activates a system function.


System Admin, System Function, Deactivate A user deactivates a system function.

System Admin, Transaction, Lock A system or user has locked a transaction in the system.

System Admin, Transaction, Unlock A system or user has unlocked a transaction in the system.

System, Access, Rule, Validate The system grants access to another system or user on the
basis of a passed access rule.

System, Access, Rule, Validate, Failure The system does not grant access to another system or user
on the basis of a failed access rule.

System, Configuration, Read A system has loaded a system configuration.

Test Event Test event

User Admin, Authorization Profile, Activate A user activates an authorization profile.

User Admin, Authorization Profile, Alter A user alters an authorization profile.

User Admin, Authorization Profile, Create A user creates an authorization profile.

User Admin, Authorization Profile, Delete A user deletes an authorization profile.

User Admin, Group, Alter A user alters a group.

User Admin, Group, Create A user creates a group.

User Admin, Group, Drop A user drops a group.

User Admin, Privilege With Wildcard, Grant A user grants a privilege with wildcard to a role. A wildcard
privilege has a wildcard character, such as a *, in an authorization value. This may grant unnecessary
privileges.

User Admin, Privilege, Grant A user grants a privilege to a grantee.

User Admin, Privilege, Grant to Role A user grants a privilege to a role.

User Admin, Privilege, Grant, Failure A user tries to grant a privilege to a grantee, but fails.

User Admin, Privilege, Requested User’s authorizations for the specified authorization object
were requested.

User Admin, Privilege, Revoke A user revokes a privilege from a grantee.

User Admin, Privilege, Revoke and Grant A user revokes and grants a privilege to a grantee. This
happens when privileges are given by changing the value of
a user parameter like reference user. Privileges associated
with the prior value are revoked, and privileges associated
with the current value are granted.


User Admin, Privilege, Revoke and Grant, Reference User A user revokes and grants a reference user to a targeted
user.

User Admin, Privilege, Revoke, Failure A user tries to revoke a privilege from a grantee, but fails.

User Admin, Role With Wildcard, Create A user creates a role with wildcard. A wildcard privilege has
a wildcard character, such as a *, in an authorization value.
This may grant unnecessary privileges.

User Admin, Role With Wildcard, Drop A user drops a role with wildcard. A wildcard privilege has a
wildcard character, such as a *, in an authorization value.

User Admin, Role, Alter A user alters a role.

User Admin, Role, Create A user creates a role.

User Admin, Role, Create, Failure A user tries to create a role, but fails.

User Admin, Role, Drop A user drops a role.

User Admin, Role, Drop, Failure A user tries to drop a role, but fails.

User Admin, Security Policy, Alter A user alters a security policy.

User Admin, Security Policy, Create A user creates a security policy.

User Admin, Security Policy, Drop A user drops a security policy.

User Admin, Security Policy, Violated Security policy for service was violated.

User Admin, Structured Privilege, Alter A user alters a structured privilege.

User Admin, Structured Privilege, Alter, Failure A user tries to alter a structured privilege, but fails.

User Admin, Structured Privilege, Create A user creates a structured privilege.

User Admin, Structured Privilege, Create, Failure A user tries to create a structured privilege, but fails.

User Admin, Structured Privilege, Drop A user drops a structured privilege.

User Admin, Structured Privilege, Drop, Failure A user tries to drop a structured privilege, but fails.

User Admin, User Attribute, Alter A user alters a user attribute of a targeted user.

User Admin, User Lock Entry, Deleted The user administrator deletes a lock entry for a user.

User Admin, User, Alter, Failure A user tries to alter a targeted user, but fails.

User Admin, User, Check User has been checked.

User Admin, User, Create A user creates a targeted user.

User Admin, User, Create, Failure A user tries to create a targeted user, but fails.

User Admin, User, Drop A user drops a targeted user.

User Admin, User, Drop, Failure A user tries to drop a targeted user, but fails.

User Admin, User, Lock A user locks a targeted user.

User Admin, User, Lock, Failure A user tries to lock a targeted user, but fails.

User Admin, User, Password, Change A user changes the password of targeted user.

User Admin, User, Unlock A user unlocks a targeted user.

User Admin, User, Unlock, Failure A user tries to unlock a targeted user, but fails.

User, Authorization, Check, Fail The system denies a user the requested rights due to failing
authorization checks.

User, Authorization, Check, Success The system grants a user the requested rights due to successful authorization.

User, Debug A user debugs an executable.

User, Debug, and Control Flow, Alter A user debugs an executable and alters the control flow of
the executable.

User, Debug, and Variable, Alter A user debugs an executable and alters a variable of the
executable.

User, Lock A system locks a targeted user.

User, Logoff A system logs off a targeted user.

User, Logon A system logs on a targeted user. Usually the system authenticates the user and creates a session with GenericSessionId.

User, Logon, CSRF Attack A system detects a CSRF attack while trying to log on a targeted user.

User, Logon, Failure A system tries to log on a targeted user, but fails. Usually the
system authenticates the user and creates a session with
GenericSessionId.

User, Logon, Password Is Incorrect A system tries to log on a targeted user, but the password is
incorrect.

User, Logon, Process Step A system or user has performed an intermediate step towards targeted user logon. Usually, it is a client or identity provider authentication step.

User, Logon, SPNego Attack A system detects an SPNego replay attack while trying to log on a targeted user.

User, SAML2, Logoff A system logs off a targeted user using SAML2.

User, SAML2, Logon A system logs on targeted user using SAML2.

User, SAML2, Logon, Failure A system tries to log on a targeted user using SAML2, but
fails.

User, Sap GUI Data, Validate, Failure Invalid SAP GUI data.

Web Service, Delayed Logon A user accesses a web service using delayed logon (assuming this is delayed logon: https://answers.sap.com/questions/5888701/b2b-delayed-logon---susrinternetuserswitch.html ).

Web Service, Delayed Logon, Failure A user attempts to access a web service using delayed
logon, but fails.

Web Service, Signature, Failure A system or a user attempts to access a web service but fails
on signature check.

Web Service, Timestamp, Invalid A system or a user attempts to access a web service but fails
on timestamp check.

2.5 Semantic Attributes of Events in Log Learning

This is a list of the semantic attributes that you can use for the learning of new logs.

For more information, see the relevant chapters:

• For information about semantic attributes, see Semantic Attributes of Events [page 15].
• For more information about roles of semantic events and their relationship to semantic attributes, see
Roles of Semantic Events with Examples [page 11].

Semantic Attribute Description

Attack Name The attack name: for example, a malware name.

Attack Type The attack type: for example, malware, spoof, or denial of
service.

Correlation ID Used to correlate log instances at the top level: for example,
the root context ID of an SAP passport.

Correlation Sub ID Used to correlate log instances at a lower level of a hierarchy of related instances: for example, the connection ID of an SAP passport.

Event Code Event name or event code. Either a code that identifies the
log entry type, or a text that describes the event.

Event, Log Type The type of log that the event comes from. This is set in the
log learning process.

Event Source ID The ID of the source of the event: for example, a host name
of a syslog server.

Event Source Type The type of the source of the event: for example, a syslog
server.

Event, Message The text of the event instance, often called the event message.

Event, Scenario Role Of Actor The scenario role of the actor: for example, client, server, or
proxy. An example of a scenario is a client-server scenario
where one system plays the role of the client and the other
the role of the server.

Event, Scenario Role Of Initiator The scenario role of the initiator: for example, client, server,
or proxy. An example of a scenario is a client-server scenario
where one system plays the role of the client and the other
the role of the server.

Event, Severity Code The severity of the event.

Generic, Action The action name or action code, usually the verb of the
event, such as create.

Generic, Category A general category for various purposes: for example, the
category of a Web site, such as sports or news.

Generic, Device Type The type of a device, usually an end user device: for example,
an Android phone.

Generic, Explanation An explanation of an action or attack, and so on. Use Generic Outcome Reason for the reason for an outcome. This is for more general explanatory text.

Generic, Geolocation Code, Initiator A code for the geographic location of the initiator of the
event. This code is found in some logs at network level.

Generic, Geolocation Code, Target A code for the geographic location of the target of the event.
This code is found in some logs at network level.

Generic, Order The order of something. This can be used for the numbered
step of a workflow, for example.

Generic, Outcome The outcome of actions or processes. Use Service Outcome for codes returned by services like HTTP servers.

Generic, Outcome, Reason The reason for the outcome of an action, a service call, or
other occurrence.

Generic, Path A path: for example, a path of a URL or other hierarchical structure. Use Resource Name for a file name. Include the directory path, if any, in Resource Name, rather than in this attribute.

Generic, Path, Prior The prior path is used where there are two paths in an event.
If there are two, one is the prior, and the other is simply the
path.

Generic, Purpose The purpose of the log instance. For example, an SAP read
access log instance might specify a purpose such as verifica-
tion of conformity with a particular regulatory requirement.

Generic, Risk Level The level of risk associated with an action or resource, and so on.

Generic, Score A number representing importance (for example, of an event). The larger the score, the greater the importance. Usually the score ranges from zero to one hundred.

Generic, Session ID The ID of a session, usually a user session. This is an application level session ID. Use Network Session ID for a network-level connection ID.

Generic, URI Uniform Resource Identifier (URI), also referred to as a URL.

Network, Host Domain, Actor The domain part of the host name of the actor of the event.

Network, Host Domain, Initiator The domain part of the host name of the initiator of the
event.

Network, Host Domain, Intermediary The domain part of the host name of the intermediary of the
event.

Network, Host Domain, Reporter The domain part of the host name of the reporter of the
event.

Network, Host Domain, Target The domain part of the host name of the target of the event.

Network, Hostname, Actor The local part of the host name of the actor of the event.

Network, Hostname, Initiator The local part of the host name of the initiator of the event.

Network, Hostname, Intermediary The local part of the host name of the intermediary of the
event.

Network, Hostname, Reporter The local part of the host name of the reporter of the event.

Network, Hostname, Target The local part of the host name of the target of the event.

Network, IP Address, Actor The IP address of the actor of the event.

Network, IP Address, Initiator The IP address of the initiator of the event.

Network, IP Address, Intermediary The IP address of the intermediary of the event.

Network, IP Address, Reporter The IP address of the reporter of the event.

Network, IP Address, Target The IP address of the target of the event.

Network, IP Before NAT, Initiator The IP address of the initiator of the event before network
address translation (NAT). The IP Address after NAT is in
Network IP Address.

Network, IP Before NAT, Target The IP address of the target of the event before network
address translation (NAT). The IP Address after NAT is in
Network IP Address.

Network, Interface, Initiator The name of a network interface that connects to the initiator. The network interface is part of the actor.

Network, Interface, Target The name of a network interface that connects to the target.
The network interface is part of the actor.

Network, MAC Address, Actor The MAC address of the actor of the event.

Network, MAC Address, Initiator The MAC address of the initiator of the event.

Network, MAC Address, Intermediary The MAC address of the intermediary of the event.

Network, MAC Address, Reporter The MAC address of the reporter of the event.

Network, MAC Address, Target The MAC address of the target of the event.

Network, Network Prefix, Initiator The subnetwork for the initiator: for example, an IP prefix, reported in network level logs. It is represented as an IP address and number, where number is the length of the prefix in bits: for example, 24.

Network, Network Prefix, Target The subnetwork for the target: for example, an IP prefix, reported in network level logs. It is represented as an IP address and number, where number is the length of the prefix in bits: for example, 24.

Network, Port Before NAT, Initiator The initiator port number before Network Address Translation (NAT). The port number after NAT is in network, port.

Network, Port Before NAT, Target The target port number before Network Address Translation
(NAT). The port number after NAT is in network, port.

Network, Port, Actor The port number of the actor of the event: for example, a
UDP or TCP port number.

Network, Port, Initiator The port number of the initiator of the event: for example, a
UDP or TCP port number.

Network, Port, Intermediary The port number of the intermediary of the event: for example, a UDP or TCP port number.

Network, Port, Reporter The port number of the reporter of the event: for example, a
UDP or TCP port number.

Network, Port, Target The port number of the target of the event: for example, a
UDP or TCP port number.

Network, Protocol The protocol of the message or packet: for example, HTTP,
ICMP, TCP, or UDP. This is a code or name from IANA, or a
vendor-specific protocol name.

Network, Session ID Session or connection ID at network level. Use Generic session ID for an application level session ID.

Network, Zone, Initiator A name for an area of a network: for example, the user zone,
the server zone, or the Internet zone. The named area is the
area of the initiator of the event. Zones may occur in network
level logs.

Network, Zone, Target A name for an area of a network: for example, the user zone,
the server zone, or the Internet zone. The named area is the
area of the target of the event. Zones may occur in network
level logs.

Parameter Data Type The data type of the parameter: for example, numeric, string
or timestamp.

Parameter Data Type, Context The data type of a context parameter: for example, string or
numeric.

Parameter Direction The direction of the parameter: input, output, or input and
output.

Parameter Name The name of a parameter. For Read Access Logging, this is
the log domain.

Parameter Name, Context The name of a parameter that gives the context for other
parameters: for example, an employee ID field in a Dynpro
application could be the context for other fields containing
data about this employee.

Parameter Type The type of a parameter. Types of parameters include attributes, features, states, and configuration settings. For Read Access Logging, this is the log domain name, a name which provides some semantics for technical names.

Parameter Type, Context The type of the context parameter. For Read Access Logging,
this is the log domain.

Parameter Value, Double The value of a floating point numeric parameter.

Parameter Value, Double, Prior Value The value of a floating point numeric parameter prior to a
modification.

Parameter Value, Number The value of a numeric parameter.

Parameter Value, Number, Context The value of a numeric context parameter.

Parameter Value, Number, Prior Value The value of a numeric parameter prior to a modification.

Parameter Value, String The value of a string parameter.

Parameter Value, String, Context The value of a string context parameter.

Parameter Value, String, Prior Value The value of a string parameter prior to a modification.

Parameter Value, Timestamp The value of a timestamp parameter.

Parameter Value, Timestamp, Prior Value The value of a timestamp parameter prior to a modification.

Parameter, Direction, Context The direction of a parameter that gives the context for other
parameters: for example, an employee ID field in a Dynpro
application could be the context for other fields containing
data about this employee. The direction can be input, out­
put, or input and output.

Privilege Is Grantable Indicates if the granted privileges can be granted to others by the grantee, the receiver of the privileges.

Privilege Name The name of a privilege.

Privilege Type The type of a privilege.

Privilege, Grantee Name The name of a grantee, a receiver of privileges.

Privilege, Grantee Type The type of a grantee, a receiver of privileges. If the type is
user, then username, targeted and privilege, grantee name
should both contain the user name of the grantee.

Resource Container Name The name of a resource container.

Resource Container Type The type of a resource container: for example, a database
schema or a data repository.

Resource Content Or Hash Either a hash of the content of a resource or simply the
content of the resource. A hash is often used to check the
integrity of the content. A mismatch between the computed
hash and the given hash indicates that the content has been
modified.

Resource Content Type The type of content of a resource: for example, a MIME type.

Resource Count The number of countable resources. Use resource type for
the type of the resource counted.

Resource Name The name of a resource: for example, a file name, a database
table name. Not all resources are named. For example, a
message has a type, but not usually a name. Use this attrib­
ute for a file name and include the directory path, if any.

Resource Name, Prior The name of a prior resource. For example, if the event reports the execution of a command like copy /sys/x.exe to /com/y.exe, this is the name of the source file, /sys/x.exe. The name of the destination file, /com/y.exe, goes in Resource Name.

Resource Request Size The size of a request message: for example, an HTTP request. The units of measure for the size (for example, byte) are in resource, units of measure.

Resource Response Size The size of a response message: for example, an HTTP response. The units of measure for the size (for example, byte) are in resource, units of measure.

Resource Size The length or size of the resource, usually in bytes. Use
resource type for the type.

Resource Type The type of a resource involved in an event. Examples of resources include files, messages, database tables, and configurations.

Resource, Sum Criteria A phrase specifying what is summed over time: for example,
matches of packets to denied list. This sum is a count of how
many packets matched a list of source IP addresses that
are denied access to the network. In this case, resource type
would be packet.

Resource, Sum Over Time The sum over time of something related to a resource; Resource, Sum Criteria specifies what is summed.

Resource, Units Of Measure The units of measurement for a size or sum of a resource.

Service, Access Name A name that can be used to access a service, used for RFC
destination, for example.

Service, Application Name The syslog application name or other application name. An
application is, in general, at a higher level of hierarchy than a
program.

Service, Executable Name The name of an executable whose type is identified by executable type. Only use these two fields if there is a special kind of executable that does not match an existing attribute such as transaction name or program name.

Service, Executable Type The type of an executable whose name is identified by executable name. Only use these two fields if there is a special kind of executable that does not match an existing attribute such as transaction name or program name.

Service, Function Name The name of a function module, a procedure, an HTTP method, a Web service operation, or similar type of relatively low level executable.

Service, Instance Name The name of the service instance. For SAP NetWeaver Application Server ABAP, the instance name identifies server, system, and instance number.

Service, Outcome The outcome of a service: for example, the code returned by
an HTTP server.

Service, Part ID An identifier for a part of some service: for example, a particular library that is used across services.

Service, Process ID The identifier of a process, also called PID.

Service, Program Name The name of a program or report.

Service, Referrer The HTTP referrer or other type of referrer.

Service, Request Line The request line for HTTP or the command line for a program, for example.

Service, Transaction Name The name of a middle level of a hierarchy of execution. The
hierarchy goes from workflow, to transaction, to program, to
function.

Service, Type The type of the service running on an actor: for example, HTTP Client or FTP Server. This is often related to the network protocol, which would be HTTP.

Service, User Agent The HTTP user agent field or other field that gives information about the client's agent program.

Service, Version The version of the type of service: for example, 1.1 for HTTP.

Service, Workflow Name The name of a workflow, the highest level of a four-level hierarchy of execution: workflow, transaction, program, function. Note that a report is a type of program.

System ID, Actor The ID of the actor system of the event: for example, SID/
client ID for an ABAP system.

System ID, Initiator The ID of the initiator system of the event: for example, SID/
client ID for an ABAP system.

System ID, Intermediary The ID of the intermediary system of the event: for example,
SID/client ID for an ABAP system.

System ID, Reporter The ID of the reporter system of the event: for example, SID/
client ID for an ABAP system.

System ID, Target The ID of the target system of the event: for example, SID/
client ID for an ABAP system.

System Type, Actor The type of the actor system: for example, ABAP.

System Type, Initiator The type of the initiator system: for example, ABAP.

System Type, Intermediary The type of the intermediary system: for example, ABAP.

System Type, Reporter The type of the reporter system: for example, ABAP.

System Type, Target The type of the target system: for example, ABAP.

Technical, Group ID Used to group events from the same log instance.

Time Duration An extent of time, often of an action, or of time to perform all actions leading up to the event report. For example, time to process the HTTP request, including the processing of the response.

Timestamp The time at which the event was observed or reported.

Timestamp Of End The time at which something ends: for example, an action.

Timestamp Of Start The time at which something starts: for example, an action.

Trigger Name, Actor The name of the entity that triggered the event and/or caused it to be logged (examples include timers, audit policies, security configurations, and attack signatures).

Trigger Name, Target The name of the trigger that is the target of some action: for
example, creation, modification, enablement, disablement,
or deletion.

Trigger Type, Actor The type of entity that triggered the event, and/or caused it to be logged (examples include timers, audit policies, security configurations, and attack signatures).

Trigger Type, Target The type of a trigger that is the target of some action: for
example, creation, modification, enablement, disablement,
or deletion.

User Account Name, Actor A user account is identified by a triple: User Account Name,
Username Domain Type, and Username Domain Name. A
real user often has accounts in different domains (systems).
For example, one real user may have two accounts: Smith/
ABAP/CRM/00 and Smith2/ABAP/SCM/00. All accounts
for the same real user are assigned the same pseudonym,
because a pseudonym is intended to represent one real user.
This attribute is for the actor user's user account name.

User Account Name, Initiator A user account is identified by a triple: User Account Name,
Username Domain Type, and Username Domain Name. A
real user often has accounts in different domains (systems).
For example, one real user may have two accounts: Smith/
ABAP/CRM/00 and Smith2/ABAP/SCM/00. All accounts
for the same real user are assigned the same pseudonym,
because a pseudonym is intended to represent one real user.
This attribute is for the initiator user's user account name.

User Account Name, Target A user account is identified by a triple: User Account Name,
Username Domain Type, and Username Domain Name. A
real user often has accounts in different domains (systems).
For example, one real user may have two accounts: Smith/
ABAP/CRM/00 and Smith2/ABAP/SCM/00. All accounts
for the same real user are assigned the same pseudonym,
because a pseudonym is intended to represent one real user.
This attribute is for the target user's user account name.

User Account Name, Remote A user account is identified by a triple: User Account Name,
Username Domain Type, and Username Domain Name. A
real user often has accounts in different domains (systems).
For example, one real user may have two accounts: Smith/
ABAP/CRM/00 and Smith2/ABAP/SCM/00. All accounts
for the same real user are assigned the same pseudonym,
because a pseudonym is intended to represent one real user.
This attribute is for the remote user's user account name.

User Logon Method The method of the logon, that is, how the user is authenticated.

Username, Domain Name, Actor A user account is identified by a triple: User Account Name,
Username Domain Type, and Username Domain Name. The
domain is the domain of validity of the user account name. It
identifies the system that can resolve the user account name
to a real user. The domain name is the same as the system
ID for an ABAP system, because the domain of validity of
an ABAP user account is an ABAP system. An ABAP system
ID is the SAP ID plus the SAP client number: for example,
CRM/00. This attribute is for the actor user's username
domain name.

Username, Domain Name, Initiator A user account is identified by a triple: User Account Name,
Username Domain Type, and Username Domain Name. The
domain is the domain of validity of the user account name. It
identifies the system that can resolve the user account name
to a real user. The domain name is the same as the system
ID for an ABAP system, because the domain of validity of
an ABAP user account is an ABAP system. An ABAP system
ID is the SAP ID plus the SAP client number: for example,
CRM/00. This attribute is for the initiator user's username
domain name.

Username, Domain Name, Target A user account is identified by a triple: User Account Name,
Username Domain Type, and Username Domain Name. The
domain is the domain of validity of the user account name. It
identifies the system that can resolve the user account name
to a real user. The domain name is the same as the system
ID for an ABAP system, because the domain of validity of
an ABAP user account is an ABAP system. An ABAP system
ID is the SAP ID plus the SAP client number: for example,
CRM/00. This attribute is for the target user's username
domain name.

Username, Domain Name, Remote A user account is identified by a triple: User Account Name,
Username Domain Type, and Username Domain Name. The
domain is the domain of validity of the user account name. It
identifies the system that can resolve the user account name
to a real user. The domain name is the same as the system
ID for an ABAP system, because the domain of validity of
an ABAP user account is an ABAP system. An ABAP system
ID is the SAP ID plus the SAP client number: for example,
CRM/00. This attribute is for the remote user's username
domain name.

Username, Domain Type, Actor A user account is identified by a triple: User Account Name,
Username Domain Type, and Username Domain Name. The
domain is the domain of validity of the user account name. It
identifies the system that can resolve the user account name
to a real user. It is the same as a system type for an ABAP
system, that is, ABAP is the system type. This attribute is for
the actor user's username domain type.

Username, Domain Type, Initiator A user account is identified by a triple: User Account Name,
Username Domain Type, and Username Domain Name. The
domain is the domain of validity of the user account name. It
identifies the system that can resolve the user account name
to a real user. It is the same as a system type for an ABAP
system, that is, ABAP is the system type. This attribute is for
the initiator user's username domain type.

Username, Domain Type, Target A user account is identified by a triple: User Account Name,
Username Domain Type, and Username Domain Name. The
domain is the domain of validity of the user account name. It
identifies the system that can resolve the user account name
to a real user. It is the same as a system type for an ABAP
system, that is, ABAP is the system type. This attribute is for
the target user's username domain type.

Username, Domain Type, Remote A user account is identified by a triple: User Account Name,
Username Domain Type, and Username Domain Name. The
domain is the domain of validity of the user account name. It
identifies the system that can resolve the user account name
to a real user. It is the same as a system type for an ABAP
system, that is, ABAP is the system type. This attribute is for
the remote user's username domain type.
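The attribute definitions above describe a normalization target rather than a procedure, so the following Python block shows, as an added example that is not part of this guide or of SAP Enterprise Threat Detection's own log learning, what a log line looks like once it is mapped onto these attribute names. Both input records (an HTTP access log line and an ABAP audit entry with a placeholder event code) are constructed for the example; the regular expression, the assignment of the client to the initiator role and the logging server to the target role, the mapping of HTTP outcomes 401 and 403 to the semantic events User, Logon, Failure and User, Authorization, Check, Fail, and the choice of SHA-256 for the Resource Content Or Hash check are all assumptions made here.

```python
"""Map constructed raw log records onto the semantic attribute names listed
above. Added example; the role assignments and event mapping are assumptions,
not SAP Enterprise Threat Detection's own log learning output."""
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample HTTP access log line (not taken from any real system).
HTTP_LINE = ('app01.corp.example 10.1.2.37 - jdoe [21/Mar/2023:10:15:02 +0100] '
             '"GET /sap/bc/gui/sap/its/webgui?sap-client=100 HTTP/1.1" 403 512')

# Constructed sample ABAP audit entry; the event code is a placeholder.
ABAP_ENTRY = {'sid': 'CRM', 'client': '00', 'user': 'SMITH',
              'event': 'EVENT_CODE_PLACEHOLDER', 'message': 'Logon failed'}

HTTP_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+)$')

# Assumed mapping from the HTTP outcome to a semantic event of section 2.4.
OUTCOME_TO_EVENT = {'401': 'User, Logon, Failure',
                    '403': 'User, Authorization, Check, Fail'}


def split_hostname(fqdn):
    """Split 'app01.corp.example' into the local part and the domain part,
    which go into Network, Hostname and Network, Host Domain respectively."""
    local, _, domain = fqdn.partition('.')
    return local, domain


def network_prefix(ip, bits=24):
    """Network, Network Prefix: IP address plus prefix length, e.g. 10.1.2.0/24."""
    return str(ipaddress.ip_network(f'{ip}/{bits}', strict=False))


def normalize_http(line):
    """Normalize one access-log line. Assumption: the client is the initiator
    and the server that wrote the line is the target."""
    m = HTTP_RE.match(line)
    if m is None:
        raise ValueError('line does not match the constructed access log format')
    local, domain = split_hostname(m['host'])
    attrs = {
        'Event, Log Type': 'HTTP access log (constructed)',
        'Event, Message': line,
        'Timestamp': m['ts'],
        'Network, Hostname, Target': local,
        'Network, Host Domain, Target': domain,
        'Network, IP Address, Initiator': m['ip'],
        'Network, Network Prefix, Initiator': network_prefix(m['ip']),
        'Network, Protocol': 'HTTP',
        'Service, Type': 'HTTP Server',
        'Service, Version': m['version'],
        'Service, Function Name': m['method'],      # the HTTP method
        'Service, Request Line': f'{m["method"]} {m["uri"]} HTTP/{m["version"]}',
        'Generic, URI': m['uri'],
        'Generic, Path': urlsplit(m['uri']).path,   # hierarchical path, no query
        'Service, Outcome': m['status'],            # server code, not Generic, Outcome
        'Resource Response Size': int(m['size']),
        'Resource, Units Of Measure': 'byte',
        'User Account Name, Initiator': m['user'],
    }
    event = OUTCOME_TO_EVENT.get(m['status'])
    if event:
        attrs['Event (semantic)'] = event
    return attrs


def normalize_abap(entry):
    """Build the user account triple. For an ABAP account the domain name is
    the system ID, SID plus client, e.g. CRM/00, and the domain type is ABAP."""
    domain_name = f"{entry['sid']}/{entry['client']}"
    return {
        'Event, Log Type': 'ABAP security audit log (constructed)',
        'Event Code': entry['event'],
        'Event, Message': entry['message'],
        'System Type, Actor': 'ABAP',
        'System ID, Actor': domain_name,
        'User Account Name, Target': entry['user'],
        'Username, Domain Type, Target': 'ABAP',
        'Username, Domain Name, Target': domain_name,
    }


def account_key(attrs, role):
    """Slash notation for one user account as used in the table, e.g.
    Smith/ABAP/CRM/00; accounts of the same real user share a pseudonym."""
    return '/'.join((attrs[f'User Account Name, {role}'],
                     attrs[f'Username, Domain Type, {role}'],
                     attrs[f'Username, Domain Name, {role}']))


def content_matches_hash(content, given_hash):
    """Resource Content Or Hash: a mismatch between the computed and the given
    hash indicates that the content was modified (SHA-256 assumed here)."""
    return hashlib.sha256(content).hexdigest() == given_hash


if __name__ == '__main__':
    for key, value in normalize_http(HTTP_LINE).items():
        print(f'{key}: {value}')
    print(account_key(normalize_abap(ABAP_ENTRY), 'Target'))
```

The two normalizers deliberately keep Generic, Path (the URL path) apart from Resource Name, and Service, Outcome (the server's status code) apart from Generic, Outcome, following the distinctions the table draws; the size attribute is only meaningful together with Resource, Units Of Measure.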

2.6 Semantic Attributes of Events in Forensic Lab

This is a list of semantic attributes that you can select to create subnets when browsing events in forensic lab.

For more information, see the relevant chapters:

• For information about semantic attributes, see Semantic Attributes of Events [page 15].
• For more information about roles of semantic events and their relationship to semantic attributes, see
Roles of Semantic Events with Examples [page 11].

Semantic Attribute Description

Attack Name The attack name: for example, a malware name

Attack Type The attack type: for example, malware, spoof, or denial of service

Correlation ID Used to correlate log instances at the top level, for example, the root context ID of an SAP
passport.

Correlation Sub ID | Used to correlate log instances at a lower level of a hierarchy of related instances, for example, the connection ID of an SAP passport.
Event (semantic) | Choose this attribute if you want to select semantic events.
Event Code | Event name or event code: either a code that identifies the log entry type, or a text that describes the event.
Event Source ID | The ID of the source of the event (for example, a hostname of a syslog server)
Event Source Type | The type of the source of the event (for example, a syslog server)
Event, Log Type | The type of log that the event comes from. This is set in the log learning process.
Event, Message | The text of the event instance, often called the event message.
Event, Original Message | Original log data
Event, Scenario Role Of Actor | The scenario role of the actor, for example, client, server, or proxy. An example of a scenario is a client-server scenario where one system plays the role of the client and the other the role of the server.
Event, Scenario Role Of Initiator | The scenario role of the initiator, for example, client, server, or proxy. An example of a scenario is a client-server scenario where one system plays the role of the client and the other the role of the server.
Event, Severity Code | The severity of the event.
Generic, Action | The action name or action code, usually the verb of the event, such as create.
Generic, Category | A general category for various purposes: for example, the category of a web site, such as sports or news.
Generic, Device Type | The type of a device, usually an end user device: for example, an Android phone.
Generic, Explanation | An explanation of an action, attack, and so on. Use Generic, Outcome, Reason for the reason for an outcome. This attribute is for more general explanatory text.
Generic, Geolocation Code, Initiator | A code for the geographic location of the initiator of the event. This code is found in some logs at network level.
Generic, Geolocation Code, Target | A code for the geographic location of the target of the event. This code is found in some logs at network level.
Generic, Order | The position of an item in a sequence. This can be used for the numbered step of a workflow, for example.
Generic, Outcome | The outcome of actions or processes. Use Service, Outcome for codes returned by services like HTTP servers.
Generic, Outcome, Reason | The reason for the outcome of an action, a service call, or other occurrence.
Generic, Path | A path (for example, a path of a URL or other hierarchical structure). Use Resource Name for a file name. Include the directory path, if any, in Resource Name, rather than in this attribute.
Generic, Path, Prior | The prior path is used in case there are two paths in an event. If there are two, one is the prior, and the other is just the path.
Generic, Purpose | The purpose of the log instance. For example, an SAP Read Access Log instance might specify a purpose such as verification of compliance with a particular regulatory requirement.
Generic, Risk Level | The level of risk associated with an action, resource, and so on.
Generic, Score | A number representing the importance of an event or other thing that can be assigned an importance. The larger the score, the more important the thing. Usually the score ranges from zero to one hundred.
Generic, Session Id | The ID of a session, usually a user session. This is an application-level session ID. Use Network, Session ID for a network-level connection ID.
Generic, URI | Uniform Resource Identifier (URI), also referred to as a URL.
ID | Used to identify a concrete log entry
Line of Business, Actor | The Line of Business of the actor system as defined in the System application
Line of Business, Initiator | The Line of Business of the initiator system as defined in the System application
Line of Business, Intermediary | The Line of Business of the intermediary system as defined in the System application
Line of Business, Reporter | The Line of Business of the reporter system as defined in the System application
Line of Business, Target | The Line of Business of the target system as defined in the System application
Network, Host Domain, Actor | The domain part of the hostname of the actor of the event
Network, Host Domain, Initiator | The domain part of the hostname of the initiator of the event
Network, Host Domain, Intermediary | The domain part of the hostname of the intermediary of the event
Network, Host Domain, Reporter | The domain part of the hostname of the reporter of the event
Network, Host Domain, Target | The domain part of the hostname of the target of the event
Network, Hostname, Actor | The local part of the hostname of the actor of the event
Network, Hostname, Initiator | The local part of the hostname of the initiator of the event
Network, Hostname, Intermediary | The local part of the hostname of the intermediary of the event
Network, Hostname, Reporter | The local part of the hostname of the reporter of the event
Network, Hostname, Target | The local part of the hostname of the target of the event
Network, IP Address, Actor | The IP address of the actor of the event.
Network, IP Address, Initiator | The IP address of the initiator of the event.
Network, IP Address, Intermediary | The IP address of the intermediary of the event.
Network, IP Address, Reporter | The IP address of the reporter of the event.
Network, IP Address, Target | The IP address of the target of the event.
Network, IP Before NAT, Initiator | The IP address of the initiator of the event before network address translation (NAT). The IP address after NAT is in Network, IP Address.
Network, IP Before NAT, Target | The IP address of the target of the event before network address translation (NAT). The IP address after NAT is in Network, IP Address.
Network, Interface, Initiator | The name of a network interface that connects to the initiator. The network interface is part of the actor.
Network, Interface, Target | The name of a network interface that connects to the target. The network interface is part of the actor.
Network, MAC Address, Actor | The MAC address of the actor of the event
Network, MAC Address, Initiator | The MAC address of the initiator of the event
Network, MAC Address, Intermediary | The MAC address of the intermediary of the event
Network, MAC Address, Reporter | The MAC address of the reporter of the event
Network, MAC Address, Target | The MAC address of the target of the event
Network, Network Prefix, Initiator | The subnetwork for the initiator, for example, an IP prefix, reported in network-level logs. It is represented as an IP address and a number, where the number is the length of the prefix in bits, for example, 24.
Network, Network Prefix, Target | The subnetwork for the target, for example, an IP prefix, reported in network-level logs. It is represented as an IP address and a number, where the number is the length of the prefix in bits, for example, 24.
Network, Port Before NAT, Initiator | The initiator port number before Network Address Translation (NAT). The port number after NAT is in Network, Port.
Network, Port Before NAT, Target | The target port number before Network Address Translation (NAT). The port number after NAT is in Network, Port.
Network, Port, Actor | The port number of the actor of the event, for example, a UDP or TCP port number.
Network, Port, Initiator | The port number of the initiator of the event, for example, a UDP or TCP port number.
Network, Port, Intermediary | The port number of the intermediary of the event, for example, a UDP or TCP port number.
Network, Port, Reporter | The port number of the reporter of the event, for example, a UDP or TCP port number.
Network, Port, Target | The port number of the target of the event, for example, a UDP or TCP port number.
Network, Protocol | The protocol of the message or packet, for example, HTTP, ICMP, TCP, or UDP. This is a code or name from IANA, or a vendor-specific protocol name.
Network, Session ID | Session or connection ID at network level. Use Generic, Session Id for an application-level session ID.
Network, Subnet, Address, Actor | A network address that identifies the subnetwork that includes the actor of the event. Subnetworks are managed by administrators.
Network, Subnet, Address, Initiator | A network address that identifies the subnetwork that includes the initiator of the event. Subnetworks are managed by administrators.
Network, Subnet, Address, Intermediary | A network address that identifies the subnetwork that includes the intermediary of the event. Subnetworks are managed by administrators.
Network, Subnet, Address, Reporter | A network address that identifies the subnetwork that includes the reporter of the event. Subnetworks are managed by administrators.
Network, Subnet, Address, Target | A network address that identifies the subnetwork that includes the target of the event. Subnetworks are managed by administrators.
Network, Subnet, Category, Actor | The category of the subnetwork that includes the actor of the event. Subnetworks are managed by administrators.
Network, Subnet, Category, Initiator | The category of the subnetwork that includes the initiator of the event. Subnetworks are managed by administrators.
Network, Subnet, Category, Intermediary | The category of the subnetwork that includes the intermediary of the event. Subnetworks are managed by administrators.
Network, Subnet, Category, Reporter | The category of the subnetwork that includes the reporter of the event. Subnetworks are managed by administrators.
Network, Subnet, Category, Target | The category of the subnetwork that includes the target of the event. Subnetworks are managed by administrators.
Network, Subnet, Location, Actor | The location of the subnetwork that includes the actor of the event, for example, the name of a city. Subnetworks are managed by administrators.
Network, Subnet, Location, Initiator | The location of the subnetwork that includes the initiator of the event, for example, the name of a city. Subnetworks are managed by administrators.
Network, Subnet, Location, Intermediary | The location of the subnetwork that includes the intermediary of the event, for example, the name of a city. Subnetworks are managed by administrators.
Network, Subnet, Location, Reporter | The location of the subnetwork that includes the reporter of the event, for example, the name of a city. Subnetworks are managed by administrators.
Network, Subnet, Location, Target | The location of the subnetwork that includes the target of the event, for example, the name of a city. Subnetworks are managed by administrators.
Network, Subnet, Description, Actor | The name of the subnetwork that includes the actor of the event. Subnetworks are managed by administrators.
Network, Subnet, Description, Initiator | The name of the subnetwork that includes the initiator of the event. Subnetworks are managed by administrators.
Network, Subnet, Description, Intermediary | The name of the subnetwork that includes the intermediary of the event. Subnetworks are managed by administrators.
Network, Subnet, Description, Reporter | The name of the subnetwork that includes the reporter of the event. Subnetworks are managed by administrators.
Network, Subnet, Description, Target | The name of the subnetwork that includes the target of the event. Subnetworks are managed by administrators.
Network, Zone, Initiator | A name for an area of a network, for example, the user zone, the server zone, or the Internet zone. The named area is the area of the initiator of the event. Zones may occur in network-level logs.
Network, Zone, Target | A name for an area of a network, for example, the user zone, the server zone, or the Internet zone. The named area is the area of the target of the event. Zones may occur in network-level logs.
Parameter Data Type | The data type of the parameter, for example, numeric, string, or timestamp.
Parameter Data Type, Context | The data type of a context parameter, for example, string or numeric.
Parameter Direction | The direction of the parameter: input, output, or input and output.
Parameter Name | The type of the context parameter. For Read Access Logging, this is the log domain.
Parameter Name, Context | The name of a parameter that gives the context for other parameters (for example, an employee ID field in a Dynpro application could be the context for other fields containing data about this employee)
Parameter Type | The type of a parameter. Types of parameters include attributes, features, states, configuration settings, and so on. For Read Access Logging, this is the log domain name, which provides some semantics for technical names.
Parameter Type, Context | The type of the context parameter. For Read Access Logging, this is the log domain.
Parameter Value, Double | The value of a floating point numeric parameter.
Parameter Value, Double, Prior Value | The value of a floating point numeric parameter prior to a modification.
Parameter Value, Number | The value of a numeric parameter.
Parameter Value, Number, Context | The value of a numeric context parameter.
Parameter Value, Number, Prior Value | The value of a numeric parameter prior to a modification.
Parameter Value, String | The value of a string parameter.
Parameter Value, String, Context | The value of a string context parameter.
Parameter Value, String, Prior Value | The value of a string parameter prior to a modification.
Parameter Value, Timestamp | The value of a timestamp parameter.
Parameter Value, Timestamp, Prior Value | The value of a timestamp parameter prior to a modification.
Parameter, Direction, Context | The direction of a parameter that gives the context for other parameters (for example, an employee ID field in a Dynpro application could be the context for other fields containing data about this employee). The direction can be input, output, or input and output.
Privilege Is Grantable | Indicates whether the granted privileges can be granted to others by the grantee, the receiver of the privileges.
Privilege Name | The name of a privilege.
Privilege Type | The type of a privilege.
Privilege, Grantee Name | The name of a grantee, a receiver of privileges.
Privilege, Grantee Type | The type of a grantee, a receiver of privileges. If the type is user, then Username, Target and Privilege, Grantee Name should both contain the user name of the grantee.
Resource Container Name | The name of a resource container.
Resource Container Type | The type of a resource container, for example, a database schema or a data repository.
Resource Content Or Hash | Either a hash of the content of a resource or simply the content of the resource. A hash is often used to check the integrity of the content. A mismatch between the computed hash and the given hash indicates that the content has been modified.
Resource Content Type | The type of content of a resource, for example, a MIME type
Resource Count | The number of countable resources. Use Resource Type for the type of the resource counted.
Resource Name | The name of a resource, for example, a file name, a database table name, and so on. Not all resources are named (for example, a message has a type, but not usually a name). Use this attribute for a file name and include the directory path, if any.
Resource Name, Prior | The name of a prior resource. For example, if the event reports the execution of a command such as copy /sys/x.exe to /com/y.exe, this is the name of the from file, /sys/x.exe. The name of the to file, /com/y.exe, goes in Resource Name.
Resource Request Size | The size of a request message (for example, an HTTP request). The units of measure for the size (for example, byte) are in Resource, Units Of Measure.
Resource Response Size | The size of a response message (for example, an HTTP response). The units of measure for the size (for example, byte) are in Resource, Units Of Measure.
Resource Size | The length or size of the resource, usually in bytes. Use Resource Type for the type.
Resource Type | The type of a resource involved in an event. Examples of resources include files, messages, database tables, and configurations.
Resource, Sum Criteria | A phrase specifying what is summed over time (for example, matches of packets to denied list). This sum is a count of how many packets matched a list of source IP addresses that are denied access to the network. In this case, the resource type would be packet.
Resource, Sum Over Time | The sum over time of something related to a resource; Resource, Sum Criteria specifies what is summed.
Resource, Units Of Measure | The units of measurement for a size or sum of a resource.
Service, Access Name | A name that can be used to access a service, used for an RFC destination, for example.
Service, Application Component | A software building block within an application that enables a set of department-specific business processes or cross-functional business processes. Application components can offer services to support these business processes. Application components are not implemented in a stand-alone manner. The application component and the software component come from the object directory as part of ETD master data extraction.
Service, Application Name | The syslog application name or other application name. An application is, generally, at a higher hierarchy level than a program.
Service, Executable Name | The name of an executable whose type is identified by Service, Executable Type. Only use these two fields if there is a special kind of executable that does not match an existing attribute such as Transaction Name or Program Name.
Service, Executable Type | The type of an executable whose name is identified by Service, Executable Name. Only use these two fields if there is a special kind of executable that does not match an existing attribute such as Transaction Name or Program Name.
Service, Function Name | The name of a function module, a procedure, an HTTP method, a web service operation, or a similar type of relatively low-level executable.
Service, Instance Name | The name of the service instance. For SAP NetWeaver Application Server for ABAP, the instance name identifies server, system, and instance number.
Service, Outcome | The outcome of a service (for example, the code returned by an HTTP server)
Service, Part ID | An identifier for a part of some service (for example, a particular library that is used across services)
Service, Process ID | The identifier of a process, also called PID
Service, Program Name | The name of a program or report
Service, Referrer | The HTTP referrer or other type of referrer
Service, Request Line | The request line for HTTP or the command line for a program, and so on.
Service, Software Component | A set of SAP software objects that are grouped in development classes and can only be delivered together (for example, SAP CRM powered by SAP HANA). The application component and the software component come from the object directory as part of SAP Enterprise Threat Detection master data extraction.
Service, Transaction Name | The name of a middle level of a hierarchy of execution. The hierarchy goes from workflow, to transaction, to program, to function.
Service, Type | The type of the service running on an actor, for example, HTTP Client, FTP Server, and so on. This is often related to the network protocol, which would be HTTP in these examples.
Service, User Agent | The HTTP user agent field or other field that gives information about the client's agent program
Service, Version | The version of the type of service, for example, 1.1 for HTTP
Service, Workflow Name | The name of a workflow, the highest level of a four-level hierarchy of execution: workflow, transaction, program, function. Note that a report is a type of program.
System Group ID, Actor | The ID of the system group that the actor system belongs to. All systems that belong to the same system group have the same system group ID and type.
System Group ID, Initiator | The ID of the system group that the initiator system belongs to. All systems that belong to the same system group have the same system group ID and type.
System Group ID, Intermediary | The ID of the system group that the intermediary system belongs to. All systems that belong to the same system group have the same system group ID and type.
System Group ID, Reporter | The ID of the system group that the reporter system belongs to. All systems that belong to the same system group have the same system group ID and type.
System Group ID, Target | The ID of the system group that the target system belongs to. All systems that belong to the same system group have the same system group ID and type.
System Group, Role, Actor | The role of the system group that the actor system belongs to. All systems that belong to the same system group have the same system group ID and type. Examples of roles include test, production, and customizing.
System Group, Role, Initiator | The role of the system group that the initiator system belongs to. All systems that belong to the same system group have the same system group ID and type. Examples of roles include test, production, and customizing.
System Group, Role, Intermediary | The role of the system group that the intermediary system belongs to. All systems that belong to the same system group have the same system group ID and type. Examples of roles include test, production, and customizing.
System Group, Role, Reporter | The role of the system group that the reporter system belongs to. All systems that belong to the same system group have the same system group ID and type. Examples of roles include test, production, and customizing.
System Group, Role, Target | The role of the system group that the target system belongs to. All systems that belong to the same system group have the same system group ID and type. Examples of roles include test, production, and customizing.
System Group, Type, Actor | The type of the system group that the actor system belongs to. All systems that belong to the same system group have the same system group ID and type.
System Group, Type, Initiator | The type of the system group that the initiator system belongs to. All systems that belong to the same system group have the same system group ID and type.
System Group, Type, Intermediary | The type of the system group that the intermediary system belongs to. All systems that belong to the same system group have the same system group ID and type.
System Group, Type, Reporter | The type of the system group that the reporter system belongs to. All systems that belong to the same system group have the same system group ID and type.
System Group, Type, Target | The type of the system group that the target system belongs to. All systems that belong to the same system group have the same system group ID and type.
Technical, Group ID | Used to group events from the same log instance
System ID, Actor | The ID of the actor system of the event, for example, SID/client ID for an ABAP system
System ID, Initiator | The ID of the initiator system of the event, for example, SID/client ID for an ABAP system
System ID, Intermediary | The ID of the intermediary system of the event, for example, SID/client ID for an ABAP system
System ID, Reporter | The ID of the reporter system of the event, for example, SID/client ID for an ABAP system
System ID, Target | The ID of the target system of the event, for example, SID/client ID for an ABAP system
System Location, Actor | The location of the actor system as defined in the Locations application
System Location, Initiator | The location of the initiator system as defined in the Locations application
System Location, Intermediary | The location of the intermediary system as defined in the Locations application
System Location, Reporter | The location of the reporter system as defined in the Locations application
System Location, Target | The location of the target system as defined in the Locations application
System Role, Actor | Role of the actor system (for example, test, production, or customizing)
System Role, Initiator | Role of the initiator system (for example, test, production, or customizing)
System Role, Intermediary | Role of the intermediary system (for example, test, production, or customizing)
System Role, Reporter | Role of the reporter system (for example, test, production, or customizing)
System Role, Target | Role of the target system (for example, test, production, or customizing)
System Type, Actor | The type of the actor system (for example, ABAP)
System Type, Initiator | The type of the initiator system (for example, ABAP)
System Type, Intermediary | The type of the intermediary system (for example, ABAP)
System Type, Reporter | The type of the reporter system (for example, ABAP)
System Type, Target | The type of the target system (for example, ABAP)
Technical Timestamp | The time at which the event was observed or reported, as Unix time
Technical, Log Collector, Name | The name of the streaming server that received the log instance
Technical, Log Collector, IP Address | The IP address of the streaming server that received the log instance
Technical, Log Collector, Port | The port on the streaming server that received the log instance
Technical, Log Entry Type | The type of the log instance
Time Duration | The time taken to perform an action, or to perform all actions leading up to the event report. For example, the time to process an HTTP request, including the processing of the response.
Technical, Number | A number used to check the consistency of the data in the system.
Technical, Number Range | A number range used to check the consistency of the data in the system.
Technical, Time Stamp of Insertion | The time at which the event was inserted in the database.
Timestamp | The time at which the event was observed or reported.
Timestamp Of End | The time at which something ends, for example, an action.
Timestamp Of Start | The time at which something starts, for example, an action.
Trigger Name, Actor | The name of the thing that triggered the event, and/or caused it to be logged, for example, timers, audit policies, security configurations, or attack signatures.
Trigger Name, Target | The name of the trigger that is the target of some action, for example, creation, modification, enablement, disablement, deletion, and so on.
Trigger Type, Actor | The type of thing that triggered the event, and/or caused it to be logged (for example, timers, audit policies, security configurations, or attack signatures)
Trigger Type, Target | The type of a trigger that is the target of some action, for example, creation, modification, enablement, disablement, deletion, and so on.
User Account Name, Actor | A user account is identified by a triple: 'User Account Name', 'Username Domain Type', and 'Username Domain Name'. A real user often has accounts in different domains (systems), for example, one real user may have two accounts: Smith/ABAP/CRM/00 and Smith2/ABAP/SCM/00. All accounts for the same real user are assigned the same pseudonym, because a pseudonym is intended to represent one real user. This attribute is for the actor user's user account name.
User Account Name, Initiator | A user account is identified by a triple: 'User Account Name', 'Username Domain Type', and 'Username Domain Name'. A real user often has accounts in different domains (systems), for example, one real user may have two accounts: Smith/ABAP/CRM/00 and Smith2/ABAP/SCM/00. All accounts for the same real user are assigned the same pseudonym, because a pseudonym is intended to represent one real user. This attribute is for the initiator user's user account name.
User Account Name, Target | A user account is identified by a triple: 'User Account Name', 'Username Domain Type', and 'Username Domain Name'. The domain is the domain of validity of the user account name. It identifies the system that can resolve the user account name to a real user. The domain name is the same as the system ID for an ABAP system, because the domain of validity of an ABAP user account is an ABAP system. An ABAP system ID is the SAP ID plus the SAP client number: for example, CRM/00. This attribute is for the target user's username domain name.
User Account Name, Remote | A user account is identified by a triple: 'User Account Name', 'Username Domain Type', and 'Username Domain Name'. A real user often has accounts in different domains (systems), for example, one real user may have two accounts: Smith/ABAP/CRM/00 and Smith2/ABAP/SCM/00. All accounts for the same real user are assigned the same pseudonym, because a pseudonym is intended to represent one real user. This attribute is for the remote user's user account name.
User Group, Actor | For an ABAP system, this is the user group in user master maintenance. The actor user belongs to this group.
User Group, Target | For an ABAP system, this is the user group in user master maintenance. The target user belongs to this group.
User ID, Actor | The ID of the actor user involved in the event.
User ID, Initiator | The ID of the initiator user involved in the event.
User ID, Target | The ID of the target user involved in the event.
User ID, Remote | The ID of the remote user involved in the event.
User Logon Method | The method of the logon, in other words, how the user is authenticated.
User Account Name Pseudonym, Actor | The pseudonym of the actor user involved in the event. In many events an actor user and/or actor system performs an action on a target user. A target user may be the target of actions such as create, alter, delete, log on, log off, etc.
User Account Name Pseudonym, Initiator | The pseudonym of the initiator user involved in the event. In many events an actor user and/or actor system performs an action on a target user. A target user may be the target of actions such as create, alter, delete, log on, log off, etc.
User Account Name Pseudonym, Target | The pseudonym of the target user involved in the event. In many events an actor user and/or actor system performs an action on a target user. A target user may be the target of actions such as create, alter, delete, log on, log off, etc.
User Account Name Pseudo­ The pseudonym of the remote user involved in the event. In many events an actor user
nym, Remote and/or actor system performs an action on a target user. A target user may be the target
of actions such as create, alter, delete, log on, log off, etc.

User, Department, Actor The department of the actor user in a company as part of the company address. It is the
department name used at the customer for a customer contact person. It is usually the
same as the department name used on business cards.

User, Floor, Actor Floor of the building as more exact specification of the address of the actor user.

User, Function, Actor Function of the actor user (for example as contact person in a company). This is often
part of the formatted address.

User, Room Number, Actor Room number in the actor user's address.

Username, Actor The name of the actor user involved in the event.

Username, Domain Name, Actor A user account is identified by a triple: User Account Name, Username Domain Type, and
Username Domain Name. The domain is the domain of validity of the user account name.
It identifies the system that can resolve the user account name to a real user. The domain
name is the same as the system ID for an ABAP system, because the domain of validity
of an ABAP user account is an ABAP system. An ABAP system ID is the SAP ID plus the
SAP client number (for example CRM/00). This attribute is for the actor user's username
domain name.

Username, Domain Name, Initiator A user account is identified by a triple: User Account Name, Username Domain Type, and
Username Domain Name. The domain is the domain of validity of the user account name.
It identifies the system that can resolve the user account name to a real user. The domain
name is the same as the system ID for an ABAP system, because the domain of validity of
an ABAP user account is an ABAP system. An ABAP system ID is the SAP ID plus the SAP
client number (for example, CRM/00). This attribute is for the initiator user's username
domain name.

Username, Domain Name, Target A user account is identified by a triple: User Account Name, Username Domain Type, and
Username Domain Name. The domain is the domain of validity of the user account name.
It identifies the system that can resolve the user account name to a real user. The domain
name is the same as the system ID for an ABAP system, because the domain of validity
of an ABAP user account is an ABAP system. An ABAP system ID is the SAP ID plus the
SAP client number, for example, CRM/00. This attribute is for the target user's username
domain name.

Username, Domain Name, Remote A user account is identified by a triple: User Account Name, Username Domain Type, and
Username Domain Name. The domain is the domain of validity of the user account name.
It identifies the system that can resolve the user account name to a real user. The domain
name is the same as the system ID for an ABAP system, because the domain of validity of
an ABAP user account is an ABAP system. An ABAP system ID is the SAP ID plus the SAP
client number, for example, CRM/00. This attribute is for the remote user's username
domain name.

Username, Domain Type, Actor A user account is identified by a triple: User Account Name, Username Domain Type,
and Username Domain Name. The domain is the domain of validity of the user account
name. It identifies the system that can resolve the user account name to a real user. It
is the same as a system type for an ABAP system, where ABAP is the system type. This
attribute is for the actor user's username domain type.

Username, Domain Type, Initiator A user account is identified by a triple: User Account Name, Username Domain Type,
and Username Domain Name. The domain is the domain of validity of the user account
name. It identifies the system that can resolve the user account name to a real user. It
is the same as a system type for an ABAP system, where ABAP is the system type. This
attribute is for the initiator user's username domain type.

Username, Domain Type, Target A user account is identified by a triple: User Account Name, Username Domain Type,
and Username Domain Name. The domain is the domain of validity of the user account
name. It identifies the system that can resolve the user account name to a real user. It
is the same as a system type for an ABAP system, where ABAP is the system type. This
attribute is for the target user's username domain type.

Username, Domain Type, Remote A user account is identified by a triple: User Account Name, Username Domain Type,
and Username Domain Name. The domain is the domain of validity of the user account
name. It identifies the system that can resolve the user account name to a real user. It
is the same as a system type for an ABAP system, where ABAP is the system type. This
attribute is for the remote user's username domain type.

Username, Initiator The name of the initiator user involved in the event.

Username, Target The name of the target user involved in the event.

Username, Remote The name of the remote user involved in the event.

User Type, Actor For an ABAP system, this is the user type in user master maintenance. The actor user is
of this type. This type can take one of five values: dialog, system, communication, service,
or reference. They are represented by the letters A, B, C, S, and L, respectively.

User Type, Initiator For an ABAP system, this is the user type in user master maintenance. The initiator user
is of this type. This type can take one of five values: dialog, system, communication,
service, or reference. They are represented by the letters A, B, C, S, and L, respectively.

User Type, Target For an ABAP system, this is the user type in user master maintenance. The target user is
of this type. This type can take one of five values: dialog, system, communication, service,
or reference. They are represented by the letters A, B, C, S, and L, respectively.

User Type, Remote For an ABAP system, this is the user type in user master maintenance. The remote user is
of this type. This type can take one of five values: dialog, system, communication, service,
or reference. They are represented by the letters A, B, C, S, and L, respectively.

User, Building Code, Actor Number or ID for the building in the actor user's address
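
The attribute table above describes a user account as the triple User Account Name, Username Domain Type, and Username Domain Name, with the ABAP domain name being the SAP ID plus the client number. The following added example (not SAP code and not part of this guide) shows why events must be keyed by the full triple rather than by the account name alone: the same account name in two ABAP systems is two different identities. The event records, field names (user, sap_id, client, user_type) and helper names are assumptions made for the example; the user type letters are those listed above.

```python
"""Keying ABAP user accounts by the (name, domain type, domain name) triple.

Added example, not part of the SAP guide. Sample events are constructed and
their field names are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# ABAP user types and their one-letter codes, as listed in the attribute table.
ABAP_USER_TYPES = {
    "A": "dialog",
    "B": "system",
    "C": "communication",
    "S": "service",
    "L": "reference",
}


@dataclass(frozen=True)
class UserAccount:
    """The identifying triple of a user account; frozen so it can be a dict key."""
    name: str          # User Account Name, e.g. "ADMIN"
    domain_type: str   # Username Domain Type, e.g. "ABAP"
    domain_name: str   # Username Domain Name, e.g. "CRM/00" (SAP ID plus client)


def abap_domain_name(sap_id: str, client: str) -> str:
    """Build the domain name of an ABAP account: the SAP system ID plus the client number."""
    if not sap_id or not client:
        raise ValueError("SAP ID and client are both required")
    return f"{sap_id.upper()}/{client}"


def account_from_abap_event(event: dict) -> UserAccount:
    """Derive the identity triple from a (constructed) ABAP event record.

    The domain type is ABAP because the domain of validity of an ABAP account
    is the ABAP system that can resolve it to a real user.
    """
    return UserAccount(
        name=event["user"],
        domain_type="ABAP",
        domain_name=abap_domain_name(event["sap_id"], event["client"]),
    )


def describe_user_type(letter: str) -> str:
    """Translate the one-letter ABAP user type; unknown letters are reported, not guessed."""
    return ABAP_USER_TYPES.get(letter.upper(), f"unknown ({letter})")


def events_per_account(events: list) -> Counter:
    """Count events per identity triple: ADMIN in CRM/00 and ADMIN in ERP/100 stay separate."""
    return Counter(account_from_abap_event(e) for e in events)


# Constructed sample events: the same account name in two systems, plus a system user.
SAMPLE_EVENTS = [
    {"user": "ADMIN", "sap_id": "CRM", "client": "00", "user_type": "A"},
    {"user": "ADMIN", "sap_id": "CRM", "client": "00", "user_type": "A"},
    {"user": "ADMIN", "sap_id": "ERP", "client": "100", "user_type": "A"},
    {"user": "RFC_BATCH", "sap_id": "ERP", "client": "100", "user_type": "B"},
]

if __name__ == "__main__":
    for account, n in events_per_account(SAMPLE_EVENTS).items():
        print(f"{account.name} in {account.domain_type} domain {account.domain_name}: {n} event(s)")
    print("RFC_BATCH is a", describe_user_type("B"), "user")
```

Grouping by the dataclass instead of the bare name is the point: a pattern that counts failed logons per user would otherwise merge activity from unrelated systems into one total.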

3 Monitoring the State of the System Landscape

Monitoring provides an overview of the events, alerts, and investigations in the system. Through health checks,
monitoring also indicates when a problem occurs with the monitoring capability of SAP Enterprise Threat
Detection itself.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Monitoring.


2. View the charts displayed.

The monitoring screen shows a grid of charts and attack detection patterns. Each chart or pattern comes
from a forensic workspace. A workspace can have multiple charts and patterns, collectively known as
forensic objects. The number of objects displayed is configurable, but by default the grid is three columns
by two rows. For each square in the grid, you can configure a forensic workspace and select which forensic
object to display. You can also open the workspace for that object.

The user interface displays the number of open alerts, investigations, and health checks. To investigate the
cause of the open alerts, investigations, and health checks, choose the relevant numbers on the monitoring
user interface to open the relevant application.

For more information, see the sections on browsing in the forensic workspaces and on tracking
investigations.

3.1 Best Practices: Monitoring the State of the System Landscape

We have some recommendations for you related to the monitoring of the system landscape state.

Using One Monitoring Page for Several Monitoring Agents to Save Resources

The monitoring page is updated frequently and fetches results for many charts. This may cause a high load on
the HANA database, depending on the time ranges defined for the monitoring page charts. If you have several
monitoring agents monitoring SAP Enterprise Threat Detection using the monitoring page, we recommend
defining one monitoring page for all monitoring agents or one monitoring page for each group of monitoring
agents depending on the area of analysis. This saves resources because when the frontend requests are sent
from the same monitoring page configuration, the backend stores the fetched data in the cache and returns
the same results to the frontend.

1. Start the Monitoring application.
The Monitoring application opens with the default configuration.

2. In the upper right corner of the application, next to your user name, choose (Configure the layout and
behavior of the UI).
3. To choose one configuration and set it as default for all users, either select an existing configuration or
create a new one and set it as default.
4. If you want to use more than one configuration, create the required configurations and ask the monitoring
agents to use the provided configuration that meets the requirements of their monitoring agent group.

For more information, see Configuring the Monitoring User Interface [page 59].

3.2 Configuring the Monitoring User Interface

All users of SAP Enterprise Threat Detection use the same monitoring user interface. You can adjust the refresh
rate, the number of charts and patterns displayed, and the time span monitored by the indicators of the
Monitoring application.

Procedure

1. Start the Monitoring application.

For more information, see Monitoring the State of the System Landscape [page 58].

The Monitoring application opens with the default configuration.

2. In the upper right corner of the application, next to your user name, choose (Configure the layout and
behavior of the UI).
3. Determine whether you want to select an existing configuration or create your own.

• To select an existing configuration, choose a configuration from the Configuration field.


• To create your own configuration, enter the data as described in the following table and choose Save
As….

Configurations for Monitoring

Configuration Description

Refresh Rate (in sec) Determines how often the application checks for alerts,
investigations, and health checks, and sets the relevant
status indicator. The setting also determines how often
the entire display is refreshed.

Number of Columns Determines the number of columns of charts and patterns
displayed.

Number of Rows Determines the number of rows of charts and patterns
displayed.

Time Range for Indicators Determines the time range of the data sample used to
check for alerts, investigations, and health checks.

Is Default This checkbox makes the current configuration the
default configuration for all users. To make the SAP
Default configuration the default configuration again,
either delete the current default configuration or clear
this checkbox in the current default configuration and
save your changes.

3.3 Changing Charts and Patterns in Monitoring

Each chart or pattern on the monitoring grid represents an object of a forensic workspace. You can change the
type of chart displayed and the object of the workspace, or select an object from another workspace.

Procedure

1. Start the Monitoring application.


For more information, see Monitoring the State of the System Landscape [page 58].
2. Determine the type of change you want to make.

Option Description

Select a chart or pattern from another forensic workspace In the upper right corner of a chart, choose (Select a
forensic chart to be displayed here), and select a chart or pattern from the list.

Select another chart or pattern from the same forensic workspace The dropdown list to the right of the currently
displayed chart or pattern shows the available charts or patterns of the selected workspace. Select another one
from the list.

Change the chart type of the displayed chart or pattern Above each chart or pattern, there is a row of icons
indicating different chart types. Choose an icon to change the display.

Charts and patterns support different chart types, so different icons appear for charts and patterns.

3. In the upper right corner of the application, next to your user name, choose (Configure the layout and
behavior of the UI).
4. Save your changes to the monitoring configuration and choose Close to hide the configuration window.

For more information, see Configuring the Monitoring User Interface [page 59].

3.4 Opening Monitoring Charts in the Forensic Lab

If you find a chart or pattern in the Monitoring application needs customization, jump directly from Monitoring
to the forensic lab to modify the chart or the underlying forensic workspace.

Procedure

1. Start the Monitoring application.


For more information, see Monitoring the State of the System Landscape [page 58].

2. In the upper right corner of a chart, choose (Open forensic chart).


3. Make the required changes.
For more information, see the chapter on Browsing Events, Alerts, and Health Checks in the Forensic
Workspaces.

3.5 Health Checks

Health checks monitor the availability of log provider systems and the continued functioning of the
infrastructure of SAP Enterprise Threat Detection.

The sap.secmon.services.healthcheck::healthcheck background job runs on SAP HANA. This job triggers the
health checks. Different health checks monitor different parts of the system. When health checks run, they
generate OK or failed (not OK) health checks in SAP Enterprise Threat Detection. Monitor health checks in the
Monitoring application on the SAP Health Checks monitoring page. Use the Forensic Lab application to examine
the health checks in the system.

For more information about background jobs on SAP HANA, see the SAP Enterprise Threat Detection
Implementation Guide.

3.5.1 Types of Health Checks

The different types of health checks in SAP Enterprise Threat Detection indicate where potential problems have
occurred in the system infrastructure.

Overview of Health Checks


Health Check: SAP HANA partitioning
Failed Check: CheckPartitionNotOK
Meaning of Failure: The health check has not found daily partitions for storing event data on SAP HANA for the
upcoming seven days.
Suggested Action: Check that the background job for partitioning is running on SAP HANA.

Health Check: Pseudonym generation
Failed Check: PseudonymsGenerationNotOK
Meaning of Failure: The health check has found user IDs for which there is no pseudonym in the last 20 minutes, or
it has found pseudonyms for user IDs that have expired in the last 20 minutes.
Suggested Action: Check that the background job for pseudonymization is running on SAP HANA.

Health Check: System log
Failed Check: SystemLogNotOK
Meaning of Failure: The health check has not found a log update from the relevant system for the relevant log for
the last two minutes.
Suggested Action: If the system ping for the relevant system is OK, there may have been no activity for the
relevant log to send. Check the log in the log provider for entries during that time period. Make sure the log is
still enabled for the log provider. If the system ping is not OK, see the suggested actions for system ping.

Health Check: System ping
Failed Check: SystemPingNotOK
Meaning of Failure: The health check has not found a system ping from the relevant system for the last 10
minutes. Systems send pings once per minute.
Suggested Action: Check for system availability or network problems. If you have decommissioned a system, you
continue to receive health checks for that system until you remove its entry from tables in SAP HANA. For more
information, see Stopping Health Checks for Decommissioned Systems [page 63].

The health check only shows the median time span between the time of the original event in the original system
and the time when the event is created in SAP Enterprise Threat Detection. Depending on this delay, it may be
impossible for an attack detection pattern to raise an alert. If, for example, a pattern looks for suspicious
events from the last ten minutes and the delay is an hour, it will never find any events that match the pattern.
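
The following added example (not SAP code and not part of this guide) re-implements the failure conditions of the health checks listed above over constructed data, mirrors the dependency of the system-log action on the system-ping result, shows that a decommissioned system stops producing checks once it is no longer registered, and turns the delay caveat above into a feasibility test for a pattern's look-back window. The time limits and check names are those stated in the guide; the data layout, the reference time, and the function names are assumptions made for the example.

```python
"""Health-check rules and the event-delay caveat over constructed data.

Added example, not SAP code. Time limits and check names come from the guide;
data layout, reference time and function names are assumptions.
"""
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Optional

NOW = datetime(2023, 3, 21, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def check_system_ping(last_ping: Optional[datetime], now: datetime = NOW) -> str:
    """Systems ping once per minute; no ping for 10 minutes fails the check."""
    if last_ping is None or now - last_ping > timedelta(minutes=10):
        return "SystemPingNotOK"
    return "OK"


def check_system_log(last_update: Optional[datetime], now: datetime = NOW) -> str:
    """No update for the log within the last two minutes fails the check."""
    if last_update is None or now - last_update > timedelta(minutes=2):
        return "SystemLogNotOK"
    return "OK"


def check_partitions(existing: set, now: datetime = NOW) -> str:
    """Daily partitions must exist for the upcoming seven days (assumed: tomorrow onward)."""
    needed = {now.date() + timedelta(days=i) for i in range(1, 8)}
    return "OK" if needed <= existing else "CheckPartitionNotOK"


def check_pseudonyms(user_ids_seen: set, expiry: dict, now: datetime = NOW) -> str:
    """Fails if a user ID seen in the last 20 minutes has no pseudonym, or if its
    pseudonym expired during the last 20 minutes (expiry maps user ID to datetime)."""
    window_start = now - timedelta(minutes=20)
    for uid in user_ids_seen:
        expires = expiry.get(uid)
        if expires is None or window_start <= expires <= now:
            return "PseudonymsGenerationNotOK"
    return "OK"


def suggested_action(ping: str, log: str) -> str:
    """Mirror the table: a failed log check is only meaningful when the ping is OK."""
    if ping != "OK":
        return "Check for system availability or network problems."
    if log != "OK":
        return ("Ping is OK: check the log provider for entries in that period "
                "and make sure the log is still enabled.")
    return "No action required."


def evaluate_systems(status: dict, registered: set, now: datetime = NOW) -> dict:
    """Run ping and log checks for registered systems only; a decommissioned
    system stops producing health checks once it is removed from the registry."""
    results = {}
    for sid in sorted(registered):
        info = status.get(sid, {})
        ping = check_system_ping(info.get("last_ping"), now)
        log = check_system_log(info.get("last_log_update"), now)
        results[sid] = {"ping": ping, "log": log, "action": suggested_action(ping, log)}
    return results


def pattern_can_match(delays_seconds: list, lookback: timedelta) -> bool:
    """A pattern that only inspects the last `lookback` never sees events whose
    median delivery delay (original event time to creation time) exceeds it."""
    return timedelta(seconds=median(delays_seconds)) < lookback


# Constructed sample status: a healthy system, an unreachable one, and a decommissioned one.
SAMPLE_STATUS = {
    "CRM/00": {"last_ping": NOW - timedelta(minutes=1),
               "last_log_update": NOW - timedelta(minutes=5)},
    "ERP/100": {"last_ping": NOW - timedelta(minutes=30),
                "last_log_update": NOW - timedelta(minutes=30)},
    "OLD/00": {"last_ping": NOW - timedelta(days=40)},
}
REGISTERED = {"CRM/00", "ERP/100"}  # OLD/00 was already deleted in System Administration

if __name__ == "__main__":
    for sid, result in evaluate_systems(SAMPLE_STATUS, REGISTERED).items():
        print(sid, result)
    print("10-minute pattern feasible with ~1h delay:",
          pattern_can_match([3600, 3500, 4000], timedelta(minutes=10)))
```

The ordering in suggested_action matters: a stale log from a system whose ping also failed is a connectivity problem, not a log-provider problem, so the ping result is consulted first, exactly as the table instructs.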

3.5.2 Stopping Health Checks for Decommissioned Systems

If you decommission a log provider system, SAP Enterprise Threat Detection continues to generate failed
health checks for those systems until you remove the relevant systems.

Prerequisites

• You have determined the system ID you want to delete from the health checks.
• You have a user with the EtdAdmin role for SAP Enterprise Threat Detection.

Procedure

1. From SAP Enterprise Threat Detection launchpad, open the System Administration app.
2. Delete the system in question.

4 Monitoring the System Landscape

The System Monitoring user interface gives you an overview of how the systems in your system landscape are
affected by threats found by SAP Enterprise Threat Detection. This tool makes it very easy to identify critical
parts of your landscape. You can drill down to the potentially problematic systems to see which vulnerabilities
have been exploited.

Context

The roles overview displays all the systems connected to SAP Enterprise Threat Detection, grouped according
to their role into Production, Test, Customizing, SAP Reference and Others. Note that you can specify or change
the role of a system in the Systems user interface available from the launchpad.

For all systems, system groups, and system roles of SAP Enterprise Threat Detection, the Business Risk Score
(BRS), the Business Attack Score (BAS), and the Patch Risk Score (PRS) are displayed:

• The Business Risk Score (BRS) of a system indicates how critical the system is. The BRS is based on
the system's business significance in terms of confidentiality, integrity of system, integrity of data, and its
availability. The BRS of a role is an aggregation of the BRSs of the individual systems.
• The Business Attack Score (BAS) of a system is based on open alerts in a system and the business
significance of the patterns that created these alerts. The BAS of a role is an aggregation of the business
attack scores of the individual systems.
• The Patch Risk Score (PRS) of a system is based on CVSS base score values of missing security notes. The
PRS of a role is an aggregation of the patch risk scores of the individual systems.

Depending on the calculated percentage value, the bar chart for the scores is displayed with a green, yellow, or
red bar. A green bar indicates low risk and is used for values between 0 and 40 percent. A yellow bar indicates
medium risk and is used for values between 40 and 60 percent. A red bar indicates high risk and is used for
values between 60 and 100 percent.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose System Monitoring.

The application displays the roles overview with the Business Risk Score (BRS), Business Attack Score
(BAS), and Patch Risk Score (PRS) broken down by system role.
2. In the roles overview, click a row to display the scores for the individual system groups of this specific
system role.

The system shows the system group view with the BRS, BAS, and PRS for the system groups.
3. In the system group overview, click a row to display the scores for the individual systems of a specific
system group.

The system shows the system view with the BRS, BAS, and PRS for the systems. The main system is
marked with a black frame.
4. In the system overview, click a row to display the details for this specific system.

The system shows the details including the number of open alerts, the top 20 alerts by business attack
score, the top 20 security indicators, the top 20 missing security notes by CVSS and the application
servers.
5. In the system details view, you have the following options to display more information:

• In the Top 20 Alerts by Business Attack Score tab, click the alert ID in one of the rows to show the alert
details. You can also open the pattern details by clicking on the pattern name.
• Display the top 20 security indicators by business risk score by clicking on the corresponding tab.
• Display the application servers by clicking on the corresponding tab.

5 Monitoring the Distribution of Security
Notes

The Security Notes user interface provides an overview of the implementation status of the notes relevant for
the security of the systems in your system landscape.

Prerequisites

• You have installed SAP Note 2372375 to see Java security notes.
• You have configured the SECM_MASTER_DATA_2_ESP report on your AS ABAP log providers to send
information about the implemented ABAP notes.
• You have configured the job sap.secmon.ssm.cache::NoteCache on HANA side to process the status
of Security Notes.

Context

The table displays the security notes that are relevant for the systems connected to SAP Enterprise Threat
Detection, together with additional information in the columns presented below:

Implementation Status of Security Notes

Column Meaning and Possible Values

Note Number Displays a link to the security note.

System ID The system connected to SAP Enterprise Threat Detection.

Note Title The title of the security note.

Note Version The current note version as of SAP Enterprise Threat
Detection SP 07.

CVSS Base Score The Common Vulnerability Scoring System (CVSS) is a value
between 1.0 and 10.0. SAP provides this CVSS Base Score
as an estimate of the risk posed by the issue reported in
this note. This estimate does not reflect your system con­
figuration or operational environment. It is not intended to
replace any risk assessments you are advised to conduct
when deciding on the applicability or priority of this security
note. For more information, see the FAQ section at https://
support.sap.com/securitynotes .

Release On The release date of the displayed note version.

Implementation Automatic Describes whether there is manual configuration effort
needed for the specific release version of the connected sys­
tem. Possible values are true, false or unknown.

• True: The note does not require any manual steps apart
from implementing the correction or patch provided
with the note.
• False: The note requires manual configuration steps in
addition to implementing the correction or patch pro­
vided with the note.
• Unknown: The note may or may not require manual
steps depending on your system landscape.

Processing Status, Implementation Status, SP Implementation Status This is the information as provided by ABAP transaction
SNOTE.

Note
If Implementation Automatic is false or unknown, the status shown here does not reflect the processing of
any manual steps the security note may require.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Security Notes.


2. You can sort the different columns, for example, to have a look at the security notes with the highest CVSS
Base Score.

5.1 Implementation Status and Processing Status of SAP Notes

The Security Notes app displays the implementation statuses and processing statuses of the SAP Notes as set
in the Note Assistant (transaction SNOTE) in the SAP NetWeaver AS for ABAP system.

The implementation status of an SAP Note is determined by the system according to existing information. The
processing status is specified by the user in the Note Assistant.

Processing Status

The following processing statuses are used in the Note Assistant and also in the Security Notes app of SAP
Enterprise Threat Detection:

Status Description

New You have loaded the SAP Note into your system, but have
not yet processed it.

In Processing A user is processing the SAP Note.

Completed You have followed the instructions in the SAP Note and im­
plemented any corrections in your system. The processing
of the SAP Note has now been completed.

Not relevant You have read the SAP Note and decided that it is not rele­
vant, for example because it refers to a function that you do
not use.

Implementation Status

If an SAP Note contains correction instructions, the implementation status indicates whether all the relevant
correction instructions in the note have been implemented in the system.

The system sets the implementation status automatically. The following implementation statuses are used in
the Note Assistant and also in the Security Notes app of SAP Enterprise Threat Detection:

Status Description

Incompletely implemented Not all the relevant correction instructions have been imple­
mented or some have been implemented only in part. The
objects that need to be corrected are inconsistent. You must
therefore implement this SAP Note in your system again.

Obsolete version implemented SAP has corrected an SAP Note that contained errors. Im­
plement this note in your system again.

Can be implemented The SAP Note contains correction instructions that you may
need to implement in your system.

Completely implemented The corrections in the SAP Note have been implemented
completely in your system. No action is required.

Cannot be implemented The SAP Note does not contain any correction instructions
that you can implement in your system. No action is re­
quired.

Obsolete After you implemented the corrections in the Note, you im­
ported a Support Package that also contains these correc­
tions. The errors have now been removed.

For more information, see Implementation Status and Processing Status of SAP Notes in the SAP NetWeaver
documentation on the SAP Help Portal.
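
The Security Notes columns in the previous section and the status lists above together determine which notes deserve attention first. The following added example (not SAP code and not part of this guide) orders a list of notes so that those still needing implementation come first by CVSS base score, and flags notes whose Implementation Automatic value is false or unknown, because, as the note in the column table says, the SNOTE status then says nothing about manual steps. The note records are constructed placeholders, not real SAP Notes, and the field names are assumptions.

```python
"""Triage of security notes by CVSS base score and implementation status.

Added example, not part of the SAP guide. The sample notes are constructed
placeholders and the field names are assumptions.
"""

# Implementation statuses listed in the guide after which no action is required.
NO_ACTION = {"Completely implemented", "Cannot be implemented", "Obsolete"}


def validate_cvss(score) -> float:
    """The CVSS base score shown in the app is a value between 1.0 and 10.0."""
    value = float(score)
    if not 1.0 <= value <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    return value


def needs_implementation(note: dict) -> bool:
    """True unless the system-set implementation status says the note is finished."""
    return note["implementation_status"] not in NO_ACTION


def manual_steps_unverified(note: dict) -> bool:
    """Implementation Automatic false or unknown: the status does not cover manual steps."""
    return str(note["implementation_automatic"]).lower() in {"false", "unknown"}


def triage(notes: list) -> list:
    """Return the notes that still need attention, highest CVSS base score first."""
    todo = []
    for note in notes:
        reasons = []
        if needs_implementation(note):
            reasons.append("implement correction")
        if manual_steps_unverified(note):
            reasons.append("verify manual steps")
        if reasons:
            todo.append({"note": note["note"], "system": note["system"],
                         "cvss": validate_cvss(note["cvss"]), "reasons": reasons})
    todo.sort(key=lambda n: (-n["cvss"], n["note"], n["system"]))
    return todo


# Constructed placeholders, not real SAP Note numbers.
SAMPLE_NOTES = [
    {"note": "0000001", "system": "ERP/100", "cvss": 9.8,
     "implementation_status": "Can be implemented", "implementation_automatic": "true"},
    {"note": "0000002", "system": "ERP/100", "cvss": 7.5,
     "implementation_status": "Completely implemented", "implementation_automatic": "false"},
    {"note": "0000003", "system": "CRM/00", "cvss": 5.3,
     "implementation_status": "Completely implemented", "implementation_automatic": "true"},
    {"note": "0000004", "system": "CRM/00", "cvss": 6.1,
     "implementation_status": "Obsolete version implemented", "implementation_automatic": "unknown"},
]

if __name__ == "__main__":
    for item in triage(SAMPLE_NOTES):
        print(item["note"], item["system"], item["cvss"], ", ".join(item["reasons"]))
```

A note that is Completely implemented but whose Implementation Automatic is false still appears in the list: the automatic status only proves that the correction instructions were applied, not that the accompanying manual configuration was done.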

6 Viewing Log Events

This viewer displays the semantic events of the last 15 minutes with detailed information, including a textual
description. It offers various filter options.

Procedure

1. On the SAP Enterprise Threat Detection launchpad, choose Log Events to display semantic events.

You can also use the Alert user interface and choose the link to the related events to show the semantic
events filtered for the systems and users involved in the event.
2. Adjust the filters according to your needs and choose Go. Note that the search in the filters is case-
insensitive.

The events are displayed in a table. You can adjust which columns are displayed in the table using the
(Settings) icon. You can use the buttons next to the settings icon to collapse and hide columns that show
attributes of the user, system, or service. You can use the plus icon to display separate columns for the
user roles, for example.

The filter bar allows you to set generic filters for systems, users, and services, irrespective of their roles.
For example, in the System Id field, searching for “ABC” will find all systems in the system group “ABC”,
irrespective of their roles.
3. Choose a semantic event to display detailed information.

Under Information, a textual description of this log entry is displayed as well as all details.
4. Flag the checkbox for a semantic event and click the Process in Case File button to jump to the Case Files
view.

Next Steps

You can save a list of log events as a separate tile. To do so, filter the list as needed and choose (Save as Tile).

Related Information

Semantic Events [page 70]


Semantic Attributes of Events [page 15]
Roles of Semantic Events with Examples [page 11]

6.1 Semantic Events

A semantic event is a standard way of representing the meaning of an event. Each log entry type with the same
meaning is assigned the same semantic event, enabling searches across log sources for that semantic event.
For SAP logs, this mapping has already been done. For logs from other systems, you use the Log Learning
application to map the log entries to this set of semantic events and attributes. For more information, see Log
Learning in the implementation guide for SAP Enterprise Threat Detection at https://help.sap.com/sapetd .

A semantic event identifies the action of the event and the participants in that action. Participants may be
identified by their role in the action and/or their entity type. The key participant in the event is the actor. This is
the system or host that performs the action of the event. All other roles of an event are usually assigned relative
to the actor role. For example, a system that asks the actor to act is the initiator, and one that the actor asks
to perform some function is the target. In other words, the event is represented from the point of view of the
actor. This is consistent with the fact that most logs are created by the actor from the standpoint of the actor.
For more information about the roles of semantic events, see Roles of Semantic Events with Examples [page
11].

There is a set of semantic attributes that define the semantic events. For more information, see Semantic
Attributes of Events [page 15].

On the Log Learning user interface, where you assign events to log entries and map these semantic attributes
to events, there are (Help) icons that open a list of all available semantic events or attributes.

In the Forensic Workspace, the Subset Selection dialog, which appears when you add new subsets of events,
also includes a (Help) icon that opens a list of the available semantic attributes with their descriptions.

Related Information

Log Learning

7 Browsing in Forensic Lab

To gain insights into what is currently going on in your system landscape, use forensic lab to examine events,
alerts, system health checks, and configuration checks to identify and analyze possible vulnerabilities or
attacks.

Context

SAP Enterprise Threat Detection saves log entries of monitored systems as events and creates indicators or
alerts that match the configurations of any patterns for detecting attacks. Health checks monitor the systems
and the infrastructure of SAP Enterprise Threat Detection and indicate if and where problems have occurred.
Configuration checks are carried out in the connected AS ABAP systems and you can see their results here.

Forensic lab enables you to examine events, alerts, health checks, and configuration check results in the
forensic lab. You can filter and visualize the data as charts or raw data. You can also create attack detection
patterns based on filters you define. And in the attack detection patterns, you can specify whether they should
produce indicators or alerts.

Indicators are a special type of event that you can use as a kind of preliminary stage to alerts. They draw
attention to noticeable activities in your system landscape but usually do not require individual analysis.
However, it might make sense to create an additional pattern based on indicators. In forensic lab, indicators are
a log entry type that you can view or add to a new path.

 Note

To create pattern configurations, you must have administrator authorizations.

Procedure

1. From the launchpad, choose Forensic Lab.


2. From the table below, choose the action you want to perform and follow the procedure:

Option                               Description

Create forensic workspaces           See Creating Forensic Workspaces [page 74]

Add paths and subsets                See Adding Paths and Subsets [page 75]

Visualize subsets                    See Visualizing Subsets [page 80]

Create pattern configurations        See Creating Pattern Configurations [page 92]

Download normalized or original      Buttons enable you to download normalized data as JSON, CSV, or ZIP files,
data                                 with only selected columns or all columns. You can download original data in
                                     ZIP format only.

Create a version history             A versioning feature enables you to create and view the history of a
                                     workspace. When you create a new workspace, add subsets to the path, save
                                     it, and give it a name, the initial version (v.1) appears next to the
                                     workspace URL in the overview. Click the version number to display the
                                     version details. Subsequently changing the workspace and saving it creates
                                     additional versions in the history.

Rename a workspace                   You can rename a workspace by clicking Rename in the overview and saving
                                     your changes. Note: Renaming a workspace replaces the original name with
                                     the new name and creates a subsequent version number under that new name.

Add workspace attributes             Click the workspace attributes icon to add useful information about your
                                     workspace. Once you have confirmed and saved your changes, select your
                                     workspace from the list to view these additional details.

Export a workspace                   To export a workspace, click Manage Workspaces to display the list of
                                     available workspaces. Then select the workspace to be exported and choose
                                     Export.

Delete a workspace                   To delete a workspace, click Manage Workspaces to display the list of
                                     available workspaces. Then select the workspace to be deleted and choose
                                     Delete.

7.1 Monitoring Configuration Check Results

View the results of the configuration checks that SAP Enterprise Threat Detection carries out on the AS ABAP
log providers.

Context

There are checks of about 50 profile parameters, and two checks of ABAP standard users (whether they still
use the initial password and whether they are locked).

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Forensic Lab.


2. As browsing context, select Configuration Checks from the dropdown list.

7.2 The Anatomy of a Forensic Workspace

A forensic workspace is a view of the events, alerts, and health checks in the system. Forensic workspaces can
be displayed and changed by all users.

In the forensic workspace, you create subsets of the data by defining filter criteria to apply. You create chains
of successive subsets called paths. A forensic workspace can have multiple paths. You can reference a subset
from one path as part of the filter condition in another path.

The following figure depicts two paths within a forensic workspace. Path1 has three subsets. Subset1 is a filter
condition on all the data. Subset2 is a filter condition on Subset1. Likewise, Subset3 is a filter condition on
Subset2. Path2 has two subsets. Subset1 is a filter condition on all the data. Subset2 uses the subset result
from Path1.Subset2 as a filtering condition on Subset1. The use of a subset from one path in another path is
known as a reference.

Paths of Subsets Within a Forensic Workspace

7.3 Versioning of Forensic Workspaces

SAP Enterprise Threat Detection systems use local version numbers to store workspace versions. In each system, a
new version of a workspace is generated each time the workspace is saved using the Save button or imported
using the Start Import function in Content Replication.

The version number is incremented on every Save or Start Import, even if no changes have been made to the
workspace.

 Example

Example for the creation of version numbers:

If you have developed a new workspace in a development system and exported a version with the number 9
to a production system, the workspace version in the production system will be 1. If you next export version
12 to the production system, the local version of this workspace in the production system will be numbered
2.

New or corrected workspaces are always delivered with version number 1.

7.4 Creating Forensic Workspaces

In forensic workspaces, you can filter, analyze, and visualize data so that you can gain insight into your system
landscape.

Context

A forensic workspace is a view of events, alerts, or health checks in your system landscape. In the forensic
workspace, you define filters to create subsets of the data. You arrange the subsets in paths. Each subset is
dependent on the previous subset(s) or, as in a reference, on subset(s) from another path within the same
forensic workspace.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Forensic Lab.


By default, a new forensic workspace opens.

If you are working in a forensic workspace and want to create a new one, click Create and choose Create
from the dropdown menu.
2. Define the browsing context for the path by choosing Events, Alerts, Health Checks, or Configuration
Checks.

Results

Now you can create paths and add subsets to them.

For more information, see Adding Paths and Subsets [page 75].

 Caution

A new forensic workspace starts with a default time period (the last hour). That means the data for the paths
in the new forensic workspace is already filtered for that time period. To change the time period, choose the
time period control (Last x minutes) and select a relative or absolute time range.

When setting a time stamp for a subset in a path, make sure that its time range lies within the time period
of the forensic workspace. If the time range of a subset is wider than the period defined for the forensic
workspace, you get data only for the time period set for the forensic workspace. If a subset uses an absolute
time range that does not overlap with the time period of the workspace, no data is found.

To save a new forensic workspace, choose Save As, choose a namespace from a dropdown list of the available
namespaces and type a name for the forensic workspace, then choose OK.

 Caution

Do not use the SAP namespace: http://sap.com/<any_subdomains>. We reserve the right to overwrite
any content in the SAP domain.

To view forensic workspaces, choose Manage Workspaces in your forensic lab.

Choose a list of workspaces:

List of Workspaces       Description

My Workspaces (ON)       The list contains your forensic workspaces.

My Workspaces (OFF)      The list contains all forensic workspaces.

To open a forensic workspace, choose its name or select a workspace and choose Open.

To save a forensic workspace as one of your own workspaces, first open the workspace and then choose Save As.

To download a forensic workspace, select it in a list of workspaces and choose Download. To add a downloaded
workspace to the list of your workspaces, click Create and choose New from the dropdown menu. Then
navigate to your downloads and choose the workspace to upload.

7.5 Adding Paths and Subsets

Paths are sets of filter criteria defined in subsets that enable you to sort and analyze the data of the system
landscape.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Forensic Lab.


2. Open an existing forensic workspace or create a new one.
For more information, see Creating Forensic Workspaces [page 74].

3. To create a new path, choose Add Path.


4. Define events, alerts, or health checks as a browsing context.
5. In the path, choose Add new subset.

The Subset Selection dialog appears.

You can also add subsets to the paths using the visualized charts on the right side. To do so, choose a sector of
the chart that you want to apply as a filter and choose Add to Path (adding sectors from the timestamp chart is
not supported). To save time, you can also hold down CTRL and simply click the section of the chart that you
want to apply as a filter and add to the path. A new subset is created in the path with the operator IN for the
values of the chosen field. No further steps are necessary.
6. By default, the subsets are connected by an AND relationship. You can change this to an OR relationship by
clicking the black arrow between the subsets. The arrow icon then changes to a chain icon.
7. Choose an attribute to create a filter on.
The dialog presents all the available attributes of events, alerts, health checks, and configuration checks.
Hover over the field name to display a tool tip, which provides information about the type of information in
the field.
Once you have chosen an attribute, the lower half of the dialog adjusts to the type of information the field
contains.
8. Enter the filter criteria for the attribute.

The Time Stamp attribute enables you to enter a time range.

 Caution

The data for the path is already filtered by the time period of the workspace. When setting a time stamp
for a subset in the path, make sure that its time range lies within the time period of the forensic
workspace. If the time range of a subset is wider than the period defined for the forensic workspace, you get
data only for the time period set for the forensic workspace. If a subset uses an absolute time range that
does not overlap with the time period of the workspace, no data is found.

Most attributes offer you Operator and Value fields.

Operators for Defining the Values in Subsets

Operator         Description

=                Allows a single value.

LIKE             Accepts wildcards:
                 • Underscore (_) for a single character
                 • Asterisk (*) or percent (%) for any character string
                 Note: The entry is case-sensitive.

IN               Hold down CTRL to select more than one value from the displayed list of values.

LIKE_REGEXPR     Enter regular expressions to filter the data. For more information, see the documentation
                 on SQL functions in SAP HANA on SAP Help Portal under LIKE_REGEXPR Function (String).

IN VALUE LIST    Hold down CTRL to select more than one value list from the displayed list of value lists.

IS_NULL          Filters for null values. If you mark the Excluded checkbox, you filter for all values that
                 are not null (that is, only for events where the attribute is filled).

Specify whether the values should be read from the incoming logs or from the logs available in the
knowledge base. This option is only available if you have selected the field Event (Semantic) or Event, Log
Types.

You can also select the Reference option to filter the current subset on the results of a subset in another
path. If the subset is based on the timestamp field, you can use all the operators <, <=, >, and >=. In this
case, you can choose between the following two options to filter for events that correspond to a specific
time sequence:
• If all comparisons are true: You can for example use this option if you want to filter for those events that
came after the last alert of some pattern. In this case, only events that are later than this last alert are
taken into account.
• If at least one comparison is true: You can for example use this option if you want to make sure that at
least one event in the referenced subset has an earlier timestamp than the ones you want to filter for.
This way you can for example filter for events where a user has started transaction PA30, has entered
debug mode and then has chosen Save afterwards.

If you want to compare fields within one log, you can choose the Self-Reference option. For more
information, see Adding Subsets That Use Self-Reference [page 78].

To eliminate entries that match the filter, set the Excluded checkbox.

9. Save your entries.

Results

The subset shows the number of results found after applying the filter you just defined. If you do not like the
results, choose (Subset-related actions) and choose Edit to change the filter criteria.

To reorder a subset in a path, choose (Subset-related actions) and choose Move Up or Move Down.

From the results, you can also create a visualization.

For more information, see Visualizing Subsets [page 80].

 Note

In paths for events, you can also create an attack detection pattern for generating alerts.

For more information, see Creating Pattern Configurations [page 92].

Example

Imagine you want to know if anyone has changed a variable during a debugging session in a system in the last
hour.

1. In a new path, add a filter on the field Time Stamp and a time range of the last hour.
2. Add a filter on the semantic attribute Event (semantic) with operator IN and select User, Debug, and
Variable, Alter.

Next Steps

From the results, you can create a case file. To do so, choose Open Case File from the dropdown menu for the
events or subset.

 Note

You can only create a case file if the subset contains less than 100 events.

7.5.1 Adding Subsets That Use Self-Reference

There might be use cases where you want the system to compare different fields within one log and filter the
data based on this comparison.

Context

You might for example need a pattern that issues an alert once a user who is not an administrator changes
another user's password using a self-service. To identify that the acting user is the same as the targeted user in
the same log, the pattern needs to be able to compare different fields within the same log. To achieve this, you
can use the Self-Reference option in the subset selection.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Forensic Lab.


2. Open an existing forensic workspace or create a new one.
3. To create a new path, choose Add Path.
4. In the path, choose Add new subset.

The Subset Selection dialog appears.


5. Under Field, choose the attribute to create a filter on.
6. Select the Self-Reference radio button.
7. Optional: Choose a different operator to define the relation between the fields.
8. Specify the referenced field.
9. Click OK.

Results

The system adds the subset to the path.

Example

For the mentioned use case where the pattern issues an alert once a user who is not an administrator changes
another user's password, you would enter the following:

Field: Account Name Pseudonym, Initiating

Self-Reference radio button is selected

Operator: =

Referenced Field: Account Name Pseudonym, Targeted

With these entries, the system would compare the attributes that you have specified under Field and
Referenced Field and filter for logs where the targeted user is the same as the acting user.
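As an added example (not SAP's code and not part of the product), the following Python model shows how the subsets in a path filter each other: it uses the operators from the table in Adding Paths and Subsets, the Self-Reference subset described above, and a Reference subset with the "all comparisons are true" option, and it applies the workspace time period first. The event records and their values, the event name "User Admin, Password Change", and the helper names are constructed; it assumes that a Reference compares the same attribute on both sides.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Any, Dict, Iterable, List, Optional

# Comparison operators usable against a literal, in Reference subsets and in Self-Reference subsets
COMPARE = {"=": lambda a, b: a == b, "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
           ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


def like_to_regex(pattern: str) -> str:
    """LIKE wildcards: '_' matches one character, '*' or '%' any character string (case-sensitive)."""
    return "".join("." if ch == "_" else ".*" if ch in "*%" else re.escape(ch) for ch in pattern)


@dataclass
class Subset:
    field: str
    operator: str = "="
    value: Any = None                        # literal, IN list, value-list names, or a regular expression
    excluded: bool = False                   # the Excluded checkbox inverts the match
    ref_field: Optional[str] = None          # Self-Reference: compare with another field of the same log
    reference: Optional[List[dict]] = None   # Reference: result of a subset from another path
    all_comparisons: bool = True             # Reference: True = "all comparisons true", False = "at least one"

    def matches(self, event: dict, value_lists: Dict[str, set]) -> bool:
        v = event.get(self.field)
        if self.ref_field is not None:       # Self-Reference, e.g. Initiating = Targeted
            other = event.get(self.ref_field)
            hit = v is not None and other is not None and COMPARE[self.operator](v, other)
        elif self.reference is not None:     # Reference; assumption: the same attribute on both sides
            others = [r.get(self.field) for r in self.reference if r.get(self.field) is not None]
            checks = [COMPARE[self.operator](v, o) for o in others] if v is not None else []
            hit = bool(checks) and (all(checks) if self.all_comparisons else any(checks))
        elif self.operator == "IS_NULL":
            hit = v is None
        elif v is None:                      # a missing attribute never matches a value filter
            hit = False
        elif self.operator in COMPARE:
            hit = COMPARE[self.operator](v, self.value)
        elif self.operator == "IN":
            hit = v in self.value
        elif self.operator == "IN VALUE LIST":
            hit = any(v in value_lists.get(name, ()) for name in self.value)
        elif self.operator == "LIKE":
            hit = re.fullmatch(like_to_regex(self.value), str(v)) is not None
        elif self.operator == "LIKE_REGEXPR":
            hit = re.search(self.value, str(v)) is not None
        else:
            raise ValueError("unsupported operator: " + self.operator)
        return hit != self.excluded


def evaluate_path(subsets: Iterable[Subset], events: Iterable[dict], window: Optional[tuple] = None,
                  value_lists: Optional[Dict[str, set]] = None) -> List[dict]:
    """Apply the workspace time period first, then every subset in turn (the default AND chaining)."""
    result = list(events)
    if window is not None:                   # a subset range outside this period therefore finds nothing
        result = [e for e in result if window[0] <= e["Time Stamp"] <= window[1]]
    for subset in subsets:
        result = [e for e in result if subset.matches(e, value_lists or {})]
    return result


# Constructed sample log events: attribute names follow the guide, all values are made up
T0 = datetime(2023, 3, 21, 9, 0)
INIT, TARGET = "Account Name Pseudonym, Initiating", "Account Name Pseudonym, Targeted"

def _ev(i, minutes, name, system, initiating, targeted=None):
    return {"Id": i, "Time Stamp": T0 + timedelta(minutes=minutes), "Event (Semantic)": name,
            "System ID, Role": system, INIT: initiating, TARGET: targeted}

EVENTS = [
    _ev(1, 5, "User, Logon", "PRD", "U1"),
    _ev(2, 20, "User, Debug", "PRD", "U2"),
    _ev(3, 25, "Variable, Alter", "PRD", "U2"),
    _ev(4, 30, "User Admin, Password Change", "DEV", "U3", "U3"),   # constructed event name
    _ev(5, 40, "User Admin, Password Change", "DEV", "U3", "U4"),
    _ev(6, -120, "Variable, Alter", "PRD", "U5"),                   # outside the workspace period
]
WINDOW = (T0, T0 + timedelta(hours=1))       # the workspace's default time period (one hour)


def debug_variable_changes() -> List[int]:
    """Guide's example: variables altered in a debugging session within the workspace period."""
    path = [Subset("Time Stamp", ">=", T0),
            Subset("Event (Semantic)", "IN", ["User, Debug", "Variable, Alter"])]
    return [e["Id"] for e in evaluate_path(path, EVENTS, WINDOW)]     # -> [2, 3]


def self_service_password_changes() -> List[int]:
    """Guide's Self-Reference example: the acting user is also the targeted user of the same log."""
    path = [Subset(INIT, "=", ref_field=TARGET)]
    return [e["Id"] for e in evaluate_path(path, EVENTS, WINDOW)]     # -> [4]


def events_after_last_debug() -> List[int]:
    """Reference with 'all comparisons true': only events later than every User, Debug event."""
    debug_path = evaluate_path([Subset("Event (Semantic)", "=", "User, Debug")], EVENTS, WINDOW)
    path = [Subset("Time Stamp", ">", reference=debug_path)]
    return [e["Id"] for e in evaluate_path(path, EVENTS, WINDOW)]     # -> [3, 4, 5]
```

Event 6 lies outside the workspace period and is therefore never returned, regardless of the subset filters, which is the behaviour the Caution above describes.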

7.5.2 Using the Bubble Diagram

In forensic lab, a bubble diagram displays the attributes of events, alerts, and health checks in the subset with a
focus on their diversity. It is a helpful tool for creating charts and attack detection patterns.

Context

The bubble diagram shows the diversity of the events, alerts, and health checks with bubbles, where each
bubble is an attribute. A bubble's size indicates its relevance with respect to filtering of the data. A large bubble
means that the variety of the values within the attribute is rather small. The bigger the variety of values within
one attribute, the smaller the bubble. For example, if the attribute is an ID, the variety of values is big and the
bubble small. You will probably not want to filter according to such an attribute.

All colored bubbles can be used to filter. If the bubble is gray, it means that the attribute has only one value, and
it does not make sense to add it as a filter. When you click a bubble, it moves directly to the subset on the left.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Forensic Lab.


2. Open an existing forensic workspace or create a new one.

3. Choose the (Open Bubble Diagram) icon.


4. Choose a bubble.

If you click a bubble, it moves to the middle of the diagram. You can then see the individual values of the
attribute in the outer circle of the bubble.
5. Choose one attribute value to add it to the path as a filter.

You can invert the values of the attribute by clicking the middle of the attribute bubble.

The new subset is displayed. You can now add further filters.

7.6 Visualizing Subsets

Subsets only provide the number of entries to which the filter applies. Visualizing subsets enables you to gain
insights and draw conclusions from the data filtered by the subset.

Context

A forensic workspace consists of two panes. On the left side, you can filter the data; on the right side, you see a
visual representation of the filtered data.

When you open a workspace in forensic lab, the system loads the counts, charts and patterns for the first
subset of path 1. For performance reasons, the counts and data for additional subsets and paths are not loaded
right away.

To load the counts and data for all paths and subsets of the workspace, choose Refresh.

To load the counts and data for a specific subset and all subsets above the selected subset, choose (Display
the distribution) for the subset.

To load the counts and data for a specific path, choose (Refresh current path data) next to the path name.
The date under the path name indicates the last update. If you update a path that contains reference subsets,
the system also loads the counts in the parent path of the reference subset.

Fields of the charts are predefined depending on the browsing context you have chosen. You can also change a
field of a chart. By default, the data in a chart legend is sorted in descending order. If the legend contains a lot
of data, some of it may not be visible in the chart. By choosing Invert in the middle of the chart, the legend is
rearranged in ascending order. As a result, the data with small values appears at the top of the legend list and
becomes visible in the chart. To switch back to the initial chart representation, choose Revert.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Forensic Lab.


2. Open an existing forensic workspace.

For more information, see Creating Forensic Workspaces [page 74].


3. Select a chart and choose the dropdown menu to the right of the number for the relevant subset.

 Note

If charts are available in the workspace, and they have the same browsing context as the path you are
working in, you can add the filtered data of the subset to these charts.

Choose the dropdown menu to the right of the number for the subset, then choose Add to Chart and
select a chart from the list of available charts.

4. Choose Create Chart.


The chart appears in the visualization pane.
5. Configure the Y-axis of the chart.

Choose Edit measurement definition and choose from the various fields available in the database.

To ensure that the field used to count the measure is used only to count each unique occurrence within
that field, set the Distinct checkbox.

Save your entries.

You can also compare the data in the chart with the historical data. To do so, choose Add reference
measurement and define the time for the data you want to use for the comparison.
6. Configure the X-axis of the chart.
Choose Append group by field and choose from the various fields available in the database. You can add
more than one field.

Results

The created chart is added to your forensic workspace. You can publish or delete your chart, rename it, add a
description to it, or display it in different chart types.

Example

For the events that occurred in the last hour, you want to visualize the events with users and in which system
they occur. Set Y-axis to <User Pseudonym> and X-axis to <System ID, Role>. The resulting visualization
appears in the figure below.

Visualization of User Pseudonyms by System ID

To see how many individual users had events in those systems, rather than the number of events, set the
Distinct checkbox. In this case, a user with multiple events in the system will be counted once. The resulting
visualization appears in the figure below.

Visualization of Distinct User Pseudonyms by System ID

Now you want to see how the situation during the last hour differs from the situation during the same hour
yesterday. For the X-axis, choose the Starting Time of Comparison of one day. For each system, there are now
two bars: one with the number of users in the system for the current hour and the other with the data for the
same hour yesterday. The following figure shows the result.

Visualization of Comparison of Today's Data with Historical Data

7.6.1 Viewing the Log Data of a Subset

You can view the log data to get detailed information on data filtered in a subset and save it for further
investigations.

Prerequisites

It is also possible to view the original log data of a subset and search the data. As the
original data contains user information that is not pseudonymized, you need a user with the role
sap.secmon.db::EtdResolveUser to view the original log data. If you have sufficient authorization, proceed
as described below. In the context menu of the subset, the option Original Data is offered. You can then choose
Filter and search the data.

 Note

The original log data is not stored for indicators.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Forensic Lab.


2. Open an existing forensic workspace.

For more information, see Creating Forensic Workspaces [page 74].

3. Select a chart and choose the dropdown menu to the right of the number for the relevant subset.
4. Choose Original Data.

Results

The log data appears in the visualization pane. To personalize the table of entries, choose (Personalize).

You can download the data as ZIP file.

7.6.2 Viewing an Alert Graph

In the alert graph, you can see how filtered alerts are distributed among systems, terminals, patterns, and
users.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Forensic Lab.


2. Open an existing forensic workspace.

For more information, see Creating Forensic Workspaces [page 74].

 Note

This option is only available for subsets in the paths with the alerts as a selected browsing context. For
more information, see Adding Paths and Subsets [page 75].

3. Select a chart and choose Subset-related actions.


4. Choose Alert Graph.

For more information about the alert graph, see Examining the Threat Situation [page 115]

7.6.3 Sharing Snapshots of Charts

If you find a chart that might be worth investigating closer, you can create a snapshot, add comments, and
share it with colleagues.

Prerequisites

The chart has been shared.

Context

When browsing log data in forensic lab, you might find suspicious activities in your system landscape that you
want to discuss with someone else. Or you might have to create a report about potential threats for a manager
and would like to attach some charts. Instead of making a screenshot, you can create snapshots of charts and
add them to a snapshot page. This snapshot page then serves as an interactive platform for discussing the
charts.

A snapshot page is a collection of snapshots that belong together, with a title and detailed descriptions or
comments. Every page has a unique URL. A snapshot contains a single chart and comments. For example, you
can include snapshots of charts from a snapshot page that document a potential threat or attack. Then you
can add multiple charts representing similar time ranges with different starting time stamps for comparison.
The snapshots in a snapshot page can be used to judge how serious a situation is. You can add the snapshot
page to an existing investigation or create a new investigation using this snapshot. You can then save the
snapshot pages for further investigations or use them as evidence later.

Procedure

1. Make sure the chart that you want to share as a snapshot is shared.

If it is not shared, select the Shared checkbox in the forensic workspace and choose Save or Save as.

2. Choose at the top of the chart.


3. To create a new snapshot page, choose the plus icon.
4. Add the snapshot to a snapshot page.

Either type in the name of your snapshot page to search for it or select one from the list.
5. Save your entries and either open the snapshot page or go back.

7.7 Moving Patterns to Other Workspaces

You can restructure your set of workspaces in forensic lab by reassigning charts and patterns to existing or new
workspaces. This way you can combine patterns and charts in the same workspace or divide workspaces into a
larger number of smaller workspaces.

Procedure

1. Open the Forensic Lab app from the SAP Enterprise Threat Detection launchpad.
2. Open the workspace that contains the pattern you want to move.
3. Select the pattern that you want to move.

4. Choose (Move pattern).
5. In the selection dialog, perform one of the following steps to select the target workspace for the pattern:

• Select one of the listed existing workspaces as target workspace and choose OK.

• Create a new workspace and select it as target workspace. To do so, choose (Create new
workspace) in the upper left corner of the selection dialog. Enter a name and choose a namespace
for the new workspace, then choose OK.

Results

The system deletes the pattern from the source workspace and moves it to the selected target workspace. The
system displays the target workspace with the added pattern.

8 Defining Namespaces

We use namespaces to keep software objects created by SAP separate from software objects created by our
customers. This enables you to share objects between systems without the danger of them overwriting each
other.

Prerequisites

You have decided on a namespace for your configurations and developments. All namespaces must begin with
http://.

 Recommendation

We recommend using your company domain as the namespace and creating any subdomains as required;
for example, http://company_domain/subdomain.

Context

The namespace for SAP Enterprise Threat Detection is http://sap.com/secmon. Other SAP products
can deliver content for SAP Enterprise Threat Detection under the SAP namespace http://sap.com/
<product_namespace>. Anything under this namespace is reserved for SAP and can be overwritten in future
upgrades or releases.

Procedure

1. From the SAP Enterprise Threat Detection launchpad, choose Namespaces.


2. Choose Add Namespace.
3. Enter the required data.
4. Save your entries.

Results

The namespaces saved here are considered native to this system. You can change objects in these
namespaces as you require. If you export objects from these namespaces and import them into another
system, they cannot be changed unless the namespace under which they were created is also added to the
system.

Objects protected by namespaces include the following:

• Value lists
• Values within value lists
• Knowledge base entries
• Patterns

 Note

Patterns have runtime attributes that you can configure without changing the underlying pattern.

9 Attack Detection Patterns

Attack detection patterns are configurable specifications of how to analyze events to detect a possible attack.
When the conditions in the pattern are met, such as the combination or frequency of specific events that occur,
SAP Enterprise Threat Detection generates an alert.

SAP Enterprise Threat Detection provides predefined standard patterns that you can configure in line with your
requirements.

9.1 Best Practices: Pattern Development and Configuration


We have some recommendations for you to save SAP HANA resources and improve performance when
developing and configuring patterns.

Best Practices for Pattern Development

General Hints for Pattern Development

• Keep the number of paths per workspace as low as possible.
• Always fill the workspace and pattern attributes.
• If the log selection for a particular pattern can be achieved by different filter criteria, choose the filter
criteria that reduce the amount of data the most and whose filter operations are the simplest; for example,
use IN instead of LIKE.
• If you want to consider a longer time distance between two events that you want to correlate, you can add
an additional subset to the top of the path that reduces the time range for each single event. The standard
workspaces Standard Users and Authorization Critical Assignment are examples of this practice.

Find a Suitable Time Range for Your Pattern

When you develop a new pattern, make sure it does not consume too many resources. To achieve this, avoid
using wide time ranges for your patterns, especially when using references between two paths with context
Events. What time range is reasonable depends very much on your log amount per second, the system sizing,
the log retention and the system load due to other patterns and activities. We recommend the following
procedure:

1. Start with a very small time range, such as 5 minutes.


2. Add the needed subsets to your pattern and complete the pattern design.
3. Extend the time range to the desired target value.
4. Refresh the workspace and check how long it takes to display the pattern results.
5. If the refresh takes longer than 10 seconds or the pattern results are not displayed at all, redesign your
pattern.

Avoid Expensive Operators When Possible

As the operators LIKE and LIKE_REGEXPR can be resource-intensive, we recommend using the operator IN or
value lists with fixed values where possible.

Avoid Usage of References When Possible

The usage of references can also be very resource-consuming, as the underlying queries use joins, which can be
very expensive when dealing with large data volumes. Therefore, if your designed pattern shows count numbers
over 10,000 (or a different number depending on the hardware and complexity of the query), think about either
removing references from your pattern design or reducing the considered relative time range.

Recommendations for the Use of References

If you cannot avoid using references, the following recommendations can help you optimize your patterns:

• Add additional filters above the subset that uses the reference and thereby reduce the event count of the
subset as much as possible. Use for example an additional filter with the attribute Event, Log Type if the
expected events are only of a certain log type. This usually reduces the number of events significantly. You
can take a look at the normalized data of the referenced subset and check which values are provided in this
event and then add according filters to your path. This way you can describe your scenario as precisely as
possible and thus limit the event count as much as possible.
• If you want to combine the results of two patterns for your target scenario, you can save HANA resources
by starting with the pattern that filters for the less frequent event.

Example

Your target scenario deals with the superposition of two events: the assignment of a specific role
to a user (event User Admin, Privilege, Grant) and the user logon (event User, Logon). In this case,
you should start with the creation of a pattern for the role assignment as this pattern will usually
produce significantly fewer alerts than the one for the user logon. This scenario is also reflected in the
SAP standard patterns: The pattern Critical authorization assignment handles the less frequent event
User Admin, Privilege, Grant and uses the execution output Alert. The pattern Critical authorization
assignment and logon contains a reference from the path that filters for the event User, Logon to the
resulting alerts of the pattern Critical authorization assignment. As the number of alerts is typically
significantly smaller than the number of events, the pattern Critical authorization assignment and logon
consumes fewer HANA resources than a pattern using two paths based on the context Events.

To ensure that the second pattern is executed only once right after the first pattern, make sure to use the
execution type Triggered instead of Scheduled and select the first pattern as the triggering pattern. If you
set the execution type to Scheduled, this would cause unnecessary repetitions of the execution and waste
HANA resources.
In a scenario where events follow one another immediately and automatically, you can also use execution
type Triggered and build a chain of patterns that are executed one after the other. In such a scenario,
where events happen almost simultaneously, we recommend starting with the pattern that handles the most
unlikely event to ensure that the execution of subsequent patterns is as rare as possible. Note that this
does not work if one of the subsequent events is caused by manual user interaction, because the manually
caused event may not yet have occurred at the moment the pattern execution is triggered by another
pattern.
If you don't want a pattern to result in an alert, you can also choose Indicator as execution output. This
can be a solution for splitting a pattern scenario into two patterns if there is a need for a reference to
an attribute such as Correlation ID, which is not available in an alert context. The standard pattern Calls
between a non-productive and a productive system is an example of this scenario.

Further Hints for the Use of References

• References cannot be used with the “exclude” operator.
• When using references, keep in mind that references sort out NULL values, so that only non-NULL values
are counted. See the figure below:

• Pay attention to case sensitivity, since the value needs to match exactly (Value != value != VALUE).
• When you are designing patterns in the forensic lab, add the attributes of interest to the Group By list to help
the monitoring agent display all useful information directly in the Alerts UI.
• For LIKE, the star (*) is treated the same as the percent sign (%).

Creating and Correlating Simple Patterns to Cover Complex Scenarios

If you have a complicated scenario that requires several paths, it is often a good idea to break it down into
simpler patterns, each with only two paths, and then correlate these patterns. If your scenario involves more
than two different events, consider creating and correlating two or more patterns instead of creating just one
pattern with three or more paths and correlations between those paths. Start with a pattern that correlates two
paths and then use the results of this pattern in a second pattern to correlate them with a third path, and so
on. You can also use the results of two patterns in a third pattern. An example of this is the pattern Critical
authorization assignment per debugging, which is built using the results of the patterns Debugging
with change of variable values during debugging and Critical authorization assignment.

Best Practices for Pattern Configuration

Choose a Reasonable Ratio between Pattern Execution Frequency and Relative Time Range

Pay attention to the relation between pattern execution frequency and relative time range. We recommend that
you choose the execution interval so that it is at most half of the associated time range. For example, a pattern
with a relative time range of 20 minutes should be executed at most every 10 minutes and not more often.

Use the Pattern Execution Mode "Triggered" Only for Very Rare Events

For very rare events use the mode Triggered for pattern execution instead of Scheduled. Thus, such a pattern
will only be executed if a suitable event is persisted in SAP HANA. Do not use the mode Triggered if many
events triggering this pattern occur every hour.

If the UI response time in an SAP Enterprise Threat Detection system suddenly slows down, open the Pattern
Execution app and check which patterns have a high execution runtime and have the status Error. Patterns with
status Error may have allocated more memory than is available or may have run into a timeout. To improve
response time, we recommend focusing on timed-out patterns and patterns with a high execution runtime.

9.2 Creating Pattern Configurations

For attack detection patterns, you create the configurations that you want SAP Enterprise Threat Detection to
use to scan for events that match a particular pattern.

Prerequisites

You have a user with the EtdSecExpert role for SAP Enterprise Threat Detection.

Context

Attack detection patterns can have two different types of output: Indicators or Alerts. Indicators are specially
marked events that do not need to be handled individually. However, they can be used as input for further
patterns, which might help you reduce the number of false positive alerts. If you select Indicator as execution
output, the system only creates an indicator but if you select Alert as execution output, the system creates
both an alert and an indicator. That means that in case an alert is created, the results of the pattern execution
can be found in both contexts, Alerts and Events.

An attack detection pattern configuration enables you to control when and how patterns are run. Some
systems are more important than others. For important systems, you might want to run patterns more often or
give the resulting alerts a higher severity.

SAP Enterprise Threat Detection provides you with a number of predefined patterns that detect potential
attacks. You can adjust the delivered patterns or create new ones that meet your needs. To save your changes
for delivered patterns, save a forensic workspace. There are two possibilities:

• Save
The forensic workspace is overwritten. Your changes will be kept in future updates of the pattern content.
This option is only available if the namespace of the forensic workspace exists in the current system.
You can only change the following parameters:
• Status
• Threshold
• Type of execution, and its frequency or trigger
• Default alert severity
• Criteria for credibility of attack
• Criteria for success of attack
• Save As
In this case, you create a copy of the delivered pattern in your own namespace. Future updates have no
influence on your changes.

Note

None of the charts and patterns in a saved forensic workspace is shared. To share them, set charts and
patterns as shared and choose Save.

To display an overview of the available patterns, choose Patterns from SAP Enterprise Threat Detection
launchpad. From the list of patterns, you can switch to the details of a pattern or view the alerts produced
by it.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Forensic Lab.
2. Open a forensic workspace.
For more information, see Creating Forensic Workspaces [page 74].

Note

You can create patterns from subsets in the paths for events as defined in the browsing context.

3. Click the small arrow to the right of the number of events to open the context menu and select Create
Pattern.
In the right pane, the visualization of the pattern configuration appears. You can rename the pattern and
add a description. The description is helpful for other users to understand the behavior of the pattern.

The displayed pattern and the subset it is created from are highlighted in blue.
4. Specify the execution output.

Choose Alert if you consider these events suspicious enough to require further analysis. Choose Indicator if
you just want to use them as input for further patterns.
5. Determine whether you want the pattern to be active or not.

Tip

We recommend that you initially set the pattern to inactive. After saving, you can test the pattern
configuration and see whether it produces the results you expect. If the configuration performs as
expected, activate the pattern.

6. Configure the Y-axis of the chart.

Under Base Measurement On, first choose one of the fields available in the database, then select the
measurement definition (for example, count).

To count only each unique occurrence of a value within the chosen field, set the Distinct checkbox.

Save your entries.
7. Set the threshold. Note that there are several operators to choose from.

Note

When you change the time frame for the forensic workspace or time stamps within the paths, you
might have to reset the threshold. For example, extending the time period increases the number of
events in it. To avoid a huge number of generated alerts, we recommend setting the threshold higher.

8. Configure the X-axis of the chart.

Choose Append group by field and choose one of the fields available in the database.
9. Choose how the pattern is to be executed.
• Choose Scheduled to set up the frequency of the execution.
Enter the information about how often in minutes the pattern should run with this configuration.
Make sure that the time intervals are included in the time periods for the forensic workspace and for
the subset from which the pattern is created.
• Choose Triggered to define which event or pattern should start the execution of the pattern.
Choose between Event or Pattern to define the kind of trigger. From the second dropdown list, choose
an item that leads to the execution of the pattern. You can add more than one event or pattern by
choosing Add Trigger.
10. (Optional) Enter the default severity of the alerts resulting from the pattern.
An alert severity results from an alert score composed of the following attributes:
• Business significance of the affected system
• The level of the credibility of attack on different aspects of protection
• The level of the success of attack on different aspects of protection
If these attributes are not defined, an alert has the default severity set for the pattern. If you have chosen
Indicator as pattern output, this setting is only for documentation purposes.
11. (Optional) Enter the information about the credibility and success of attack on aspects of protection such
as confidentiality, system integrity, data integrity, and availability.

If you have chosen Indicator as pattern output, this setting is only for documentation purposes.
12. To save your pattern, save your forensic workspace.
Enter the namespace and the name of the workspace.

Results

The created pattern is added to your forensic workspace. You can now share, edit, or delete your pattern.

Note

By default, new patterns are inactive and not shared.

Caution

If the pattern is not shared, it is not available in the list of patterns and cannot be executed even if it is set as
active.

9.2.1 Monitoring the Execution of Patterns

To see what patterns are run in your system and whether the patterns are all running correctly, you can view
the results to investigate causes of problems and errors during the execution process.

Prerequisites

You have a user with the EtdSecExpert role for SAP Enterprise Threat Detection.

Context

Recommendation

To keep your system free of unnecessary data, SAP Enterprise Threat Detection provides
a background job on SAP HANA, which deletes all execution results that are more
than seven days old. We recommend that you configure SAP HANA to run the
sap.secmon.framework.pattern.jobs::patternExecutionResultJob job.

For more information, see the SAP Enterprise Threat Detection Implementation Guide.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Pattern Executions or Pattern Execution Errors
Last 24 Hours.

Note that the Pattern Execution Errors Last 24 Hours view is a filtered view of all pattern executions. You
can change the filter settings or sort the list according to your needs. For example, if you are interested in
pattern executions with unusually long execution times, sort the list by Runtime.
2. To display the alerts generated by a pattern execution, click the relevant row in the list of the pattern
execution results.

This opens the details of the results of a pattern execution. From this screen, you can do the following:
• Edit alerts.
• Open the pattern configuration user interface.
• Start new investigations or add alerts to existing investigations.

Results

Based on what you find, adjust the pattern configuration to generate the results you want.

Next Steps

You can save a list of pattern executions as a separate tile. To do so, filter the list as needed and choose
Save as Tile.

9.2.2 Viewing, Editing, and Testing Patterns

You can run patterns in test mode to reduce the number of alerts.

Prerequisites

You have a user with the EtdSecExpert role for SAP Enterprise Threat Detection.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Patterns.
2. Select the pattern you want to test or edit.

There are many ways to access the Pattern user interface. For example, you can also navigate here from
the Pattern Executions interface or from an investigation.

Please note that you cannot execute anomaly patterns manually from the Patterns table of the launchpad.
This is because statistical data has to be collected via the anomaly pattern job before patterns can be
executed.

Please also note that only shared patterns are displayed here.
3. Choose Edit.
4. You can edit the following:
• Default alert severity
• Status
• Threshold
• Test mode
• Add the pattern to a scenario: You can either select one from the list or type in a new name for a
scenario and press Enter. Scenarios group patterns. You can find an overview of scenarios in the
Anomaly Detection Lab. Anomaly patterns are also grouped in scenarios.
• Upload attachments to the pattern.
5. Choose Save.

Results

Patterns in test mode produce alerts with status No reaction required (Test Result). These alerts are only visible
in the Alerts list. Because no further analysis is required, they are not included on the Monitoring user interface
or in forensic lab.

Next Steps

You can save a list of patterns as a separate tile. To do so, filter the list as needed and choose Save as Tile.

Related Information

Related Indicators [page 97]

9.2.3 Related Indicators

Related indicators for an alert are all the indicators belonging to the same pattern scenario within the alert time
frame.

The Alert Details view includes a Related Indicators entry with a link to the related indicators table. This link is
displayed as a counter showing the number of related indicators.

The related indicators table shows all the related indicators for an alert – in other words, all the indicators
within the alert time frame (+/- indicator time frame) and in the same pattern scenario.

The pattern scenario is the scenario to which the pattern of the alert belongs. You can specify this scenario in
the Pattern Details view. If the pattern is not assigned to a pattern scenario, the related indicators table shows
the indicators of the same pattern.

Let's assume, for example, that the alert time frame is 12/17/18 12:00:00 - 12/17/18 13:00:00 UTC and
the indicator time frame is one hour. In this case, the related indicators table shows indicators in the following
time frame: 12/17/18 11:00:00 - 12/17/18 14:00:00 UTC.

Pattern Details View

You can specify the indicator time frame in the Pattern Details view. If no indicator time frame is specified, no
link to the related indicators table is displayed in the Alert Details view. Instead, a message is shown, prompting
you to configure an indicator time frame.

In the Pattern Details view, you can specify the indicator time frame in the Edit view. You can enter a time frame
of between 1 and 24 hours. You can also use the slider to specify the time frame.

You can update the indicator time frame by pressing the Save button.

Related Indicators Table

In the related indicators table, the indicators are filtered for the patterns belonging to the same pattern
scenario within the defined time frame (alert time frame +/- indicator time frame).

Indicator Details View

When you click on one of the indicators in the list, a details view opens, showing further information on the
indicator.

9.3 Executing Attack Patterns Manually

Context

You can control when and how attack detection patterns are executed by defining an attack detection pattern
configuration. However, you can also execute attack detection patterns manually.

Procedure

1. On the SAP Enterprise Threat Detection launchpad, click the Patterns tile.
2. Select a pattern by setting the checkbox to the left of the relevant pattern name.
3. Click the Execute button at the bottom of the screen.

After the attack detection pattern has been executed, a screen appears showing details of the execution.
In the table in the lower half of this screen, you can select the pattern and start an investigation, add the
pattern to an existing investigation, and edit or analyze the pattern.
4. In the table, click the number in the ID column to display the Alert Details screen, where you can call up
information on related events and related indicators.

9.4 Pattern Postprocessing

If a system is unavailable, and its log events cannot be analyzed immediately, pattern postprocessing enables
the missing logs to be processed at a later time.

Prerequisites

Missing log events must be available.

Pattern postprocessing can be performed only using attack detection patterns that:

• Have the execution output Alert
• Are active
• Do not already have a scheduled postprocessing job

Please note that pattern postprocessing cannot be performed using anomaly detection patterns.

The Schedule button in the Patterns view is enabled for patterns that satisfy these criteria.

Context

Pattern postprocessing allows you to execute patterns for defined periods in the past. This enables you to
cover periods during which log events were unavailable – for example, because of a temporary server outage.

Procedure

1. On the SAP Enterprise Threat Detection launchpad, launch the Patterns app (for example, by clicking the
Patterns tile).
2. Select the desired pattern by setting the checkbox to the left of the pattern name.
3. Next, click the Schedule button at the bottom of the screen.

The Schedule Pattern Postprocessing dialog is displayed.
4. Specify the period during which the log event outage occurred by entering the relevant dates and times
in the From and To fields. You must enter the date (mandatory entry); the time is optional. If you do not
specify a time, the system automatically enters midnight.
5. Click Submit to schedule pattern postprocessing.

After you submit, the system adds the scheduled postprocessing time range to the pattern information.

Results

Any alerts triggered by pattern postprocessing are displayed in the Alerts application in the usual way. You can
also view new alerts by opening the Patterns app, clicking on the name of a pattern, and clicking the number of
Open Alerts on the screen that is then displayed.

If an alert is triggered within a time range for which a pattern has already been executed, a new alert is not
generated because the alert is already available. This avoids duplicate alerts.

Patterns executed by a postprocessing job can also be viewed in the Pattern Executions app, where they
have the entry Postprocessing Job in the Execution column. In the pattern execution information under
Postprocessing Timerange, you can see the period for which postprocessing was already executed.

10 Searching All Logs with Sherlog Search

In addition to the normalized logs, SAP Enterprise Threat Detection saves the original logs to a database.
Incoming logs that cannot be normalized because they have not been processed in the Log Learning
application are saved as unrecognized logs. Sherlog Search allows you to perform free text searches across
original (recognized) and unrecognized logs.

Prerequisites

To view recognized logs in Sherlog, you need the privilege sap.secmon::OriginalLogRead. To
view unrecognized logs, you need the privilege sap.secmon::UnrecognizedLogRead. To process
unrecognized logs (in other words, to start a new log learning run), you need the privilege
sap.secmon::LogLearningWrite.

Context

Note

Because Sherlog searches all the logs available, the search may take a considerable time. Any logs that
match the search keys are displayed as soon as they are found while the search continues in background.
We therefore recommend that you use Sherlog for asynchronous search tasks.

Sherlog is intended for free searches where you know neither the mapping of log parts to semantic
attributes nor the time frame within which the information you are searching for is likely to lie. If you can
confine your search to a particular time range in the past, then it is faster to search original (recognized) or
normalized logs in the forensic lab.

SAP Enterprise Threat Detection normalizes logs by assigning semantic events and attributes to the individual
log entries. This enables logs from different sources to be easily correlated. In the forensic lab, you can filter
and search these normalized logs using semantic attributes and create attack detection patterns based on the
filter criteria you have applied so that alerts are created when these criteria are met.

SAP Enterprise Threat Detection keeps a reference from each normalized log entry to the corresponding
original entry in the form of the semantic attribute Event, Original Message. This attribute contains
the original log entry. If you want to create a pattern based on specific information that you know is in the
original data, but you are unsure of the associated semantic attributes, you may be tempted to use the Event,
Original Message attribute. However, executing a pattern of this kind takes a long time and consumes a lot
of resources, so we do not recommend this. Instead, you should use Sherlog Search. For a detailed procedure,
see Creating an Attack Detection Pattern Based on Sherlog Search Results [page 103].

Procedure

1. Choose the Sherlog Search tile on the launchpad of SAP Enterprise Threat Detection.
2. (Optional) Choose the Settings button to specify the following:
• Make the search case sensitive.
• Display the results sorted by ascending or descending timestamps.
• Change the timeout setting for the search request.
3. (Optional) Include additional filters using the various filter boxes:
• Log Type: All Logs, Recognized (Original) Logs, or Unrecognized Logs.
• Storage Type: Search only in the warm storage or in both hot and warm storage.
Note: If you select Hot and Warm Storage, the search is executed in the hot storage, the warm storage,
or in both. This depends on the search period and on the retention periods for the hot storage. You can
look up the retention periods for recognized and unrecognized logs in the settings dialog.
Be aware that if you select Warm Storage, your search period cannot be longer than one day. If you
select the storage type Warm Storage together with a search period longer than one day, an error
message will be displayed when you choose the Go button.
• Log Collector IP-Address
• Log Collector Name
• Log Collector Port
• Source Id
• Event Log Type (only for all logs or recognized logs)
• Source Type (only for all logs or recognized logs)
• Reason (only for all logs or unrecognized logs)
4. Enter one or more search terms and choose Go.

If you want to show SQL statements, you have to activate debug mode by adding the parameter
sap-etd-debug=true to the URL of the Sherlog app.

The search results are displayed. The number of logs is displayed in the table header. The padlock symbol
in the table differentiates the two types, with a closed padlock denoting recognized (original) logs and an
open padlock indicating unrecognized logs.
5. (Optional) If an error occurs during the search, a message box appears. If a timeout error occurs, decrease
the duration of the search period or increase the request timeout in the settings dialog.
6. (Optional) Choose the download button. This will download the complete result set as a CSV file.

Note: Only the columns that are visible in the search result table are downloaded. If you have not yet
scrolled all the way down the screen, the table may not contain all the logs in the result set.

7. (Optional) Choose the personalization button to open the personalization dialog. Here you can show or
hide columns by selecting or deselecting the relevant checkbox.
8. Select one or more log entries from the results and choose Process. Note that you can select only one type
of log entry, either from original or from unrecognized logs.

If you have selected entries from unrecognized logs, a dialog opens to create a new run for log learning
using the selected log entries. For more information, see the section about log learning, especially Loading
Sample Logs.

If you have selected original logs, the Process Logs dialog box opens up. You can choose Process in Case
File to jump to the Case Files view or Process in the Forensic Lab to open up the forensic lab with a new
workspace that filters the normalized logs for Event and Log Ids in accordance with your search
results in Sherlog. The time range is copied from the log entries you have selected.

Note

If you want to use a role-independent attribute as filter for the new workspace in forensic lab, select the
checkbox and choose a value from the list.

Related Information

Loading Sample Logs
Log Learning

10.1 Creating an Attack Detection Pattern Based on Sherlog Search Results

Search the original log files for specific key words and then look at these results in the forensic lab. This enables
you to correlate logs without deeper knowledge of the semantic events and attributes in SAP Enterprise Threat
Detection.

Context

Sherlog displays your selected search results in the forensic lab application, enabling analysis of this log data in
its normalized form.

Let's say you want to search for logs that log a fail write file action, but you do not know the corresponding
semantic attributes that you would have to look for in the forensic lab. The following procedure shows how you
can leverage Sherlog Search to filter logs and transfer these filters to forensic lab for further analysis and to
create an attack detection pattern.

Procedure

1. Access Sherlog Search through the tile on the launchpad of SAP Enterprise Threat Detection.
2. Limit your search to Original Logs by choosing the Settings icon and setting the filter to recognized
logs.
3. Type in fail write and start the search, just as you would do in an Internet search engine.

4. Refine the search results by adding the term file.

To highlight the search terms in the results, make use of the text search function of your browser (usually
available via the shortcut CTRL + F ). Highlighting the terms makes it easy for you to scan the individual
log entries and decide whether they are relevant for you or not.
5. Now go through the list of search results, select the ones that seem most suitable and choose Process.

The Forensic Lab application is opened with the same filter criteria and for the time range spanning the
selected log entries.

6. In the Forensic Lab, choose the (Open bubble diagram) icon.

As you see in the image, each keyword is added as a separate filter on the original log data that is saved as
the Event, Original Message attribute corresponding to the normalized data that you usually use for search
and building patterns in the Forensic Lab. To the right of the path, you see the distribution of semantic
attributes in the bubble diagram.

The gray bubbles represent semantic attributes that have the same value for each log entry. This means
that we can add these attributes as filters without affecting the result.
7. Select the gray bubble with the Event Code attribute. When you hover over the bubble, you see that all log
entries have the distinct value R4F. Add it as a filter.
8. Look at other gray bubbles to find a suitable one. For example, take Event, Severity Code. The value that all
log entries share in this semantic attribute is ERROR. Add this as a filter as well.

As expected, the result has not changed. The path now has two filters on normalized logs and three filters
on raw log data. These filters are redundant.
9. Delete the filters on raw log data.

The result should stay the same. If the result were different, you would have to add further gray bubbles
(semantic attributes with one shared value across all log entries of the result) to the path until it is.

This procedure translates filter criteria on original log data into semantic filters on normalized log data.
Without a good understanding of the semantic events and attributes of SAP Enterprise Threat Detection,
it would be difficult to find out that the semantic attributes Event Code and Event, Severity Code with the
values R4F and ERROR select exactly the log entries that record failed file write actions. Now that these
filters are set, we can create an attack detection pattern.
10. Adjust the time range to a dynamic one, such as Last 10 Minutes and create a pattern that raises an alert
for such fail write file actions.
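The translation carried out in steps 6 to 9 can be checked mechanically. The following Python script is an added example and is not part of this guide or of SAP Enterprise Threat Detection: it runs a keyword search over a handful of constructed normalized events, computes the gray bubbles (attributes with one shared value across the result), replaces the keyword filters by semantic filters on the attributes you pick, and reports whether the semantic filters match anything the keywords did not. The event records, every value in them, and the attribute names other than Event Code, Event, Severity Code and Event, Original Message are assumptions made for this illustration.

```python
"""Added example, not from the SAP guide: reproduce the "gray bubble"
reasoning of the Sherlog Search procedure on constructed data.

All events below are constructed. Attribute names follow the guide for
Event Code, Event, Severity Code and Event, Original Message; the other
attribute names and every value are assumptions.
"""

ORIGINAL = "Event, Original Message"

# Constructed normalized events. The first three are the "fail write file"
# entries a Sherlog search would surface; the rest are decoys that share
# some, but not all, of their keywords or semantic attribute values.
EVENTS = [
    {"Event Code": "R4F", "Event, Severity Code": "ERROR",
     "Event, Log Type": "Security Audit Log", "System ID, Actor": "PRD",
     "User Account, Acting": "ALICE",
     ORIGINAL: "R4F Fail write file /usr/sap/PRD/D00/work/export.dat"},
    {"Event Code": "R4F", "Event, Severity Code": "ERROR",
     "Event, Log Type": "Security Audit Log", "System ID, Actor": "QAS",
     "User Account, Acting": "BOB",
     ORIGINAL: "R4F Fail write file /tmp/payroll.csv"},
    {"Event Code": "R4F", "Event, Severity Code": "ERROR",
     "Event, Log Type": "Security Audit Log", "System ID, Actor": "PRD",
     "User Account, Acting": "BOB",
     ORIGINAL: "R4F Fail write file /usr/sap/trans/data/R900123.PRD"},
    {"Event Code": "R4E", "Event, Severity Code": "ERROR",
     "Event, Log Type": "Security Audit Log", "System ID, Actor": "PRD",
     "User Account, Acting": "ALICE",
     ORIGINAL: "R4E Fail read file /usr/sap/PRD/SYS/profile/DEFAULT.PFL"},
    {"Event Code": "AU2", "Event, Severity Code": "ERROR",
     "Event, Log Type": "Security Audit Log", "System ID, Actor": "PRD",
     "User Account, Acting": "MALLORY",
     ORIGINAL: "AU2 Logon failed (reason=1, type=A)"},
]


def keyword_filter(events, keywords):
    """Sherlog-style search: every keyword must occur in the original
    message (case-insensitive substring match, one filter per keyword)."""
    wanted = [k.lower() for k in keywords]
    return [e for e in events
            if all(k in e[ORIGINAL].lower() for k in wanted)]


def gray_bubbles(events, exclude=(ORIGINAL,)):
    """Attributes whose value is identical in every event of the current
    result (the gray bubbles of the bubble diagram). Adding any of them as
    a filter cannot shrink the result. Returns {attribute: shared value}."""
    if not events:
        return {}
    shared = {}
    for attr in events[0]:
        if attr in exclude:
            continue
        values = {e.get(attr) for e in events}
        if len(values) == 1:
            shared[attr] = values.pop()
    return shared


def semantic_filter(events, criteria):
    """Filter on normalized attributes only, no raw-text matching."""
    return [e for e in events
            if all(e.get(a) == v for a, v in criteria.items())]


def translate(events, keywords, chosen):
    """Replace the keyword filters by semantic filters on the chosen gray
    bubbles. Returns (criteria, extra), where extra lists the events the
    semantic filters match but the keywords did not. A non-empty extra
    means the chosen attributes are not specific enough and further gray
    bubbles have to be added, as step 9 of the procedure describes."""
    raw = keyword_filter(events, keywords)
    shared = gray_bubbles(raw)
    missing = [a for a in chosen if a not in shared]
    if missing:
        raise ValueError(f"not constant across the result: {missing}")
    criteria = {a: shared[a] for a in chosen}
    extra = [e for e in semantic_filter(events, criteria) if e not in raw]
    return criteria, extra


if __name__ == "__main__":
    crit, extra = translate(EVENTS, ("fail", "write", "file"),
                            ("Event Code", "Event, Severity Code"))
    print("semantic filters:", crit)
    print("events matched only by the semantic filters:", len(extra))
```

Picking only Event, Severity Code leaves two decoy events in the result, which is the situation in which the procedure tells you to add more gray bubbles; picking Event Code and Event, Severity Code reproduces the keyword result exactly, and the raw-text filters can be dropped.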

11 Value Lists

You can use value lists to create long lists of data to use in subset configurations. For example, you might want
to create a list of production systems to use in an attack detection pattern.

Value lists are a useful option to filter data in the workspaces of forensic lab and they play an important role in
many pattern configurations.

In the Value Lists app, you can find the available value lists that are part of the attack detection patterns
delivered by SAP. For many of the delivered patterns, you have to fill the value lists with your specific values
before the patterns can generate alerts. In the Value Lists app, you can also define new value lists and use them
for subset configuration when browsing events and alerts or creating new patterns.

To prepare new value lists or enhance existing ones, you can add single values, enter values from past
events, or upload values from a text file. Using the export feature, you can also share value lists between
SAP Enterprise Threat Detection systems or download a value list for offline editing. Besides filling list values
manually, you can use the automated update function to fill values automatically from external sources.

11.1 Preparing Value Lists

A value list makes it easier to configure subsets when browsing events and alerts and creating patterns.

Prerequisites

• You have a user with the EtdSecExpert role for SAP Enterprise Threat Detection.
• To upload a list of values, you have created a comma-separated value (CSV) file with entries separated by
line breaks or exported a value list from another SAP Enterprise Threat Detection system.
For more information, see Exporting Value Lists [page 108].

Context

Use a value list to create long lists of data to use in subset configurations. For example, create a list of
production systems to use in a debugging detection pattern.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Value Lists.


2. Choose New.
3. Enter the namespace, name, and description.

Caution

Do not use the SAP namespace: http://sap.com/<any_subdomains>. We reserve the right to overwrite any
content in the SAP domain.

4. Enter single values, enter values from past events, or upload values from a text file.

Option Description

Single values Choose Add and enter a value.

The EQUALS operator allows a single value.

The LIKE operator accepts the following wildcards:

• Underscore (_) for exactly one character
• Percent (%) for any character string, including the empty string

The LIKE_REGEXPR operator allows you to enter a regular expression to filter the data.

Values from past events Choose Fill from Events. From the dialog box, choose a field and a time range. Choose Load
and SAP Enterprise Threat Detection enters the values found in this field in the given time range.

Upload from file Choose (Add Values from File). From the dialog box, choose a CSV file containing entries
separated by line breaks.

To continue with the previous example, choose Fill from Events and choose the System field over the last
month. SAP Enterprise Threat Detection enters a list of systems in the value list. You are making a list of
production systems, so remove any non-production systems from the list.

Results

You can use the value list in the configuration of attack detection patterns.

11.2 Exporting Value Lists

Exporting value lists enables you to share such lists between SAP Enterprise Threat Detection systems or
download them for offline editing.

Prerequisites

• You have a user with the EtdSecExpert role for SAP Enterprise Threat Detection.
• You have configured a value list.
For more information, see Preparing Value Lists [page 106].

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Pattern Configuration: Value Lists.
2. Select a value list.

3. Choose (Download Values to CSV file).


4. Save the file.

Results

SAP Enterprise Threat Detection saves the entries of the value list to a comma-separated value (CSV) file with
entries separated by line breaks. Edit this file as required and import the results into a value list.

11.3 Creating Dynamic Value Lists by Filling Value Lists from External Sources

A value list in automated update mode can be filled from external sources automatically.

Context

Besides filling list values manually, you can use the automated update function to fill values automatically from
external sources, such as JSON data.

Procedure

1. From the launchpad, choose the Value Lists tile.


2. Select a value list from the list.
3. Under Update Mode, choose Automated.
4. Copy the update channel URL specified by the system.
5. In your REST client, use this URL to send a PUT request in the following format:

 Code Syntax

{
"version": "1.000",
"namespace": "http://Demo",
"data": [{
"operation": "EQUALS",
"value": "192.168.176.1",
"comment": "Local connection"
},
{
"operation": "LIKE",
"value": "127.%",
"comment": "Local connection"
}]
}

• The version field must be 1.000.
• The namespace must originate in this system. A value list in a foreign namespace cannot be updated
through the channel; update it manually in the Value Lists user interface instead.
• The following operators are allowed as "operation": EQUALS, LIKE, LIKE_REGEXPR.
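The following Python script is an added example, not code delivered by SAP: it builds the update body in the format shown above, checks the three rules listed (version 1.000, no SAP namespace, only the allowed operators), evaluates EQUALS, LIKE and LIKE_REGEXPR locally so that you can verify what a value list entry matches before you upload it, and reads the line-per-entry CSV used by the upload option in Preparing Value Lists and by Exporting Value Lists. Assumptions: the column layout of the exported CSV is not described in this guide, so the first column of each line is taken as the value; the LIKE and LIKE_REGEXPR semantics follow the usual SQL behavior (anchored wildcard pattern, unanchored regular expression search) and are not guaranteed to match the product in every detail; the guide does not state how the update channel authenticates the caller, so send_update() takes the HTTP headers from you.

```python
"""Added example (not SAP code): build, validate and locally evaluate the JSON
body for a value list's automated update channel, and read the one-entry-per-
line CSV used by the export/upload options. See the lead-in for assumptions."""
import csv
import io
import json
import re
import urllib.request

ALLOWED_OPERATIONS = ("EQUALS", "LIKE", "LIKE_REGEXPR")
REQUIRED_VERSION = "1.000"
RESERVED_NAMESPACE = "http://sap.com/"   # reserved for SAP-delivered content


def build_update_payload(namespace, entries):
    """entries: iterable of (operation, value, comment) tuples."""
    data = [{"operation": op, "value": value, "comment": comment}
            for op, value, comment in entries]
    return {"version": REQUIRED_VERSION, "namespace": namespace, "data": data}


def validate_payload(payload):
    """Problems found under the rules in the guide; [] means acceptable."""
    problems = []
    if payload.get("version") != REQUIRED_VERSION:
        problems.append(f"version must be {REQUIRED_VERSION}")
    ns = str(payload.get("namespace", "")).lower()
    if ns.startswith(RESERVED_NAMESPACE) or ns == RESERVED_NAMESPACE.rstrip("/"):
        problems.append("SAP namespace is reserved; SAP may overwrite its content")
    for i, entry in enumerate(payload.get("data", [])):
        op, value = entry.get("operation"), entry.get("value")
        if op not in ALLOWED_OPERATIONS:
            problems.append(f"data[{i}]: unknown operation {op!r}")
        if not isinstance(value, str) or not value:
            problems.append(f"data[{i}]: value must be a non-empty string")
        elif op == "LIKE_REGEXPR":
            try:
                re.compile(value)
            except re.error as exc:
                problems.append(f"data[{i}]: invalid regular expression: {exc}")
    return problems


def like_to_regex(pattern):
    """LIKE pattern to anchored regex: '_' one character, '%' any run
    (including none), everything else literal (assumed SQL semantics)."""
    parts = {"_": ".", "%": ".*"}
    return "^" + "".join(parts.get(ch, re.escape(ch)) for ch in pattern) + "$"


def entry_matches(entry, candidate):
    op, value = entry["operation"], entry["value"]
    if op == "EQUALS":
        return candidate == value
    if op == "LIKE":
        return re.fullmatch(like_to_regex(value), candidate, re.DOTALL) is not None
    if op == "LIKE_REGEXPR":   # assumed: unanchored search; anchor with ^ and $ yourself
        return re.search(value, candidate) is not None
    raise ValueError(f"unsupported operation {op!r}")


def in_value_list(payload, candidate):
    """How a subset filter built on this list would treat the candidate."""
    return any(entry_matches(e, candidate) for e in payload["data"])


def values_from_csv(text):
    """Values from a line-per-entry CSV (assumed: first column is the value;
    blank lines are ignored)."""
    return [row[0].strip() for row in csv.reader(io.StringIO(text))
            if row and row[0].strip()]


def payload_from_csv(namespace, text, comment="imported from CSV"):
    """Turn an exported and edited CSV into EQUALS entries for the channel."""
    return build_update_payload(
        namespace, [("EQUALS", v, comment) for v in values_from_csv(text)])


def send_update(channel_url, payload, headers):
    """PUT the body to the update channel URL copied from the Value Lists app.
    `headers` must carry the authentication your landscape requires (not
    specified in the guide). Not called in this example."""
    problems = validate_payload(payload)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        channel_url, data=json.dumps(payload).encode("utf-8"), method="PUT",
        headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    body = build_update_payload("http://Demo", [
        ("EQUALS", "192.168.176.1", "Local connection"),
        ("LIKE", "127.%", "Local connection"),
        ("LIKE_REGEXPR", r"^10\.20\.[12]\d\.\d+$", "Lab subnets"),
    ])
    print(json.dumps(body, indent=2))
    print(validate_payload(body), in_value_list(body, "127.0.0.1"))
```

Validate before you send: a body with a wrong version or an SAP namespace is rejected locally, and an entry such as ("LIKE", "127.%", ...) can be tested against sample values (127.0.0.1 matches, 10.127.0.1 does not) before it silently widens or narrows a pattern's subset.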

12 Working with a List of Alerts

There are various filters and sorting options for viewing alerts. You can edit alerts, share the alert list with
others, and save the list as separate tile. Also, you can start an investigation for alerts or add alerts to an
existing investigation.

To view alerts, you can choose the Alerts tile on the launchpad, which displays a complete list of alerts.
Alternatively, you can choose the Open Alerts tile to directly access the open alerts from the previous 24 hours
with a very high degree of severity, all of the open alerts from the previous 24 hours, or all open alerts without a
time restriction.

Finding Alerts

You can sort the alert columns by clicking the relevant column header.

The alerts of the previous 24 hours are listed by default.

If you want to filter the results, show the filter bar, select the filter criteria, and choose Go. You can customize
the filter bar by choosing Filters, selecting or deselecting the relevant checkboxes, entering the required
values, and choosing Go. When you remove filter criteria, you also need to choose Go to apply your changes.
(You can also apply the filter directly from the Filters dialog.)

At the top of the list, you see the selected filter criteria for your reference.

By entering an alert ID into the search field, you can go quickly to a particular alert.

Editing Alerts

Select one or more alerts and choose Edit.

If you edit multiple alerts at once, you can change their severity and status.

If you are editing an alert and someone else edits and saves it, when you try to save the alert, the system
displays a message telling you that another user has edited it.

You can refresh the list of alerts by choosing the refresh icon next to the total alerts button.

For more information about editing a single alert, see Working with a Single Alert [page 112].

Alerts and Investigations

Select one or more alerts and choose Start Investigation or Add to Investigation.

You can start a new investigation free-style, or you can choose from a list of investigation templates.
Investigation templates are predefined templates with prefilled values that make it easier for you to start

an investigation. If an investigation template has a specified pattern, it will only be offered for alerts that match
this pattern. Alternatively, you can add alerts to an existing investigation.

If you select a single alert, you can also analyze it in the monitoring app.

For more information about investigations, see Working with a Single Investigation [page 127].

Sharing Alerts

To share the list of alerts with others in an e-mail, choose the envelope at the bottom of the list. The system
creates an e-mail with a link that leads to the filtered list of alerts in the Alerts UI. To prevent sensitive
information from being disclosed, the e-mail does not include the alert messages themselves. Because the
recipients must log on to the user interface to see the alerts, only users with the required authorization
can view them.

Creating Custom Tiles for Filtered Alert Lists

You can specify filter criteria according to which alerts are displayed and then save the resulting list as a new
tile on your launchpad. To create such a custom tile in the home group of your launchpad, filter the list and
choose (Save as Tile).

12.1 Best Practices: Working with Alerts and Investigations

We recommend using investigations so that you benefit from the various features related to investigations.

As a monitoring agent, you typically use the Alerts app as your main application. Using the Alerts tile, you can
show all current alerts sorted by creation time and apply filters as required. We recommend that you observe
the open alerts using the Open Alerts tile. In the list of open alerts, you select related alerts and create a new
investigation for them. If there is already an investigation that relates to an alert, we recommend adding the
alert to the existing investigation. Once the open alerts are assigned to investigations, their status changes and
they disappear from the open alerts list.

By using investigations, you can benefit from the following investigation features:

• You can record the investigation progress using comments, related events, snapshots, case files, or any
other document that can be attached to the investigation.
• You can use the investigation statuses Open, In Process, Completed, Canceled, and On Hold to use the
investigation as a workflow object. This is not possible for alerts, which have only one open status (Open)
and four final statuses that the system sets automatically when the alert is forwarded, exempted,
assigned to an investigation, or created by a pattern in test mode.
• You can print out an investigation report to hand over the investigation to IT forensics authorities.
• You can send an e-mail with a link to a filtered list of investigations.

Related Information

What are Investigations? [page 126]


Working with a List of Investigations [page 125]
Working with a Single Investigation [page 127]

12.2 Working with a Single Alert


An alert is a notification that SAP Enterprise Threat Detection has detected a potential attack.

Context

An alert includes references to the events and the attack detection pattern or the anomaly detection pattern
that led to its creation. After you have analyzed an alert, you can mark it as an attack or a suspected attack and
add it to one or more investigations. If you realize that the alert is not relevant at the moment, you can define an
exemption for a specific period of time.

You access the single Alert user interface by clicking the ID of an alert in the list of alerts. This list is
called by clicking the appropriate tile on the launchpad of SAP Enterprise Threat Detection.

Apart from editing the alert, you have the following options:

• Add to investigation or start an investigation.


For more information, see Working with a Single Investigation [page 127].
• Create an exemption.
For more information, see Exempting Alerts [page 114].
• Analyze
This opens the Monitoring user interface. For more information, see Monitoring the State of the System
Landscape [page 58].

Procedure

1. To edit an alert, choose Edit on the Alerts user interface.


The screen displays basic data about the alert, the pattern it was created by, its status, and information
about the investigations it is assigned to.

The alert score is a number from 0 to 100. The alert severity is derived from the alert score: the higher
the score, the higher the severity. The alert score is based on attributes such as the business significance
of the affected system and the credibility and success of the attack with regard to the protection aspects
that are affected. If these parameters are not defined, the alert score takes the default value set in the
pattern configuration that led to its creation.

If an alert was created from an anomaly, the Alert user interface shows the evaluations and the methods
that were used (either Standard Normal Distribution or New Occurrence), the number of observations,
the result, and a link to the triggering event. The result is a representation of how much the anomaly has
deviated from the expected behavior.

To learn more about the alert, choose the tab Affected Systems, Measurement Distribution, or Timeline
& Comments. To view detailed information about the system that the alert was created for on the tab
Affected Systems, choose the system ID in the list.

Get a deeper insight into the data by choosing Pattern Workspace to open the forensic workspace, where
you can see the pattern that led to the creation of the alert, for example.
2. You can navigate directly to the triggering and related events as well as the related indicators for the alerts.

If you choose Triggering Events, you get a list of all triggering events. For each event that you select, details
are displayed on the right side of the screen.

If you choose Related Events, the Semantic Events view is opened, filtered for information from the alert,
such as systems, the involved users, and in the same time range.

If you choose Related Indicators, a list of all indicators within the alert time frame and in the same pattern
scenario is displayed. When you select an indicator from this list, details are displayed on the right of the
screen. For more information, see the sections on Viewing Semantic Events and Related Indicators in this
guide.
3. Determine whether you want to edit the alert.

To edit an alert, choose the Edit button.

For an alert, you can make the following changes:

• Set the severity.
• Assign a processor.
• Set a status.
Depending on the status of the alert, you can define whether the alert is an attack or not, whether it is
suspected to be one, or whether it is still unknown. You can also change this status when you work with
investigations. It helps you to quickly identify attacks.

 Note

Do not use the status No Reaction Required (Test Result) in the productive system for the following
reason: If you set the status No Reaction Required (Test Result), it's not possible to set the attack
radio button to a different option than No.

• Add a comment. (In the Alerts application, this option is not available if you select more than one
alert.)

After you have made your changes, save your entries.


4. Determine whether the alert is critical enough to be investigated.

• To start an investigation for an alert, choose the Start Investigation button. You can then decide
whether you want to create a new investigation or use an investigation template. For more information
about investigation templates, see Working with Investigation Templates [page 128].
• To add an alert to the existing investigation, choose Add to Investigation.

Deciding whether an alert needs investigation is a very individual process. We provide a set of attack
detection patterns that generate alerts we consider worth investigating. However, you must come to your
own decision based on criteria such as the following.

• Are users supposed to be debugging in the system involved?
• Is the number of failed logons unusual?
• Is it strange that someone is making user authorization assignments on a holiday weekend?

If you find you are getting a lot of false positives, adjust the configuration of the attack detection patterns.
For example, it might make sense to specify Indicator as the output type.

Starting an investigation changes the status of the alert to Investigation triggered.


5. Choose Analyze to open the monitoring page with the predefined charts that give you an overview of how
events are distributed over users, systems, and terminals.

 Note

In the Alerts application, this option is not available if you select more than one alert.

6. In the Alerts application, choose Send Email to create an e-mail with the link to this list of alerts. Note that
the filter settings are kept for the export. For example, if you want to send a link to the current selection
of alerts, make sure that you use an absolute time range so that the recipient will be able to see the same
alerts as you do, even if they open the list at a later point in time.
7. View the threat situation.

In the Alerts application, choose (View Threat Situation) at the top of the list to view the threat situation.

Related Information

Working with Investigation Templates [page 128]


What are Investigations? [page 126]

12.3 Exempting Alerts

Alerts can be exempted for a specific time range. For example, you can allow a specific user to perform
debugging in a specific system for a specific time range, even though such behavior usually produces alerts.

Prerequisites

Exempting alerts is only possible for patterns that are not in test mode.

Context

An exemption is defined based on the semantic attributes used to group the attack detection pattern. You can
define exemptions in the following two ways:

• Starting from the Alert user interface.
• Starting from the Pattern user interface.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose an Alerts or a Pattern tile.
2. From the Alerts user interface or the Pattern user interface, choose Create Exemption.

You cannot mark an alert as an exemption, but you can specify criteria for exempting future alerts.
3. Specify a time range for which the alerts will be exempted.
4. Specify a reason for the exemption.

This reason for the exemption is like a name. You will find it in the Exemptions user interface that you
access through a separate tile on the launchpad.
5. For the semantic attributes of the pattern, specify values.

If the attack detection pattern detects these values, the resulting alerts are assigned the status Exempted.
If you create the exemption starting from an individual alert, the values of the alert are prefilled for the
exemption. You can edit them here by specifying a new value, or you can delete the attribute from the
exemption. If you do not want a specific attribute to be an exemption criterion, make sure that you delete
the attribute from the exemption. If you only delete the value, the attack detection pattern looks for the
value <empty>, and the exemption does not apply to alerts in which the attribute has a value.
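The difference between deleting an attribute and only deleting its value, described in step 5, is easy to get wrong. The following Python script is an added example and not SAP code: it models an exemption as a validity window plus criteria on the pattern's grouping attributes, prefills it from an alert as the Alert user interface does, and shows which constructed alerts are exempted in the two cases. The grouping attribute names, the alert and exemption structures, the timestamps, and all values are assumptions made for this illustration.

```python
"""Added example, not SAP code: how an exemption defined on the grouping
attributes of a pattern is evaluated, including the pitfall from step 5
(deleting an attribute vs. leaving it in with an empty value).

Grouping attribute names, alert/exemption structures and all values are
constructed for this illustration.
"""
from datetime import datetime, timedelta, timezone

# Assumed grouping attributes of a debugging pattern.
GROUPING = ("User Account, Acting", "System ID, Actor", "Terminal")


def exemption_from_alert(alert, valid_from, valid_to, reason):
    """Prefill an exemption with the alert's values, as the Alert UI does."""
    return {"valid_from": valid_from, "valid_to": valid_to, "reason": reason,
            "criteria": {a: alert["attributes"].get(a, "") for a in GROUPING}}


def without(exemption, attribute):
    """Delete an attribute from the exemption: it is no longer a criterion."""
    criteria = {a: v for a, v in exemption["criteria"].items() if a != attribute}
    return {**exemption, "criteria": criteria}


def with_empty_value(exemption, attribute):
    """Only clear the value: the attribute stays a criterion matching <empty>."""
    return {**exemption, "criteria": {**exemption["criteria"], attribute: ""}}


def is_exempted(alert, exemption):
    """An alert is exempted when its timestamp lies in the exemption window
    and every attribute still present in the exemption matches exactly."""
    ts = alert["timestamp"]
    if not exemption["valid_from"] <= ts <= exemption["valid_to"]:
        return False
    attrs = alert["attributes"]
    return all(attrs.get(a, "") == v for a, v in exemption["criteria"].items())


def assign_status(alerts, exemptions):
    """Status each alert gets at creation: 'Exempted' (with the reason of the
    matching exemption) or 'Open'. Returns [(alert id, status, reason)]."""
    result = []
    for alert in alerts:
        reason = next((x["reason"] for x in exemptions if is_exempted(alert, x)), None)
        result.append((alert["id"], "Exempted" if reason else "Open", reason))
    return result


# Constructed alerts from a debugging pattern.
T0 = datetime(2023, 3, 21, 9, 0, tzinfo=timezone.utc)
ALERTS = [
    {"id": 1, "timestamp": T0, "attributes": {
        "User Account, Acting": "DEV01", "System ID, Actor": "PRD",
        "Terminal": "WS-017"}},
    {"id": 2, "timestamp": T0 + timedelta(hours=1), "attributes": {
        "User Account, Acting": "DEV01", "System ID, Actor": "PRD",
        "Terminal": "WS-042"}},                      # same user, other terminal
    {"id": 3, "timestamp": T0 + timedelta(hours=1), "attributes": {
        "User Account, Acting": "DEV02", "System ID, Actor": "PRD",
        "Terminal": "WS-017"}},                      # other user
    {"id": 4, "timestamp": T0 + timedelta(days=3), "attributes": {
        "User Account, Acting": "DEV01", "System ID, Actor": "PRD",
        "Terminal": "WS-017"}},                      # after the window
]

BASE = exemption_from_alert(ALERTS[0], T0 - timedelta(hours=1),
                            T0 + timedelta(days=1),
                            "Approved debugging window for DEV01")
# Intended: DEV01 may debug in PRD from any terminal during the window.
ANY_TERMINAL = without(BASE, "Terminal")
# Pitfall: the terminal criterion stays and now only matches <empty>.
EMPTY_TERMINAL = with_empty_value(BASE, "Terminal")


if __name__ == "__main__":
    print("attribute deleted:   ", assign_status(ALERTS, [ANY_TERMINAL]))
    print("value only cleared:  ", assign_status(ALERTS, [EMPTY_TERMINAL]))
```

With the Terminal attribute deleted, alerts 1 and 2 are exempted and alerts 3 (other user) and 4 (outside the window) stay open; with only the value cleared, none of the four alerts is exempted, because every alert carries a terminal.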

Next Steps

To view, edit or delete exemptions, choose Exemptions from SAP Enterprise Threat Detection launchpad. You
can also save a list of exemptions as a separate tile.

12.4 Examining the Threat Situation

The threat situation provides an overview of how alerts are distributed among systems, terminals, patterns,
and users and how these entities correlate in your system landscape.

Procedure

1. You have the following options for viewing the threat situation:

• From SAP Enterprise Threat Detection launchpad, choose Threat Situation Last Hour. The tile displays
the number of alerts of the last hour.

• From SAP Enterprise Threat Detection launchpad, choose Alerts and then (View Threat Situation) in
the menu bar.

 Tip

To avoid long data loading times, we recommend using the Threat Situation Last Hour tile, where alerts
are filtered for the last hour.

By default, the nodes are colored depending on data type and sized according to their cumulative score.

To view the legend for the graph, choose (Show/Hide Legend).

To see more information about a node, hover over it. Click the node to pin the tooltip. You can then
navigate to the pattern and the alerts.

Choose a node to see its dependencies. The other nodes and their connections are now grayed out. In a
tool tip, there is a list of detailed information about the selected node as well as navigation options. You can
also drag and drop the nodes to position them on the screen so that you can see them better if they are too
closely clustered.
2. Change the time period or other filter settings.
You can set various filters for the alerts to be shown in the graph. Choose Filters to adjust the filter criteria.
Choose Go to apply the changes.

 Note

Extended time periods can have an impact on the time it takes for data to load.

3. Change the graph type.

By default, the color in the graph represents the data type of the node and the size shows its cumulative
score. You can change this view so that the node is colored according to severity and icons are shown for
the types.

a. Choose (Graph Settings) in the menu bar.


b. Choose Graph Type.
c. Select the preferred type of the graph visualization.
d. Confirm your choice.
4. Hide the graph nodes.

You can choose which nodes are displayed in the graph.

a. Choose (Graph Settings) in the menu bar.


b. Choose Visible Nodes.
c. Select the node types you want to be shown in the graph.
d. Confirm your choice.

12.5 Settings of SAP Enterprise Threat Detection

Review and change the settings of different features of SAP Enterprise Threat Detection.

You can find the documentation of the individual settings in the chapters on the features. The table below
provides an overview of the available settings.

Settings for SAP Enterprise Threat Detection

Feature Settings Available

Event Storage Define retention periods for original, normalized, and unrecognized events, or
manually delete old events.

For more information, see Managing Storage of Events and User Accounts [page
131].

Alert Publishing Define settings for publishing alerts.

For more information, see Publishing Alerts to a REST Endpoint or to E-Mail Recipients in the
Implementation Guide for SAP Enterprise Threat Detection.

Pattern Filter A pattern filter is a list of patterns that is used as a filter for publishing alerts. You
can add or delete pattern filters and add or delete individual patterns to filters.

Each pattern filter has a unique ID, which you need to add to the REST API or in
the user parameters for publishing specific sets of alerts.

For more information, see the sections Defining Pattern Filters for Alert Publishing or Alert Pulling and
Alert Pulling via REST API in the Implementation Guide for SAP Enterprise Threat Detection at
https://help.sap.com/sapetd.

Content Replication Content replication is documented in Landscape Setup for SAP Enterprise Threat
Detection at http://help.sap.com/sapetd. If you have set up a two-tier system landscape for parallel
development/test activities and productive use, you can define the connections between the replicating
systems here. Note that systems are identified by tenant and system ID (SID) as tenant@SID.

Example for a single-tenant HANA installation with the SID ET3:

ET3@ET3

You can activate and deactivate connections for context and development objects separately here. You
need to make this configuration in the source system and the target system. The table lists the
transportable objects for which this configuration is valid. If you note that an object type is missing (for
example, because it has been added after you made your configuration), we recommend that you delete
the configuration and create it again.

Time Zone Specify the time zone that is displayed in the user interfaces of SAP Enterprise
Threat Detection. You can decide between local time (that is, the time of the
operating system in which your browser runs) and UTC.


Anomaly Detection Define whether reference data for evaluations is collected for all evaluations or only
for those used in active anomaly detection patterns. For performance reasons, we recommend that you
only collect reference data for evaluations in active patterns. For more information, see the
documentation of anomaly detection in Detecting and Analyzing Anomalies [page 134].

Custom Values Allows you to specify additional values for investigations and workspaces.

Workload Management You can activate ETD-specific workload management. This will create workload
classes with default values specifically for ETD purposes. If you want to adapt
the default values, you can do so using the conventional (non-ETD) SAP HANA
tools for workload management (see Managing Workload with Workload Classes
in the SAP HANA Administration Guide at http://help.sap.com/hana). Be aware
that when you deactivate ETD workload management, the ETD workload classes
will be deleted regardless of any changes you may have performed on them.

For more information about the individual workload management classes, see
Workload Management Classes for SAP Enterprise Threat Detection [page 118].

Pseudonymization You can deactivate or activate pseudonymization.

12.5.1 Workload Management Classes for SAP Enterprise Threat Detection

To optimize workload balancing, you can activate workload management classes that are specific to SAP
Enterprise Threat Detection.

In the table below, you can see the preconfigured workload classes that are delivered with SAP Enterprise
Threat Detection.

For more information about how to monitor and configure the workload classes in the HANA cockpit, see
Monitor Workload Classes in the guide SAP HANA Administration with SAP HANA Cockpit.

Class Name Description More Information

ETD_Partitioning The amount of log data in SAP Enterprise Threat Detection can exceed the technical
limitations for database tables in SAP HANA. The partitioning job circumvents these technical limitations
by separating log data into different partitions.

ETD_SDS_Data_Write This class is for all actions executed by the technical user ETD_DATA_COMMITTER.
This user writes data from the streaming server into the SAP HANA database.

ETD_User_Context The user context job creates new user accounts provided by the streaming server,
enriches user contexts from ABAP master data, and (re)creates user pseudonyms.

ETD_UI This class is for all actions executed by the ETD users on UI level.

ETD_Trigger This class contains the following two jobs:

• Dispatcher: Checks whether logs corresponding to trigger criteria have arrived and triggers the
corresponding patterns
• Thread: Allows asynchronous pattern execution and can be started on demand (dynamically)

ETD_Pattern_Execution The pattern job executes all active attack detection patterns. More information:
Attack Detection Patterns [page 89]

ETD_HealthCheck_Execution The health check job triggers the execution of health checks. More
information: Health Checks [page 61]

ETD_Anomaly_Execution The anomaly job executes all active anomaly patterns. More information:
Detecting and Analyzing Anomalies [page 134]

ETD_Security_State_Monitoring The security state monitoring job regularly evaluates how the systems in
your system landscape are affected by threats found by SAP Enterprise Threat Detection. The results can
be accessed via the system monitoring user interface. More information: Monitoring the System
Landscape [page 64]

Related Information

Settings of SAP Enterprise Threat Detection [page 117]

13 Viewing Alerts in Clusters

The Alert Clusters user interface visualizes alerts based on the users, hosts, systems, or patterns involved. The
alerts are dynamically grouped according to these criteria, and you can display the entities involved.

Context

As the monitoring agent of a company, you need to monitor the alerts and react immediately. In the event of
a suspected attack, you usually need to identify the user behind it. Therefore, by default, the latest 20 alerts
of the last week are displayed, clustered according to the users involved. On the launchpad of SAP Enterprise
Threat Detection, the Fields of Attention tile offers access to the alert clusters, case files, and snapshot pages.
When you open the user interface, a graphic is displayed in which the user is at the center and the alerts
and patterns involved are shown around it. If the alerts have been added to an investigation, the
investigation is shown as well. A legend is available by choosing the (bulleted list) button.

The Alert Cluster user interface provides different options for researching the environment: The alerts are
clustered according to different aspects, such as users, systems, or patterns involved.

Procedure

1. Change the time of attention, focus of attention, as well as the entity of attention by clicking the
(Settings) icon in the upper right corner.

The selected focus of attention moves into the center of the individual graphics and the other entities are
shown as well. By default, the focus of attention is the user.

Focus of attention and the detailed information shown for it:

User: The alerts that involved this user are displayed, together with their related events and related or triggering alerts.

Hostname: The alerts that were initiated by the selected host name are displayed, together with their related events and related or triggering alerts.

System: The alerts that involved this system are displayed, together with their related events and related or triggering alerts.

Pattern: The last pattern execution is displayed, together with its events and alerts.

2. Select and deselect individual entities by clicking the (Filter) icon in the upper right corner.
3. To do research in the environment of an alert, click an item in the graphic (for example, an alert) to open
the Case File user interface.

For more information, see Working with Case Files [page 122].
4. Add alerts to investigations or start new investigations by selecting one or more alerts with your mouse.
a. Click the area on the screen and move your mouse to circle one or more alerts.
b. With the Ctrl key pressed, select further alerts as needed.
c. Click on the gray area that you have drawn around the alert(s) and select the appropriate option from
the context menu.

You can either start a new investigation or add the alert(s) to an existing one. The investigation is then
displayed in the graphic.
5. Navigate to an investigation by clicking the investigation icon.

13.1 Working with Snapshot Pages

A snapshot page is a collection of snapshots of charts. You can share it in an e-mail or add it to investigations.

Context

For more information about snapshots, see Sharing Snapshots of Charts [page 84].

Procedure

1. On the launchpad of SAP Enterprise Threat Detection, choose Snapshots on the Fields of Attention tile.
2. You have the following options:
• Add a chart to the snapshot page by choosing Add Chart and selecting the chart from the list.
• Add comment to individual snapshots or the snapshot page.
• Send a link to the snapshot page in an e-mail.
• Add the snapshot page to an existing investigation or start a new one.
• Save the snapshot page.
3. Save your entries.

13.2 Working with Case Files

A case file contains context, such as alerts or events related to the same suspected attack. They can then be
added to investigations for further research.

Procedure

1. On the launchpad of SAP Enterprise Threat Detection, on the Fields of Attention user interface, choose
Case Files to open the list of all case files.
2. Select the case file you want to work on by clicking the row.

The case file user interface is divided into a list of alerts at the top and the timeline at the bottom. On the
timeline, the alerts are displayed as red dots, together with the events that led to their creation. Further red
dots represent triggering alerts of the alert in question.

Note that you can move the timeline to view more alerts and events.

If you've called up the Case Files UI from the Alerts Clusters UI, you can create a new case file with all
events and alerts existing in the timeline graph. To do so, choose Move All Events to the Case File Table in
the timeline toolbar and then save the case file.
3. You can do the following:
• Add the case file to an existing investigation or start a new one.
• Add comments.
• View an attack path that displays connecting event attributes.

 Note

The button to navigate to the attack path is only enabled if the following conditions are met:
• The case file is saved. This might not be the case if you've called up the Case Files UI from a different
app such as Alert Clusters and you are just about to create the case file.
• All events added to the case file are up to date, that is, within the retention period configured in the
Settings app.
• The number of events in the case file does not exceed 20 (working with more than 20 events in one
attack path would be difficult).

13.3 Working with an Attack Path

You can view an attack path that displays connecting event attributes on a timeline. Additionally, you can add or
remove attributes in relation to a path. You can also customize events by giving them more meaningful names.

Displaying an Attack Path

1. From the launchpad, under Alerts and Investigations, go to the Fields of Attention tile and click Case Files.
2. Choose a case file to display it and its attributes, both as a list and graphically on a timeline.
3. To display the attack path, click the Display Attack Path button.

Viewing Event Details

Hover over an event to see its basic details (for example, element ID and timestamp).

Viewing Connecting Attributes

• Click two or more events to display the attributes that connect them. Clicking an event again removes its
connecting attributes.
• You can hover over the dots between connected events to view the attribute details.
• To show or hide attributes on the attack path, select the relevant checkboxes from the list.
• To show or hide all connecting attributes between events, click the Select All or Deselect All button as
appropriate.

Repositioning Path Elements

• Drag the dots between events to reposition them.
• You can also drag the events to reposition them vertically on the attack path.

 Note

The location of events on the timeline determines their horizontal position, so this cannot be changed.

You can assign a custom name to an event:

1. Click the pencil icon next to the listed event.
2. Enter your custom name for the event, such as "User X logged on".
3. Click OK to confirm your setting.

The event is then shown with this name in the attack path, and it appears with this new name in the events list.

Related Information

Working with Case Files [page 122]

13.3.1 Saving Attack Paths and Generating Patterns

Context

To save an attack path and generate a pattern based on it, proceed as follows:

Procedure

1. In the Case Files view, press the Display Attack Path button.
2. In the Attack Path view, create the attack path you need and then press the Save Attack Path button.
3. To open the new attack path, click the Back button, select the attack path you just saved from the table in
the Attack Path view, and press the Display Attack Path button.
4. In the Display Attack Path view, press the Generate pattern button to generate a pattern based on the
attack path you saved earlier.

Pressing the Generate pattern button takes you to the forensic lab, where you can see the pattern
generated on the basis of the path you saved. Each Path in the forensic workspace corresponds to one
event in the attack path. Each Subset is an attribute and shows the value of that attribute for the event in
the attack path. The time range of the workspace is the time range between the first and last event.

You can also delete saved attack paths by navigating to the Case File view and choosing the attack path for
deletion.

14 Working with a List of Investigations

There are various filters and sorting options for viewing investigations. You can edit investigations collectively
or individually. You can also share the URL of a list with others or save a filtered list as separate tile.

To view a complete list of investigations, choose the Investigations tile on the launchpad.

Finding Investigations

You can sort the investigation columns alphabetically or numerically by clicking on the relevant column header.

To filter the results, show the filter bar and select the filter criteria. You can customize the filter bar by clicking
the Filters button and selecting or deselecting the checkboxes. Note that you can also apply the filter directly
from here.

By entering an investigation ID in the search field, you can go quickly to a particular investigation.

Editing Investigations

If you want to edit investigations, you can do so collectively by selecting the relevant investigations and
choosing Edit. This allows you to change the severity, processor, or management visibility of the selected
investigations. If you select only one investigation, you will be taken to the details overview, where you can make
more detailed changes (see Working with a Single Investigation [page 127]).

Sharing Investigations

For management reporting, you can share the URL of the list of investigations via e-mail:

1. Apply filters to the investigations as required.
2. Select specific investigations or select all.
3. Click the envelope icon to create the e-mail.

The system creates an e-mail with a link that leads to the filtered list of investigations in the Investigations UI.
To prevent sensitive information from being disclosed, the e-mail does not include investigation content such
as the alert messages themselves. Recipients must log on to the user interface to see the investigations, which
ensures that only users with the required authorization can view them.

Creating Custom Tiles for Filtered Investigation Lists

You can specify filter criteria according to which investigations are displayed and then save the resulting list as
a new tile on your launchpad. To create such a custom tile in the home group of your launchpad, filter the list
and choose  (Save as Tile).

14.1 Best Practices: Working with Alerts and Investigations

We recommend using investigations and benefiting from the various features related to them.

As monitoring agent, you typically use the alerts app as your main application. Using the Alerts tile, you can
show all current alerts sorted by creation time and apply filters as required. We recommend that you observe
the open alerts using the Open Alerts tile. In the list of open alerts, select related alerts and create a new
investigation for them. If there is already an investigation that relates to an alert, we recommend adding the
alert to the existing investigation. Once the open alerts are assigned to investigations, their status changes and
they disappear from the open alerts list.

By using investigations, you can benefit from the following investigation features:

• You can protocol the investigation progress using comments, related events, snapshots, case files or any
other document that can be attached to the investigation.
• You can use the investigation statuses Open, In Process, Completed, Canceled, and On Hold to use the
investigation as a workflow object. This is not possible for alerts which only have one status Open and four
different final statuses that are automatically set by the system when the alert is forwarded, exempted,
assigned to investigation or created from a pattern created for test purposes.
• You can print out an investigation report to hand over the investigation to IT forensics authorities.
• You can send an e-mail with a link to a filtered list of investigations.

Related Information

What are Investigations? [page 126]
Working with a List of Investigations [page 125]
Working with a Single Investigation [page 127]

14.2 What are Investigations?

Investigations are collections of related material such as alerts, case files, and snapshots. They are the central
item with which the security expert starts their forensic research, because they can lead to an incident.

When the monitoring agent considers an alert suspicious, we recommend starting an investigation. The
investigation is assigned a description, a severity, and a status. Comments can be added. The investigation

can be shared easily in e-mails or as a PDF file. More alerts and other related material can be added later, and
the status can be changed to make tracking the investigation easy. It is also possible to create a CSV file with a
list of all triggering or related events of the alerts in the investigation.

You can not only create a new investigation from alerts, but also from snapshots or case files. That means
you don't need an alert to start an investigation if you detect a suspicious situation using the tools of SAP
Enterprise Threat Detection.

As the investigation is an item that more than one person might work with, there is a discussion and timeline
tab in which manual comments as well as changes to the investigation are tracked.

Alerts, snapshots, and case files can be assigned to investigations in following ways:

• From the Investigation user interface.
• From the Alert, Snapshot, or Case File user interface.

Alerts assigned to an investigation are displayed on the Alerts tab in the investigation details. Snapshots and
case files assigned to an investigation are displayed on the Objects tab in the investigation details.

14.3 Working with a Single Investigation

Working with a single investigation allows you to add or remove objects, change administrative attributes, or
leave comments in the discussion thread.

Context

The screen displays basic data about the investigation and the alerts assigned to the investigation. In the
investigations with the status Open, you can remove and add objects.

You access the single Investigation user interface by clicking the ID of an investigation in the list of
investigations. This list is called by clicking the relevant tile on the launchpad of SAP Enterprise Threat
Detection. You can also access this user interface by adding an alert or case file to an investigation or by
starting an investigation from there.

Apart from editing the investigation, you have the following options:

• Send an e-mail with a link to the investigation. To do so, choose the (send e-mail) icon.
• Print the investigation or save it to a PDF file. Such a PDF file can, for example, be used to attach an
investigation to an external ticketing system. To do so, choose the (print) icon.

 Recommendation

Use Chrome as web browser and select Save as PDF as destination. This ensures best scaling, and
embedded links are clickable in the PDF.

Procedure

1. To edit an investigation, choose Edit on the Investigation user interface.

You can make the following changes:

• Enter a description.
• Set the severity of the investigation.
• Assign a processor.
• Set a status for the investigation.
• Indicate whether the investigation includes an attack. Note that this attack value can be set for the
individual alerts in an investigation.
When you set an investigation to Completed, you have to specify a value for Attack.
• Indicate if the investigation needs management attention.
• Add a comment.
The comments editor is a rich text editor with advanced features. Using the icons at the top, you can
embed an HTML link to a Web page or an image link to a picture file. This can be useful, for example, to
provide links to documents or pictures on your document server. This rich text editor supports copy &
paste from other Web pages, preserving embedded HTML links and image links.

 Note

Copy & paste will not work for dynamically generated images. For example, graphs from the
forensic lab cannot be copied into a comment. To do so, you would have to save a snapshot and
add this to the investigation.

2. (Optional) If an investigation has been set to Completed, you can start a job to collect all triggering events
of the alerts of the investigation.
a. Ensure that the sap.secmon.framework.investigation::investigation job for the
provisioning of triggering events is active.
b. On the Investigation user interface, choose Start Triggering Events Job.
c. Refresh your browser. Note that, depending on the number of events, this may take a few seconds.

A link to download the triggering events appears in the header part of the investigation.
d. Click the link and save the CSV file.

14.4 Working with Investigation Templates

Investigations are collections of related material, such as alerts. If an alert is considered to be suspicious, we
recommend starting an investigation. You can create templates that allow you to implement investigations
quickly and easily from a predefined set of parameters. If an investigation template has a specified pattern, it
will only be offered for alerts that match this pattern.

From the launchpad, click the Investigation Templates tile to display a complete list of existing templates.

Sorting and Filtering Templates

You can sort the list columns by clicking the relevant column header.

Filter the results by showing the filter bar, selecting the filter criteria, and clicking Go. You can customize the
filter bar by clicking Filters, selecting/deselecting the relevant checkboxes, entering the required values, and
clicking Go. When you remove filter criteria, you also need to click Go to implement your changes. (Note that
you can also apply the filter directly from here.)

At the top of the list, you see the selected filter criteria for your reference.

Creating Templates

Proceed as follows:

1. Choose New.
2. Enter the relevant information and select the appropriate options.
3. Confirm your settings by clicking Save.
4. The window that then appears enables you to review the details of your new template, make any changes,
delete it, or mark it for export.

Editing Templates

Proceed as follows:

1. Click the arrow at the end of the row.
2. Choose Edit in the details window that then appears.
3. Make the necessary changes.
4. Confirm your changes by clicking Save.

Deleting Templates

In the overview list, you can delete an individual template by selecting its checkbox and choosing Delete. If you
are in the details view for a template, you can delete that template by clicking Delete.

You can delete multiple templates collectively by selecting the relevant checkboxes in the overview list and
choosing Delete.

Exporting Templates

If you want to export one or more templates, select the relevant checkboxes in the overview list and choose
Mark for Export.

15 Managing Storage of Events and User
Accounts

To prevent the SAP HANA database from running out of memory, a background job regularly moves events to
SAP HANA Native Storage Extension or deletes them. You can also remove old events manually. In addition,
you can specify whether table partitions should be distributed manually and change the retention period for
user account data.

Prerequisites

• You have a user with the EtdAdmin role for SAP Enterprise Threat Detection.
• You have backed up the event data from the SAP HANA database.
For more information about backing up data, see SAP HANA Database Backup and Recovery in the SAP
HANA Administration Guide for SAP HANA Platform.

Context

Depending on the number of systems you have connected to SAP Enterprise Threat Detection, the system
saves hundreds or even thousands of events per second. With so many events coming into the system, you
can run out of memory quickly. Here you can specify retention periods for normalized log events, unrecognized
events, and original events. The hot storage retention period specifies how long the data will be kept in HANA
In-Memory storage. When the hot storage retention period ends, the data will be moved to SAP HANA Native
Storage Extension, if the given warm storage retention period is greater than 0. The warm storage retention
period specifies how long the data will be kept in SAP HANA Native Storage Extension. The total retention
period is thereby the hot storage retention period in addition to the warm storage retention period. You can also
manually delete log events, unrecognized events, and original events.

All logs are stored in their original form before they are normalized. Logs that have not yet been learned in
the Log Learning application, or for which the rules in Log Learning do not allow normalization, are stored as
unrecognized events. Both unrecognized and original logs use up significantly more storage space than
normalized events. The default retention period for unrecognized and original log events is 10 days, while
normalized log events are stored for 90 days by default. Warm storage is turned off by default.

For more information about memory requirements, see the SAP Enterprise Threat Detection Sizing Guide.

 Caution

If SAP HANA runs out of memory, the system ceases to function.

To prevent a system failure, the sap.secmon.services.partitioning::clearData background job runs on
SAP HANA. This job moves all events older than the hot storage retention period to SAP HANA Native
Storage Extension and deletes all events older than the total retention period.
For more information, see the SAP Enterprise Threat Detection Implementation Guide.

We recommend that you monitor the available memory of the SAP HANA platform closely and move or delete
old event data before available memory becomes an issue.

For more information about determining the available memory on the SAP HANA platform, see Disk-Related
Root Causes and Solutions in the SAP HANA Troubleshooting and Performance Analysis Guide.

The capacity of your database is one key factor in event storage. You can also limit the volume of events stored
by applying restrictions to the retention time.

Procedure

1. From the launchpad, choose Settings and then Manage Event Storage.

Under Event Information, you see the number of log events, unrecognized events, and original events. The
suffix indicates the order of magnitude: K for thousands, M for millions, B for billions.

2. For all three types of log events, review the retention periods and change them in accordance with your
requirements.

The retention period in hot storage extends the specified number of days into the past.

If you use SAP HANA Dynamic Tiering for warm storage, you configure the retention parameter in the
properties of the Warm Storage Writer (kafka_2_warm) of SAP Enterprise Threat Detection Streaming. For
more information, see Event Storage in the implementation guide.

If you use SAP HANA Native Storage Extension for warm storage, the retention period for warm storage
starts with the end of the hot storage period and extends the specified number of days into the past.

 Example

Today is July 30. You specify 10 days for hot storage, which means logs up to 10 days old are kept in hot
storage. The period for hot storage is July 20 to July 30.

For warm storage, you specify 15 days, which means that after 10 days in hot storage, logs are kept in
warm storage for 15 days. That means the period for warm storage is July 5 to July 20.

In total you will have log events stored for the last 25 days.

3. Select whether partition distribution should be applied automatically and save your setting.
4. Choose a partition length and click Save to confirm your entry.
5. To delete log events manually, perform the following steps:
1. Using the calendar, choose the date up to which the system shall delete the events.
The system calculates the amounts of the selected events.

 Caution

When you choose a date for data deletion, you select not only the events of that day, but also all
events created before that day.

2. Click the appropriate button depending on the type of logs you want to delete (for example Delete
Original Events).
3. Confirm the deletion.
6. Optional: You can change the default value for the user retention period.

The user retention period specifies the number of days for which user data is kept in the SAP Enterprise
Threat Detection system while the user is inactive.

 Note

The user retention period must be at least 90 days and must be longer than or equal to the longest
period specified for event storage (hot, warm, or cold storage).
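The retention rules from steps 2, 5 and 6 above, worked through as an added example (this is illustrative code written for this guide, not part of SAP Enterprise Threat Detection and not the implementation of the clearData job). It models hot and warm windows the way the July example describes them, buckets constructed sample events the way the background job would, selects events for manual deletion by cutoff date, and checks the user retention period against the stated minimum. Boundary handling (an event exactly hot_days old still counts as hot), the sample event list and the function names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


def _day(value):
    """Accept a date or an ISO string such as '2023-07-30'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass(frozen=True)
class RetentionPolicy:
    """Hot (SAP HANA in-memory) and warm (SAP HANA NSE) retention in days.
    warm_days == 0 means warm storage is off, which is the documented default."""
    hot_days: int
    warm_days: int = 0

    def __post_init__(self):
        if self.hot_days < 1 or self.warm_days < 0:
            raise ValueError("hot_days must be >= 1 and warm_days >= 0")

    @property
    def total_days(self):
        # Total retention is hot plus warm, as the guide states.
        return self.hot_days + self.warm_days

    def windows(self, today):
        """Calendar windows as ISO strings: hot reaches hot_days back from today,
        warm starts where hot ends and reaches warm_days further back."""
        today = _day(today)
        hot_start = today - timedelta(days=self.hot_days)
        warm_start = hot_start - timedelta(days=self.warm_days)
        return {"hot": (hot_start.isoformat(), today.isoformat()),
                "warm": (warm_start.isoformat(), hot_start.isoformat())}

    def tier_for(self, event_day, today):
        """Tier an event of this age lands in once the clearData job has run.
        Counting an event exactly hot_days old as still hot is an assumption."""
        age = (_day(today) - _day(event_day)).days
        if age < 0:
            raise ValueError("event timestamp lies in the future")
        if age <= self.hot_days:
            return "hot"
        if age <= self.total_days:
            return "warm"
        return "deleted"


# Documented defaults: normalized log events 90 days, unrecognized and original
# events 10 days, warm storage off.
DEFAULT_POLICIES = {
    "log_events": RetentionPolicy(hot_days=90),
    "unrecognized_events": RetentionPolicy(hot_days=10),
    "original_events": RetentionPolicy(hot_days=10),
}


def simulate_clear_data(events, today, policy):
    """Model of the clearData job over (event_id, day) pairs: which events stay
    hot, which move to NSE, and which are deleted."""
    buckets = {"hot": [], "warm": [], "deleted": []}
    for event_id, day in events:
        buckets[policy.tier_for(day, today)].append(event_id)
    return buckets


def select_for_manual_deletion(events, cutoff):
    """Manual deletion in Manage Event Storage: the chosen date selects that
    day's events and every event created before it."""
    cutoff = _day(cutoff)
    return [event_id for event_id, day in events if _day(day) <= cutoff]


def user_retention_violations(user_days, policies):
    """Checks from the guide for the user retention period: at least 90 days
    and not shorter than the longest configured event retention."""
    longest = max(p.total_days for p in policies.values())
    problems = []
    if user_days < 90:
        problems.append(f"{user_days} days is below the 90-day minimum")
    if user_days < longest:
        problems.append(f"{user_days} days is shorter than the longest event retention ({longest})")
    return problems


def is_user_expired(last_seen, today, user_days=365):
    """Account deletion condition: neither master data nor log data received
    for longer than the user retention period (default 365 days)."""
    return (_day(today) - _day(last_seen)).days > user_days


if __name__ == "__main__":
    today = "2023-07-30"
    policy = RetentionPolicy(hot_days=10, warm_days=15)
    print(policy.windows(today))                       # the guide's July example
    sample = [("e1", "2023-07-28"), ("e2", "2023-07-12"), ("e3", "2023-07-01")]  # constructed
    print(simulate_clear_data(sample, today, policy))
    print(user_retention_violations(20, {"x": policy}))
```

With the guide's values (today July 30, 10 days hot, 15 days warm) the windows come out as July 20 to July 30 for hot and July 5 to July 20 for warm, 25 days in total; a user retention period of 20 days is rejected twice, once for the 90-day minimum and once because it is shorter than the 25-day event retention.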

15.1 Retention of User Account Data

In order to prevent SAP Enterprise Threat Detection from storing redundant data and to comply with data
protection and privacy laws, the user account data stored in the system has a retention period.

User accounts are handled by the retention frameworks in the source systems of the logs and master data.
SAP Enterprise Threat Detection keeps only copies of the users. If SAP Enterprise Threat Detection neither
receives new master data nor new log data for the user until the retention period has expired, the user account
data will be deleted.

If the number of days that the user has been inactive exceeds the configured retention period, the user and all
its dependent data are deleted from the system. The default value is 365 days. It can be changed in the
settings, but it must be at least 90 days and must be longer than or equal to the longest period specified for
event storage (hot, warm, or cold storage).

The user account data is deleted using the job sap.secmon.framework.user::UserContext. Make sure
the job is active, otherwise the user account data cannot be deleted once the retention period is over.

16 Detecting and Analyzing Anomalies

Anomalies are events that deviate from the normal or usual behavior in your system landscape. SAP Enterprise
Threat Detection provides patterns for detecting anomalies. Just like the attack detection patterns, anomaly
detection patterns result in either indicators or alerts.

Anomaly detection patterns compare the current activities in the system landscape with those in the past
and alert you when something unexpected or entirely new happens. Each anomaly detection pattern includes
at least one evaluation. An evaluation defines the acceptable range of behavior (for example, system or user
behavior) and at what point an alert or indicator will be produced. We suggest you evaluate for yourself whether
the anomaly detection patterns delivered by SAP meet the needs of your company. You can either use them as
they are or modify them. You can also define your own patterns and evaluations.
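An added illustration of the evaluation concept just described (example code written for this guide; it is not SAP's code and not the scoring that SAP Enterprise Threat Detection actually implements): a per-entity baseline is learned from reference data, the current hour is scored against it, the score is normalized, and an output rule decides whether the result is an indicator, an alert, or nothing. Changing the rule's thresholds is the kind of simulation the anomaly detection lab offers. The failed-logon counts, the minimum amount of reference data, the normalization cap and all thresholds are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample data (assumption): failed-logon counts per user for eight
# reference hours, and the counts observed in the current hour.
REFERENCE = {
    "ALICE": [2, 3, 1, 2, 4, 2, 3, 2],
    "BOB": [0, 1, 0, 0, 1, 0, 0, 1],
    "SVC_BATCH": [50, 52, 49, 51, 50, 53, 48, 50],
}
CURRENT_HOUR = {"ALICE": 3, "BOB": 9, "SVC_BATCH": 51, "NEWUSER": 4}

MIN_REFERENCE_HOURS = 8  # assumed minimum before the evaluation counts as complete
SIGMA_FLOOR = 0.5        # assumed floor so a flat history does not divide by zero
SCORE_CAP = 5.0          # assumed raw-score cap used for normalization to 0..1


def evaluation_status(reference, min_hours=MIN_REFERENCE_HOURS):
    """'collecting' until every entity has min_hours of reference data."""
    shortest = min((len(hours) for hours in reference.values()), default=0)
    return "complete" if shortest >= min_hours else "collecting"


def raw_score(value, history):
    """Distance of the current value above the reference baseline, in standard
    deviations. An entity with no history at all is 'entirely new' and gets an
    unbounded score."""
    if not history:
        return float("inf")
    sigma = max(pstdev(history), SIGMA_FLOOR)
    return max(0.0, (value - mean(history)) / sigma)


def normalize(raw, cap=SCORE_CAP):
    """Map a raw score to 0..1 by capping it at `cap`."""
    return 1.0 if raw == float("inf") else min(raw, cap) / cap


def output_rule(score, alert_at=0.8, indicator_at=0.4):
    """The output rule of the evaluation: what a normalized score produces."""
    if score >= alert_at:
        return "alert"
    if score >= indicator_at:
        return "indicator"
    return "none"


def run_evaluation(reference, current, alert_at=0.8, indicator_at=0.4):
    """Score every entity seen in the current hour and apply the output rule.
    Returns ({entity: normalized score}, {entity: 'alert'|'indicator'|'none'})."""
    if evaluation_status(reference) != "complete":
        raise RuntimeError("reference data not yet complete; pattern cannot run")
    scores = {e: normalize(raw_score(v, reference.get(e))) for e, v in current.items()}
    results = {e: output_rule(s, alert_at, indicator_at) for e, s in scores.items()}
    return scores, results


if __name__ == "__main__":
    scores, results = run_evaluation(REFERENCE, CURRENT_HOUR)
    for entity in CURRENT_HOUR:
        print(f"{entity:10} score={scores[entity]:.2f} -> {results[entity]}")
```

On the sample data BOB (nine failed logons against a baseline of well under one) and NEWUSER (no history at all) produce alerts, ALICE and SVC_BATCH stay within their usual range, and lowering alert_at to 0.1 would turn ALICE's small deviation into an alert, which is why the guide suggests evaluating SAP-delivered patterns and their thresholds against your own landscape.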

Patterns and evaluations are grouped in scenarios for a better overview. You manage the patterns, evaluations,
and scenarios in the anomaly detection lab. For each anomaly detection pattern, you can display the results
(in other words, the detected anomalies) in the anomaly detection lab. The anomaly detection lab provides
different visualization options for analyzing these results, and you can simulate how the results would change if
you changed the settings of a pattern.

Alerts from anomaly detection patterns can be viewed and processed in the Alerts user interface. They are
marked as coming from an Anomaly Pattern, which you can filter for. Indicators resulting from anomaly
detection patterns can be viewed in the forensic lab, where you can use them as a basis for building further
patterns. In forensic lab, filter for Event Log Type Indicator, Event (Semantic) Indicator from Anomaly.

After creating and testing new patterns, you might want to export them to your productive system. For
more information, see Marking Anomaly Detection Patterns for Export in the landscape setup guide at http://
help.sap.com/sapetd.

16.1 Anomaly Detection Lab

In the anomaly detection lab you display the anomaly detection results and you can manage anomaly detection
patterns, evaluations, and scenarios.

When you open the anomaly detection lab from the launchpad, the system displays the available scenarios
as a list on the left side of the screen. The purpose of the scenarios is to group the patterns and evaluations
thematically for a better overview. Using the tabs above the list, you can switch between the display of the
object lists for scenarios, patterns, and evaluations. If a scenario already contains patterns or evaluations,
a small arrow is displayed in the row of the scenario. When you select the row, you navigate to the
patterns contained in this scenario. The same applies to the navigation between patterns and the associated
evaluations.

Scenarios, anomaly detection patterns, and evaluations are each represented by their own icon in the anomaly
detection lab.

Scenario Details

When you click the link of a scenario name in the list, the system shows the scenario details overview on
the right side of the screen. To see which patterns and evaluations are assigned to a scenario, switch to the
Assignments tab. Here you can also create additional assignments or delete existing ones.

Pattern Details

When you click the link of a pattern name in the list, the system shows the pattern details overview on the right
side of the screen. To see which scenarios and evaluations are assigned to a pattern, switch to the Assignments
tab. Here you can also create additional assignments or delete existing ones. To see the data of the evaluations
assigned to the pattern (including the evaluation methods and statuses of the evaluations), switch to the Data
tab.

To view the current anomaly detection results of the evaluations assigned to the pattern, choose Analyze
Pattern. In the new screen, the system displays the score diagram on the left and the table of selected entities
including the normalized total scores on the right side of the screen. From here, you can display further details
by clicking on the name of an entity in the table row. Using the icons at the top right, you can also choose a
different pattern or hour and simulate the calculation with different pattern settings by changing the output
rule.

Evaluation Details

When you click the link of an evaluation name in the list, the system shows the evaluation details overview
on the right side of the screen. To see which scenarios and patterns are assigned to the evaluation, switch to
the Assignments tab. Here you can also create additional assignments or delete existing ones. On the Data tab
for the evaluation, you can use different visualization options to display the evaluation results for the last full
hour (or any other hour that you choose). From here, you can also open the corresponding chart in forensic lab
using the icon at the top right.

Related Information

Statuses Used for Evaluations and Anomaly Detection Patterns [page 136]
Viewing and Analyzing Anomalies [page 144]

16.2 Statuses Used for Evaluations and Anomaly Detection
Patterns

There are different statuses for evaluations and anomaly detection patterns which show you for example why a
pattern cannot be used yet or if the collection of reference data was already started for an evaluation.

The system displays the status information in the anomaly detection lab at the top of the evaluation and
pattern details overview page. The following statuses are available:

Evaluation Statuses

Status: Collection of reference data is not started, because evaluation is not assigned to an active anomaly detection pattern.
More information: The system uses this status if you have specified in the Settings tile that reference data is only to be collected if the evaluation is assigned to an active anomaly detection pattern.

Status: Collection of reference data has already started but is not yet complete.
More information: This status means that all conditions for data collection are met and the data collection has already started. However, the system has not yet collected enough data to execute an anomaly pattern.
Usually an evaluation will have this status for at least some hours or days. If the evaluation remains in this status longer than you would expect, make sure that the specified hot storage retention period for log events is at least four weeks. If it is less than four weeks, the system cannot collect a sufficient amount of reference data and the status of the evaluation cannot change to "Reference data is up to date. Patterns using this evaluation can be executed."
If you have specified a time range in the evaluation that is longer than the defined retention period for the log events, the system can collect enough data to change the status if the retention period is at least four weeks. But it can only take into account the log events that are available according to the retention period.
Example: If the evaluation time range is eight weeks, but the retention period is only six weeks, then the status of the evaluation will change to "Reference data is up to date" after the collection is done for the last four weeks, but the system will afterwards only collect further data up to the last six weeks. It will not be able to take the whole eight weeks into account as intended by the specified evaluation time range.
Note: As long as the system collects reference data after the initial activation of a pattern, the CPU load and memory consumption of the system is increased.

Status: Reference data is up to date. Patterns using this evaluation can be executed.
More information: The system has collected enough data to execute an anomaly detection pattern.
Note that an evaluation already reaches this status when the system has completed the reference data collection for the last four weeks after the initial activation of the pattern. It does not necessarily mean that the reference data collection is complete. If the specified time range for the collection of reference data is longer than four weeks, the system continues to collect data.
Note: As long as the system collects reference data after the initial activation of a pattern, the CPU load and memory consumption of the system is increased.

Status: There is no reference data yet because the evaluation has just been created or the statistics job is inactive.
More information: This status applies in the following situations: Either data collection has already been started and the first repetition of the data collection is still in process, or the statistics job is inactive.

Statuses of Anomaly Detection Patterns

Status: Pattern is ready to run. All evaluations are taken into account.
Description: All related evaluations have enough data and the pattern can be executed.

Status: Pattern is ready to run. Not all evaluations are taken into account.
Description: The system sets this status if sufficient data is available for at least one of the associated evaluations and the pattern settings allow the execution of the pattern in this case.

Status: Pattern is not ready to run. Check the related evaluation statuses.
Description: The system cannot execute the pattern for one of the following reasons:
• The assigned evaluations have not collected enough data. Check the evaluation statuses for the exact reason.
• The pattern is inactive.

Related Information

Settings of SAP Enterprise Threat Detection [page 117]

16.3 Editing and Creating Anomaly Detection Patterns

Anomaly detection patterns compare the current activities in the system landscape with those in the past and
alert you when something unexpected or entirely new happens.

Prerequisites

• You have a user with the EtdSecExpert role for SAP Enterprise Threat Detection.
• To create a new anomaly detection pattern, there must be evaluations in the system that you would like to
assign to your pattern. Note that you can only assign evaluations with the same dimensions and groups to
one pattern because these attributes are used to correlate the results of the evaluations.

Context

SAP Enterprise Threat Detection provides you with a number of predefined patterns that detect anomalies. You
can adjust the delivered patterns or create new ones that meet your needs. The following minor settings can
be changed in an existing pattern. For all other modifications, a new pattern with a new name and namespace
must be created by choosing Save As....

• Create Output When: Define whether the pattern produces an output (alert or indicator) if at least one
evaluation has detected an anomaly or only if all evaluations have detected an anomaly, or if the average of
evaluations shows an anomaly.
• Severity: According to the pattern and the needs of your organization, set a severity between Low and Very
High.
• Status: An inactive pattern is not executed and therefore no results are produced. Reference data is only
collected for evaluations assigned to active patterns. You can change this on the Settings user interface
accessible from the launchpad, under Anomaly Detection.
• Test Mode: A pattern in test mode produces alerts with the status No Reaction Triggered (Test Result).

Procedure

1. From the SAP Enterprise Threat Detection launchpad, choose Anomaly Detection Lab.

2. Choose the pattern that you want to modify from the list of patterns or choose (Create Entity) Create Pattern at the top of the list.

3. Specify the required settings:
a. Specify a name and a namespace.
b. (Optional) Add a description.
c. Specify the execution output: alert or indicator:

• Alerts: Choose Alert if you consider an anomaly created by this pattern suspicious enough to
require further analysis. If you have configured a pattern to create alerts, then these alerts will be
visible in the Alerts user interface, from where you can start investigations.
• Indicator: Indicators are specially marked events that do not need to be handled individually.
However, they can be used as input for further patterns. Choose Indicator if you only want to use
the anomalies that are found as input for further patterns. You can also view the details of an
indicator in the forensic lab.
d. Specify in which case to produce an alert or an indicator:

• The anomaly is detected by all evaluations of the pattern.
• The anomaly is detected by at least one evaluation.
• The average output of all evaluations is an anomaly.
e. Specify the minimum severity of the output.
f. Specify the status as active or inactive. Note that reference data for the evaluations is collected as
soon as the pattern is set to Active.
g. Specify whether the pattern should run in test mode.
We recommend that you initially set the pattern to test mode. After saving, you can test the pattern
configuration and see whether it produces the results you expect. If the configuration performs as you
expect, deselect the Test Mode checkbox.
h. Specify assignments to scenarios or evaluations.

You can assign evaluations that were delivered by SAP to the pattern you are about to create. But you
cannot assign scenarios delivered by SAP to newly created patterns. If you want to assign a scenario
to your new pattern, you must create a new scenario first or choose an existing scenario that was not
delivered by SAP.
4. Save the pattern.

Results

Your pattern has been saved.

Please note that you cannot execute anomaly patterns manually from the Patterns table of the launchpad. This
is because statistical data has to be collected via the anomaly pattern job before patterns can be executed.

Next Steps

You can now do the following:

• Analyze the results of the pattern by choosing Analyze Pattern.

• Mark the pattern for export to the productive system by choosing Export. For more information, see
Marking Anomaly Detection Patterns for Export in the landscape setup guide at http://help.sap.com/
sapetd.
• You can view the anomaly detection patterns in the Patterns tile of the launchpad. Anomaly patterns are
indicated by the entry Yes in the Anomaly Pattern column of the Patterns table.

16.4 Editing and Creating Evaluations

An anomaly detection pattern consists of one or more evaluations. An evaluation is a systematic assessment of
the data that is monitored.

Prerequisites

You have a user with the EtdSecExpert role for SAP Enterprise Threat Detection.

Context

You can define that an anomaly is created either when the system behavior deviates sufficiently from the
expected behavior with respect to the standard normal distribution or when something entirely new happens.
As statistical data such as averages and the standard deviation are only calculated for whole days, the system
only finds anomalies for the whole day. All evaluations in one pattern must be based on the same group
of semantic attributes that you want to observe. For example, they must all evaluate the behavior of User
Pseudonym, Acting. Note that if a pattern is already assigned an evaluation, you can only add compatible
evaluations to it.

SAP Enterprise Threat Detection provides you with a number of predefined evaluations. If you want to modify
an evaluation, choose Save As to create a new evaluation with a new name and namespace. Note that if you
modify an evaluation, any reference data of the previous version of the evaluation will be deleted. By default,
reference data is not collected until the evaluation is added to an active pattern. If you want to collect reference
data for all evaluations, you can change this in the Settings user interface accessible through the launchpad.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Anomaly Detection Lab.
2. Select the Evaluations tab.

3. Choose the evaluation that you want to modify from the list of evaluations or choose (Create Entity) Create Evaluation at the top of the list.
4. Specify the required settings:
a. Specify a name and a namespace.
b. (Optional) Add a description.
c. Assign a chart to view the data you want to observe by choosing + in the Assignments section. The
charts are created in the forensic lab user interface.
d. Choose whether the evaluation is based on deviations from the normal behavior, for example the
system or user behavior, or whether entirely new behavior should be detected.

• Standard Normal Distribution: Statistical evaluation based on the standard normal distribution of
the reference data within the defined time range in the past. A threshold in the form of a z-score is
defined for the evaluation on the pattern user interface. For patterns delivered by SAP, the z-score
is fixed and cannot be changed. For custom patterns, you can define the z-score on the Data tab
of the pattern UI. The z-score is a factor by which the standard deviation is multiplied to define the
confidence interval (that is, the range of behavior still defined as normal). Values that lie outside
this confidence interval are detected as anomalies.

Example: If the value for the average is 100, the standard deviation is 20, and the z-score is 2, the system
considers all values below 60 and above 140 an anomaly.

• New Occurrence: For a given time range, the observations defined in the charts are collected as a
list. Values that are not part of this list are detected as anomalies.
e. Specify the time range in weeks for the reference data.

Make sure that this time range is long enough for the system to gather reference data. It must be at
least four weeks.

Please also ensure that the retention time for the log events is at least as long as the specified time
range for the evaluation. When a pattern is activated for the first time, the system can only collect
reference data for the evaluation if the log events for the specified time range are still available in the
hot or warm storage.

Note: By default, for performance reasons, reference data is only collected once the evaluation
is added to an active pattern. If you want to collect data for all evaluations, you can specify this by
clicking the Settings tile on the launchpad and choosing Anomaly Detection.

Reference data that is older than the time range defined for the reference data is deleted and
therefore not taken into account when the system detects new occurrences or deviations from the
standard behavior.

f. If you use the standard normal distribution as the evaluation method, specify the following:
• The time interval that will be compared to the same time interval of the reference data to detect
anomalies. This allows better comparability with the reference data because, for example, the
number of successful logon events during typical office hours is different from the number of such
events outside office hours. You can specify that the system behavior in either the same hour or
the same quarter of the day is compared.
• Whether you want to create anomalies for occurrences above and below the confidence interval or
only above it. Negative deviations from the mean are usually not critical: for example, if there are
significantly fewer successful logons in a system, it might simply be because the system is down or
it is the weekend. However, significantly more logon attempts might be worth investigating.

g. Specify the semantic attributes that are to be compared. For example, System ID, Actor and System
Type, Actor.

Please note the following information for the evaluation method "New Occurrence":

An event is counted as a new occurrence if it has at least one value in the set of attributes that
differs from the corresponding set of attributes in the reference data (data collected over the
configured time period). The system takes into account all attributes listed in the evaluation
configuration in the Evaluate for section, regardless of whether the checkboxes of the attributes
are selected or not.

If you have chosen "New Occurrence" as evaluation method, you can use the checkboxes in the
Evaluate for section to control how many alerts are generated by the system:

Example: An evaluation has two attributes, System and User. In the Evaluate for section, you have only
selected the System checkbox. When the system receives events from two new users for a
particular system during the evaluation time period, one alert is created. The fact that two new
users were detected is counted as one new occurrence.

Example: An evaluation has two attributes, System and User. In the Evaluate for section, you have selected
both the System checkbox and the User checkbox. When the system now receives events from
two new users for a particular system during the evaluation time period, the system creates two
alerts, one for each combination of system and user. The fact that two new users were detected is
counted as two new occurrences.

5. Save the evaluation.

The system estimates the volume of the expected data. If it is higher than 500 million records, you get
a warning message. If the number of expected records is higher than one billion, you cannot save the
evaluation. If this is the case, reduce the time period or revise the chart to produce fewer records.

Results

The system saves the evaluation.

Next Steps

You can now do the following:

• Add the evaluation to a pattern. To do so, select the pattern and assign the evaluation. Remember that if
a pattern already has one evaluation, only compatible evaluations can be added. In the pattern, you can
then specify the threshold values for the confidence interval. Note that reference data is only created if an
evaluation is assigned to an active pattern.
• Add the evaluation to a scenario. To do so, open the Assignments tab of the evaluation and add the
scenario. Note that this is only intended to provide a better overview and has no other effect.

16.5 Editing and Creating Scenarios

Evaluations and patterns that belong together can be grouped as scenarios. This allows you to find them more
easily when you create new patterns.

Context

SAP Enterprise Threat Detection provides you with a number of predefined scenarios. If you want to modify a
scenario, choose Save As to create a new one with a new name and namespace.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Anomaly Detection Lab.

2. Choose the scenario that you want to modify from the list of scenarios or choose (Create Entity) Create Scenario at the top of the list.
3. Specify the required settings:
a. Provide a name and a namespace
b. (Optional) Add a description.
c. Add existing patterns and evaluations to a scenario by choosing + in the Assignments tab.

Alternatively, from within an evaluation or pattern, you can add these objects to a scenario in the
Assignments tab using the +.
4. Save the scenario.

16.6 Viewing and Analyzing Anomalies

View and analyze the results of anomaly detection patterns to see whether you need to start further
investigations.

Prerequisites

You have started the background job sap.secmon.framework.anomalydetection.jobs::anomalyJob to compute the reference data for anomaly detection.

For more information, see the SAP Enterprise Threat Detection Implementation Guide.

Context

To compute the reference data, a background job is run every hour for the existing log data. By analyzing
this reference data, the job recognizes an overall trend in the behavior in the system landscape. The anomaly
detection patterns identify deviations from this usual behavior and entirely new occurrences. An anomaly
might not necessarily be an incident but could be a significant indication. In the anomaly detection lab, you can
analyze these anomalies with the help of diagrams to find out whether they need further investigation.

All log events are compared to the reference data and they are given a score that indicates whether something
lies within the range of accepted behavior. This is a normalized score of 0 to 100. The normalized threshold for
the anomaly detection of SAP Enterprise Threat Detection is 63. A score of less than 63 means that the events
lie within the defined confidence interval, while a score of equal to or greater than 63 means that events show
anomalous behavior. The higher the normalized score, the more the events deviate from normal behavior.

For the calculation of the anomaly score for anomalies based on the deviation from the standard normal
distribution, the system uses the following formula:

1 - exp(-(z-score^2 / threshold^2))

Here, z-score is the deviation of the observed value from the reference average in units of the standard
deviation, and threshold is the z-score defined for the pattern. Scaled to the range 0 to 100, this gives the
normalized score; at a z-score equal to the threshold the result is 1 - exp(-1), that is, 63, which is why 63
is the anomaly threshold described above.

For anomalies based on new occurrences, the system always shows an anomaly score of 74 if a new occurrence
was found.
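The two evaluation methods from Editing and Creating Evaluations (confidence interval from the z-score, and New Occurrence with the Evaluate for checkboxes) together with the normalized score formula above, worked through as an added example that is not part of the guide or of SAP's code. The same-weekday slot keys for the hour and quarter-of-day comparison, the use of the population standard deviation, and the sample logon counts and events are assumptions constructed for this illustration.

```python
"""Evaluation methods and normalized anomaly score of the Anomaly Detection Lab,
as an added illustration (not SAP's own code). Reference data is constructed."""
import math
from datetime import datetime

NORMALIZED_THRESHOLD = 63   # guide: a score of 63 or higher is an anomaly
NEW_OCCURRENCE_SCORE = 74   # guide: fixed score when a new occurrence is found


def reference_slot(ts, granularity="hour"):
    """Key of the comparison interval: same weekday and same hour, or same
    weekday and same quarter of the day (six-hour slot). Assumed mapping."""
    if granularity == "hour":
        return ts.weekday(), ts.hour
    if granularity == "quarter":
        return ts.weekday(), ts.hour // 6
    raise ValueError("granularity must be 'hour' or 'quarter'")


def mean_and_stddev(values):
    """Population mean and standard deviation of the reference values."""
    n = len(values)
    mean = sum(values) / n
    variance = sum((v - mean) ** 2 for v in values) / n
    return mean, math.sqrt(variance)


def confidence_interval(mean, stddev, z_threshold):
    """Range still considered normal: mean +/- z_threshold * stddev."""
    return mean - z_threshold * stddev, mean + z_threshold * stddev


def normalized_score(actual, mean, stddev, z_threshold, above_only=False):
    """Normalized score 0..100 from the guide's formula 1 - exp(-(z^2 / threshold^2)),
    scaled by 100. At z == threshold the score is 63, exactly the anomaly threshold."""
    if stddev == 0:
        # no spread in the reference data: any deviation is maximal
        z = 0.0 if actual == mean else math.copysign(math.inf, actual - mean)
    else:
        z = (actual - mean) / stddev
    if above_only and z < 0:
        z = 0.0  # "only above": fewer events than usual are not reported
    return round(100 * (1 - math.exp(-(z * z) / z_threshold ** 2)))


def is_anomaly(score):
    return score >= NORMALIZED_THRESHOLD


def deviation_score(reference_counts, ts, actual, z_threshold,
                    granularity="hour", above_only=False):
    """Standard Normal Distribution method: compare the current count with the
    reference counts of the same slot. reference_counts maps datetime -> count."""
    slot = reference_slot(ts, granularity)
    values = [c for t, c in reference_counts.items()
              if reference_slot(t, granularity) == slot]
    mean, stddev = mean_and_stddev(values)
    return normalized_score(actual, mean, stddev, z_threshold, above_only)


def new_occurrence_alerts(reference_events, current_events, attributes, evaluate_for):
    """New Occurrence method. An event is new when its value combination over ALL
    evaluation attributes is absent from the reference data; the 'Evaluate for'
    checkboxes only decide how new events are grouped into alerts (one alert per
    distinct combination of the selected attributes).
    Returns {selected combination: (number of new events, score)}."""
    known = {tuple(e[a] for a in attributes) for e in reference_events}
    alerts = {}
    for e in current_events:
        if tuple(e[a] for a in attributes) in known:
            continue
        key = tuple(e[a] for a in evaluate_for)
        count, _ = alerts.get(key, (0, NEW_OCCURRENCE_SCORE))
        alerts[key] = (count + 1, NEW_OCCURRENCE_SCORE)
    return alerts


# Constructed sample: successful logons per hour on four Mondays at 09:00, plus
# entries in other slots that the same-hour comparison must ignore.
REFERENCE_LOGONS = {
    datetime(2023, 2, 6, 9): 80, datetime(2023, 2, 13, 9): 120,
    datetime(2023, 2, 20, 9): 80, datetime(2023, 2, 27, 9): 120,
    datetime(2023, 2, 6, 11): 100, datetime(2023, 2, 6, 3): 5,
}
CURRENT_HOUR = datetime(2023, 3, 6, 9)                     # a later Monday, 09:00
REFERENCE_EVENTS = [{"System": "PRD", "User": "alice"}]   # constructed
CURRENT_EVENTS = [{"System": "PRD", "User": "alice"},
                  {"System": "PRD", "User": "bob"},
                  {"System": "PRD", "User": "carol"}]

if __name__ == "__main__":
    for actual in (110, 150, 50):
        s = deviation_score(REFERENCE_LOGONS, CURRENT_HOUR, actual, z_threshold=2)
        print(actual, s, "anomaly" if is_anomaly(s) else "normal")
    print(new_occurrence_alerts(REFERENCE_EVENTS, CURRENT_EVENTS,
                                ["System", "User"], ["System"]))
```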

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Anomaly Detection Lab.
2. Select a pattern. In the pattern view, choose Analyze Pattern in the footer toolbar.

The anomalies are displayed in the score overview diagram, and the table on the right displays the
anomalies as a list. For patterns with at least three evaluations, there is a second type of diagram that
you can display by selecting it from the dropdown box. This score diversity diagram shows how the entities
differ from one another. For more information, see Viewing Anomalies in the Score Overview Diagram and
Viewing Anomalies in the Diagram of Score Diversity below.
3. Using the Score Selector at the bottom, limit or expand the number of anomalies or all entities displayed
in the diagram and in the table. You can specify that the normal entities are also displayed by selecting the
checkbox. This is useful to check whether the pattern needs to be adapted.

The Score Selector at the bottom of the screen displays all entities relating to the anomaly detection
pattern as dots. By default, only anomalies whose behavior deviates most from the expected behavior
(closer to 100) are selected. The selected anomalies appear in the table on the right.

4. To select a different pattern or to change the time range, choose the (Edit) icon.

Note that the time range is always one hour. You specify when this hour starts.
5. To show details of individual entities, click them in the table on the right.

A table with detailed information opens. For more information, see Viewing the Details of Anomalies.

6. To simulate the output of a pattern with different settings, choose the (Settings) icon and change the
settings.

Use this function to calibrate your patterns: The output of the pattern is shown according to the new
pattern settings. If you decide that your pattern needs to be changed, open the pattern itself and make the
settings there.

Results

Note that the selected pattern is part of the URL, so you can share this URL with colleagues if you want them to
look at this analysis as well.

16.6.1 Viewing Anomalies in the Score Overview Diagram

View the events detected as anomalies by a pattern. For each evaluation of the pattern, the anomalies are
shown with their score in the diagram. Each evaluation of the pattern makes one dimension in the graph.

Prerequisites

• You have read Viewing and Analyzing Anomalies.
• Your anomaly detection pattern has detected anomalies. If not, you can use this diagram to display the
occurrences that are within the defined confidence interval by selecting this option in the score selector or
by simulating the results of this pattern with other settings.

Context

Note that the entities are displayed in different colors: Anomalies are red, and non-anomalies are blue. If you
select an entity in the table, this entity is displayed in green.

The score overview diagram shows the anomalies with their mean scores that have been detected according to
the semantic attributes the pattern is based on (for example, the system and the system ID). This diagram has
an entirely different look, depending on the number of evaluations in the pattern:

• For patterns with only one evaluation
If the pattern only consists of one evaluation, the diagram simply displays the different occurrences with
their scores along the y-axis. At the top, you find the occurrences with the highest score (in other words,
those that deviate most from the usual system behavior).
• For patterns with two evaluations
One evaluation is shown along the x-axis and the other one along the y-axis. The scores of each occurrence
are displayed.
• For patterns with three or more evaluations
Multidimensional patterns are displayed in a spider diagram in which an axis starts from the same point
0 and ends with 100 for each evaluation. Along these axes, the threshold of 63 (which is defined as the
cutting point from which onwards an entity is defined as an anomaly) is marked, and a gray polygon is

drawn to show the normal expected behavior of the systems or users. For each evaluation, the normalized
score is also indicated, and a polygon of anomalies is drawn. From the two overlapping polygons, you can
easily see for each evaluation how much the system or user behavior deviates from the expected behavior.

Procedure

1. See Viewing and Analyzing Anomalies [page 144].
2. To show details of the entities in a separate ring diagram, click the entities in the diagram (dots, polygons,
bars, depending on the diagram) and then click Show details.

A new ring diagram opens with the entity at its center. In the first ring around the entity, the evaluations of
the pattern that have detected anomalies are shown. In the outer rings, the relevant semantic attributes of
the entity are displayed. These are the semantic attributes used by the chart that the pattern is based on
to group the entities, and the other filter criteria of the chart's path. These are ordered by their number of
distinct values; those with fewest distinct values are closer to the middle.
3. Zoom in on the individual attributes by clicking the parts of the ring.

This moves the attribute to the center of the ring and displays the dependent information around it.
4. To return to the diagram or to show the entity in the forensic lab, click the center circle on the diagram and
select your choice.

16.6.2 Viewing Anomalies in the Diagram of Score Diversity

View the details of anomalies and how they differ from one another.

Prerequisites

The pattern has a minimum of three evaluations.

Context

Two anomalies detected by the same evaluation that have a similar normalized score do not necessarily have
similar characteristics. This diagram compares the different features of anomalies with one another.

The diversity diagram takes the areas of the polygons from the score diagram of patterns with at least three
evaluations and compares their characteristics in this three-dimensional diagram. Picture the polygon from
the score diagram as positioned in the first quadrant of a two-dimensional coordinate system. From this, each
polygon's center of area (called the centroid) is calculated. This centroid's coordinates are then located on the
first and second axes of the score diversity diagram. The third axis represents the area of the polygon. In this
way, each component of the anomaly is positioned in a coordinate system and the distance between them
represents their diversity. Dots that appear close to one another are similar; dots that appear far apart deviate

from the rest. This might indicate that it is worth analyzing the information in more detail – for example, by
taking a closer look at the behavior of the relevant entity value. You can drill down to a specific user or system
and navigate to the appropriate forensic workspace.
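The centroid-and-area construction described above, as an added example that is not part of the guide or of SAP's code. It assumes that the evaluation axes of the spider diagram are spread evenly around a common origin and that the polygon is moved into the first quadrant by adding a fixed offset to every coordinate; the sample scores are constructed.

```python
"""Score diversity coordinates for a pattern with three or more evaluations,
as an added illustration (not SAP's own code).
Assumptions: the evaluation axes are spread evenly around the spider diagram's
origin, and the polygon is moved into the first quadrant by adding OFFSET to
every coordinate; the sample scores are constructed."""
import math

OFFSET = 100.0   # assumed shift that puts the score polygon into the first quadrant


def spider_polygon(scores, offset=OFFSET):
    """Corner points of the score polygon: one axis per evaluation, the
    normalized score (0..100) as the distance from the common origin."""
    n = len(scores)
    if n < 3:
        raise ValueError("score diversity needs at least three evaluations")
    return [(s * math.cos(2 * math.pi * k / n) + offset,
             s * math.sin(2 * math.pi * k / n) + offset)
            for k, s in enumerate(scores)]


def area_and_centroid(points):
    """Shoelace formula for a simple polygon given in axis order; returns
    (area, (cx, cy)). A degenerate polygon (for example all scores 0) has
    area 0 and its centroid at the mean of its points."""
    twice_area = cx = cy = 0.0
    for i, (x0, y0) in enumerate(points):
        x1, y1 = points[(i + 1) % len(points)]
        cross = x0 * y1 - x1 * y0
        twice_area += cross
        cx += (x0 + x1) * cross
        cy += (y0 + y1) * cross
    if abs(twice_area) < 1e-12:
        n = len(points)
        return 0.0, (sum(p[0] for p in points) / n, sum(p[1] for p in points) / n)
    area = twice_area / 2.0          # signed; orientation cancels out below
    return abs(area), (cx / (6.0 * area), cy / (6.0 * area))


def diversity_point(scores):
    """The three axes of the diversity diagram: centroid x, centroid y, area."""
    area, (cx, cy) = area_and_centroid(spider_polygon(scores))
    return cx, cy, area


def diversity_distance(scores_a, scores_b):
    """Distance between two anomalies in the diversity diagram: the larger,
    the more their characteristics differ."""
    return math.dist(diversity_point(scores_a), diversity_point(scores_b))


# Constructed: anomalies of a three-evaluation pattern that share the same mean
# score (70) but are spread differently over the evaluations.
SAMPLE_ANOMALIES = {"user-a": [90, 90, 30], "user-b": [30, 90, 90], "user-c": [70, 70, 70]}

if __name__ == "__main__":
    for name, scores in SAMPLE_ANOMALIES.items():
        print(name, [round(v, 1) for v in diversity_point(scores)])
    print("a-b", round(diversity_distance([90, 90, 30], [30, 90, 90]), 1))
```

Anomalies "user-a" and "user-b" have the same mean score and the same polygon area but different centroids, which is the case the guide describes: similar scores, different characteristics.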

Procedure

1. See Viewing and Analyzing Anomalies [page 144].
2. Click a dot within the diagram of diversity.

As the distance between the dots represents their diversity, choose a dot that is located at a greater
distance from the rest.
3. Drill down further and view specific information such as the application/transactions names or the user
that has processed the applications.
4. When you have drilled down to one user pseudonym or one system, click the corresponding part of the
circle.

16.6.3 Viewing the Details of Anomalies

Entities selected in the Selector at the bottom of the page are displayed as a list, indicating the semantic
attribute of the data observed in the evaluations together with the score of the anomaly.

To view more detailed information of the entity, choose the semantic attributes from the table. In our example,
it is the system and the system type.

Evaluation: The name of the evaluation.

Actual Value: The value of the anomaly. The % in brackets represents the difference of the value from its
reference value. If it is smaller or bigger than the reference value, the percentage part is marked by - or +
respectively.

Reference Value: The average of all events found for the same hour or same six-hour slot on the same weekday
in the past is shown.

Standard Deviation: For evaluations that use the standard normal distribution, the standard deviation is shown
here. For evaluations that look for new occurrences, no value can be specified here.

Score: Indicates whether an entity value lies within the expected behavior. The score has a range from 0 to 100.
The higher the score, the more unexpected the behavior. Our threshold for normal behavior is 63. Everything
with a value of 63 or higher is defined as an anomaly.

17 Pseudonymization of User Data

Pseudonymization is a procedure by which the user ID and other person-related data in a record is replaced
by a pseudonym, so as to make it difficult or impossible to identify the person in question. In contrast to the
anonymization procedure, pseudonymized data still references the original data.

In SAP Enterprise Threat Detection, pseudonymization takes place in SAP HANA with the help of the user
context and the user account name. In SAP HANA, a human-readable pseudonym is assigned to the user
account name.

SAP Enterprise Threat Detection changes the pseudonym associated with a user once a week. The applications
of SAP Enterprise Threat Detection, such as the forensic lab, can only access the current pseudonym of a user.
You cannot use your past knowledge of user pseudonyms to pursue a user. SAP Enterprise Threat Detection
protects this application with authorizations and records read-access to this data.

In addition to the pseudonymization of the usernames in the semantic attributes specific to user accounts,
you can mask all usernames that occur in attributes other than the username attribute and that match the
configurable regex defined in the UsernameMasking.Regex setting of the normalizer.

Related Information

Username Masking [page 157]

17.1 Best Practices: Pseudonymization of User Data

We have some recommendations for you related to the pseudonymization of user data.

Excluding Technical Users from Pseudonymization

To be able to recognize more quickly whether an action runs under a technical or a personal user, it's useful
to exclude the technical users from pseudonymization, since the technical users are not subject to data
protection and privacy requirements. For the technical users excluded from pseudonymization, the system will
display the actual names in the user interface.

To exclude technical users from pseudonymization, you create a new value list which most probably contains
the types “C” (Communication), “S” (Service) and “B” (System).

Note: If you want to exclude some dedicated users in addition to the ones excluded based on this value
list, you can use the value list SAPStandardUsers. If you want to reuse the users entered in the
SAPStandardUsers value list in patterns, you might want to create new value lists as subsets of
the SAPStandardUsers value list so that the patterns only take into account a specific subset of non-
pseudonymized standard users or technical users.

1. From SAP Enterprise Threat Detection launchpad, choose Value Lists.
2. Choose New.
3. Enter the namespace, name (for example Types of Technical Users), and description.
4. Specify the types of users that the system should not pseudonymize. Most probably, this list will contain
the types “C” (Communication), “S” (Service) and “B” (System).
5. (Optional) If you want to exclude some dedicated users in addition to the ones excluded based on
the value list using the types “C” (Communication), “S” (Service) and “B” (System), use the value list
SAPStandardUsers. Make sure to specify each user by name or use the wildcards underscore (_) or
percent (%) to cover more than one user. For more information about creating value lists, see Preparing
Value Lists [page 106].

Result: If you use the value list in your attack detection patterns, the system does not pseudonymize a user
who has, in at least one system, a type included in the value list Types of Technical Users. In this case, the
system shows the actual user name instead of the pseudonym in the attributes Account Name Pseudonym, <Role>.

17.2 Deactivating Pseudonymization

Pseudonymization is active per default when you install SAP Enterprise Threat Detection, but you can
deactivate it to see the user account names instead of the pseudonyms in the user interfaces of SAP Enterprise
Threat Detection.

Prerequisites

You need the privilege sap.secmon::SettingsPseudonymizationWrite to be able to deactivate or
activate pseudonymization. By default this privilege is not assigned to any user because not everybody should
be allowed to do this. Depending on the company and country, only dedicated people might be allowed to
deactivate or activate pseudonymization after an agreement has been made with the works council. If you do
not have the rights, you still see the status, but cannot change it.

Context

All the actions regarding pseudonymization deactivation or activation are reflected in the Records of Actions
app. For more information, see Viewing the Record of Actions [page 9].

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Settings and then Pseudonymization.
2. Choose Deactivate to switch off pseudonymization.

Note

It may take a few moments before the function is actually disabled. How long this might take
depends on the schedule for the UserContext background job that must be executed to deactivate
pseudonymization. Per default, the job is scheduled to run once per minute.

Note

It's not necessary to deactivate the jobs regeneratePseudonyms and UserContext. They must stay
active even if you deactivate pseudonymization.

Results

When pseudonymization is deactivated, the system displays all the attributes related to pseudonyms
(such as Account Name Pseudonym, Acting; Account Name Pseudonym, Initiating; Account Name Pseudonym,
Targeted; Account Name Pseudonym, Targeting) as user account names instead of pseudonyms in all user
interfaces of SAP Enterprise Threat Detection. The indicators and alerts raised by patterns also contain
user account names instead of generated pseudonyms until you activate pseudonymization again.

Next Steps

If you want to activate pseudonymization again, choose Activate.

Note

It will take some time before pseudonymization is actually activated again. How long this might take
depends on the schedule for the regeneratePseudonyms background job that must be executed to
reactivate pseudonymization. Per default, the job is scheduled to run every ten minutes.

Related Information

Background Jobs of SAP Enterprise Threat Detection

17.3 Determining the True Identity of Users

When suspicious events occur, you may be required to determine the true identity of the person behind the
pseudonym shown in the user interface.

Prerequisites

• You have a user with authorizations for SAP Enterprise Threat Detection to reveal the identity of users.
Who is allowed to view the identities of users is governed by local laws and the data privacy policy of your
organization.
• You have a user pseudonym from which you want to resolve the real user name.

For more information about authorizations for SAP Enterprise Threat Detection, see Creating Users and
Assigning Authorizations in the SAP Enterprise Threat Detection Implementation Guide.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Resolve User Identity.
2. Enter the pseudonym and choose Resolve.

Results

The application displays the user context information, revealing the name of the person behind the user
pseudonym if this information is maintained in the source systems. The application also shows all the systems
where the account name is known.

Next Steps

To get more information about the person behind a pseudonym, you can identify the related accounts for the
pseudonym.

Related Information

Identifying Related Accounts for a Pseudonym [page 153]

17.4 Identifying Related Accounts for a Pseudonym

To get more information about the person behind a pseudonym, you can determine the user account name
from a pseudonym and check if the user account is related to other user accounts. From the result list of
related accounts you can retrieve properties of the person owning the accounts, such as first name, surname,
e-mail address and so on.

Prerequisites

You have a user with the EtdResolveUser role.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Resolve User Identity.
2. On the Resolve tab, enter and resolve a pseudonym to determine the related account name.
3. Select the user context properties that you want the system to use to determine related accounts.
4. Choose Calculate Related Accounts.

Based on the selected user context properties, the system calculates and displays a list of related
accounts. The result list shows for each account name which property values exist for the user context
properties. From this list of property values you can judge the data quality of a user context property.
5. To display the detailed user information for the related accounts, you can click the individual rows.

The system shows the available data for each system.
6. If the calculation result lists account names which are not related, refine the property selection and
recalculate the related accounts.

Results

Based on the selected user context properties, the system calculates and displays a list of related accounts.

The result list shows for each account name which property values exist for the user context properties.

Related Information

Calculation of Related Accounts [page 155]
Identifying Activities Performed by One Person Using Different User Accounts [page 154]

17.5 Identifying Activities Performed by One Person Using
Different User Accounts

You can check if multiple user accounts are related and see what actions one person has performed with
different user accounts.

Prerequisites

You have a user with the EtdSecExpert role.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Resolve User Identity.
2. On the Reverse tab, enter an account name.
3. Expand the section Related Accounts Calculation.
4. Choose Related Accounts Calculation.

Based on the selected user context properties, the system calculates and displays a list of related
accounts. The result list shows for each account name which property values exist for the user context
properties. From this list of property values you can judge the data quality of a user context property.
5. If the calculation result lists account names which are not related, refine the property selection and
recalculate the related accounts.
6. In the results table, select the account names for which you want to determine the pseudonyms.
7. Choose Resolve.
8. Select the pseudonyms for which you want to show the related activities in forensic lab.
9. Choose Process in Forensic Lab.
10. Select the roles to inspect, such as User Pseudonym, Acting.
11. Choose OK.

Results

The system opens forensic lab and shows all actions that were performed under the selected pseudonyms.

Related Information

Calculation of Related Accounts [page 155]
Identifying Related Accounts for a Pseudonym [page 153]

17.6 Calculation of Related Accounts

With the function Related Accounts Calculation the system tries to calculate which account names belong to
the same person. The system treats the accounts as related if they have at least one common user context
value, for example an e-mail address that is used as e-mail address for one account and as account name for a
second account.

In SAP Enterprise Threat Detection, log data contains account names, such as MUELLER, D012345,
fred.mueller@xy.com. Related Accounts Calculation tries to calculate which account names belong to the same
person.

An account consists of:

• System type (such as ABAP)
• System (such as B90/100)
• Account name

For each account, SAP Enterprise Threat Detection collects additional user context information from the
connected systems, such as

• E-mail address
• SAP name
• Account number
• Personnel number
• Alias
• SNC name

Two accounts are treated as related if they have at least one common user context property value.

Example

Account 1

System: B20
Account Name: MUELLER
Personnel Number: D012345

Account 2

System: B30
Account Name: D012345
E-Mail Address: fred.mueller@xy.com

Account 3

System: B40
Account Name: fred.mueller@xy.com

Account 1, Account 2, and Account 3 are considered related for the following reasons:

• Account 1 and Account 2 share the user context property value D012345.
• Account 2 and Account 3 share the user context property value fred.mueller@xy.com.
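The relation rule and the three-account example above, implemented as an added example in Python (this is not SAP Enterprise Threat Detection code). The account layout, the property names and the extra unrelated account are constructed for this example; narrowing the selected properties models the "refine the property selection" step of the Resolve User Identity app.

```python
"""Related Accounts Calculation, modelled after the rule in this guide.

Added example, not SAP Enterprise Threat Detection code. Two accounts are
related when they share at least one user context property value; the
relation is followed transitively, so Account 1, Account 2 and Account 3
from the guide's example end up in one group. Assumptions: an account name
counts as a value that can match a context property of another account
(the guide's e-mail example), matching is exact (case-sensitive), and the
property names are made up for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    system_type: str                            # such as ABAP
    system: str                                 # such as B90/100
    name: str                                   # account name in that system
    context: Tuple[Tuple[str, str], ...] = ()   # (property, value) pairs

    def label(self) -> str:
        return f"{self.system_type}:{self.system}:{self.name}"


# Constructed sample data mirroring the guide's example, plus one unrelated
# account (SMITH) to show that it is not pulled into the group.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("ABAP", "B20", "MUELLER", (("PERSONNEL_NUMBER", "D012345"),)),
    Account("ABAP", "B30", "D012345", (("EMAIL", "fred.mueller@xy.com"),)),
    Account("ABAP", "B40", "fred.mueller@xy.com"),
    Account("ABAP", "B50", "SMITH", (("EMAIL", "j.smith@xy.com"),)),
]


def matching_values(acc: Account, selected: Optional[Set[str]]) -> Set[str]:
    """Values used for matching: the account name plus the values of the
    selected user context properties (all properties when selected is None).
    Narrowing `selected` corresponds to refining the property selection
    when unrelated accounts show up in the result list."""
    values = {acc.name}
    for prop, value in acc.context:
        if selected is None or prop in selected:
            values.add(value)
    return values


def related_accounts(
    accounts: Iterable[Account],
    seed_name: str,
    selected: Optional[Set[str]] = None,
) -> Tuple[List[str], Dict[str, str]]:
    """Return the labels of all accounts transitively related to the
    account(s) named seed_name, and for each linked account the shared
    value that linked it. Values of unselected properties never link."""
    accounts = list(accounts)
    index: Dict[str, List[Account]] = defaultdict(list)   # value -> accounts
    for acc in accounts:
        for value in matching_values(acc, selected):
            index[value].append(acc)

    stack = [acc for acc in accounts if acc.name == seed_name]
    seen: Set[Account] = set()
    links: Dict[str, str] = {}
    while stack:                        # depth-first walk over shared values
        acc = stack.pop()
        if acc in seen:
            continue
        seen.add(acc)
        for value in matching_values(acc, selected):
            for other in index[value]:
                if other not in seen and other.label() not in links:
                    links[other.label()] = value
                    stack.append(other)
    return sorted(acc.label() for acc in seen), links


if __name__ == "__main__":
    labels, links = related_accounts(SAMPLE_ACCOUNTS, "MUELLER")
    for label in labels:
        print(label, "<-", links.get(label, "seed"))
```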

Related Information

Identifying Related Accounts for a Pseudonym [page 153]
Identifying Activities Performed by One Person Using Different User Accounts [page 154]

17.7 Logging Access to User Identities

Because personal user information is protected by local laws and regulations, SAP Enterprise Threat Detection
logs when someone accesses this information.

Prerequisites

You have a user with authorizations for SAP Enterprise Threat Detection to reveal the identity of users
(sap.secmon.db::EtdResolveUser). Who is allowed to view the identities of users is governed by local
laws and the data privacy policy of your organization.

For more information about authorizations for SAP Enterprise Threat Detection, see Creating Users and
Assigning Authorizations in the SAP Enterprise Threat Detection Implementation Guide.

Context

Logging access enables auditors to track when such user information was seen and by whom.

Note

Logging is only possible when depseudonymization is done through the user interface. A user with the
relevant access rights and database tools can access the same information with SQL select statements.
When users have such low-level access, no logging takes place.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Resolve User Identity.
2. Choose the Log tab.

The table shows the following information:

• The user that attempted to resolve the pseudonym
• The pseudonym
• The success or failure of the operation
• Time stamp of the attempt

17.8 Username Masking

You can mask all usernames that occur in attributes other than the username attribute and that match the
configurable regex defined in the UsernameMasking.Regex setting of the normalizer. This masking is done in
addition to the pseudonymization of the usernames in the semantic attributes specific to user accounts.

For example, if a username appears in the semantic attribute "Resource Name", then the normalizer will mask
the username within this semantic attribute.

Masking is done in the following way:

Any match of a username is replaced with "***** <Role> *****", with <Role> referring to the role of the
user in the log event:

Acting User: ***** Acting *****
Initiating User: ***** Initiating *****
Targeted User: ***** Targeted *****
Targeting User: ***** Targeting *****

Username masking is applied to the following semantic attributes:

• Resource Container Name
• Service, Workflow Name
• Generic, Purpose
• Resource Name
• Service, Function Name
• Service, Executable Name
• Parameter Name, Context
• Event (Semantic)
• Parameter Name
• Attack Name
• Generic, Outcome
• Service, Outcome
• Service, Transaction Name
• Service, Request Line
• Service, Program Name
• Service, Version
• Parameter Value, String
• Generic, Action
• Generic, Explanation
• Event Scenario Role Of Actor
• Trigger Name, Acting
• Privilege Name
• Generic, Outcome, Reason
• Network, Network Prefix, Target
• Service, Instance Name
• Event, Scenario Role Of Initiator
• Generic, Path
• Generic, URI
• Network, Network Prefix, Actor
• Privilege, Grantee Name
• Service, User Agent
• Resource Content Or Hash
• Trigger Name, Targeted
• Service, Access Name
• Service, Application Name
• Parameter Value, String, Context
• Parameter, Direction, Context
• Service, Referrer
• Event, Message
• Parameter Direction
Related Information

Processing Settings for the Normalizer

18 Recurring Tasks to Help Ensure Smooth
Operations

The following tasks help you make sure that SAP Enterprise Threat Detection functions properly. By
performing these tasks regularly, you can avoid issues. If you do run into problems with your SAP Enterprise
Threat Detection installation, see the separate Troubleshooting Guide.

Automated Checks to Monitor Continuously

Always monitor the health checks of SAP Enterprise Threat Detection and your SAP HANA alerts.

Health Checks and SAP HANA Alerts

Automatic check: Actively monitor the health checks of SAP Enterprise Threat Detection on the Monitoring
user interface, which is called up from the launchpad.
More information: If the partitioning checks or the pseudonym generation check show errors, check whether
the jobs are running in the XS Job Dashboard. If you realize that you would rather work with alerts than
monitor the health checks, you might want to consider creating an attack detection pattern for the health
checks.

Automatic check: Actively monitor your SAP HANA alerts. Note that you can configure e-mail notifications
for these alerts.
More information: We recommend deactivating the alerts with Alert Checker IDs 606 through 609. In the SAP
HANA cockpit, choose Configure Alerts, search for the word "throughput" and deactivate those four alerts.

Tasks to Carry Out at Least Once a Day

We recommend that you make it a habit to start your day with the tasks in the table below and carry them out
again a few times during your day.

Perform at Least Once Daily

Task: Check whether the log event files directory is full or is about to become full.
Suggested action: Ensure that the FileSubscriber of the log collector is running.

Task: If you have deployed the cold storage application, check whether the archive files for original log
data are full or about to become full.
Suggested action: Ensure that the project cold storage application is running. Start or restart the
clean-up/archiving job or increase the volume of the CRON jobs.

Task: In the SAP HANA cockpit, choose the User Tables tile to check the persistent memory load for all
tables.
Suggested action: If the used memory of original log events, unrecognized log events, and statistics data is
more than 50%, check the retention time and the distribution of partitions. Scale up if necessary.

Task: Check whether the partitioning job is running. This job partitions the following tables: LogEvents,
OriginalLog, UnrecognizedLogs, statisticsJob.
Suggested action: If the status of the partitioning job is not SUCCESS, you could perform partitioning with
the SQL statement ALTER TABLE <schema name>.<table name> DROP PARTITION <partition clause>.

Task: Check the job scheduler of SAP HANA.
Suggested action: In the XS Job Dashboard, check whether all jobs are running properly.

Checks to Prevent Issues with Kafka

We recommend performing the tasks in the table below to avoid issues with Kafka and Zookeeper.

Kafka-specific Checks

Task: Perform checks to prevent problems with Kafka and Zookeeper.
Suggested action: Ensure that the data directory of your Kafka installation provides sufficient storage for
holding the data for the configured retention time.

Task: Check whether Kafka is running.
Suggested action: If you have installed a systemd unit for Kafka, check whether the service is running with
the following command:

systemctl status kafka

If you have not installed a systemd unit for Kafka, run the following command on the Kafka broker
operating system:

ps ax | grep server.properties | grep java

If a line is shown, then Kafka is running.

You can check more accurately whether Kafka is running using the following method (the nc package must
be installed):

echo dump | nc <zookeeper-hostname> <zookeeper-port> | grep brokers

If Kafka is running, the output should be:

/brokers/ids/0

Task: Check whether Zookeeper is running.
Suggested action: If you have installed a systemd unit for Zookeeper, check whether the service is running
with the following command:

systemctl status zookeeper

If you have not installed a systemd unit for Zookeeper, run the following command on the Zookeeper
operating system:

ps ax | grep zookeeper.properties | grep java

If a line is shown, then Zookeeper is running.

Note
The default <zookeeper-port> is 2181.

Also check the current status of ports 9095 and 2181, which are used by Kafka and Zookeeper, via netstat:

netstat -ntpl | grep 2181

netstat -ntpl | grep 9095

Task: Check whether the Kafka disk is full, especially when onboarding new logs or extending the retention
period.
Suggested action: If the Kafka disk is nearly full, reduce the retention period in server.properties and
restart Kafka. Keep in mind that this must be done on each Kafka broker. Alternatively, increase the disk
capacity.

19 Preventing Out of Memory Issues

Depending on the causes of the out of memory issues, you have different options to prevent them.

If you encounter an out of memory error, for example in the Forensic Lab or when searching for logs in the
Sherlog app, it could be due to one of the following reasons:

• There was already a high memory consumption caused by other activities, and your request eventually
triggered the error because it took up the last memory space. To find out if this is the case, please check
the system's memory usage in SAP HANA Cockpit and identify the causes of the high memory usage.
• The out of memory error was caused by the search request itself. In this case, try the following to optimize
the search:
  • Check if you can choose a smaller time range for the search and still get the data you need to analyze.
  • If you need to analyze a big time range, break up the time range into several smaller searches.
  • In the Sherlog app, specify the log type for your search or use other filters to narrow the search if
  possible.

For more information about sizing, event storage and recommendations for saving SAP HANA resources when
developing and configuring patterns, see:

• Sizing Guide for SAP Enterprise Threat Detection at https://help.sap.com/sapetd
• Managing Storage of Events and User Accounts [page 131]
• Best Practices: Pattern Development and Configuration [page 89]

20 Content Delivery

SAP regularly delivers configurable standard content packages with predefined patterns to expand the attack
detection scope of SAP Enterprise Threat Detection. Use the Content Delivery app to see which content
packages are already imported and import new content packages.

The list of packages contains a short description for each package. It also shows the namespace and status of
the package as well as the releases for which the content package is valid.

Note

Make sure to only import packages that are suitable for your release. If you import a package that is not
suitable for your system, this might lead to data mismatches such as broken workspaces.

Although the workspaces delivered for SAP Enterprise Threat Detection provide extensive coverage, it
would be impossible to address the vast range of potential threats using standard content alone. The
delivered patterns are meant to be used as templates. They are based on SAP security recommendations
and may not match all company security policies. To reliably detect attacks in your specific systems,
make sure to check whether you need to adapt the content configuration such as the value lists, schedules and
thresholds of the delivered attack detection patterns. Please copy the delivered patterns and adjust them
to your needs before using them productively.

Pattern development is time consuming and requires the necessary knowledge. If you need help, please
contact SAP Consulting.

To display the development objects belonging to a content package, click on the content package row in the list
to display the details.

The system can import the following development objects: workspaces and value lists.

Related Information

Best Practices: Pattern Development and Configuration [page 89]

20.1 Importing New Content Packages

To enhance protection against malicious attacks, you can import the latest content packages provided by SAP.

Prerequisites

You have a user with EtdAdmin authorization.

You have downloaded the content DU (Delivery Unit) from Software Download Center and installed it using SAP
HANA Application Lifecycle Management. For more information, see the content DU installation information
that is available on SAP Help Portal at https://help.sap.com/sapetd under Installing Content Packages in the
Security section.

Procedure

1. Open the Content Delivery app.
2. Check which packages you have not yet imported.
3. Identify the new packages that you want to add to your system.

We recommend that you import only the packages that you really intend to use.

To display the development objects belonging to a content package, click on the content package row in
the list to display the details. Choose the back button to go back to the content package list.
4. Select the workspaces that you want to import.
5. Choose Import.

The system opens the Content Replication app and shows the content that is part of the packages to be
imported.
6. Select all content to be imported.
7. Click Start Import.

The system imports the selected workspaces and value lists.
8. Optional: You can display the imported items using the app Record of Actions.

Next Steps

Activate the patterns in the imported packages. To do so, open each pattern individually in forensic lab or in the
pattern UI and set the status to Active.

Note

Make sure to only activate patterns for which data source configuration and the recommended value list
customization have been carried out.

Related Information

Viewing the Record of Actions [page 9]

Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

• Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:

• The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.

• SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

• Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering an SAP-hosted Web site. By using
such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.

Videos Hosted on External Platforms


Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within
the control or responsibility of SAP.

Beta and Other Experimental Features


Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Bias-Free Language
SAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities,
genders, and abilities.

www.sap.com/contactsap

© 2023 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form
or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for
informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for
additional trademark information and notices.
