
PUBLIC

SAP Enterprise Threat Detection 1.0 SP 06


Document Version: 1.13 – 2017-09-14

SAP Enterprise Threat Detection Implementation Guide

Content

1 Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1 What Is SAP Enterprise Threat Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
1.2 Technical System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 Installing SAP Enterprise Threat Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9


2.1 Planning Your Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
System Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Upgrading SAP Enterprise Threat Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
2.2 Installing SAP HANA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
2.3 Installing SAP Enterprise Threat Detection on SAP HANA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Creating Users and Assigning Authorizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Activating the SQL Connection for the Technical User. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Finishing the Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Starting Jobs for SAP Enterprise Threat Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.4 Installing SAP Enterprise Threat Detection on SAP HANA Smart Data Streaming. . . . . . . . . . . . . . . . . 22
Importing the SAP HANA Smart Data Streaming Projects for SAP Enterprise Threat Detection. . . . . . . . . . . . 24
Creating the Cluster Workspace. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Creating Data Services for SAP HANA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Installing the SAP Enterprise Threat Detection Adapters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Setting the Java Max Heap Size. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Configuring and Deploying Projects to the Cluster Workspace. . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Enabling Configuration Checks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Starting the Streaming Web Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

3 Starting SAP Enterprise Threat Detection Launchpad. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65

4 Providing Logs from SAP NetWeaver Application Server for ABAP. . . . . . . . . . . . . . . . . . . . . . . . 66


4.1 List of Logs of SAP NetWeaver AS for ABAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
4.2 Providing Read Access Log and Security Audit Log by Immediate Log Transfer. . . . . . . . . . . . . . . . . . . 72
4.3 Ensuring SAP Start Service Can Access the Gateway and HTTP Server Logs. . . . . . . . . . . . . . . . . . . . .73
4.4 Providing Logs from SAP NetWeaver Application Server for ABAP by File Transfer. . . . . . . . . . . . . . . . 75

5 Providing Logs from SAP NetWeaver Application Server for Java. . . . . . . . . . . . . . . . . . . . . . . . . 77


5.1 List of Logs of SAP NetWeaver AS for Java. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78

6 Providing Logs from SAP HANA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

SAP Enterprise Threat Detection Implementation Guide


2 PUBLIC Content
7 Providing Logs from Other Systems with Log Learning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
7.1 Log Layouts Supported by Log Learning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
7.2 Overview Procedure of Providing Logs from Other Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
7.3 Loading Sample Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
7.4 Parsing and Normalizing Markups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Assigning Log Types and Semantic Events to Markups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Assigning Semantic Attributes to Annotations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Parsing Markup with Value Mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
Parsing Markup With Constant Values. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
7.5 Testing Log Runs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
7.6 Making Rules for Log Runs Productive. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

8 Additional System Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103


8.1 Encrypting Communication Between Log Providers and the Streaming Web Service. . . . . . . . . . . . . . 103
8.2 Encrypting Communication Between Log Providers and the Web Service Provider. . . . . . . . . . . . . . . .104
8.3 Defining Namespaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
8.4 Knowledge Base. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Working With Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Adding Log Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Assigning Attributes to Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
8.5 Synchronizing User Context Information from an Identity Management System. . . . . . . . . . . . . . . . . . 111
8.6 Entering System Context Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
8.7 Entering Subnet Context Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
File Format for Uploading Subnet Context Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
8.8 Defining Locations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
8.9 Alert Publishing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Configuring Alert Publishing as JSON. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Configuring Alert Publishing Via Email. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Alert Pulling Via JSON API. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
8.10 Monitoring the Performance of the Log Learning Adapter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
8.11 Archiving Log Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
8.12 Importing Archive Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

9 Securing SAP Enterprise Threat Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130


9.1 User and Role Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
9.2 Authorizations of the Log Provider for SAP NetWeaver Application Server for ABAP. . . . . . . . . . . . . . . 131
9.3 Authorizations of the Log Provider for SAP NetWeaver Application Server for Java. . . . . . . . . . . . . . . 132
9.4 Authorizations of SAP Enterprise Threat Detection in SAP HANA. . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
9.5 Data and Network Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

A Appendix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
A.1 Recommendations When Upgrading SAP HANA Smart Data Streaming and SAP Enterprise Threat Detection. . . . . . 138

A.2 Example of Configuration Settings in SAP Enterprise Threat Detection. . . . . . . . . . . . . . . . . . . . . . . . 139
A.3 Document History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

1 Getting Started

By reading this document, you will learn what SAP Enterprise Threat Detection is and how to install and configure
its component parts.

To learn how to operate and customize the configuration of SAP Enterprise Threat Detection, see the SAP
Enterprise Threat Detection Operations Guide.

Note
Check for the latest version of this documentation on SAP Help Portal at http://help.sap.com/sapetd.

Follow SAP Enterprise Threat Detection on SAP Community Network at http://scn.sap.com/docs/DOC-58501.

For the current release note and other SAP Notes about SAP Enterprise Threat Detection, see SAP Note 2517276.

We welcome your feedback under the support component BC-SEC-ETD.

1.1 What Is SAP Enterprise Threat Detection


SAP Enterprise Threat Detection enables you to do real-time evaluation of security threats in your IT landscapes
by leveraging SAP and non-SAP log data.

Firewalls, virus scanners, and security policies are important parts of your arsenal to keep attackers out of your
network, but they are not enough. You must harden every possible avenue of attack, while the attacker only needs
to find a single weakness. SAP applications hold your most important business data. It is vitally important that you
protect your SAP applications from people who want to damage or exploit your information.

SAP Enterprise Threat Detection detects potential attacks on SAP systems at the application level by gathering
and analyzing log data. Whether the threat is internal or external, SAP Enterprise Threat Detection alerts you to
potential attacks in real time. You have the opportunity to investigate and either dismiss the alert or pursue an
actual incident.

SAP Enterprise Threat Detection provides graphical tools to enable you to navigate the log data. With the log data,
you can support forensic analyses or gain new insights into your system landscape. From these new insights, you
can create new attack detection patterns and run them regularly against log data as the log data comes in. Any
matches to the patterns generate alerts.

1.2 Technical System Landscape


SAP Enterprise Threat Detection consists of a set of components deployed on SAP HANA and SAP HANA Smart
Data Streaming (the streaming component). To this infrastructure you can connect log providers. We provide
additional software so you can connect log providers such as SAP HANA, SAP HANA Smart Data Streaming, and
SAP NetWeaver Application Server (SAP NetWeaver AS). SAP Enterprise Threat Detection also enables you to
connect other log providers that provide unstructured log formats, such as syslog.

The following figure illustrates the technical system landscape.

Figure 1: Technical System Landscape of SAP Enterprise Threat Detection

Log Providers

These systems provide the logs monitored by SAP Enterprise Threat Detection.

To connect SAP HANA, configure SAP HANA to write an audit trail target of type syslog. Then configure the host
operating system to periodically send log data to the SAP HANA Smart Data Streaming project.
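As an added illustration of the SAP HANA side of this setup (not taken from the guide), the SQL below switches auditing on, makes syslog the default audit trail target, and enables one audit policy, so that the host operating system has something to forward. The configuration keys are the standard ones in the [auditing configuration] section of global.ini; the policy name ETD_CONNECT and the choice to audit all connect attempts are assumptions made for this example.

```sql
-- Added example (not part of the guide): prepare SAP HANA as a log provider
-- by writing its audit trail to syslog, which the host OS then forwards.
-- Run as a user holding the AUDIT ADMIN and INIFILE ADMIN system privileges.

-- 1. Switch auditing on system-wide (global.ini, section [auditing configuration]).
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true'
  WITH RECONFIGURE;

-- 2. Make syslog the default audit trail target instead of a CSV file or table.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'default_audit_trail_type') = 'SYSLOGPROTOCOL'
  WITH RECONFIGURE;

-- 3. Define and enable a policy. ETD_CONNECT is an example name; auditing
--    successful and failed connect attempts is an assumption for this example.
CREATE AUDIT POLICY ETD_CONNECT AUDITING ALL CONNECT LEVEL INFO;
ALTER AUDIT POLICY ETD_CONNECT ENABLE;

-- 4. Verify: the policy is active and the trail type really is syslog.
SELECT AUDIT_POLICY_NAME, IS_AUDIT_POLICY_ACTIVE
  FROM AUDIT_POLICIES
 WHERE AUDIT_POLICY_NAME = 'ETD_CONNECT';

SELECT KEY, VALUE
  FROM M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'global.ini'
   AND SECTION   = 'auditing configuration';
```

The second SELECT should list global_auditing_state = true and default_audit_trail_type = SYSLOGPROTOCOL at the SYSTEM layer; if the values come back at a different layer (HOST or DATABASE), that layer overrides the SYSTEM setting and the audit events will not reach syslog as expected.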

To connect SAP NetWeaver Application Server for ABAP (SAP NetWeaver AS for ABAP), apply SAP Note
2155046 to the systems you want to monitor. After applying the note, configure batch jobs to push the logs
you want monitored to the REST web service of SAP HANA Smart Data Streaming.

For more information, see Providing Logs from SAP NetWeaver Application Server for ABAP [page 66].

To connect SAP NetWeaver Application Server for Java (SAP NetWeaver AS for Java), you must configure the log
extraction application and configure a job to push the log data to the REST web service of SAP HANA Smart Data
Streaming.

Note
The log extractor application for SAP NetWeaver AS for Java will be released according to the regular support
package schedule.

For more information about availability, see SAP Note 2408213.

For more information, see Providing Logs from SAP NetWeaver Application Server for Java [page 77].

SAP Enterprise Threat Detection can learn new log formats. This enables you to connect new kinds of log
providers to SAP Enterprise Threat Detection. To connect unstructured logs, you must first train SAP Enterprise
Threat Detection to parse the log and load the parsing rules into SAP HANA Smart Data Streaming. This requires
you to have a sample log from the new log provider. Afterwards, configure the log provider system to periodically
send log data to the SAP HANA Smart Data Streaming project.

For more information, see Overview Procedure of Providing Logs from Other Systems [page 83].

To connect structured logs, you must use the development tools of SAP HANA Smart Data Streaming to create
your own adapter. We provide a sample solution.

For more information, see Configuring and Deploying structured_event_import_from_file [page 53].

Tip
We recommend that you protect connections between log providers and SAP Enterprise Threat Detection with
transport layer security (TLS) where possible.

To archive log data, there is a project in SAP HANA Smart Data Streaming to save log data to the network file
system. Another project enables you to import such files.

For more information, see Archiving Log Data [page 125].

For more information, see Installing SAP Enterprise Threat Detection on SAP HANA Smart Data Streaming [page 22].

SAP HANA Platform

SAP Enterprise Threat Detection deploys an SAP HANA product on SAP HANA platform. SAP HANA database
stores the events, attack detection patterns, and context about the users and systems in your landscape. The
software uses this information to generate alerts. From a browser-based application, users can browse events,
configure patterns, manage alerts, and conduct investigations in your monitored network.

For more information, see Installing SAP Enterprise Threat Detection on SAP HANA [page 14].

SAP HANA Smart Data Streaming

SAP HANA Smart Data Streaming is an optional capability for SAP HANA. Installing this option enables you to
collect, process, and analyze events from streaming sources in real time. SAP HANA Smart Data Streaming is a
specialized option that processes streams of incoming event data in real time, and collects and acts on this
information. Smart data streaming is ideally suited for situations where data arrives as events happen, and where
there is value in collecting, understanding, and acting on this data right away. Data flows into streaming projects
from various sources, typically through adapters, which connect the sources to the smart data streaming server.
The streaming projects contain business logic, which they apply to the incoming data, typically in the form of
continuous queries and rules. These streaming projects are entirely event-driven, turning the raw input streams
into one or more derived streams that can be captured in the SAP HANA database, sent as alerts, posted to
downstream applications, or streamed to live dashboards.

Tip
We recommend that you protect connections between SAP HANA Smart Data Streaming and SAP HANA
platform with transport layer security (TLS).

For more information, see Installing SAP Enterprise Threat Detection on SAP HANA Smart Data Streaming [page 22].

SAP Identity Management

SAP Identity Management (SAP ID Management) already contains information about users in your system
landscape, the persons the users represent, and the systems where these users are located. To keep the user
context information current, regularly synchronize this information with SAP Enterprise Threat Detection. The
following figure illustrates the system landscape.

Figure 2: Integration of SAP ID Management with SAP Enterprise Threat Detection

For more information, see Synchronizing User Context Information from an Identity Management System [page 111].

For more information about system landscape setup, see the SAP Enterprise Threat Detection System Landscape
Setup guide.

2 Installing SAP Enterprise Threat Detection

After planning for the installation, install the SAP Enterprise Threat Detection software component on SAP HANA
and SAP HANA Smart Data Streaming.

Context

The following is an overview of the installation procedure. For more information, see the sections that follow.

Procedure

1. Plan your installation.

In this phase of the installation, make sure that your hardware and landscape meet the requirements of the
system.

For more information, see Planning Your Installation [page 10].


2. Install SAP HANA Database, Client, Spatial Map Client, and SAP HANA Smart Data Streaming
3. Install the delivery unit for SAP Enterprise Threat Detection on SAP HANA Database, and install the projects
for SAP Enterprise Threat Detection on SAP HANA Smart Data Streaming.

Download SAP Enterprise Threat Detection from the Software Download Center and install the delivery unit on
the host SAP HANA platform. Extract the projects for SAP HANA Smart Data Streaming.

For more information, see Installing SAP Enterprise Threat Detection on SAP HANA [page 14].

Configure the connection between SAP HANA Smart Data Streaming and SAP HANA and the log providers.
Import and configure the projects for SAP HANA Smart Data Streaming you extracted from the delivery unit.

For more information, see Installing SAP Enterprise Threat Detection on SAP HANA Smart Data Streaming [page 22].
2.1 Planning Your Installation

Carefully review the system requirements for your landscape. Ensure that you have adequate licensing for your
installation.

2.1.1 System Requirements

Before installation, familiarize yourself with the requirements and recommendations for installing the software
components of SAP Enterprise Threat Detection.

For information about what is new in SAP Enterprise Threat Detection SP05, see SAP Note 2342436.

For more information about compatibility between software components, see SAP Note 2137018.

For more information about our recommendations for sizing host systems, see the SAP Enterprise Threat
Detection Sizing Guide.

SAP HANA Platform and SAP HANA Smart Data Streaming

SAP HANA platform 1.0 SPS 12 rev. 122.11 with the SAP HANA Studio and Lifecycle Management components and
the corresponding version of the SAP HANA smart data streaming option.

Note
SAP is strongly committed to supporting all of its customers by shipping regular corrections and updates for
the SAP HANA platform and all of its components. With the availability of SAP HANA revisions, SAP HANA
maintenance revisions, and the SAP HANA datacenter service points, SAP provides several options to maintain
or upgrade to a new release of SAP HANA.

For more information, see SAP Note 2021789

Web Browser Support

We suggest you use a web browser such as Google Chrome or Mozilla Firefox.

2.1.2 Licensing

Install a permanent SAP license. When you install your SAP system, a temporary license is automatically installed.

Caution
Before the temporary license expires, apply for a permanent license key from SAP. We recommend that you
apply for a permanent license key as soon as possible after installing your system.

For more information about SAP license keys and how to obtain them, see Keys and Requests on the SAP Support
Portal.

For more information, see https://support.sap.com/licensekey.

2.1.3 Upgrading SAP Enterprise Threat Detection

You upgrade to a new version of SAP Enterprise Threat Detection by installing the new version without removing
data from your existing installation.

Preparing for an Upgrade

We recommend installing new versions of SAP Enterprise Threat Detection in the development system first. When you
have ensured that SAP Enterprise Threat Detection runs as expected, you can push the content to your
productive system. For more information on how to set up such a two-tier system landscape, see the SAP
Enterprise Threat Detection Landscape Setup Guide on the SAP Help Portal at http://help.sap.com/sapetd.

1. Upgrade your SAP HANA to the latest revision of SP12.

Note
Note that during an upgrade of SAP HANA smart data streaming, the Java max heap size is reset to its
default value. This default value is too low for SAP Enterprise Threat Detection. Please set it back to the
value you had set before. For more information, see Setting the Java Max Heap Size [page 33].

2. Stop the log providers from sending data.

Note
Note that you might want to ensure that this log data is not lost but will be sent to SAP Enterprise Threat
Detection after the upgrade.

3. Use SAP HANA studio to stop the projects of SAP HANA smart data streaming.
4. Stop all jobs of SAP Enterprise Threat Detection. To stop all jobs on SAP HANA, stop the scheduler on SAP
HANA.
For more information about jobs of SAP Enterprise Threat Detection, see Starting Jobs for SAP Enterprise
Threat Detection [page 18].
For more information about the scheduler, see the documentation of SAP HANA.

5. Note that the amount of log data in your SAP HANA database has an impact on the duration of the upgrade
procedure. Consider storing your data someplace else during the upgrade.
6. If you are upgrading from SAP Enterprise Threat Detection SP04 or SP04 PL01, you must install the SP05
core delivery (HCOSECURITYMON05_0-10013386.ZIP) first, and then install the SP06 core delivery unit.
7. If you are upgrading from SAP Enterprise Threat Detection SP04 or SP04 PL01, ensure that the role
sap.secmon.db::EtdUser is not assigned to any ETD catalogs or groups.
You do this in Configure Role-based Cockpit Access at
<protocol>://<hostname>:<port>/sap/hana/uis/clients/role-editor/RoleEditor.html?scenario=onPremise&siteId=sap.secmon.ui.mobile.launchpad%7CETDLaunchpad.
Select the role sap.secmon.db::EtdUser and unassign both the catalog SAP Enterprise Threat Detection and the group
SAP Enterprise Threat Detection Main Group.
8. Install the new version of SAP Enterprise Threat Detection on SAP HANA as described in the installation
chapters below.
9. Install the new version of SAP Enterprise Threat Detection on SAP HANA smart data streaming as described
in the installation chapters below.

Note
If you want to use SAP Enterprise Threat Detection to detect calls of malicious domains, ensure that you
have added the Dnsjava 2.1.7 open source library to the following directory:
<HANA Installation path>/streaming/cluster/<sid>/adapters/libj.

After the new installation of the adapters, ensure that only one version of the *.jar files exists in
<HANA Installation path>/streaming/cluster/<sid>/adapters/libj. You might have to delete an old version.

10. Open the following URL in order to finish the installation:
https://<host>:<port>/sap/secmon/services/install/finish.xsjs
This calls a script that carries out a few minor upgrade procedures.
11. Restart all jobs and projects.
12. Before you use the launchpad or any user interfaces of SAP Enterprise Threat Detection, ensure that the
browser caches on all clients are cleared, so that all alerts and other data are up-to-date.
13. If you want to use the detection of malicious domains and you have installed SAP Enterprise Threat Detection
SP05 PL02 or a later version, create a new user in SAP HANA with the authorizations delivered in the
sap.secmon.db::EtdDRCommitter role to enable the detection of malicious domains. This user (or an
existing user whom you have given this additional role) must be entered in the data service for the dart
project.
14. To be able to use all new features, ensure that your AS ABAP log providers are also updated to SP06. For
more information, see SAP Notes 2155046 and 2477281.

Note
If you have implemented Notes on connected AS ABAP systems related to a newer version of SAP
Enterprise Threat Detection than your SAP Enterprise Threat Detection system, specify this release in
report SECM_CONFIGURATION.

Note
You can either first update your SAP Enterprise Threat Detection system and then implement the SAP
Notes in your AS ABAP systems as described here, or you can first update the AS ABAP systems and then
update SAP Enterprise Threat Detection.

Upgrading Within the Current SP

In general, you can safely install patches on top of the current SP. However, check the release information in the
SAP Note for the release.

2.2 Installing SAP HANA

Installing SAP HANA for SAP Enterprise Threat Detection.

Context

The following is an overview of the installation procedure. For more information, see the SAP HANA
documentation that is referenced below.

Note
For more information, see the documentation of SAP HANA on SAP Help Portal, for example the Master Guide
for SAP HANA.

Procedure

1. Install a single-tenant SAP HANA platform edition with SAP HANA Database, Client, Studio, and SDS option.
2. Add an additional host to your SAP HANA system with role streaming. On this host, the SAP HANA smart data
streaming will be run. For more information, see
https://help.sap.com/viewer/9cca8e6289ce4d9495a6012d32f3b7d1/1.0.12/en-US/90b88419ac6e4c9399ec113623d8b833.html.

3. Install the SAP HANA Spatial Map Client.

With this delivery unit installed, you can view the locations of the systems in your landscape on a geographical
map. For more information, see Defining Locations [page 118].

2.3 Installing SAP Enterprise Threat Detection on SAP HANA

Installing SAP Enterprise Threat Detection on SAP HANA is primarily the import of delivery units.

Prerequisites

● You have installed SAP HANA platform on a host server according to the system requirements.
● You have logged on with a user on SAP HANA platform with sufficient authorizations to install delivery units.

Context

Procedure

1. Download the product SAP Enterprise Threat Detection from the SAP Software Download Center at
https://support.sap.com/swdc.

SAP Enterprise Threat Detection consists of three delivery units:

○ ENTERPRISE THREAT DETECT is the core delivery unit, which contains the product SAP Enterprise
Threat Detection
○ ETD SAMPLE SCENARIO CONTNT provides sample content. This delivery unit is optional. Do not deploy
this in your productive systems.
2. Use SAP HANA Application Lifecycle Management to deploy SAP Enterprise Threat Detection.

For more information, see Installing and Updating Add-On Products and Software Components in the
documentation for SAP HANA platform on SAP Help Portal.

2.3.1 Creating Users and Assigning Authorizations

After installing the software you are ready to assign authorizations to users on SAP HANA.

Prerequisites

You have logged on with a user on SAP HANA platform with sufficient authorizations to perform user and role
management. We recommend using the database superuser SYSTEM, which is automatically created during the
installation of SAP HANA.

Procedure

1. Create the following users with the respective authorizations:

We recommend using the Streaming Permissions tile to give permissions to the users. For more information
about user authorization policies for SAP HANA Smart Data Streaming, see the Security Guide of SAP HANA
Smart Data Streaming on the SAP Help Portal at
http://help.sap.com/Download/Multimedia/zip-hana_options_sds/streaming_security_guide.pdf.

Table 1:

Example User: A <communication> user for SAP HANA smart data streaming. This user writes data from SAP HANA
smart data streaming into SAP HANA database.
Authorizations: We provide an example role sap.secmon.db::EtdDataCommitter to base this role on.

Example User: A <domain_rating_communication> user for SAP HANA smart data streaming that writes data from
SAP HANA smart data streaming into SAP HANA database, like the <communication> user above, but also reads
data in the SAP HANA database. This user is needed for the detection of malicious domains.
Authorizations: We provide an example role sap.secmon.db::EtdDRCommitter to base this role on.

Example User: An <SDS admin> user for administration tasks in SAP HANA smart data streaming.
Authorizations: Authorization for the cluster to start, stop, and deploy projects.

Example User: An <SDS runtime> user for communication between SAP HANA smart data streaming and SAP NetWeaver
AS for ABAP, SAP NetWeaver AS for Java, and the adapters, respectively.
Authorizations: Read and write authorizations for streams. Authorizations for SAP NetWeaver AS for ABAP
configurations with read and write permissions for all projects or for individual projects, for example
transfer_log_event and transfer_master_data.

Example User: An <ETD batch> user to run background jobs.
Authorizations: We provide the example role sap.secmon.db::EtdBatch for the <ETD batch> user.
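As an added example (not the guide's own procedure), the SQL below creates the three SAP HANA technical users of Table 1 whose authorizations come from delivered repository roles, wrapping each delivered example role in a custom catalog role so the delivered role itself stays untouched. The user names, the Z_ETD_* role names and the placeholder passwords are assumptions; the SDS admin and SDS runtime users are not covered here because their permissions are streaming permissions assigned through the Streaming Permissions tile, as described above. The _SYS_REPO.GRANT_ACTIVATED_ROLE procedure is the standard way to grant a repository (.hdbrole) role in SAP HANA 1.0.

```sql
-- Added example (not part of the guide): technical users for SAP Enterprise
-- Threat Detection on SAP HANA, built on the delivered example roles.
-- User names, Z_ETD_* role names and passwords are assumptions for this example.
-- Run as a user holding USER ADMIN and ROLE ADMIN, for example SYSTEM.

-- Wrapper catalog roles: the delivered repository roles are granted to them,
-- so an upgrade that redeploys the delivered roles does not touch our grants.
CREATE ROLE Z_ETD_SDS_COMMITTER;
CALL _SYS_REPO.GRANT_ACTIVATED_ROLE('sap.secmon.db::EtdDataCommitter', 'Z_ETD_SDS_COMMITTER');

CREATE ROLE Z_ETD_DR_COMMITTER;
CALL _SYS_REPO.GRANT_ACTIVATED_ROLE('sap.secmon.db::EtdDRCommitter', 'Z_ETD_DR_COMMITTER');

CREATE ROLE Z_ETD_BATCH;
CALL _SYS_REPO.GRANT_ACTIVATED_ROLE('sap.secmon.db::EtdBatch', 'Z_ETD_BATCH');

-- <communication> user: written to by the streaming projects, never used interactively.
-- No forced first-password change and no password lifetime, so the data service
-- does not stop working when a password expires; rotate it deliberately instead.
CREATE USER ETD_SDS_COMM PASSWORD "<Replace-With-Strong-Password-1>" NO FORCE_FIRST_PASSWORD_CHANGE;
ALTER USER ETD_SDS_COMM DISABLE PASSWORD LIFETIME;
GRANT Z_ETD_SDS_COMMITTER TO ETD_SDS_COMM;

-- <domain_rating_communication> user: needed only for the detection of malicious domains.
CREATE USER ETD_DR_COMM PASSWORD "<Replace-With-Strong-Password-2>" NO FORCE_FIRST_PASSWORD_CHANGE;
ALTER USER ETD_DR_COMM DISABLE PASSWORD LIFETIME;
GRANT Z_ETD_DR_COMMITTER TO ETD_DR_COMM;

-- <ETD batch> user: runs the scheduled background jobs.
CREATE USER ETD_BATCH PASSWORD "<Replace-With-Strong-Password-3>" NO FORCE_FIRST_PASSWORD_CHANGE;
ALTER USER ETD_BATCH DISABLE PASSWORD LIFETIME;
GRANT Z_ETD_BATCH TO ETD_BATCH;

-- Check: each technical user should hold exactly its wrapper role plus the one
-- delivered role behind it (and PUBLIC), and nothing else.
SELECT USER_NAME, ROLE_NAME, GRANTOR
  FROM EFFECTIVE_ROLES
 WHERE USER_NAME IN ('ETD_SDS_COMM', 'ETD_DR_COMM', 'ETD_BATCH')
 ORDER BY USER_NAME, ROLE_NAME;
```

Keeping the technical users on wrapper roles rather than granting the delivered roles directly also makes the later least-privilege review simpler: a row in EFFECTIVE_ROLES for one of these users that is neither PUBLIC, its Z_ETD_* role nor the delivered role behind it is a grant that somebody added by hand and should be questioned.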

2. Assign business users of SAP Enterprise Threat Detection privileges appropriate to their business role.

SAP Enterprise Threat Detection identifies the roles listed in the table below. The table also lists the example
roles delivered with the software.

Table 2: Business Roles of SAP Enterprise Threat Detection

Role: Monitoring Agent
Tasks: The monitoring agents view events, alerts, and incidents and manage their status. The monitoring agents monitor the system landscape in a security monitoring center at all times. When an alert is shown, the monitoring agent must immediately react according to the process defined in the organization. If he considers an alert suspicious enough to require further analysis, he might have to hand it over to a security expert. If he finds a lot of false positives, he can also send this information to the security expert.
Example Role: sap.secmon.db::EtdUser

Role: Security Expert
Tasks: The security expert is an administrator who configures attack detection patterns and maintains any other configurations of SAP Enterprise Threat Detection. They can also perform all operator tasks. A security expert handles possible incidents and makes forensic research in order to find the root cause. He checks the attack detection patterns and charts in the forensic lab of SAP Enterprise Threat Detection and possibly modifies them or creates new ones for better alert detection in the future. If he learns about many false positive alerts from the monitoring agent, he will also modify the patterns accordingly.
Example Role: sap.secmon.db::EtdAdmin

Role: Special role for resolving user identity, for example from the HR department
Tasks: By default, all user information is replaced by a pseudonym in the user interface. With this role, the identity of the person behind the pseudonym can be revealed. Who can resolve pseudonyms is governed by local regulations and by the data privacy policy of your organization.
Example Role: sap.secmon.db::EtdResolveUser

For more information about the authorizations delivered with SAP Enterprise Threat Detection, see
Authorizations of SAP Enterprise Threat Detection in SAP HANA [page 132].

2.3.2 Activating the SQL Connection for the Technical User

Configure this connection for the technical user to access SAP HANA database.

Prerequisites

You have an administrator user for SAP HANA with at least the following roles:

● sap.hana.xs.admin.roles::JobAdministrator
● sap.hana.xs.admin.roles::SQLCCAdministrator

Procedure

1. Start the SAP HANA XS Administration Tool.

Enter the following URL in a browser:

<protocol>://<host>:<port>/sap/hana/xs/admin and search for etd_connection.

You can start this application directly at <protocol>://<host>:<port>/sap/hana/xs/admin/#/package/sap.secmon/sqlcc/etd_connection
2. Select the etd_connection.xssqlcc and choose Activate.

The technical user is created with the role sap.secmon.db::ETDTechnicalUser.

2.3.3 Finishing the Installation

Finish the installation by calling a URL that initializes your version of SAP Enterprise Threat Detection.

Prerequisites

You have a user with administrative rights for SAP Enterprise Threat Detection, see the "security expert" role
described above under Creating Users and Assigning Authorizations.

Procedure

Open the following URL in order to finish the installation: https://<host>:<port>/sap/secmon/services/install/finish.xsjs.

2.3.4 Starting Jobs for SAP Enterprise Threat Detection

SAP Enterprise Threat Detection has a number of background jobs that must run on SAP HANA.

Prerequisites

● You have logged on with a user with administrator authorizations for SAP Enterprise Threat Detection and the XS
Administrator role sap.hana.xs.admin.roles::JobAdministrator.
● You have created the <ETD batch> user in SAP HANA to run the jobs.
For more information, see Creating Users and Assigning Authorizations [page 15].
● You have enabled the job scheduler for SAP HANA XS. For example, you can do so in the Administration
perspective of SAP HANA studio by setting the configuration variable enabled in the scheduler section of xsengine.ini.
For more information, see The XS Job Dashboard in the documentation for SAP HANA platform on SAP Help
Portal.

Context

SAP Enterprise Threat Detection runs the following jobs in the background. The frequency is either hard coded or
the job is started on demand. For performance reasons, we recommend that you only activate the jobs that you
actually need. You find more information about each job in the table below.

Table 3: Background Jobs of SAP Enterprise Threat Detection

Job Name: sap.secmon.framework.anomalydetection.jobs::statisticsJob
Frequency: Once per hour
Mandatory: No
Description: Computes the aggregate and deviation on the basis of data from the last twelve weeks for anomaly detection. You only need to activate this job if you want to use the anomaly detection function.
Note: For the initial run or after an outage, the job may not be able to process all the data from the previous hours. The job may take multiple runs to catch up. Until the job has caught up, SAP Enterprise Threat Detection cannot display the latest information.

Job Name: sap.secmon.framework.pattern.jobs::patternExecutionResultJob
Frequency: Once per day
Mandatory: Yes
Description: Deletes all pattern execution results older than 7 days. The pattern execution results log information such as when and how long a pattern ran, whether the run was successful, and how many alerts were generated.

Job Name: sap.secmon.framework.pattern.jobs::patternjob
Frequency: Once per minute
Mandatory: Yes
Description: Starts patterns.

Job Name: sap.secmon.services.healthcheck::healthcheck
Frequency: Once per minute
Mandatory: Yes
Description: Checks for the arrival of logs and pings from log provider systems. The health check job also checks for specific events from the SAP Enterprise Threat Detection infrastructure, such as pings from SAP HANA smart data streaming and successful execution of the partitioning and pseudonymization jobs. The job creates an OK or failed (not OK) health check according to the rules of the health check jobs.

Job Name: sap.secmon.framework.investigation::investigation
Frequency: On demand
Mandatory: On demand
Description: Enables the provisioning of triggering events of an investigation. You trigger this job as you need it to create a CSV file containing the triggering events of the alerts of an investigation.

Job Name: sap.secmon.services.partitioning::clearData
Frequency: Once per day
Mandatory: Yes
Description: Deletes partitions of the sap.secmon.db::Log.Events table in the SAP_SEC_MON schema if they are older than the retention period. The default retention period is 90 days. You can change the retention period and delete log data manually from the Settings application in the launchpad (under Manage Event Storage).

Job Name: sap.secmon.services.partitioning::partitioning
Frequency: Once per day
Mandatory: Yes
Description: Partitions the table sap.secmon.db::Log.Events in the schema SAP_SEC_MON. SAP Enterprise Threat Detection partitions these tables to keep the tables from becoming too large and to help performance.

Job Name: sap.secmon.services.pseudonymization::pseudonymization
Frequency: Every 10 minutes
Mandatory: Yes
Description: Creates pseudonyms for users and records old pseudonyms in the pseudonym history for users.

Job Name: sap.secmon.trigger.jobs::dispatcher
Frequency: Every 5 seconds
Mandatory: Yes
Description: Checks if an event corresponding to a trigger in a pattern definition has arrived and triggers the corresponding pattern.

Job Name: sap.secmon.trigger.jobs::thread
Frequency: On demand
Mandatory: Yes
Description: Allows asynchronous pattern execution.

Job Name: sap.secmon.ui.browse.services2.jobs::rawdata
Frequency: Once per day
Mandatory: Yes
Description: Cleans up temporary data created by the forensic lab.

Job Name: sap.secmon.framework.pattern.publishalerts.jobs::alertPublishingJob
Frequency: Once per minute
Mandatory: No
Description: Activate this job if you want to publish alerts to external systems. For more information on alert publishing, see Alert Publishing [page 118]. Note that if you want the job to get the resolved user IDs and the user pseudonyms, you need to provide the user in this job with the sap.secmon.services::ResolveUserOnAlertService privilege. See Authorizations of SAP Enterprise Threat Detection in SAP HANA [page 132].

Job Name: sap.secmon.services.cleanjoblog::cleanjoblog
Frequency: Once per day
Mandatory: Yes
Description: Sweeps old entries from _SYS_XS.JOB_LOG for sap.secmon.

Job Name: sap.secmon.services.domainrating.internal::domainRatingInterface
Frequency: Every five minutes
Mandatory: No
Description: You only need to activate this job if you want to use the domain rating functionality and have deployed and started the dart project.

Job Name: sap.secmon.services.healthcheck::cleanhealthchecklog
Frequency: Once per day
Mandatory: Yes
Description: Sweeps old entries from sap.secmon.db::HealthCheck.HealthCheckResult.

Job Name: sap.secmon.services.pseudonymization::cleanpseudonymhistory
Frequency: Once per day
Mandatory: Yes
Description: Sweeps old entries from sap.secmon.db::Log.LogUserPseudonymHistory.

Job Name: sap.secmon.services.performance.jobs::perf
Frequency: Every 10 seconds
Mandatory: No
Description: Enables the simulation of event load.

Job Name: sap.secmon.services.performance.jobs::perf_stat
Frequency: Every 5 minutes
Mandatory: No
Description: Collects statistics data for performance analyses. We recommend activating this job only when you want to collect statistics. Deactivate it after your analysis is finished.

Job Name: sap.secmon.services.util::userInterface
Frequency: Every 5 minutes
Mandatory: Yes
Description: Processes entries from UserInterface to UserContext.

Job Name: sap.secmon.services.util::masterDataInterface
Frequency: Once per minute
Mandatory: Yes
Description: Processes entries from the MasterDataInterface.Content table to enable configuration checks.

Job Name: sap.secmon.ssm::PatternExecutionSSM
Frequency: Once per minute
Mandatory: No
Description: Pattern execution for the Security Notes Monitor. You only need to activate this job if you want SAP Enterprise Threat Detection to analyze whether relevant security notes are missing in your system landscape.

Job Name: sap.secmon.services.replication::exportImport
Frequency: Once per minute
Mandatory: No
Description: Export/import process of ETD objects.

Job Name: sap.secmon.trigger.jobs::thread
Frequency: Will be scheduled by sap.secmon.trigger.jobs::dispatcher
Mandatory: On demand
Description: On demand, dynamically started job allowing asynchronous pattern execution.

Job Name: sap.secmon.services.util::systemInterface
Frequency: Every 5 minutes
Mandatory: Yes
Description: Processes entries from SystemInterface to SystemContext.

Job Name: sap.secmon.services.migration.jobs::alertDetailsMigration
Frequency: Once after upgrade from SP03
Mandatory: No
Description: Migrates alert details to the SP4 format.

Job Name: sap.secmon.services.idm::IDMInterface
Frequency: Once per minute
Mandatory: No
Description: SAP ID Management Interface: transfers data from the Identity Management Interface tables to the User Context persistence.

Procedure

1. Start the XS Job Dashboard in the SAP HANA XS Administration Tool.

Enter the following URL in a browser:

<protocol>://<host>:<port>/sap/hana/xs/admin/jobs
2. Search for sap.secmon jobs and activate them.
a. For each job, navigate to the job configuration tab. Enter the data as required.

Table 4: Required Job Parameters

Field: User
Entry: Enter the user ID of the system user created for the job.

Field: Locale
Entry: Enter English (en).

Field: Active
Entry: Select the checkbox.

Note
Do not enter a start time or end time.

b. Save your entries.

Repeat these steps until you have configured all the jobs.

2.4 Installing SAP Enterprise Threat Detection on SAP HANA Smart Data Streaming

Installing SAP Enterprise Threat Detection on SAP HANA Smart Data Streaming includes the installation of
projects and the installation of the gateway log adapter and log learning adapter.

Prerequisites

● You have installed SAP HANA smart data streaming.
● You have logged on with a user with sufficient authorization, for example the <SDS admin> user.

Note
We assume that you use SAP HANA smart data streaming Studio and use SAP HANA Studio for the installation.
On the SAP HANA Studio you install the plugin to run SAP HANA smart data streaming.

For more information, see the documentation for SAP HANA smart data streaming on SAP Help Portal at
http://help.sap.com/saphelp_hana_options_sds_inst/helpdata/en/72/7321566fa842cf812968d7bae35335/
frameset.htm

Context

The following is an overview of the installation procedure. For more information, see the sections that follow.

Procedure

1. Import the SAP HANA smart data streaming projects into the design-time workspace for SAP HANA smart
data streaming Studio.
2. Create a server URL and runtime workspace for the SAP HANA smart data streaming cluster.
3. Create a SAP HANA data service for the server URL.
4. Install the adapters for the gateway log and log learning.
5. Set the Java max heap size.
6. Configure the projects.
7. Deploy the projects to the cluster workspace.
8. Enable REST connectivity for ABAP backend.

Results

If you run into trouble during the installation, you can check the following logs in SAP HANA smart data streaming
in the SAP HANA Studio on the Diagnosis File tab.

Table 5: Logs for Troubleshooting SAP HANA smart data streaming

Log Name: project.log
Files or Location:
● streamingserver_<host>.log
● streamingserver~default.transfer_log_event.0<host>.out
● streamingserver~default.transfer_log_event.0<host>.trc
● streamingserver~default.log_event_replication.0<host>.out
● streamingserver~default.log_event_replication.0<host>.trc
● streamingserver~default.import_udp_tcp_2_transfer_log_event.0<host>.out
● streamingserver~default.import_udp_tcp_2_transfer_log_event.0<host>.trc

Log Name: server.log
Files or Location: $STREAMING_HOME/cluster/config/<subdirectories>

Log Name: wsp.log
Files or Location: $STREAMING_HOME/wsp/logs

Next Steps

We recommend that you configure transport layer security (TLS) between the SAP HANA smart data streaming
server, any log providers, and SAP HANA platform.

For more information, see Encrypting Communication Between Log Providers and the Web Service Provider
[page 104].

2.4.1 Importing the SAP HANA Smart Data Streaming Projects
for SAP Enterprise Threat Detection

This procedure imports the projects into the Eclipse Studio workspace for SAP HANA smart data streaming.

Prerequisites

● You have installed the delivery unit HCO_SECURITY_MON on your SAP HANA.
● From the delivery unit, you have checked out the folder that contains the SAP HANA smart data streaming
projects (/sap/secmon/esp/esp_projects/projects) and made the folder available to your SAP HANA
smart data streaming system.
● You have logged on to SAP HANA smart data streaming with a user that has the authorization to deploy
projects (for example, the <SDS admin> described above).

Context

SAP Enterprise Threat Detection has two main SAP HANA Smart Data Streaming projects: transfer_log_event
normalizes and enriches the data sent by log providers so that it can be stored as events in SAP HANA platform,
and transfer_master_data collects the user master data sent by log providers so that it can be used to provide
user context for log entries in SAP HANA.

The dart project is a third project you need to import. This project enables the detection of malicious domains.
There are a number of further projects that you need depending on your system landscape, for example for the
replication of log data.

Note
For more information about studio workspaces, see the Eclipse documentation.

Procedure

1. In SAP HANA Studio, open the SAP HANA Streaming Development perspective.
2. In the context menu of the Project Explorer, choose Import... > Existing Project into Workspace.
3. Choose Select archive file and select the archive file from the location where you stored the esp project files
from the SAP HANA delivery unit.
4. Choose the project(s) you want to import.

The table below gives an overview of the projects for SAP Enterprise Threat Detection.
5. Choose Finish.

2.4.1.1 List of Projects for SAP Enterprise Threat Detection

This is a list of all projects. Information about their configuration and deployment is provided in the chapters
below.

Table 6: Projects and Their Descriptions

Project Name: content_replication_connector
Description: Connector part for content replication, required for each SAP HANA instance that should work with content replication. With content replication, you can replicate system contexts, locations, subnets, and user contexts, for example between a development system and a productive system.

Project Name: content_replication_server
Description: Server part for content replication. This project is only required once and we recommend deploying it to the development (source) system.

Project Name: dart
Description: Needed for the detection of malicious domains. This project analyzes the domains that are called and rates them. If domains are rated as possibly malicious, SAP Enterprise Threat Detection creates indicator events. A user interface for the classification of the domains is offered, in which you can evaluate the classification of domains.

Project Name: filter_logs
Description: This project is used to exclude events before you replicate them. For example, if you want to replicate log data from a productive system to a development system, you can specify system IDs in this project for which event data is excluded. You can either use this project to filter first and then do content replication, or you can run the project after the content replication project.

Project Name: fireeye_events_over_tcp_in_etd
Description: Use this project to send logs from FireEye to SAP Enterprise Threat Detection.

Project Name: import_file_2_transfer_log_event
Description: Use this project to send unstructured logs to the transfer_log_event project.

Project Name: import_itoa_2_transfer_log_event
Description: Project for integration with SAP IT Operations Analytics.

Project Name: import_udp_tcp_2_transfer_log_event
Description: You use this project to receive log data via UDP or TCP in a separate network.

Project Name: log_event_replication
Description: Replication of log events in a two-fold system landscape, for example from a productive system to a development system.

Project Name: pull_events_from_file
Description: Import of log events from files.

Project Name: structured_event_import_from_file
Description: Example of import of structured logs to SAP Enterprise Threat Detection.

Project Name: transfer_log_event
Description: Normalization and enrichment of events for SAP Enterprise Threat Detection.

Project Name: transfer_log_event_2_archive
Description: Interface project for archiving original and normalized data.

Project Name: transfer_log_event_from_archive
Description: Reads events from the archive.

Project Name: transfer_master_data
Description: Imports master data from ABAP backend systems into SAP Enterprise Threat Detection.

Project Name: trendmicro_events_over_tcp_in_etd
Description: Example project for Trend Micro integration over TCP.

2.4.2 Creating the Cluster Workspace

The cluster workspace is the runtime environment in which the projects for SAP Enterprise Threat Detection run.

Context

When you deploy a project, you assign it to a cluster workspace: a named, runtime, server-side construct that lets
you group related projects, adapters, and data services and manage their permissions together.

Procedure

1. Start the SAP HANA Smart Data Streaming Studio.
2. Open the SAP HANA Streaming Run-Test perspective.
3. Create a new server URL.
a. In the context menu of the Server view, choose New Server URL.
b. Enter data as required.
c. Save your entries.
4. In the context menu of the server URL, choose Create Workspace.
5. Enter the workspace name and save your entries.
The default workspace name is default.

Next Steps

Remember the server URL and workspace name. You must know the server URL and workspace name for the
following configurations:

● Configuring the adapter_config.xml in the log learning, the gateway log, and the dart adapter
configurations.
● Determining the workspace to deploy the projects under.
● The log provider configuration for SAP NetWeaver Application Server.

2.4.3 Creating Data Services for SAP HANA

SAP HANA Smart Data Streaming uses the SAP HANA data service to connect to SAP HANA.

Prerequisites

● You have created a cluster workspace to run the projects.
● You have a user with administration rights for SAP HANA Smart Data Streaming, for example the <SDS
Admin> user described above.

Procedure

1. Create two data services that can be used in all workspaces server-wide as described in the documentation
for SAP HANA Smart Data Streaming.

For more information, see Configuring External Database Access in the documentation for SAP HANA Smart
Data Streaming on SAP Help Portal at http://help.sap.com/saphelp_hana_options_sds_conf/helpdata/en/e7/8d0f156f0f1014a048880d763bd299/content.htm?frameset=/en/e7/8d0f156f0f1014a048880d763bd299/frameset.htm&current_toc=/en/cc/e7f7ba55ea403392517f89e74d4e98/plain.htm&node_id=23&show_children=true#jump23.

Note
○ Give the SAP HANA data services names, for example <local> and <dart>. The <dart> data service
will be used in the dart project for the detection of malicious domains.
○ Provide these names later when you configure the projects in the .ccr files.

2. Follow these steps to connect to SAP HANA.
a. Right-click the Server-wide folder and select Add HANA Service.
b. Provide the User and Password. For the <local> data service, use the example <communication> user
described above. For the <dart> data service, use the example <domain_rating_communication>
user described in the chapter Creating Users and Assigning Authorizations above.
c. Check Default HANA Server, or choose Single or Multiple Tenant if you want to connect SAP HANA
Smart Data Streaming to a different HANA server.
d. If you choose Single or Multiple Tenant, provide the Hostname and Instance.
3. Check Multi-byte Character Support (Unicode System).
4. Test the data service with the Discover function from the context menu.

2.4.4 Installing the SAP Enterprise Threat Detection Adapters

You install two adapters for SAP Enterprise Threat Detection with an installation script: the log learning adapter
for consuming unstructured log data and the dart adapter for the detection of malicious domain calls.

Prerequisites

From the SAP Enterprise Threat Detection delivery unit, you have checked out the folder that contains the adapter
files (/sap/secmon/esp/esp_projects/adapter) and copied it to your SAP HANA smart data streaming
server. The <sid>adm user must have authorizations in this directory.

Procedure

1. Ensure that the script in the adapter folder (/sap/secmon/esp/esp_projects/adapter/etd_install_adapters_<esp/sds>.sh) is executable.
2. Log on to SAP HANA smart data streaming with the <sid>adm user and execute the installation script.
3. If you want to use the function to detect malicious domains, download and add the Dnsjava 2.1.7 open source
library to this directory: <HANA Installation path>/streaming/cluster/<sid>/adapters/libj.

Next Steps

If you do not want to use the default port or workspace, you can specify them in the adapter_config.xml.

Related Information

Settings in rtparseradapter_config.xml and dartadapter_config.xml [page 30]

2.4.4.1 Result of the Installation Script

If you run into trouble when installing the adapters for SAP Enterprise Threat Detection with our installation script,
check if the script has correctly copied the files.

Context

The following figure illustrates the folder structure in the SAP Enterprise Threat Detection delivery unit.

Figure 3: Overview of File Operations

After you have installed the adapters, the folders and files should be in the following locations in your SAP HANA
installation directory:

● The rtparseradapter.cnxml and dartadapter.cnxml files from the common folder: <HANA Installation path>/streaming/cluster/<sid>/adapter/cnxml
● The etd_datamodel-<version>.jar, etd_runtimeparser-<version>.jar and etd_dart-<version>.jar files: <HANA Installation path>/streaming/cluster/<sid>/adapters/libj
● The rtparseradapter_config.xml and dartadapter_config.xml files: <HANA Installation path>/streaming/cluster/<sid>/adapters/config
● The parametersdefine.xsd and custommodulesdefine.xml files: <HANA Installation path>/streaming/cluster/<sid>/adapters/config

Caution
In case of problems, ensure that you have removed any duplicate *.jar files from these directories. You should avoid
having multiple copies of these *.jar files in your installation.
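An added consistency check for the layout listed above (our own script, not SAP's installation script): it confirms that every expected file is present under <HANA Installation path>/streaming/cluster/<sid> and flags any etd_*.jar that exists in more than one place, which is the situation the Caution warns about. The sample tree is constructed in a temporary directory; the sid HDB and the version 1.0.0 are placeholders.

```python
"""Verify the adapter files the installation script should have copied and
detect duplicate etd_*.jar files. Added example, not part of the SAP guide."""
import re
import tempfile
from pathlib import Path

# Expected artifacts, taken from the list above.
CNXML = ("rtparseradapter.cnxml", "dartadapter.cnxml")
JAR_PREFIXES = ("etd_datamodel-", "etd_runtimeparser-", "etd_dart-")  # etd_*-<version>.jar
CONFIGS = ("rtparseradapter_config.xml", "dartadapter_config.xml",
           "parametersdefine.xsd", "custommodulesdefine.xml")


def verify_adapter_install(hana_path, sid):
    """Return {'missing': [relative paths not found],
               'duplicates': {jar base name: [all copies found]}}."""
    cluster = Path(hana_path) / "streaming" / "cluster" / sid
    missing = []
    # Paths as listed in the guide: cnxml files under adapter/cnxml,
    # jars under adapters/libj, configuration files under adapters/config.
    for name in CNXML:
        if not (cluster / "adapter" / "cnxml" / name).is_file():
            missing.append(f"adapter/cnxml/{name}")
    for name in CONFIGS:
        if not (cluster / "adapters" / "config" / name).is_file():
            missing.append(f"adapters/config/{name}")
    libj = cluster / "adapters" / "libj"
    for prefix in JAR_PREFIXES:
        if not any(p.name.startswith(prefix) for p in libj.glob("*.jar")):
            missing.append(f"adapters/libj/{prefix}<version>.jar")
    # Duplicate scan: the same etd_* jar (any version) anywhere else in the
    # cluster tree means two copies can be loaded, which the Caution forbids.
    seen = {}
    for jar in cluster.rglob("*.jar"):
        m = re.match(r"(etd_[a-z]+)-.*\.jar$", jar.name)
        if m:
            seen.setdefault(m.group(1), []).append(str(jar.relative_to(cluster)))
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return {"missing": missing, "duplicates": duplicates}


def build_sample_tree(root, sid="HDB", version="1.0.0", stray_copy=False):
    """Constructed sample installation: empty stand-in files in the expected
    places; optionally a leftover older etd_dart jar in a subdirectory."""
    cluster = Path(root) / "streaming" / "cluster" / sid
    layout = {
        "adapter/cnxml": CNXML,
        "adapters/config": CONFIGS,
        "adapters/libj": tuple(f"{p}{version}.jar" for p in JAR_PREFIXES),
    }
    if stray_copy:
        layout["adapters/libj/old"] = ("etd_dart-0.9.0.jar",)
    for rel, names in layout.items():
        d = cluster / rel
        d.mkdir(parents=True, exist_ok=True)
        for name in names:
            (d / name).touch()
    return cluster


def run_demo():
    """Return (clean_result, broken_result) for a complete installation and
    for one with a stray duplicate jar and a missing configuration file."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as broken:
        build_sample_tree(clean)
        broken_cluster = build_sample_tree(broken, stray_copy=True)
        (broken_cluster / "adapters" / "config" / "custommodulesdefine.xml").unlink()
        return verify_adapter_install(clean, "HDB"), verify_adapter_install(broken, "HDB")


if __name__ == "__main__":
    for label, result in zip(("clean", "broken"), run_demo()):
        print(label, result)
```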

Related Information

Settings in rtparseradapter_config.xml and dartadapter_config.xml [page 30]
Examples of the adapter_config.xml files [page 31]

2.4.4.2 Settings in rtparseradapter_config.xml and
dartadapter_config.xml

The adapter uses the default cluster workspace default of SAP HANA smart data streaming with TLS and the local
host name and default port of a typical installation of SAP HANA smart data streaming. You can change this by
modifying the adapter_config.xml of the respective adapter.

Procedure

1. Determine the protocols and ports for the syslog. The log learning adapter provides 3 ports to listen for input:
a UDP port, a TCP port, and a TLS port. To use the port for TLS, exchange encryption keys between the log
provider and SAP HANA smart data streaming.

Table 7:

Protocol: UDP
Settings: Enabled; port, max packet size, thread count

Protocol: TCP
Settings: Enabled; port, max packet size, thread count (max concurrent connections)

Protocol: TLS
Settings: Enabled; port, max packet size, thread count (max concurrent connections); create and specify a Java keystore with a private/public key pair.

Recommendation
We recommend that you protect connections between log providers and SAP Enterprise Threat Detection
with transport layer security (TLS) where possible.

Consider disabling any ports that you do not use.

Restrict access to ports on the network layer, for example, with a firewall. Use a whitelist for the IP
addresses that can use these ports.

For more information, see the documentation of SAP HANA smart data streaming on SAP Help Portal at
http://help.sap.com/saphelp_hana_options_sds_inst/helpdata/en/
72/7321566fa842cf812968d7bae35335/frameset.htm.

2. Technical log collector name (_default_): if you do not change it, the name by which the system identifies itself
(including the domain) is used. If you want to change the name, for example to differentiate between log
collectors, change the name (code snippet).

2.4.4.3 Examples of the adapter_config.xml files

The resulting file for the log learning adapter (rtparseradapter_config.xml) should appear similar to the following
example:

Example

<?xml version="1.0" encoding="utf-8"?>
<Adapter>
    <Name>rtParserAdapter</Name>
    <Description>External ESP Adapter that handles Log Discovery and
        Runtime Parsing
    </Description>
    <Log4jProperty>./log4j.properties</Log4jProperty>
    <Modules>
        <Module type="transporter">
            <InstanceName>MyRTAdapterTransporter</InstanceName>
            <Name>RTAdapterTransporter</Name>
            <Next>MyInStream_Publisher</Next>
            <Parameters>
                <RTParserAdapterParameters>
                    <UDPPorts>
                        <UDPPort>
                            <Enabled>true</Enabled>
                            <Port>5514</Port>
                            <MaxPacketSize>8192</MaxPacketSize>
                            <ThreadCount>10</ThreadCount>
                        </UDPPort>
                    </UDPPorts>
                    <TCPPorts>
                        <TCPPort>
                            <Enabled>true</Enabled>
                            <Port>10514</Port>
                            <MaxPacketSize>8192</MaxPacketSize>
                            <ThreadCount>30</ThreadCount>
                        </TCPPort>
                    </TCPPorts>
                    <TLSPorts>
                        <TLSPort>
                            <Enabled>false</Enabled>
                            <Port>10443</Port>
                            <MaxPacketSize>8192</MaxPacketSize>
                            <ThreadCount>30</ThreadCount>
                            <Keystore><!-- Keystore Path --></Keystore>
                            <KeystorePass><!-- Keystore Password --></KeystorePass>
                            <KeystoreAlias><!-- Keystore Alias --></KeystoreAlias>
                        </TLSPort>
                    </TLSPorts>
                    <Threading>
                        <Parsers>-1</Parsers>
                        <Publishers>-1</Publishers>
                    </Threading>
                    <Processing>
                        <LogCollector>false</LogCollector>
                        <LogCollectorName>_default_</LogCollectorName>
                    </Processing>
                </RTParserAdapterParameters>
            </Parameters>
        </Module>

        <Module type="espconnector">
            <InstanceName>MyInStream_Publisher</InstanceName>
            <Name>EspPublisher</Name>
            <Parameters>
                <EspPublisherParameters>
                </EspPublisherParameters>
            </Parameters>
        </Module>
    </Modules>

    <GlobalParameters />

</Adapter>
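As an added check (not part of the guide or of the adapter), the following Python reads a rtparseradapter_config.xml in the layout shown above and reports listeners that contradict the recommendation in the previous section: cleartext UDP or TCP ports left enabled, the TLS listener disabled, or TLS enabled without a keystore and alias. The element names are those of the example file; the sample document and the check function are our own.

```python
"""Audit the listener section of an rtparseradapter_config.xml against the
recommendation to prefer TLS and disable unused ports. Added example."""
import xml.etree.ElementTree as ET

# Constructed sample in the guide's layout: UDP and TCP enabled, TLS disabled,
# no keystore configured (the defaults shown in the example above).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Adapter>
  <Name>rtParserAdapter</Name>
  <Modules>
    <Module type="transporter">
      <Parameters>
        <RTParserAdapterParameters>
          <UDPPorts><UDPPort><Enabled>true</Enabled><Port>5514</Port></UDPPort></UDPPorts>
          <TCPPorts><TCPPort><Enabled>true</Enabled><Port>10514</Port></TCPPort></TCPPorts>
          <TLSPorts><TLSPort><Enabled>false</Enabled><Port>10443</Port>
            <Keystore></Keystore><KeystorePass></KeystorePass><KeystoreAlias></KeystoreAlias>
          </TLSPort></TLSPorts>
        </RTParserAdapterParameters>
      </Parameters>
    </Module>
  </Modules>
</Adapter>
"""


def _text(elem, tag):
    """Stripped text of a child element, or '' if absent or empty."""
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else ""


def listeners(xml_text):
    """Return {protocol: {'enabled': bool, 'port': str, ...}} for UDP, TCP, TLS."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    params = root.find(".//RTParserAdapterParameters")
    if params is None:
        raise ValueError("no RTParserAdapterParameters element in configuration")
    result = {}
    for proto in ("UDP", "TCP", "TLS"):
        port = params.find(f"{proto}Ports/{proto}Port")
        if port is None:
            continue
        info = {"enabled": _text(port, "Enabled").lower() == "true",
                "port": _text(port, "Port")}
        if proto == "TLS":
            info["keystore"] = _text(port, "Keystore")
            info["alias"] = _text(port, "KeystoreAlias")
        result[proto] = info
    return result


def check_listeners(xml_text):
    """Return a list of (severity, message) findings; an empty list is clean."""
    cfg = listeners(xml_text)
    findings = []
    tls = cfg.get("TLS", {"enabled": False})
    if not tls["enabled"]:
        findings.append(("warn", "TLS listener disabled: log data arrives in cleartext"))
    elif not tls.get("keystore") or not tls.get("alias"):
        findings.append(("error", "TLS listener enabled but Keystore or KeystoreAlias is empty"))
    for proto in ("UDP", "TCP"):
        if cfg.get(proto, {}).get("enabled"):
            findings.append(("warn", f"{proto} port {cfg[proto]['port']} enabled: "
                                     "cleartext; disable if unused and restrict by firewall"))
    return findings


if __name__ == "__main__":
    for severity, message in check_listeners(SAMPLE_CONFIG):
        print(severity.upper(), message)
```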

The resulting file for the dart adapter should appear similar to the following example:

Example

<?xml version="1.0" encoding="utf-8"?>
<Adapter>
    <Name>dartAdapter</Name>
    <Description>Domain Analysis Rating Tool</Description>
    <Log4jProperty>./log4j.properties</Log4jProperty>
    <Modules>
        <Module type="espconnector">
            <InstanceName>MyOutStream_Subscriber</InstanceName>
            <Name>EspSubscriber</Name>
            <Next>MyDartTransporter</Next>
            <Parameters>
                <EspSubscriberParameters>
                </EspSubscriberParameters>
            </Parameters>
        </Module>
        <Module type="transporter">
            <InstanceName>MyDartTransporter</InstanceName>
            <Name>DartTransporter</Name>
            <Parameters />
        </Module>
    </Modules>
    <GlobalParameters />
</Adapter>

2.4.5 Setting the Java Max Heap Size

The default max heap for SAP HANA Smart Data Streaming is not sufficient for SAP Enterprise Threat Detection.

Context

We recommend changing the heap size by allocating half of the memory to the Java process. For more
information about hardware requirements, see the SAP Enterprise Threat Detection Sizing Guide on SAP Help
Portal at http://help.sap.com/sapetd10. In this example, the heap size is set to 20 GB.

Note
Note that this setting is lost during an upgrade. You have to set the Java max heap size after each upgrade of
your SAP HANA Smart Data Streaming.

Procedure

1. Edit the file $STREAMING_HOME/adapters/framework/bin/start.sh.


2. Add the heap size -Xmx<20G> as follows:

"$STREAMING_HOME/lib/jre/bin/java" -Xmx20G "${SYSTEM_PROPERTIES_VAL[@]}" $POLICY_PARAMETER -cp "$FRAMEWORK_CLASSPATH" $DEBUG_PARA
3. Save your entries.

2.4.6 Configuring and Deploying Projects to the Cluster Workspace

The projects for SAP Enterprise Threat Detection have different parameters that you have to configure.

Prerequisites

You have imported the SAP HANA Smart Data Streaming projects for SAP Enterprise Threat Detection.

For more information, see Importing the SAP HANA Smart Data Streaming Projects for SAP Enterprise Threat
Detection [page 24].

You have logged on to SAP HANA smart data streaming with a user with sufficient authorizations to configure and
deploy projects, for example the <SDS admin> user.

Context

This is the overall procedure. You find detailed information for each project in the chapters that follow.

Procedure

1. Configure the project.
2. Configure the bindings, if necessary.
3. Deploy the project.

Deploying the projects to their runtime environments enables the projects for streaming data.
4. If you deploy a project more than once, note that you need a .ccr and .ccx file for each instance. We
recommend that you set up a central repository or directory for all of your .ccr and .ccx files outside of your
SAP Enterprise Threat Detection so that you can always reuse them if you ever have to reconfigure the
projects. For example, after an upgrade, the configurations might get lost.

2.4.6.1 Projects of SAP Enterprise Threat Detection
This architecture diagram illustrates an example of how you can deploy the projects of SAP Enterprise Threat
Detection.

Figure 4: Overall Project Deployment of SAP Enterprise Threat Detection

2.4.6.2 Configuring and Deploying transfer_log_event


You need to deploy one transfer_log_event project for each SAP HANA system. This ensures that the log data is enriched with the correct user context data.

Context

Procedure

1. In the SAP HANA Studio, open the SAP HANA Streaming Run-Test perspective.

2. In the Project Explorer, open transfer_log_event > transfer_log_event.ccr.


3. On the Parameters tab, enter parameter values according to the following tables.

Table 8: Parameters for SAP HANA Connection

Parameter Name: Description

DataServiceName: Identifies the name of the data service for the connection to the SAP HANA system in which the logs are to be stored.
    Caution: The name of the data service must match the name of the data service you defined in SAP HANA Smart Data Streaming.

PseudonymizationOn: Determines whether user IDs are pseudonymized. We do not recommend that you change this parameter.

OriginalDataOutOn: Determines whether the original log data is stored in SAP HANA. You can specify a retention period for the original log data through the Settings tile on the launchpad of SAP Enterprise Threat Detection.

UnrecognizedLogsOutOn: Unrecognized logs are logs that are sent to SAP Enterprise Threat Detection but cannot be parsed because no rule has been defined for them in the Log Learning application. This parameter determines whether unrecognized log data is stored in SAP HANA. You can specify a retention period for these logs through the Settings tile on the launchpad of SAP Enterprise Threat Detection.

bulkBatchSize: Determines the size of the batches in which log events are sent to SAP HANA. The time limit for sending a batch is 1 second, that is, a new batch is sent every second even if it contains fewer entries than specified.

threadCount: Determines the number of parallel connections to the SAP HANA database used for sending normalized log events.

The parameters in the following table configure e-mail notification. When it is enabled and the SAP HANA host of SAP Enterprise Threat Detection stops answering pings from SAP HANA Smart Data Streaming, SAP HANA Smart Data Streaming sends an e-mail to the configured addresses.

Caution
These parameters must have values even if you disable e-mail notification; the project can only start if all of them are set. Except for TimeSpanBetweenEmailsInSecs, they are delivered with dummy values.

Table 9: Parameters for Emergency E-Mail Notification

Parameter Name: Description

EMailNotificationOn: Default value is TRUE. To disable e-mail notification, set it to FALSE.

toAddress: The recipient e-mail address to notify when the SAP HANA host stops functioning.

cctoAddress: An additional e-mail address to notify when the SAP HANA host stops functioning.

fromAddress: The sender e-mail address of the notification message.

SDSInstanceId: An identifier for SAP HANA Smart Data Streaming. You can use a host name, an IP address, or any other name that enables you to identify the SAP HANA Smart Data Streaming server. This information appears in the message subject.

smtpHost: The host name of the e-mail server through which the notification message is sent.

smtpPort: The port number of the e-mail server through which the notification message is sent.

TimeSpanBetweenEmailsInSecs: The number of seconds between e-mail messages from SAP HANA Smart Data Streaming. The system continues to send e-mails until SAP HANA answers pings again or the SAP HANA Smart Data Streaming server is stopped. The default value is 600 seconds.

4. Save your entries.
5. In the Server view of the SAP HANA Streaming Run-Test perspective, choose <server name> > <workspace name>.
6. From the context menu of the workspace, choose Load Project(s) into Workspace.
7. Select the compiled project (*.ccx file).

   The system looks for the *.ccr file one folder above the *.ccx file.
8. Choose Open.

   The project appears beneath the workspace.
9. In the context menu of the project, choose Start Project.

2.4.6.3 Configuring and Deploying transfer_master_data

This project transfers the initial user context data to the SAP HANA system.

Context

Procedure

1. In the Project Explorer, open transfer_master_data > transfer_master_data.ccr.


2. On the Parameters tab, enter the name of the data service for SAP HANA in the Value field of the DataServiceName parameter.

   This parameter identifies the name of the data service for the connection to the SAP HANA system in which the information about the system context and user context is to be stored.

   Caution
   The name of the data service must match the name of the data service you defined in SAP HANA Smart Data Streaming.

3. Enter the parameters for e-mail notification.

   Configure e-mail notification for transfer_master_data.ccr just as you did for transfer_log_event.ccr, described in the previous chapter.
4. Save your entries.

5. In the Server view of the SAP HANA Streaming Run-Test perspective, choose <server name> > <workspace name>.
6. From the context menu of the workspace, choose Load Project(s) into Workspace.
7. Select the compiled project (*.ccx file).

The system looks for the *.ccr file one folder above the *.ccx file.
8. Choose Open.

The project appears beneath the workspace.


9. In the context menu of the project, choose Start Project.

2.4.6.4 Configuring and Deploying Projects for Content
Replication

To enable the replication of content between two SAP Enterprise Threat Detection systems, you need to deploy two projects: the content replication connector and the content replication server.

Prerequisites

See the SAP Enterprise Threat Detection System Landscape Guide on the SAP Help Portal at http://help.sap.com/sapetd for detailed information about content replication.

Context

This chapter provides an example of how you can deploy the projects in your landscape. In the figure below, the source system is the development system and the target system is the productive system. This direction is required for development objects that you want to replicate to your productive systems.

First deploy the content replication server project (content_replication_server). We recommend that you deploy it on your development (source) system. You do not need to configure anything in this project. Then deploy the content replication connector project (content_replication_connector) on every local SAP HANA smart data streaming cluster, and configure the bindings in content_replication_connector.

Procedure

1. In the SAP HANA Studio, open the SAP HANA Streaming Run-Test perspective.

2. In the Project Explorer, open content_replication_connector > content_replication_connector.ccr.


3. On the Clusters tab, configure a connection to the cluster in which the content_replication_server project is located.

   Click Add and specify the connection:

Table 10:

Cluster URL: esps://<content_replication_server-hostname>:<port>. The default port is 30026.

Cluster manager: http://<content_replication_server-hostname>:<port>. The default port is 30026. Note that the protocol is HTTP. (If the Cluster Manager is not displayed in the user interface, right-click the cluster and choose New > Cluster Manager.)

Type: remote

Authentication: Enter the credentials of a user who is authorized to read and write in the content replication server project.

4. On the Bindings tab, define the four bindings as illustrated below:

   ○ ImportIn is an input binding.
   ○ ImportInStatusOut, ExportIn, and ControlIn are output bindings.
   ○ For each binding, enter the cluster of the content replication server project.
   ○ Use the Discover pushbutton. Make the settings for each binding as shown in the following table.
5. On the Parameters tab, enter the DataServiceName for the connection to SAP HANA, for example local. For more information, see Creating Data Services for SAP HANA [page 27].
6. Save your entries.
7. From the context menu of the workspace, choose Load Project(s) into Workspace.
8. Select the compiled project (*.ccx file).

The system looks for the *.ccr file one folder above the *.ccx file.
9. Choose Open.

The project appears beneath the workspace.


10. In the context menu of the project, choose Start Project.
11. Repeat steps 7 to 10 for all instances where you want to deploy the content replication connector project.

Results

After the deployment and configuration of the projects, you configure which system replicates data to which system in the Settings tile on the launchpad of SAP Enterprise Threat Detection. For more information, see the SAP Enterprise Threat Detection System Landscape Guide on the SAP Help Portal at http://help.sap.com/sapetd.

2.4.6.5 Configuring and Deploying the dart Project

This project is used for the detection of malicious domains.

Context

Procedure

1. In the SAP HANA Studio, open the SAP HANA Streaming Run-Test perspective.

2. In the Project Explorer, open dart > dart.ccr.


3. On the Parameters tab, enter parameter values according to the following tables.

Table 11: Parameters for SAP HANA Connection

Parameter Name: Description

DataServiceName: Identifies the name of the data service for the connection to the SAP HANA system. The user of this data service must have the authorizations delivered in the sap.secmon.db::EtdDRCommitter role. You can either use a separate user or add this role to the user that has the sap.secmon.db::EtdDataCommitter role.
    Caution: The name of the data service must match the name of the data service you defined in SAP HANA Smart Data Streaming. This guide uses the example name <dart> for this data service.

ExclusionTimerangeInHours: Defines the time range, in hours, for which no further indicator is created after a call to a domain that might be malicious. If such a domain is called a second time within this time range, no second indicator is created.

4. Save your entries.


5. From the context menu of the workspace, choose Load Project(s) into Workspace.
6. Select the compiled project (*.ccx file).

The system looks for the *.ccr file one folder above the *.ccx file.
7. Choose Open.

The project appears beneath the workspace.


8. In the context menu of the project, choose Start Project.

2.4.6.6 Configuring and Deploying the Fireeye Project

Deploy the fireeye_events_over_tcp_in_etd project as illustrated below.

Context

Procedure

1. In the SAP HANA Studio, open the SAP HANA Streaming Run-Test perspective.

2. In the Project Explorer, open fireeye_events_over_tcp_in_etd > fireeye_events_over_tcp_in_etd.ccr.


3. On the Bindings tab, define LogEventIn as an output binding to transfer_log_event.

4. On the Parameters tab, enter parameter values according to the following tables.

Table 12: Parameters for SAP HANA Connection

Parameter Name: Description

SocketPort: Identifies the port to which FireEye events have to be sent.

5. Save your entries.


6. From the context menu of the workspace, choose Load Project(s) into Workspace.
7. Select the compiled project (*.ccx file).

The system looks for the *.ccr file one folder above the *.ccx file.
8. Choose Open.

The project appears beneath the workspace.


9. In the context menu of the project, choose Start Project.

2.4.6.7 Configuring and Deploying import_file_2_transfer_log_event

Use this project to transfer unstructured log data to the log learning adapter as if it had been transferred via UDP or TCP.

Context

To ensure that an entire log entry is transferred into one field, the default delimiter that separates individual log entries is the '$' (dollar sign), because logs usually do not contain it. If your log might contain a '$', enter a different delimiter in the project.

Note
The adapter that imports files uses US-ASCII by default. You need to change this to UTF-8 in the adapter_config.xml file under $STREAMING_HOME/adapters/framework/instances/file_csv_input/. In adapter_config.xml, ensure that the character set UTF-8 is used as follows: <CharsetName>UTF-8</CharsetName>.

Procedure

1. In the SAP HANA Studio, open the SAP HANA Streaming Run-Test perspective.

2. In the Project Explorer, open import_file_2_transfer_log_event > import_file_2_transfer_log_event.ccr.


3. On the Bindings tab, define LogEventIn as an output binding to transfer_log_event as illustrated below:

4. On the Parameters tab, enter parameter values according to the following table.

Table 13: Parameters for SAP HANA Connection

Parameter Name: Description

FileSourceEvents: Directory of the source files. For more information, see the Sandboxing chapter in the SAP HANA Smart Data Streaming: Security Guide on the SAP Help Portal.

RemoveAfterProcess: Delete the file after processing.

CSVDelimiter: Delimiter in the source file. The default delimiter that separates individual log entries is the '$' (dollar sign).

CSVHasHeader: Specifies whether each file has a header line.

PollingPeriodinSecs: How often the directory is polled for new files, in seconds.

ESPInstanceId: Host name of the streaming server.

filePattern: Pattern of the file names to read.

5. Save your entries.


6. From the context menu of the workspace, choose Load Project(s) into Workspace.
7. Select the compiled project (*.ccx file).

The system looks for the *.ccr file one folder above the *.ccx file.

8. Choose Open.

The project appears beneath the workspace.


9. In the context menu of the project, choose Start Project.
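The delimiter and character-set settings in this chapter fail silently when they are wrong: a '$' inside a log entry splits that entry into fragments at the CSVDelimiter, and a non-ASCII byte read as US-ASCII is damaged before the log learning adapter ever sees it. The following POSIX shell script is an added example, not code from this guide or from SAP, that runs both checks as a pre-flight before files are placed in the FileSourceEvents directory: delimiter_hits counts the log lines that contain a candidate delimiter, and ensure_utf8 switches the <CharsetName> element of an adapter_config.xml to UTF-8 if it is anything else. The same charset edit is the one required by the identical notes for file_csv_input in 2.4.6.9, 2.4.6.11 and 2.4.6.15 and for file_csv_output in 2.4.6.14. The Windows-style log lines and the minimal adapter_config.xml used in the demonstration are constructed; apart from the <CharsetName> element quoted in the note above, nothing in that XML reflects the real layout of the adapter configuration file.

```shell
#!/bin/sh
# Added example (not from the SAP guide): pre-flight checks for file-based log import.
# Assumptions: adapter_config.xml contains a <CharsetName>...</CharsetName> element as
# quoted in the guide; the sample XML and the log lines below are constructed.

# delimiter_hits FILE DELIM : number of log lines that contain DELIM. Any hit means the
# CSVDelimiter setting would split that entry into fragments, so choose another delimiter.
delimiter_hits() {
  grep -c -F -- "$2" "$1" || true
}

# charset_of XMLFILE : print the value of the first <CharsetName> element
charset_of() {
  sed -n 's/.*<CharsetName>\([^<]*\)<\/CharsetName>.*/\1/p' "$1" | head -n 1
}

# ensure_utf8 XMLFILE : rewrite <CharsetName> to UTF-8 if it is anything else; idempotent,
# edits the file in place through a temp file and verifies the result
ensure_utf8() {
  f="$1"
  [ "$(charset_of "$f")" = "UTF-8" ] && return 0
  tmp="${f}.tmp.$$"
  sed 's/<CharsetName>[^<]*<\/CharsetName>/<CharsetName>UTF-8<\/CharsetName>/' "$f" > "$tmp" \
    && mv "$tmp" "$f"
  [ "$(charset_of "$f")" = "UTF-8" ]
}

# --- demonstration on constructed input ---
work=$(mktemp -d)

# Constructed Windows-style log lines: administrative shares end in '$', so the guide's
# default '$' delimiter would split these entries. A control character that never occurs
# in text logs, such as ASCII 0x1E (record separator), is a safer choice for such sources.
printf '%s\n' \
  'Jan 10 09:12:01 host1 An account was successfully logged on. Account Name: jdoe' \
  'Jan 10 09:12:05 host1 A network share object was accessed. Share Name: \\*\C$' \
  'Jan 10 09:12:09 host1 A network share object was accessed. Share Name: \\*\ADMIN$' \
  > "$work/sample.log"
echo "entries that contain the '\$' delimiter: $(delimiter_hits "$work/sample.log" '$')"

# Constructed minimal adapter_config.xml; only the <CharsetName> element matters here.
printf '%s\n' '<adapter>' '  <CharsetName>US-ASCII</CharsetName>' '</adapter>' \
  > "$work/adapter_config.xml"
echo "charset before: $(charset_of "$work/adapter_config.xml")"
ensure_utf8 "$work/adapter_config.xml"
echo "charset after:  $(charset_of "$work/adapter_config.xml")"

rm -rf "$work"
```

Point delimiter_hits at a representative sample of the real log before choosing CSVDelimiter, and run ensure_utf8 against $STREAMING_HOME/adapters/framework/instances/file_csv_input/adapter_config.xml (and the file_csv_output counterpart for the archive project) after every SDS upgrade, since the adapter instances are redeployed then.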

2.4.6.8 Configuring and Deploying import_itoa_2_transfer_log_event

Use this project for the integration with SAP IT Operations Analytics, for reading and importing data into SAP Enterprise Threat Detection.

Context

Procedure

1. In the SAP HANA Studio, open the SAP HANA Streaming Run-Test perspective.

2. In the Project Explorer, open import_itoa_2_transfer_log_event > import_itoa_2_transfer_log_event.ccr.


3. On the Bindings tab, define GenericLogIn as an output binding to transfer_log_event as illustrated below:

4. On the Parameters tab, enter parameter values according to the following tables.

Table 14: Parameters for SAP HANA Connection

Parameter Name: Description

DataServiceName: Identifies the name of the data service for the connection to the SAP HANA system from which the data is to be read.
    Caution: The name of the data service must match the name of the data service you defined in SAP HANA Smart Data Streaming.

DBQuery: Database query to be executed on SAP HANA. The default is:
    select "MSG", "TIMESTAMP" from "<Schema>"."<Table>" where "TIMESTAMP" > ?;
  The query must return the columns "MSG" and "TIMESTAMP".

5. Save your entries.


6. From the context menu of the workspace, choose Load Project(s) into Workspace.
7. Select the compiled project (*.ccx file).

The system looks for the *.ccr file one folder above the *.ccx file.
8. Choose Open.

The project appears beneath the workspace.


9. In the context menu of the project, choose Start Project.

2.4.6.9 Configuring and Deploying import_udp_tcp_2_transfer_log_event

If you cannot receive UDP or TCP directly from the log providers because of network limitations, you use this project to receive log data via UDP or TCP from a streaming cluster that acts as a proxy.

Prerequisites

You have installed the log learning adapter in the same streaming cluster in which the
import_udp_tcp_2_transfer_log_event project is deployed.

Note
The transfer_log_event project must be deployed on a different SDS host than
import_udp_tcp_2_transfer_log_event. Both projects use the log learning adapter, which can only log
on to a streaming server once, so even if the projects were in different workspaces on the same server, you
would run into issues with duplicates of log events.

Context

Note
The adapter that imports files uses US-ASCII by default. You need to change this to UTF-8 in the
adapter_config.xml file under $STREAMING_HOME/adapters/framework/instances/file_csv_input/.
In the adapter_config.xml, ensure that the character set UTF-8 is used as follows: <CharsetName>UTF-8</
CharsetName>.

Procedure

1. In the SAP HANA Studio, open the SAP HANA Streaming Run-Test perspective.

2. In the Project Explorer, open import_udp_tcp_2_transfer_log_event > import_udp_tcp_2_transfer_log_event.ccr.
3. On the Bindings tab, define OriginalDataRTParserIn as an output binding to transfer_log_event as
illustrated below:

4. Save your entries.


5. From the context menu of the workspace, choose Load Project(s) into Workspace.
6. Select the compiled project (*.ccx file).

The system looks for the *.ccr file one folder above the *.ccx file.
7. Choose Open.

The project appears beneath the workspace.

8. In the context menu of the project, choose Start Project.

2.4.6.10 Configuring and Deploying log_event_replication

This project enables you to configure only one receiving system in all of your sending systems: For example, send
all log events to the transfer_log_event project in your productive system. In the other systems, in which you
need these log events, for example, the quality and the development system, you can deploy the
log_event_replication project to receive the log events from this transfer_log_event project.

Context

Procedure

1. In the SAP HANA Studio, open the SAP HANA Streaming Run-Test perspective.

2. In the Project Explorer, open log_event_replication > log_event_replication.ccr.

3. On the Bindings tab, define bindings to and from transfer_log_event as illustrated below:

○ LogEventIn and OriginalDataRTParserIn from remote host are input bindings


○ LogEventIn and OriginalDataRTParserIn to local host are output bindings
4. Save your entries.
5. From the context menu of the workspace, choose Load Project(s) into Workspace.
6. Select the compiled project (*.ccx file).

The system looks for the *.ccr file one folder above the *.ccx file.
7. Choose Open.

The project appears beneath the workspace.


8. In the context menu of the project, choose Start Project.

2.4.6.11 Configuring and Deploying pull_events_from_file
Use this project to import log events from files that have the LogEventWithTimestampAsTimestamp schema.
This is a schema usually used by J2EE or SAP AS ABAP systems.

Context

Note
The adapter that imports files uses US-ASCII by default. You need to change this to UTF-8 in the
adapter_config.xml file under $STREAMING_HOME/adapters/framework/instances/file_csv_input/.
In the adapter_config.xml, ensure that the character set UTF-8 is used as follows: <CharsetName>UTF-8</
CharsetName>.

Procedure

1. In the SAP HANA Studio, open the SAP HANA Streaming Run-Test perspective.

2. In the Project Explorer, open pull_events_from_file > pull_events_from_file.ccr.


3. On the Bindings tab, define LogEventIn as an output binding to transfer_log_event as illustrated below:

4. On the Parameters tab, enter the parameter value according to the following table.

Table 15: Parameter for SAP HANA Connection

Parameter Name Description

FileSourceEvents Directory from which all files are read.

5. Save your entries.


6. From the context menu of the workspace, choose Load Project(s) into Workspace.
7. Select the compiled project (*.ccx file).

The system looks for the *.ccr file one folder above the *.ccx file.
8. Choose Open.

The project appears beneath the workspace.


9. In the context menu of the project, choose Start Project.

2.4.6.12 Configuring and Deploying structured_event_import_from_file

This is an example project for uploading structured logs and doing the mappings in the project. You only need it as a fallback if providing the log through the log learning application does not work.

Prerequisites

● If you have run into problems providing your log file through the log learning application, we recommend that you contact our support at component BC-SEC-ETD and discuss whether this implementation is a suitable alternative for you.
● The source system must be able to provide structured, text-based logs.
  The example implementation reads logs from the source directory /home/esp/import/myNewLogType every second. The example also provides a sample log, testlog.csv. You are free to develop your own implementation using the adapters provided by SAP HANA Smart Data Streaming.
● You have developer experience with projects on SAP HANA Smart Data Streaming.
  We provide only an example implementation. You customize the example we provide or create your own.
● The transfer_log_event project is running on your SAP HANA Smart Data Streaming.

Context

This description assumes that you install the sample project and modify it. On SAP HANA Smart Data Streaming,
you can develop your own content based on the sample solution we provide. The following figure illustrates the
sample solution. The solution reads log files in the source directory and deletes them. The project converts the
content of the input stream SourceEventData into the derived stream ConvertedLogEvent. For each record,
the project builds a time stamp from the date and time coming in. The data from the output stream LogEventOut
is sent to project transfer_log_event.

Figure 5: Block Diagram of Sample Implementation

Procedure

1. In the SAP HANA Studio, open the SAP HANA Streaming Run-Test perspective.

2. In the Project Explorer, open structured_event_import_from_file > structured_event_import_from_file.ccr.

3. On the Bindings tab, define LogEventIn as an output binding to transfer_log_event as illustrated below:

4. On the Parameters tab, enter the parameter value according to the following table.

Table 16: Parameters for SAP HANA Connection

Parameter Name: Description

FileSourceEvents: Directory from which all files are read. The sample value is '/home/esp/import/myNewLogType'.

FileDelimiter: Field delimiter in the source files. The sample value is ';'.

5. Save your entries.


6. From the context menu of the workspace, choose Load Project(s) into Workspace.
7. Select the compiled project (*.ccx file).

The system looks for the *.ccr file one folder above the *.ccx file.
8. Choose Open.

The project appears beneath the workspace.


9. In the context menu of the project, choose Start Project.

2.4.6.13 Configuring and Deploying proxy_tle

The proxy_tle project has the same interfaces as transfer_log_event, but does not normalize the log data.

Context

You deploy the proxy_tle project on a system whose main purpose is collecting logs. Such a log collector sits between the log providers on the one hand and the SAP Enterprise Threat Detection systems on the other. You configure your log providers to send their logs to the log collector, and the SAP Enterprise Threat Detection systems collect the logs from there.

Procedure

1. In the SAP HANA Studio, open the SAP HANA Streaming Run-Test perspective.

2. In the Project Explorer, open proxy_tle > proxy_tle.ccr.


3. On the Bindings tab, define the four bindings as illustrated below.

All four bindings are inbound bindings and defined in log_event_replication:

○ LogEventIn
○ OriginalDataRTParserIn
○ PingFromSystemIn
○ PingDetailFromSystemIn

4. From the context menu of the workspace, choose Load Project(s) into Workspace.
5. Select the compiled project (*.ccx file).

The system looks for the *.ccr file one folder above the *.ccx file.
6. Choose Open.

The project appears beneath the workspace.


7. In the context menu of the project, choose Start Project.

2.4.6.14 Configuring and Deploying transfer_log_event_2_archive

Interface project that writes original and normalized log data into files that can then be used, for example, for archiving purposes.

Context

SAP Enterprise Threat Detection provides a basic archiving function for the long term storage of log data with this
project.

Note
The adapter that exports files uses US-ASCII by default. You need to change this to UTF-8 in the adapter_config.xml file under $STREAMING_HOME/adapters/framework/instances/file_csv_output/. In adapter_config.xml, ensure that the character set UTF-8 is used as follows: <CharsetName>UTF-8</CharsetName>.

Procedure

1. In the SAP HANA Studio, open the SAP HANA Streaming Run-Test perspective.

2. In the Project Explorer, open transfer_log_event_2_archive > transfer_log_event_2_archive.ccr.


3. On the Bindings tab, define the input bindings to transfer_log_event as illustrated below:

4. On the Parameters tab, enter parameter values according to the following tables.

Table 17: Parameters for SAP HANA Connection

Parameter Name: Description

MaxFileSizeInBytesOriginalEvents: Maximum file size for original log events, in bytes.

TimeBasedRotateOnOriginalEvents: Switches on time-based rotation for original log events.

TimeBasedRotateIntervalinSecsOriginalEvents: Time-based rotation interval for original log events, in seconds.

FilePrefixOriginalEvents: File prefix for original log events.

FilePathOriginalEvents: File path for original log events.

MaxFileSizeInBytesNormalizedEvents: Maximum file size for normalized events, in bytes.

TimeBasedRotateOnNormalizedEvents: Switches on time-based rotation for normalized events.

TimeBasedRotateIntervalinSecsNormalizedEvents: Time-based rotation interval for normalized events, in seconds.

FilePrefixNormalizedEvents: File prefix for normalized log events.

FilePathNormalizedEvents: File path for normalized log events.

5. Save your entries.


6. From the context menu of the workspace, choose Load Project(s) into Workspace.
7. Select the compiled project (*.ccx file).

The system looks for the *.ccr file one folder above the *.ccx file.
8. Choose Open.

The project appears beneath the workspace.


9. In the context menu of the project, choose Start Project.

2.4.6.15 Configuring and Deploying transfer_log_event_from_archive

Use this project to send normalized log data from an archive to SAP Enterprise Threat Detection.

Context

Note
The adapter that imports files uses US-ASCII by default. You need to change this to UTF-8 in the
adapter_config.xml file under $STREAMING_HOME/adapters/framework/instances/file_csv_input/.
In the adapter_config.xml, ensure that the character set UTF-8 is used as follows: <CharsetName>UTF-8</
CharsetName>.

Procedure

1. In the SAP HANA Studio, open the SAP HANA Streaming Run-Test perspective.

2. In the Project Explorer, open transfer_log_event_from_archive > transfer_log_event_from_archive.ccr.


3. On the Bindings tab, define NormalizedData as an output binding to transfer_log_event as illustrated below:
4. On the Parameters tab, enter parameter values according to the following tables.

Table 18: Parameters for SAP HANA Connection

Parameter Name Description

FilePathNormalizedEvents Path to files with normalized events that are to be read.

5. Save your entries.


6. From the context menu of the workspace, choose Load Project(s) into Workspace.
7. Select the compiled project (*.ccx file).

The system looks for the *.ccr file one folder above the *.ccx file.
8. Choose Open.

The project appears beneath the workspace.


9. In the context menu of the project, choose Start Project.

2.4.6.16 Configuring and Deploying
trendmicro_events_over_tcp_in_etd

This is an example project for the integration of Trend Micro software over TCP.

Context

Procedure

1. In the SAP HANA Studio, open the SAP HANA Streaming Run-Test perspective.

2. In the Project Explorer, open trendmicro_events_over_tcp_in_etd > trendmicro_events_over_tcp_in_etd.ccr.
3. On the Bindings tab, define LogEventIn as an output binding to transfer_log_event as illustrated below:

4. On the Parameters tab, enter parameter values according to the following table.

Table 19: Parameters for SAP HANA Connection

Parameter Name: Description

SocketPort: The port to which the Trend Micro events are sent over TCP.

NoOfPartitions: Number of partitions for the input stream, used to distribute the load.

5. Save your entries.


6. From the context menu of the workspace, choose Load Project(s) into Workspace.
7. Select the compiled project (*.ccx file).

The system looks for the *.ccr file one folder above the *.ccx file.
8. Choose Open.

The project appears beneath the workspace.


9. In the context menu of the project, choose Start Project.

2.4.7 Enabling Configuration Checks

Configuration checks enable SAP Enterprise Threat Detection to carry out static checks of the log providing SAP
NetWeaver Application Server systems.

Context

SAP Enterprise Threat Detection delivers checks for about 50 profile parameters as well as two checks of the ABAP standard users: whether all standard users have changed their initial password, and whether a standard user is locked. You can view the results of these checks in Forensic Lab by setting the browsing context to Configuration Checks.

To be able to use the configuration check framework, carry out the following installation steps on SAP HANA
smart data streaming, SAP HANA, and the SAP NetWeaver Application Server log providers.

Procedure

1. Install the HTTP Output Adapter on your SAP HANA smart data streaming. See the documentation on SAP Help
Portal at https://help.sap.com/doc/saphelp_esp_51sp09_adapt/5.1.9/en-US/e7/7d42ab6f0f10148d4d80097837990f/frameset.htm.
2. Provide an adapter configuration file similar to the one described at https://help.sap.com/doc/saphelp_esp_51sp09_adapt/5.1.9/en-US/e7/7dbd676f0f1014b47a9c90e77427e0/frameset.htm:
○ Set element keepAlive to the value False: <keepAlive>False</keepAlive>
○ Set element contentType to the value text/plain: <contentType>text/plain</contentType>

○ The value of element httpPort (default: 23456) is the port on the HTTP Output Adapter to which the SAP
NetWeaver system connects.
3. Adjust the transfer_master_data.ccr file as follows:
○ Parameter configFilePath must refer to the adapter configuration file mentioned above. For detailed
information, see https://help.sap.com/doc/saphelp_esp_51sp09_adapt/5.1.9/en-US/
e7/7d42ab6f0f10148d4d80097837990f/frameset.htm. For example, /hana/shared/ETD/
streaming-1_00_122_10_170516/cluster/etd/adapters/config/adapter.xml
○ Parameter baseDir must refer to SDS toolkit directory, for example, /hana/shared/ETD/streaming/
STREAMING-1_0/adapters/http
4. In the SAP HANA job dashboard, activate job sap.secmon.services.util::masterDataInterface
under a user with role sap.secmon.db::EtdBatch. For more information, see Starting Jobs for SAP
Enterprise Threat Detection [page 18].
5. On your SAP NetWeaver Application Server log provider systems, implement SAP Note 2477281.
6. In the SECM_CONFIGURATION report, define the configuration with SAP Enterprise Threat Detection version
1.0 SP06 and the connection parameters of the Streaming HTTP Output Adapter.
7. Define a variant for SECM_MASTER_DATA_2_ESP with the correct SAP Enterprise Threat Detection
configuration and select the checkbox Configuration Check Results.
8. For security reasons, we recommend verifying the imported check code before it is executed: in
SECM_CONFIGURATION, on the Configuration for System Settings tab, enable SSF verification. With SSF
verification enabled, only check code that carries a valid signature is executed on the log provider.

As SSF application, use an SSF application that you define in transaction SSFA.
9. Schedule a regular job for SECM_MASTER_DATA_2_ESP with the corresponding variant, for example, once per day.

2.4.8 Starting the Streaming Web Service


Starting the Streaming Web Service (SWS) is the final step in configuring SAP HANA Smart Data Streaming for
SAP Enterprise Threat Detection.

Prerequisites

● You have a user with administration rights for SAP HANA Smart Data Streaming, for example, the SDS
Admin User.
● Note that HTTP compression is not possible with SWS. If you use SWS, make sure that this option is not
set in report SECM_CONFIGURATION. The ping still works with HTTP compression enabled, but no log data
is sent.
● If you use WSP, implement SAP Note 2391842 and add the JVM parameters described there to avoid issues
with the time zone.

Context

The Streaming Web Service is a scalable gateway providing HTTP-based access to SAP HANA Smart Data
Streaming. It provides higher performance and greater scalability than the older Web Services Provider (WSP),
which is why we recommend using the Streaming Web Service. If you use SAP Enterprise Threat Detection 1.0 SP03
or older on your SAP NetWeaver AS ABAP, you must use the older Web Services Provider. The procedure to configure
the WSP is the same as the one described below for SWS. For more information, see the SAP HANA Smart Data
Streaming documentation at http://help.sap.com/hana_options_sds/.

Procedure

1. To configure SWS, open the Streaming Cluster Configuration tile in the SAP HANA cockpit or enter the
following URL: <protocol>://<hostname>:<port>/sap/hana/streaming/monitoring/ui/cluster/.
We recommend configuring the SWS to start automatically at system start.
2. To start or stop the SWS (or the WSP), use the Streaming Nodes tile in the SAP HANA cockpit:
<protocol>://<hostname>:<port>/sap/hana/streaming/monitoring/ui/nodes/#/Nodes('hostname')/SWS or
<protocol>://<hostname>:<port>/sap/hana/streaming/monitoring/ui/nodes/#/Nodes('hostname')/WSP

3 Starting SAP Enterprise Threat Detection Launchpad

The launchpad for SAP Enterprise Threat Detection provides you with access to all the functions of the product.
The launchpad also gives you an overview of the current status of alerts and investigations in your system.

Prerequisites

We suggest you use a web browser such as Google Chrome or Mozilla Firefox.

Procedure

1. Enter the following URL in your browser to display the launchpad: <protocol>://<host_name>:<port>/sap/secmon/ui.
The tiles on the launchpad are grouped in several categories. Note that you can rearrange the launchpad
according to your preferences.

Some tiles display a number that refers to the criterion named in the tile title. Red numbers indicate
investigations or alerts with very high severity; look into these issues first.

The symbol next to the number indicates the unit of measure.

Table 20:

Symbol    Measure
K         Thousands
M         Millions
B         Billions

2. To re-arrange the tiles according to your preferences, choose the pencil icon in the lower right-hand corner to
start the edit mode.

You can now perform actions on tiles and groups. Choose the pencil icon again to end the edit mode.
3. Create your own tiles.

On some of the user interfaces of SAP Enterprise Threat Detection, for example Alerts, Investigations, and
Record of Actions, you can specify filter criteria according to which investigations or alerts are displayed and
then save these lists as tiles on your launchpad. For example, this is helpful if you want to monitor alerts that
result from specific patterns, or investigations that are assigned to specific users. This option is marked with
the (Save as Tile) icon.

A new tile is saved to your launchpad with the title, subtitle, and additional information you provided.

4 Providing Logs from SAP NetWeaver Application Server for ABAP

To consume logs from SAP NetWeaver Application Server for ABAP (SAP NetWeaver AS for ABAP), install and
configure a log provider on each host system for SAP NetWeaver AS for ABAP. Note that for the Read Access Log
and the Security Audit Log, there is also a way to transfer the log data immediately to SAP Enterprise Threat
Detection by means of profile parameters of the application server (see Providing Read Access Log and Security
Audit Log by Immediate Log Transfer [page 72]).

Prerequisites

● You have logged on with a user on SAP NetWeaver AS for ABAP with the required authorizations.
For more information, see Authorizations of the Log Provider for SAP NetWeaver Application Server for ABAP
[page 131].
● To use transport layer security (TLS), configure trust between SAP NetWeaver AS for ABAP and SAP HANA
Smart Data Streaming.

Note
We recommend that you protect the data connection with TLS.

For more information, see Encrypting Communication Between Log Providers and the Web Service
Provider [page 104].

Context

Note

The log provider gathers logs from SAP NetWeaver AS for ABAP and sends them on to SAP HANA Smart Data
Streaming for processing. In turn, SAP HANA Smart Data Streaming sends the processed logs to SAP HANA for
consumption by SAP Enterprise Threat Detection. Out of the logs, SAP Enterprise Threat Detection generates
alerts.

Procedure

1. Install the SAP Enterprise Threat Detection package for SAP NetWeaver AS for ABAP on your system.
To install the package, implement SAP Note 2155046 .

2. Configure the logs to read in the Display View (transaction SM30) for table SECM_LOGS.

Choose (Initialize Entries) to fill the table with default entries. If necessary, adjust the settings in column
Log Active to your needs. Only if the value is set to True will the data for the corresponding log type be
transferred to SAP Enterprise Threat Detection.
3. Configure the connection data for SAP HANA Smart Data Streaming.

Use ABAP: Program Execution (transaction SA38) to start report SECM: Configuration
(SECM_CONFIGURATION).

For more information, see the report documentation.


4. Test the connection.

The connection to SAP HANA Smart Data Streaming can be tested from any of three reports, each of which
provides a Ping Streaming function:

○ SECM: Configuration (SECM_CONFIGURATION)
○ SECM: Push master data to ESP (SECM_MASTER_DATA_2_ESP), also available as transaction code SECM_MD_2_ESP
○ SECM: Push logs to ESP (SECM_LOG_2_ESP)

Use ABAP: Program Execution (transaction SA38) to start the report. Ping Streaming sends a request to the web
service (SWS or WSP) and reports whether the connection is configured correctly. For more information, see the
report documentation.
5. Perform an initial load of the user and system context information.

To interpret the logs, all users involved in potential log events must be known to SAP Enterprise Threat
Detection. This report sends all user master data to SAP Enterprise Threat Detection, where the data is
collected and all user IDs belonging to the same natural person are combined into one user context. This user
context is then given a pseudonym, which is displayed in the user interfaces of SAP Enterprise Threat
Detection.

For more information, see the documentation about user context and pseudonymization in the SAP
Enterprise Threat Detection Operations Guide.
a. Use ABAP: Program Execution (transaction SA38) to start report SECM: Push master data to ESP
(SECM_MASTER_DATA_2_ESP).
b. Send HR and header data.
c. Send user system data.
d. Send implemented notes data.
e. Send object authorization data.
f. Send object directory data.
g. Send system data.

Tip
If you use SAP Identity Management for identity management in your system landscape, we
recommend that you use SAP Identity Management as your single source of truth for user context
information instead. For more information, see Synchronizing User Context Information from an Identity
Management System [page 111].

For more information, see the report documentation.
6. Configure background jobs to run SECM_LOG_2_ESP and SECM_MASTER_DATA_2_ESP regularly.

Assign a technical user to run the batch jobs.

We recommend that you run SECM_LOG_2_ESP once per minute.

We recommend that you run SECM_MASTER_DATA_2_ESP once per day.

For more information, see Background Processing in the documentation for SAP NetWeaver AS for ABAP.

4.1 List of Logs of SAP NetWeaver AS for ABAP

The following is a list of logs monitored by SAP Enterprise Threat Detection and a short description of the data the
logs contain. Described is also how this log data is sent from SAP NetWeaver AS for ABAP to SAP HANA Smart
Data Streaming and SAP HANA.

Note
Not all these logs are enabled by default. The log provider only sends data for logs that have been enabled.

For more information about enabling logs, see the documentation for the logs in the documentation for SAP
NetWeaver AS for ABAP on SAP Help Portal at http://help.sap.com/nw_platform.

In table SECM_LOGS, you specify which logs are sent to SAP HANA Smart Data Streaming and SAP HANA. SAP
NetWeaver AS for ABAP pushes the log data to SAP HANA Smart Data Streaming with the report SECM: Push
logs to ESP (SECM_LOG_2_ESP). The table below shows for which logs the default setting in table SECM_LOGS is
TRUE.

For more information about how to configure the table and run the report, see the report documentation
(transaction SA38).

Table 21: Logs of SAP NetWeaver AS for ABAP Monitored by SAP Enterprise Threat Detection

Business Transaction Log (monitored by default: Yes)
Also known as ABAP statistics records, this is a log of system activities. Every dialog step is logged and
recorded with technical information, such as response time, transaction code, or CPU time. Business
Transaction Analysis data is logged by default; check that the ABAP profile parameter stat/level is set to 1.
For more information, see http://help.sap.com/saphelp_nwes73/helpdata/en/3d/7b5f3c31727d59e10000000a114084/frameset.htm
and https://wiki.scn.sap.com/wiki/display/SRM/STAD+-+ABAP+Business+Transaction+Analysis.

Change Document Log (monitored by default: Yes)
Records changes to business objects. Many applications use change documents to log changes to their
(business) objects. Select the object types you are interested in. We recommend that you at least provide the
data for the object SECURITY_POLICY to SAP Enterprise Threat Detection, because it carries the changes to
ABAP profile parameters with security relevance; several attack detection patterns rely on the events about
changes to security policies.
To select which change document objects to monitor, use the table view SECM_CDLOG_FILT. For each document
object, set the status to Active and specify whether the time sent with the log is UTC or system time.
For more information, see http://help.sap.com/saphelp_nwes72/helpdata/en/c7/69bccff36611d3a6510000e835363f/content.htm.

Gateway Log (monitored by default: No)
Monitors the activities of the SAP Gateway, which provides the TCP/IP-based RFC services through which SAP
systems and external programs communicate with one another. A correct configuration of the gateway is of
critical importance for the overall security of an SAP system.
Enable logging of SAP Gateway activities by setting the ABAP profile parameter gw/logging, see
http://help.sap.com/saphelp_nw73/helpdata/en/48/b2a710ca1c3079e10000000a42189b/content.htm.

Note
● Requires the gateway log adapter.
● To send data from the gateway log, configure the SAP Start Service in the ABAP report SECM:
Configuration (SECM_CONFIGURATION) or transaction code SECM_CONFIGURATION. For more information,
see http://help.sap.com/saphelp_nw73/helpdata/en/48/ace6623b1e35bae10000000a42189d/content.htm.

HTTP Server Log (monitored by default: No)
Logs HTTP requests to or from SAP NetWeaver AS for ABAP. The HTTP server log is not enabled by default;
configure HTTP logging explicitly.

Note
To send data from the HTTP server log, configure the SAP Start Service in the ABAP report SECM:
Configuration (SECM_CONFIGURATION) or use transaction code SECM_CONFIGURATION. For more information,
see https://help.sap.com/saphelp_nw74/helpdata/en/48/406e93ca2331c3e10000000a42189d/content.htm.

Read Access Log (monitored by default: No)
Logs read access to data that has been categorized as sensitive by legal requirements, by external company
policy, or by internal company policy. Read Access Logging is not active by default and is only switched on for
specific use cases.
Currently, no pattern delivered with SAP Enterprise Threat Detection depends on read access log data. Keep in
mind that you have to configure which read access log data to monitor.
If you want to monitor the Read Access Log, ensure that you have implemented SAP Note 2041961 and follow
these steps:
1. In transaction SRALMANAGER, configure what needs to be logged. For more information, see
http://help.sap.com/saphelp_nw74/helpdata/en/54/69BBEAB2E94C93B9031584711D989D/frameset.htm.
2. In table SECM_RAL_CFG (accessible via transaction code SM30), specify the log domains (software
components) that should be logged.
3. In table SECM_LOGS, set the status of Read Access Log to TRUE.

Security Audit Log (monitored by default: Yes)
Logs security-related events on SAP NetWeaver AS for ABAP. The system records events such as unsuccessful
logon attempts, the starting of transactions or reports, or changes to user master records for your analysis.
Note that the Security Audit Log must be switched on (profile parameter rsau_enable) and configured as a
static configuration that logs all events for all users and all clients. If this is the case, the log data is
transmitted to SAP Enterprise Threat Detection.
For more information, see http://help.sap.com/saphelp_nwes72/helpdata/en/b6/d6af856bc011d1a56c0000e835363f/content.htm.

System Log (monitored by default: Yes)
Logs all system errors, warnings, user locks due to failed logon attempts from known users, and process
messages. The system log is switched on by default.

Note
To send data from the system log, configure the SAP Start Service in the ABAP report SECM: Configuration
(SECM_CONFIGURATION) or use transaction code SECM_CONFIGURATION. For more information, see
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/c7/69bcbaf36611d3a6510000e835363f/frameset.htm and
http://help.sap.com/saphelp_nwes72/helpdata/en/1f/8311784bc511d189750000e8322d00/frameset.htm.

User Change Log (monitored by default: Yes)
Logs all changes made directly to the authorizations or profiles of users, as well as changes to the user
password, the user type, the user group, the validity period, and the account number. Keep in mind that you
have to configure for which clients to monitor user changes.
For more information, see https://help.sap.com/saphelp_nw70ehp2/helpdata/en/c7/69bcd8f36611d3a6510000e835363f/content.htm.
To select which clients to monitor, maintain table SECM_UCL_CLIENTS. For more information, see SAP Note
2215748.

4.2 Providing Read Access Log and Security Audit Log by Immediate Log Transfer

Immediate log transfer is possible for the Read Access Log and the Security Audit Log using an API on the kernel
level of SAP NetWeaver AS for ABAP.

Prerequisites

This feature is available with SAP_BASIS 7.52 or higher with kernel 7.53 or SAP_BASIS 7.69 or higher with kernel
7.53.

Ensure that you do not transfer any logs twice. If you have configured your SAP NetWeaver AS for ABAP to send
log data using the SECM_LOGS table, you should set the value to FALSE for the respective logs.

Context

To use this method of log transfer, you configure a few profile parameters.

Procedure

1. In the log providing system, enter transaction code RZ11.

Note that a value set in RZ11 is only valid until the application server is restarted. To make it permanent,
enter it in the profile of the application server.
2. Set etd_event_sender/enable to the value on.
3. In the etd_event_sender/server parameter, specify the host and port of the log learning adapter on SAP
HANA Smart Data Streaming and the protocol to be used (default: UDP).
4. (Optional) Specify the SSL configuration. Plain UDP sends the log data unencrypted and without delivery
guarantee, so we recommend protecting this connection with TLS as well.

4.3 Ensuring SAP Start Service Can Access the Gateway and HTTP Server Logs

Depending on your SAP NetWeaver AS for ABAP release, the SAP Start Service may not be able to access the
gateway log or the HTTP server log. To enable access, modify the profile of SAP NetWeaver AS for ABAP.

Context

To let the SAP Start Service find the logs, add the prefix dev_ or the suffix .log to the log file names. You
change the log file names by setting profile parameters.

As an alternative, you can patch the SAP Start Service. Implement SAP Note 877795 and see item 98 in the text
of the SAP Note.

You can also configure the SAP Start Service for authentication with X.509 certificates in SECM_LOG_2_ESP. To do
so, ensure that SAP Note 2367684 is implemented, ensure that the SAP Start Service is enabled for HTTPS, and
exchange certificates between your SAP NetWeaver AS ABAP and the SAP Start Service.

Procedure

1. Start Maintain Profile Parameters (transaction RZ11).


2. Edit or add the profile parameters as shown in the following table:

Table 22: Profile Parameters for the Gateway and HTTP Server Logs

Log Name          Profile Parameter       Example Entry
Gateway Log       gw/logging              Prefix: LOGFILE=dev_gw_log-%y-%m-%d
                                          Suffix: LOGFILE=gw_log-%y-%m-%d.log
HTTP Server Log   icm/HTTP/logging_<X>    Prefix: dev_http_log-%d
                                          Suffix: http_log-%d.log

Note
<X> is an index that lets you create logs with different configurations.

Do not specify a path for parameter LOGFILE. For parameter LOGFORMAT, specify LOGFORMAT=%h %l %u %t "%r" %s %b,
which is the default format CLF. You can also enter another valid value.

You have changed the required profile parameters in system memory. However, your changes are lost after
the next restart unless you include them in the profile.

3. Start Edit Profiles (transaction RZ10).


4. Select a profile and version.
For example, the default profile and the newest version.
5. Select the Extended maintenance option and choose Change.
6. Edit or add the profile parameters as shown in the previous table.
7. Save your entries.
8. In transaction SECM_CONFIGURATION under Configuration for SAP Start Service, select Certificates and
specify the client identity that is maintained in STRUST.

Results

You have updated the profile parameters in system memory. Since you have also updated the profiles for the
system, these settings also apply after SAP NetWeaver AS for ABAP restarts.

4.4 Providing Logs from SAP NetWeaver Application Server for ABAP by File Transfer

Sometimes there is no direct connection between the log provider and SAP Enterprise Threat Detection. For such
use cases, we provide a file transfer process for exporting and importing logs.

Prerequisites

For your log providing system, you have implemented SAP Notes 2155046 and 2130073.

Context

Examples of such use cases include the following:

● Security policies forbid a direct connection between networks.


● You want to import historical data for forensic research.
● You are evaluating SAP Enterprise Threat Detection as part of a proof-of-concept.

Procedure

1. On SAP HANA Smart Data Streaming, install and configure the project
sap.secmon.esp.esp_projects.pull_events_from_file.
a. Import the project.

For more information, see Importing the SAP HANA Smart Data Streaming Projects for SAP Enterprise
Threat Detection [page 24].
b. Configure the project.

For the parameter FileSourceEvent, provide the path of the directory in which the project expects to find the
event log data. The project reads from this directory every 5 seconds.
c. Bind the project.

Provide the binding details:

Binding Type: Output (the project passes its events on to transfer_log_event, as the other input projects do)

Binding Name: LogEventIn

Local stream/window: LogEventIn

Cluster: User specific

Remote stream: LogEventIn

Workspace: default

Project: transfer_log_event
d. Compile the project.

Run the following command:

<Installation_directory_of_SAP_HANA>/<SID>/streaming/STREAMING-1_0/streamingcompiler -i <project_name>.ccl -o bin/<project_name>.ccx
e. Deploy the project to the cluster workspace.

For more information, see Configuring and Deploying Projects to the Cluster Workspace [page 33].
2. On SAP NetWeaver AS for ABAP configure the log provider with report SECM: Download logs
SECM_LOG_2_SERVER_FILE.

You specify the logical file path in transaction FILE. For more information, see the report documentation.
3. Configure the logs to read in the Display View (transaction SM30) for table SECM_LOGS.
4. Configure background jobs to run SECM_LOG_2_SERVER_FILE.

Assign a technical user to run the batch jobs.

For more information, see Background Processing in the documentation for SAP NetWeaver AS for ABAP.
5. Regularly transfer the copied logs from the target directories of SECM_LOG_2_SERVER_FILE to the
monitored directories of the SAP HANA Smart Data Streaming project.

To avoid information disclosure or unauthorized access to the log data, restrict access to both sets of
directories accordingly.

5 Providing Logs from SAP NetWeaver Application Server for Java

To consume logs from SAP NetWeaver Application Server for Java (SAP NetWeaver AS for Java), configure SAP
NetWeaver AS for Java.

Prerequisites

● Your release of SAP NetWeaver AS for Java supports connection to SAP Enterprise Threat Detection.
● You have logged on with a user on SAP NetWeaver AS for Java with the required authorizations.
● You have the user ID and password of the SAP Host Agent.
● To use transport layer security (TLS), configure trust between SAP NetWeaver AS for Java and SAP HANA
Smart Data Streaming.

Tip
We recommend that you protect the data connection with TLS.

For more information, see Encrypting Communication Between Log Providers and the Web Service
Provider [page 104].

Procedure

Implement SAP Note 2372375.

As described in the note, use SAP NetWeaver Administrator to generate HTTP destinations and configure the
properties of the application etd_logextraction. Then you configure reading of system and user context,
activate, and test your settings. Then you schedule two jobs in the Java Scheduler.

With this note, the user and system context data is sent to SAP Enterprise Threat Detection with the logs from
SAP NetWeaver Application Server for Java. To interpret the logs, all users involved in potential log events must
be known to SAP Enterprise Threat Detection. All user IDs belonging to the same natural person are combined
into one user context. This user context is then given a pseudonym, which is displayed in the user interfaces of
SAP Enterprise Threat Detection.

The system context contains the information about the installed software components of SAP NetWeaver
Application Server for Java and their patch level.

5.1 List of Logs of SAP NetWeaver AS for Java

The following is a list of logs monitored by SAP Enterprise Threat Detection and a short description of the data the
logs contain.

Table 23: Logs of SAP NetWeaver AS for Java Monitored by SAP Enterprise Threat Detection

Security Log
This file contains the log entries of a number of security-related services, including authentication, the
destination service, user management, the virus scanner interface, web services, and successful and failed
user logons and logoffs.

Security Audit Log
The security audit log contains security events, such as successful and failed user logons and the creation
or modification of users, groups, and roles.

HTTP Access Log
The HTTP access log contains entries about client requests over HTTP/HTTPS to the AS Java. Its log extractor
is disabled by default. HTTP access logs can be written in the Common Log Format (CLF) or in the SAP format,
and the log extractor has to be configured accordingly. We recommend the CLF format, because its entries
contain information about the user who accessed a specific resource.

6 Providing Logs from SAP HANA

SAP Enterprise Threat Detection can consume audit trails from SAP HANA in syslog format.

Prerequisites

You have installed the log learning adapter on SAP HANA Smart Data Streaming.

For more information, see Installing SAP Enterprise Threat Detection on SAP HANA Smart Data Streaming [page
22].

Procedure

1. Configure SAP HANA to write an audit trail of the syslog type.

For more information, see Audit Trails in the documentation for SAP HANA on SAP Help Portal.
2. Configure the host operating system of SAP HANA to send the data to the port of the log learning adapter on
SAP HANA Smart Data Streaming.

For more information, see the product documentation of your operating system.

7 Providing Logs from Other Systems with Log Learning

SAP Enterprise Threat Detection can process text-based logs to monitor other types of systems. Configure the
system to send the log to SAP HANA Smart Data Streaming and use the Log Learning application to teach SAP
Enterprise Threat Detection how to interpret the events in the log.

Context

Log Learning allows you to normalize such log data into the semantic data model of SAP Enterprise Threat
Detection with its semantic events and attributes. This normalization then enables analyses and correlations
across log sources. If you want to familiarize yourself with the semantic events and attributes, see
https://blogs.sap.com/2016/05/18/introduction-to-semantic-events-and-attributes/.

The Log Learning application analyzes each entry in the log to find elements like variables and key-value lists. It
represents the discovered elements as what are called annotations. For example, a timestamp is represented by
the annotation <Timestamp>. During analysis each log entry is analyzed into a sequence of annotations, which
might be interspersed with fixed text. This sequence is called the markup for the log entry. Entries with the same
markup are grouped together, and are considered to be instances of the same entry type. The entry type is
essentially a technical artefact with an ID. As a user, you work with the markup to specify how to normalize the log
entry type to the semantic data model of SAP Enterprise Threat Detection.

7.1 Log Layouts Supported by Log Learning

SAP Enterprise Threat Detection differentiates between structured logs, logs with key-value lists, and free-text
logs.

Structured Logs

Structured logs have a regular structure with a fixed number of elements per log entry, separated by a fixed
separator. When reading the log, everything that appears before the structured list is the header. The following is
an example of an entry from a structured log with 25 positions and a timestamp in the header. The separator in
this example is the space character.

2016-07-18 19:06:49 499 10.11.111.222 TCP_TUNNELED 200 4509 CONNECT - - us1.hana.ondemand.com - 123 123 111.222.3.11 tcp 0 111.222.1.11 - 123.222.1.11 OBSERVED Technology/Internet "Apache-HttpClient/4.3.6(java1.5)" - VMSAMPLE--HTTP-Service tcp://us1.hana.ondemand.com:111/ /

This instance results in the following markup: <Timestamp><StructuredList>. Within the structured list, there
are 25 positions, numbered from 0 to 24.

Let's say there is the following second instance:

2016-07-18 19:06:57 980 10.11.1.254 TCP_ERR_MISS 503 185 CONNECT - - connectivity.netweaver.ondemand.com - 443 200 111.121.6.11 tcp 0 147.204.6.18 - 147.204.6.18 DENIED Technology/Internet "AccAD" - VMSAMPLE-HTTP-Service tcp://connectivity.netweaver.ondemand.com:111/ /

This instance would be grouped with the first one in the same markup to be processed together.

Logs with Key-Value Lists

A log may start with a header (for example a timestamp), followed by a list of key-value pairs. The elements in a
key-value list are not just listed one after another and separated by a separator, but each element consists of a
key-value pair, in which the key describes the content of the element, followed by its value. Key-value lists have a
separator between the key and the value, and they have a key-value pair separator between the individual key-
value pairs. Just like with structured logs, there may be a header in front of the key-value list. If your log matches
these criteria, you should learn it as a key-value list log and specify the separator and the key-value list separator.
When working with key-value lists, keep the following in mind:

● The separator and the key-value pair separator must not be part of the header.
● Key-value pairs may appear in any order in a log entry.
● A particular key may only appear once per log entry.
● Space characters ( ) before or after the separators are optional.
● Values may be surrounded with single quotation marks ('…') or double quotation marks ("…").
For example: key='value' or key="value"
The separator between key and value, like the equals sign (=), can appear within the quotation marks. The
separator between the key-value pairs, such as a comma (,) can also appear within the quotation marks.
For example: key1="value=3", key2="INSERT,DELETE"
● If you want to learn such a log with the log learning application, you must identify a set of keys that is unique to
this log and present in each log entry. This combination of elements defines the log entry type.
For example, a Sophos proxy log includes the keys sav-ev and sav-dv, which are used as identifiers. For a
McAfee firewall log, the keys date, fac, area, type and pri are always available and used as identifiers.
● Apart from the keys used for identification of a log type, all keys are optional.
Keys not assigned with log learning and not in the sample logs can appear in logs at runtime, but SAP
Enterprise Threat Detection does not extract the relevant values. Therefore, make sure to use a sufficiently
large sample for log learning.

The following is an example of an instance with a key-value list:

HEC01-NAT-cmdb; service_id: g_http_8443; dst: 111.222.000.00; proto: tcp; xlatedst: 11.22.33.44; NAT_rulenum: 33; NAT_addtnl_rulenum: 1; product: VPN-1 & FireWall-1; service: g_http_8443; s_port: 49166; product_family: Network;

This instance results in the following markup: <Var> <KeyValue.List>

In the key-value list, there are the following keys: service_id, NAT_rulenum, NAT_addtnl_rulenum, product, service,
s_port, product_family, proto, dst, xlatedst
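As an added illustration (not SAP code and not part of this guide), the following Python sketch parses a key-value list the way the rules above describe: separators inside quoted values are ignored, a key may appear only once, the header is whatever precedes the first key, the entry type is recognized by its identifying keys (the same idea as the identifying keys chosen later in Log Learning), and only keys present in the learning sample are extracted. The entry types, the learned key sets and the sample lines are constructed; only the identifying key names for the Sophos and McAfee logs come from the text.

```python
import re
from typing import Dict, List, Optional, Tuple

# Entry types as they could look after learning: the identifying keys that must all be present
# and the keys seen in the learning sample. Constructed for this example; only the identifying
# key names for the Sophos and McAfee logs are taken from the guide.
ENTRY_TYPES: Dict[str, Dict[str, set]] = {
    "sophos_proxy": {"identifying": {"sav-ev", "sav-dv"},
                     "learned": {"sav-ev", "sav-dv", "url", "action"}},
    "mcafee_firewall": {"identifying": {"date", "fac", "area", "type", "pri"},
                        "learned": {"date", "fac", "area", "type", "pri", "src", "dst"}},
}

# Constructed sample entries using '=' between key and value and ',' between pairs.
SAMPLE_LOG = [
    # quoted values may contain both separators
    'proxy01 sav-ev="4.5.6", sav-dv="2017.09.14", url="http://example.test/a?b=1,c=2", action="pass"',
    # "msg" was not in the learning sample, so it is parsed but not extracted
    "fw01 date=2017-09-14T09:03:58, fac=f_kernel_ipfilter, area=a_general_area, type=t_attack, "
    "pri=p_major, src=10.0.0.5, dst=10.0.0.9, msg='rule=deny_all'",
    # no identifying-key set matches: this entry would end up in Unrecognized Logs
    "host03 foo=1, bar=2",
]


def _split_outside_quotes(text: str, sep: str) -> List[str]:
    """Split at the one-character separator sep, ignoring it inside '...' or "..."."""
    parts, buf, quote = [], [], None
    for ch in text:
        if quote is None and ch == sep:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
        if quote is None and ch in "'\"":
            quote = ch
        elif ch == quote:
            quote = None
    parts.append("".join(buf))
    return parts


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_key_value_entry(entry: str, kv_sep: str, pair_sep: str) -> Tuple[str, Dict[str, str]]:
    """Split one entry into (header, pairs). The header is everything before the first key,
    where a key is a run of non-separator, non-blank characters followed by optional spaces
    and kv_sep; this relies on the rule that neither separator occurs inside the header."""
    cls = re.escape(pair_sep) + re.escape(kv_sep)
    first_key = re.search(r"[^\s%s]+\s*%s" % (cls, re.escape(kv_sep)), entry)
    if first_key is None:
        return entry.strip(), {}
    header = entry[: first_key.start()].strip().rstrip(pair_sep).strip()
    pairs: Dict[str, str] = {}
    for token in _split_outside_quotes(entry[first_key.start():], pair_sep):
        token = token.strip()
        if not token:  # for example a trailing pair separator
            continue
        key, *rest = _split_outside_quotes(token, kv_sep)
        if not rest:
            raise ValueError("no key-value separator in %r" % token)
        key = _unquote(key.strip())
        if key in pairs:
            raise ValueError("key %r appears twice; a key may appear only once per entry" % key)
        pairs[key] = _unquote(kv_sep.join(rest).strip())
    return header, pairs


def classify_entry(pairs: Dict[str, str]) -> Optional[str]:
    """Return the entry type whose identifying keys are all present, or None."""
    for name, spec in ENTRY_TYPES.items():
        if spec["identifying"].issubset(pairs):
            return name
    return None


def normalize_entry(entry: str, kv_sep: str, pair_sep: str) -> Dict[str, object]:
    """Extract only the learned keys and report the keys the sample did not contain."""
    header, pairs = parse_key_value_entry(entry, kv_sep, pair_sep)
    entry_type = classify_entry(pairs)
    learned = ENTRY_TYPES[entry_type]["learned"] if entry_type else set()
    return {
        "entry_type": entry_type,
        "header": header,
        "extracted": {k: v for k, v in pairs.items() if k in learned},
        "unlearned": sorted(k for k in pairs if k not in learned),
    }


def normalize_log(lines: List[str], kv_sep: str, pair_sep: str) -> List[Dict[str, object]]:
    return [normalize_entry(line, kv_sep, pair_sep) for line in lines]
```

The "unlearned" list is what a too-small learning sample costs you: those keys arrive at runtime but their values are never extracted.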

Free-Text Logs

A free-text log is a mixture of fixed text, variables, and the following type of key-value list, separated by the =
character :

key=value
key= value
key =value
key = value
key="value"
key= "value"
key ="value"
key = "value"
"key"="value"
"key" ="value"
"key"= "value"
"key" = "value"

The following is an example of an instance of a free-text log:

<30>Jan 9 09:49:01 ld3796.wdf.tst inetd[36639]: 10.10.10.10 test t=1,t2=3,t3=t5

This results in the following markup:

<<Integer>><Timestamp> <Host> <Syslog>: <IP.IP> test <KeyValue.List>

The key-value list in this markup has the following keys: t, t2, t3.

JSON Logs

Logs in JSON format are also supported by SAP Enterprise Threat Detection, and they are considered free-text
logs in the log learning application. Note that the JSON part of a log line can be preceded by a header, i.e. it does
not have to be pure JSON. In the example below, there is a header with a timestamp in the JSON log:

2017-02-21T09:03:58.569+0000 {"rbkey\"/\"test":"just for test","custom":{"message":"This is a message."}}

Other Log Types

There are naturally other log types that SAP Enterprise Threat Detection cannot parse in this release. For
example:

● Logs with deep structure, for example, XML.
● Logs with events spread over multiple lines
An example of this type of log is the Windows Event Log.

Logs can also be a hybrid of multiple types. Hybrid logs sometimes occur because various instances use different
infrastructures to collect and report log data.

7.2 Overview Procedure of Providing Logs from Other Systems

This chapter gives an overview of how to provide logs from other systems. It outlines how to use the Log Learning
application to teach SAP Enterprise Threat Detection to interpret and normalize log data.

Prerequisites

The source system must be able to provide text-based logs.

● For example, syslog is a standard for log data. The log learning adapter interprets logs in UTF-8.
For more information about syslog, see RFC 5424: The Syslog Protocol.
● You have installed the log learning adapter on SAP HANA Smart Data Streaming.
For more information, see chapter Installing SAP Enterprise Threat Detection on SAP HANA SDS in the SAP
Enterprise Threat Detection Implementation Guide.
● The log provider must be able to send the data to the port of the log learning adapter on SAP HANA Smart
Data Streaming.
For more information about supported log formats, see Log Layouts Supported by Log Learning [page 80].

Context

The following is an overview of the steps required to provide logs from other systems. Details are provided in the
sections that follow.

Procedure

1. Either generate sample log data in the log provider system and save it as a text file, or use a log from the
Unrecognized Logs application, which is accessible from the launchpad of SAP Enterprise Threat Detection.
For the detailed procedure, see Loading Sample Logs [page 85].
The sample should include as many types of events that you want to monitor as possible. This is especially
important for logs with key-value lists, because during the staging of the log entries, only the keys present in
the sample log will be learned. Keys not included in the sample log will not be normalized.
2. Use the sample log data with the assistance of the Log Learning and Knowledge Base applications to teach
SAP Enterprise Threat Detection how to normalize the log data.

The following figure illustrates the log learning process. It is an iterative process that requires testing several
runs through before the log can be used productively. Once you are successful, you synchronize the rules you
have taught SAP Enterprise Threat Detection with the adapter in SAP HANA Smart Data Streaming. For a
detailed procedure, see Parsing and Normalizing Markups [page 86] and its subchapters.

Figure 6: Process for Log Learning
3. Configure the log provider to regularly send the log data to the port of the log learning adapter in SAP HANA
Smart Data Streaming.
For more information, see the documentation of your log provider system.

Results

SAP Enterprise Threat Detection processes log data from the log provider and saves them as events in the
database. Log entries that cannot be parsed according to these productive rules are saved as unrecognized logs
in a separate table in the database. You can access them through the Unrecognized Logs tile in the launchpad of
SAP Enterprise Threat Detection. You can think of these unrecognized logs as a type of worklist. If you have
completed learning the logs you receive, this list should be empty.

7.3 Loading Sample Logs

The first step in learning a new log is loading sample log data into SAP Enterprise Threat Detection. Or you can use
the unrecognized logs as a worklist for learning a new log.

Prerequisites

You have a sample log available or there are logs in the Unrecognized Logs tile in the launchpad of SAP Enterprise
Threat Detection.

If the source system cannot provide a text file, you can develop a project on SAP HANA Smart Data Streaming to
import the log data. We provide a sample implementation that you can modify. For more information, see
Configuring and Deploying structured_event_import_from_file [page 53].

Procedure

1. From SAP Enterprise Threat Detection launchpad, in the Log Learning tile, choose Runs. Alternatively, choose
the Unrecognized Logs tile.

On the Unrecognized Logs user interface, use the filter options to select the log events that you want to
include.

2. Choose Create.
3. Enter the name of the run and, optionally, a description.
4. Specify the log layout. For more information, see Log Layouts Supported by Log Learning [page 80].

If your sample is from a key-value log, specify the separator and the key-value pair separator. If it is from a
structured log, specify the separator.

Note that if you choose Free Text and your log contains a key-value list, the Log Learning application will
recognize the equal sign ( = ) as a separator between keys and values, and the , (comma) as the separator
between the key-value pairs.
5. If you are working with a sample log in the Log Learning application, specify the location of the file.
6. Choose Create.

Results

Loaded logs have the status Open until SAP HANA Smart Data Streaming reads and processes the log data. When
SAP HANA Smart Data Streaming is finished, the status of the log run changes to Successful.

7.4 Parsing and Normalizing Markups


In the staging area, you teach SAP Enterprise Threat Detection how to parse and normalize sample log data into
individual semantic events and attributes.

Prerequisites

You have loaded sample log data into the Log Learning application. The log run has the status Successful.

Context

As explained in Log Layouts Supported by Log Learning [page 80], Log Learning creates a markup for each type of
log entry it finds in the sample data. Each such entry type is assigned an identifier that associates the markup with
the assignments explained below as well as with the rules generated by the log learning process.

As shown in the left part of the following figure, the markup groups together all the instances of the entry type,
and contains annotations, for example, a timestamp followed by a structured list with seven positions. The right
part of the figure shows the assignments you make in the Log Learning application: You first assign a log type to
the markup. The log type is a way to group the entry types that come from the same log source, in case you are
processing sample data from multiple sources, for example, data from an SSH server plus data from a firewall.
After assigning the log type, you assign a semantic event to each markup. Assigning a semantic event reduces the
semantic attributes available for the next step: only attributes associated with the assigned event are available.
After assigning an event, you can assign the annotations (in this example eight) to semantic attributes. You can
also specify how to transform values from an instance before writing them into a semantic attribute.

The following is an overview of the log learning process. See the detailed procedures in the sections that follow.

Procedure

1. From SAP Enterprise Threat Detection launchpad, in the Log Learning tile, choose Runs.
2. Choose a run name.
3. For each markup, assign a log type and a semantic event. For a detailed procedure, see Assigning Log Types
and Semantic Events to Markups [page 87].
4. For each event, map the annotations of the markup to the corresponding attributes. For a detailed procedure,
see Assigning Semantic Attributes to Annotations [page 89].
5. Optionally, work with value mapping and constant values. For detailed procedures, see Parsing Markup with
Value Mapping [page 92] and Parsing Markup With Constant Values [page 100].
6. Repeat steps 3 and 4 (and maybe 5) for each of the rows in the table of markups.
7. Save your entries.

Results

Test the results before making your configuration productive.

7.4.1 Assigning Log Types and Semantic Events to Markups

When learning new logs, SAP Enterprise Threat Detection groups similar log entries with markup. For each
markup grouping, assign a log type and a semantic event.

Prerequisites

The log type and semantic event exist in the knowledge base.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Runs in the Log Learning tile.
2. Choose a run name.
3. Select a row in the Markup column.
4. For each markup, assign a log type in the Log Type column.

In this step, for each group of log entries identified by a markup, you assign the type of log from which the log
entries came. If a file contains data from multiple logs, this assignment enables the tool to separate the log

types during productive operation. For example, if a system hosted a DHCP server and a firewall and it mixed
those logs into a single syslog file, you would assign different log types to the markup. This assignment
enables SAP Enterprise Threat Detection to identify which log entries came from the DHCP server and which
log entries came from the firewall.
5. For each markup, assign a semantic event in the Event column.

In the Event column, use the F4 help and select the appropriate semantic event. To display the documentation
of the semantic events, choose the (Help) icon. You can use the Search field or breadcrumbs navigation within
the documentation to read up on the concept of semantic events and attributes.

Option: Assign an event.
If you assign an event, you can use this event to profile the behavior of an attacker in the forensic lab.
If you are missing suitable events, use the knowledge base to create a new one or select <No event>.
For more information, see Parsing Markup with Value Mapping [page 92].

Option: Specify dynamic event assignment.
Some markups conceal multiple event types. To separate these individual events within the same markup, use
the event <Dynamic event assignment> in combination with value mapping.
For more information, see Parsing Markup with Value Mapping [page 92] and Example of Dynamic Event
Assignment [page 99].

Option: Ignore the event.
Choose <Ignore> if the log data should not be saved anywhere. Such log events will not appear in unrecognized
logs.

Option: Specify that the event will not be normalized, but saved as it is.
Select <OriginalDataOnly> if you need the log data in its original format only.
Note that with special authorization, events marked as original events can be displayed in the forensic lab. Note
that you can specify a separate retention period for the original data. For more information, see the SAP
Enterprise Threat Detection Operations Guide.

Option: Do not assign an event.
If you do not assign an event, the log data is saved in the database as unrecognized logs. You cannot filter events
or base any charts or patterns on unrecognized data.
The unrecognized log data should serve as a work list and remain empty. If you do not need the event, we
recommend choosing <Ignore>.
Note that you can specify a separate retention period for the unrecognized data. For more information, see the
SAP Enterprise Threat Detection Operations Guide.

6. Save your entries.

7.4.2 Assigning Semantic Attributes to Annotations

When parsing log entries, you first assign semantic attributes to annotations and add identifying keys, in case the
log contains a key-value list. Additionally, you may need to add value mapping. You can also use constant values
to simplify the process of log learning.

Prerequisites

You have assigned a semantic event to the markups you want to process.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Runs in the Log Learning tile.
2. Choose a run name.
3. Select a row in the markup table.

The lower half of the screen displays the details of the log entries that match this markup from the sample log.
The screen is divided into sections as shown in the following table:

Table 24: Log Entry Details

Annotation:Attribute:Identifying Key
The markup is divided into a series of annotations. In this section, you assign attributes to the annotations.

Note
If the annotation is part of a <KeyValueList>, the application also offers an option for choosing identifying
keys. Check the identifying key option to indicate one or more keys that always appear in a log entry and
specifically identify the entry type. The log learning adapter then recognizes all log entries with these
identifying keys as being this entry type. It accordingly normalizes them to the log type, event, and attributes
you specify in log learning when you process the markup of the entry type. The application tests the
identifying key when you choose Activate.

Original Data
In this section, compare the annotations to the actual log entries from which SAP Enterprise Threat Detection
derived them.

4. For each annotation, decide if you want to assign an attribute.

Option: Assign an attribute.
Assigning attributes provides meta information that enables you to classify and use the attributes in the forensic
lab. Use the original data to help you decide the proper attributes.
Note that if you do not assign the Timestamp attribute, SAP Enterprise Threat Detection will add the timestamp
of the time it receives the log data.

Option: Assign more than one attribute.
There might be cases where an annotation must be assigned to more than one attribute. For example, if a system
is both actor and reporter, the system ID and the network hostname might be the same.

Option: Do not assign an attribute.
If you do not assign an attribute, SAP Enterprise Threat Detection does not parse this data. You only find this
data when you examine a log entry in its raw format. You cannot filter events or base any charts or patterns on
these details.

Recommendation
You may be tempted to try and assign an attribute to every single annotation that an event has to offer.
Consider assigning only the attributes you are sure that you need. If you parse log entries too much, you
spend a lot of effort to create details you do not need. At the same time, if you parse too little, the events
you create will not have the details you need to analyze the information you are looking for.

Table 25: Troubleshooting

Problem: None of the attributes match what appears in the annotations of the log entries.
Solution: Use the knowledge base to assign new attributes to the event.
Note
After updating the knowledge base, restart the Log Learning application to access the new entries.

Problem: There are no attributes to assign to the annotation.
Solution:
○ You must assign an event to the type of log entry, before you can assign an attribute.
○ The event must have attributes assigned to it in the knowledge base.

Problem: The parser has broken up a phrase of the log message into too many small annotations.
Solution: One option is to leave the individual parts unassigned as the individual parts have no meaning on their
own. Another option would be to choose the most important part and choose attributes that capture the whole
meaning.
If the parser broke up a message phrase or text into words, try to use the event type to summarize the meaning
of the message.
Another option is to merge two annotations with the help of value mapping, see Examples of Merging
Annotations With Value Mapping [page 93].

Problem: The parser has grouped together too many different parts of the log message.
Solution: One option is to leave the annotation unassigned as there is no single attribute that covers the entire
annotation. Another option would be to choose the most important part of the annotation and make an
assignment based on that part.
Another option is to split one annotation with the help of value mapping, see Example of Splitting Annotations
With Value Mapping [page 97].

5. If a word has not been detected as <var>, you can change it into a variable by selecting it with your mouse
and choosing toggle into var. Note that this cannot be undone.
6. Save your entries.

Results

You have assigned the semantic attributes you want to be able to analyze in SAP Enterprise Threat Detection.
Depending on your log, you may need to add value mapping.

7.4.2.1 Changing the Time Zone of Incoming Logs

Events from all logs need to be stored in the database of SAP Enterprise Threat Detection with the same time
zone (we use UTC) to enable meaningful analyses across logs.

Context

Usually, the timestamp of a log includes information about its time zone. If this is not the case, the Log Learning
application assumes that the timestamps use UTC, which is correct most of the time. If your logs use a different
time zone and this time zone is not part of the timestamp, you can modify the timestamp pattern in the log
learning process so that SAP Enterprise Threat Detection can calculate the offset and convert the original
timestamps correctly to UTC.

From SAP Enterprise Threat Detection launchpad, choose Runs in the Log Learning tile.

Procedure

1. Choose the run for which you want to change the time zone.
2. Select a markup in the table.
3. On the Annotations tab in the table below, right-click the header row and select Columns → Pattern from the
context menu to display the Pattern column.

For the timestamp annotation, the pattern is displayed.
4. In the Pattern column, type in the correct time zone at the end of the pattern, for example TZ:CET.

Example
If the time zone of the log is CET (Central European Time) and the pattern of the time zone is MMM d
HH:mm:ss, you type in TZ:CET, so that the pattern is MMM d HH:mm:ss TZ:CET. SAP Enterprise Threat
Detection will then use this information to calculate UTC time.

7.4.3 Parsing Markup with Value Mapping

The parsing performed by log learning may not be able to produce all the granularity of parsing you need. Log
learning provides a value mapping function to enable you to generate rules for a second round of data processing
for the markup of log entries.

Prerequisites

● You have started log learning.
● You have assigned semantic events to the markups you want to parse.
● The attributes exist in the knowledge base.

Context

Use cases of value mapping include the following:

● Dynamic event assignment for structured logs or key-value logs
Sometimes, the semantic event is not constant for all instances of one markup, but depends on the value of
one annotation. For example, the annotation in the markup that indicates whether an HTTP request was
allowed or blocked takes on the values OBSERVED or DENIED. SAP Enterprise Threat Detection provides two
different semantic events depending on these values: Communication, HTTP Request, Allow or
Communication, HTTP Request, Block. In order to assign the correct event at runtime, you first assign
the event <Dynamic event assignment> and then add a value mapping that maps the log entry to these two
semantic events. Find an example in chapter Example of Dynamic Event Assignment [page 99].
● Merging of annotations into one semantic attribute
For example, a file path that includes spaces is detected as a file path and two variables. Another example is
an SAP system ID and client that are separated into two annotations, which you want to merge into the one
semantic attribute system ID with a slash ( / ) in between to get AA1/000. For an example, see chapter
Examples of Merging Annotations With Value Mapping [page 93].
● The log entry includes values that are not human readable.
For example, a log entry includes the values 0, 1, and -1. With value mapping, you can translate these into
True, False, and Undefined. For an example, see chapter Example of Simple Value Mapping [page 95].

● An annotation includes different values, hiding different events or attributes
You can use regular expressions to identify and map these otherwise hidden attributes. For examples, see
chapters Example of Splitting Annotations With Value Mapping [page 97] and Example of Normalizing an
Annotation With Value Mapping [page 96].

Procedure

1. Choose the Value Mapping tab.

2. Select Mapping Rules and choose Create Rule.

The application creates a rule with an index number; for example, Rule 1.

3. Select a rule and choose Create Condition.

The application creates a condition with an index number; for example, Priority 1. Below the condition,
source and target nodes appear.

4. Select a source node and choose Create.

Choosing Create enables you to enter data in the table at the bottom of the screen.
5. For a row, enter an annotation, an operator, and one or more operands.

This entry sets the conditions that define when the rule applies. Rows for the same annotation are joined by
logical OR. Rows with different annotations are joined by logical AND.

Note that you can specify a regular expression if you choose Regex in the Operator column. This is checked
immediately and you can simulate it for the sample file by choosing Simulate Regex. Note that with regular
expressions, only one row is allowed.

6. Select the target node and choose Create.

Choosing Create enables you to enter data in the table at the bottom of the screen.
7. For a row, enter a target value for an attribute when the source condition is true.
8. Save your entries.

7.4.3.1 Examples of Merging Annotations With Value Mapping

Merging a Filepath That was Broken Into Several Annotations Because of Spaces

There is a log entry that contains a file path that appears as follows:

07.10.2015 18:39:36 C:\mydirectory \files \myfiles

The markup appears as: <Timestamp> <FilePath> <Var> <Var>

In Value Mapping, you create a condition with priority 1 as shown in the table below.

Table 26: Example of a Merge Operation in Value Mapping of Unstructured Log

Source
  Annotation: (Select any one of the annotations you want to merge.) filepath
  Operator: Merge
  Operand 1: (Enter all annotations you want to merge, separated by ; (semicolon), and add the number of the
  annotation after each one, i.e. after the first var of a log entry, add 1, add 2 after the second.)
  FilePath1;Var1;Var2
Target
  Attribute Name: Resource Name
  Target Value: =?FilePath1 ?Var1 ?Var2

Merging Two Elements to an Email Address and Adding @

There is a log entry that contains an email address as follows:

2016-01-13T15:02:27.911 firstname.lastname domain.org SEND success 1MB

The markup appears as: <Timestamp> <Var> <Host> <Var>. In Value Mapping, you create a condition with
priority 1 as shown in the table below to combine the elements to an email address containing @ .

Table 27: Example of a Merge Operation in Value Mapping of a Structured Log

Source
  Annotation: (Select any one of the annotations you want to merge.) Var
  Operator: Merge
  Operand 1: (Enter all annotations you want to merge, separated by ; (semicolon), and add the number of the
  annotation after each one, i.e. after the first var of a log entry, add 1, add 2 after the second.) Var1;Host1
Target
  Attribute Name: Resource Name
  Target Value: =?Var1@?Host1

Merging System ID and Client to One Semantic Attribute

There is a log entry that contains a system ID and a client:

2016-01-13T15:02:27.911 sample log from ABAP systemId = AA1 client = 000

The markup appears as: <Timestamp> sample log <Var> <Var> <KeyValue.List>

In Value Mapping, you create a condition with priority 1 as shown in the table below to combine the elements to the
attribute System Type, Actor (AA1/000 in this case).

Table 28: Example of a Merge Operation in Value Mapping of a Log With a Key-Value List

Source
  Annotation: (Select any one of the annotations you want to merge.) key:systemId
  Operator: Merge
  Operand 1: (Enter all annotations you want to merge, separated by ; (semicolon), and add the number of the
  annotation after each one, i.e. after the first var of a log entry, add 1, add 2 after the second.)
  Key:systemId;Key:client
Target
  Attribute Name: System Type, Actor
  Target Value: =?Key:systemId /?Key:client

7.4.3.2 Example of Simple Value Mapping

There is a log entry that represents a truth test that appears as follows:

Dec 2 14:59:50 test01 0
Dec 2 14:59:51 test02 1

The markup appears as: <Timestamp> <Var> <integer>.

In Value Mapping, you create conditions as shown in the table below.

Table 29: Example of a Rule in Value Mapping

Condition    Source                                    Target
             Annotation   Operator   Operand 1        Attribute Name     Target Value
Priority 1   Integer      =          0                Generic Outcome    False
Priority 2   Integer      =          1                Generic Outcome    True
Priority 3   Integer      >          1                Generic Outcome    Unknown
             Integer      <          0                Generic Outcome    Unknown

As a result of this configuration, if a test returns 1 or 0 in the log, the rule converts this entry to True or False,
respectively, in the forensic lab. Any other value returns Unknown.

7.4.3.3 Example of Normalizing an Annotation With Value Mapping

Normalizing a MAC Address Using a Regular Expression

If the MAC address in your log entry does not have the standard format you need in order to correlate all MAC
addresses from other logs, use a regular expression to reformat it. In this example, your log contains a MAC
address as follows: 34A7BB8101F6.

In Value Mapping, you create a condition with priority 1 as shown in the table below.

Table 30: Example of a RegEx Operation to Normalize a MAC Address

Source
  Annotation: (Select the annotation you want to normalize.) Var
  Operator: Regex
  Operand 1: (Enter a regular expression that reformats the MAC address to use : (colons).)
  (?<m1>..)(?<m2>..)(?<m3>..)(?<m4>..)(?<m5>..)(?<m6>..)
  Then you can test the regular expression by choosing Simulate RegEx.
Target
  Attribute: (Specify the semantic attribute.) Network, MAC Address, Actor
  Target Value: (Specify the format.) =?m1:?m2:?m3:?m4:?m5:?m6

The resulting format of the MAC address is 34:A7:BB:81:01:F6.

7.4.3.4 Example of Splitting Annotations With Value Mapping

Splitting Annotations Into Parts Using Regular Expressions and Constant Value

The pseudonymization process of SAP Enterprise Threat Detection uses three elements to identify a user, or
more precisely, to assign a pseudonym to a user:

● username
● username domain name
● username domain type

If not all elements are included in a log, you might need to split one annotation. You can do this using a regular
expression. There is a log entry from a Windows log that contains a user name that appears as follows:

16.04.2015 12:52:51 MYDOMAIN\user012345

The markup appears as: <Timestamp> <Var>

You add a constant value for the semantic attribute Username, Domain Type, Acting, as this is missing from the log entry: On the Constant Value tab, enter Windows Domain as the semantic attribute Username, Domain Type, Acting.

In Value Mapping, you create a condition with priority 1 as shown in the table below.

Table 31: Example of a RegEx Operation to Split Annotations

| Source: Annotation | Operator | Operand 1 | Target: Attribute | Target Value |
|---|---|---|---|---|
| Var MYDOMAIN\user012345 (Select the annotation you want to split.) | Regex | (?<Domain>\S+)\\(?<User>\S+) (Enter a regular expression that splits the Var MYDOMAIN\user012345 into two groups. Then you can test the regular expression by choosing Simulate RegEx.) | User Account Name, Acting (Specify the two missing target values.) | ?User (Specify the corresponding groups.) |
| (same rule) | | | Username, Domain Name, Acting | ?Domain |

This value mapping, together with the constant value, normalizes your log data so that the user can be identified as the triple of username, username domain name, and username domain type, as needed for user pseudonymization.
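The two Regex rules above (Tables 30 and 31) and the constant value, replayed in Python as an added example that is not part of this guide or of SAP Enterprise Threat Detection: the rule structure, the `?group` substitution and the sample values follow the tables, while treating the leading `=` of a target value as an expression marker is an assumption made here.

```python
import re

# Constructed sample values (not taken from a real system). The first is the
# <Var> annotation holding the MAC address, the second is a Windows log line
# whose markup is <Timestamp> <Var>, as in the examples above.
MAC_ANNOTATION = "34A7BB8101F6"
WINDOWS_LOG_LINE = "16.04.2015 12:52:51 MYDOMAIN\\user012345"

# Table 30: one Regex rule. Operand 1 is the regular expression with named
# groups; the Target Value refers to the groups as ?name and inserts colons.
# Assumption: the leading "=" in the Target Value is an expression marker.
MAC_RULE = {
    "operand1": r"(?<m1>..)(?<m2>..)(?<m3>..)(?<m4>..)(?<m5>..)(?<m6>..)",
    "targets": {"Network, MAC Address, Actor": "=?m1:?m2:?m3:?m4:?m5:?m6"},
}

# Table 31: one Regex rule that fills two semantic attributes from two groups.
SPLIT_RULE = {
    "operand1": r"(?<Domain>\S+)\\(?<User>\S+)",
    "targets": {
        "User Account Name, Acting": "?User",
        "Username, Domain Name, Acting": "?Domain",
    },
}

# Constant Values tab: the third element of the pseudonymization triple,
# which the Windows log does not carry.
CONSTANT_VALUES = {"Username, Domain Type, Acting": "Windows Domain"}


def to_python_regex(operand1):
    """The guide writes named groups as (?<name>...); Python needs (?P<name>...)."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", operand1)


def apply_regex_rule(rule, annotation_value):
    """Match Operand 1 against the whole annotation value and fill each target
    attribute by substituting the ?group references in its Target Value.
    Returns {} when the annotation does not match, so nothing is assigned."""
    match = re.fullmatch(to_python_regex(rule["operand1"]), annotation_value)
    if match is None:
        return {}
    groups = match.groupdict()
    result = {}
    for attribute, target_value in rule["targets"].items():
        expression = target_value.lstrip("=")
        result[attribute] = re.sub(r"\?(\w+)", lambda m: groups[m.group(1)], expression)
    return result


def normalize_mac(annotation_value):
    """Return the colon-separated MAC address, or None when the value does not
    have the twelve-character form the rule can reformat."""
    return apply_regex_rule(MAC_RULE, annotation_value).get("Network, MAC Address, Actor")


def split_windows_user(log_line):
    """Split the <Timestamp> <Var> line, apply the split rule to <Var> and add
    the constant value; the result carries all three pseudonymization elements."""
    timestamp, var = log_line.rsplit(" ", 1)
    attributes = {"Timestamp": timestamp}
    attributes.update(apply_regex_rule(SPLIT_RULE, var))
    attributes.update(CONSTANT_VALUES)
    return attributes


def pseudonymization_triple(attributes):
    """The (username, domain name, domain type) triple used to assign a pseudonym."""
    return (
        attributes.get("User Account Name, Acting"),
        attributes.get("Username, Domain Name, Acting"),
        attributes.get("Username, Domain Type, Acting"),
    )


if __name__ == "__main__":
    print(normalize_mac(MAC_ANNOTATION))  # 34:A7:BB:81:01:F6
    print(pseudonymization_triple(split_windows_user(WINDOWS_LOG_LINE)))
```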

7.4.3.5 Example of Value Mapping With Arithmetic Functions

You can use simple arithmetic functions such as building sums of annotations, multiplying annotations by numbers or other annotations, or initializing a value by setting it to zero.

Converting a Time Duration

You might have logs that use different units for the duration of time, which makes comparisons between them difficult or impossible. We recommend that you decide which unit is most common or suitable for you and convert the logs that use a different one with the help of value mapping. In this example, your log includes durations in seconds, which you want to convert to milliseconds.

The markup includes the following key-value pair: duration: <Integer>.

You add a value mapping as shown in the table below. It defines that, if the value of this <Integer> is greater than
0, it will be multiplied by 1000. For example, the value "3" in seconds in the original log will be converted to "3000"
milliseconds.

Table 32: Example of Converting a Time Duration From Seconds to Milliseconds

| Condition | Source: Annotation | Operator | Operand 1 | Target: Attribute | Target Value |
|---|---|---|---|---|---|
| Priority 1 | Integer3 (Select the correct <Integer> from the dropdown list. Unfortunately, they are only numbered on the Annotations tab. Here, you have to count them in the dropdown list.) | > | 0 | Time Duration | = Integer3 * 1000 |
7.4.3.6 Example of Dynamic Event Assignment

If the semantic event of a markup depends on the value of an annotation, you use the dynamic event assignment
and then add a value mapping that assigns the correct semantic events at runtime.

Value Mapping to Assign Correct Semantic Event at Runtime

There are log instances that contain a timestamp and a structured list and thus result in the following markup:

<Timestamp><StructuredList>.

This markup groups the following instances from the original log:

2016-07-18 19:06:49 499 10.11.111.222 TCP_TUNNELED 200 4509 CONNECT - - us1.hana.ondemand.com - 123 123 111.222.3.11 tcp 0 111.222.1.11 - 123.222.1.11 OBSERVED Technology/Internet "Apache-HttpClient/4.3.6(java1.5)" - VMSAMPLE--HTTP-Service tcp://us1.hana.ondemand.com:111/ /

2016-07-18 19:06:57 980 10.11.1.254 TCP_ERR_MISS 503 185 CONNECT - - connectivity.netweaver.ondemand.com - 443 200 111.121.6.11 tcp 0 147.204.6.18 - 147.204.6.18 DENIED Technology/Internet "AccAD" - VMSAMPLE-HTTP-Service tcp://connectivity.netweaver.ondemand.com:111/ /

At one position, the result of an HTTP request is indicated by the values OBSERVED or DENIED. Depending on this value, one of the following semantic events is suitable: Communication, HTTP Request, Allow or Communication, HTTP Request, Block. To assign the correct event at runtime, you first assign the event <Dynamic event assignment> and then add the value mapping that maps the log entry to these two semantic events, as shown in the table below.

Table 33: Example of a Value Mapping in Combination With Dynamic Event Assignment

| Condition | Source: Annotation | Operator | Operand 1 | Target: Attribute Name | Target Value |
|---|---|---|---|---|---|
| Priority 1 | StructuredPosition.Position (Select the correct position from the dropdown list. Unfortunately, they are only numbered on the Annotations tab. Here, you have to count them in the dropdown list.) | <> | DENIED | Event (Semantic) | Communication, HTTP Request, Allow |
| Priority 2 | StructuredPosition.Position (Same as above.) | = | DENIED | Event (Semantic) | Communication, HTTP Request, Block |
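The priority-ordered conditions of Tables 29, 32 and 33 (boolean outcome, duration conversion, dynamic event assignment), replayed in Python as an added example that is not code from this guide or from the product; the rule engine, the first-match reading of the Priority column and the token index of the OBSERVED/DENIED position are assumptions made for this example.

```python
import ast
import operator

# Comparison operators offered in the Operator column of the value mapping.
OPERATORS = {"=": operator.eq, "<>": operator.ne, ">": operator.gt, "<": operator.lt}

# Table 29: Integer -> Generic Outcome. The fourth row carries no priority
# number in the guide; priority 4 is assumed here.
OUTCOME_RULES = [
    {"priority": 1, "annotation": "Integer", "operator": "=", "operand1": 0, "target": "False"},
    {"priority": 2, "annotation": "Integer", "operator": "=", "operand1": 1, "target": "True"},
    {"priority": 3, "annotation": "Integer", "operator": ">", "operand1": 1, "target": "Unknown"},
    {"priority": 4, "annotation": "Integer", "operator": "<", "operand1": 0, "target": "Unknown"},
]

# Table 32: Integer3 (seconds) -> Time Duration in milliseconds.
DURATION_RULES = [
    {"priority": 1, "annotation": "Integer3", "operator": ">", "operand1": 0,
     "target": "= Integer3 * 1000"},
]

# Table 33: the OBSERVED/DENIED position -> semantic event (dynamic event assignment).
EVENT_RULES = [
    {"priority": 1, "annotation": "StructuredPosition.Position", "operator": "<>",
     "operand1": "DENIED", "target": "Communication, HTTP Request, Allow"},
    {"priority": 2, "annotation": "StructuredPosition.Position", "operator": "=",
     "operand1": "DENIED", "target": "Communication, HTTP Request, Block"},
]

# Constructed copies of the two proxy log instances quoted above.
PROXY_LOG_LINES = [
    "2016-07-18 19:06:49 499 10.11.111.222 TCP_TUNNELED 200 4509 CONNECT - - "
    "us1.hana.ondemand.com - 123 123 111.222.3.11 tcp 0 111.222.1.11 - 123.222.1.11 "
    'OBSERVED Technology/Internet "Apache-HttpClient/4.3.6(java1.5)" - VMSAMPLE--HTTP-Service '
    "tcp://us1.hana.ondemand.com:111/ /",
    "2016-07-18 19:06:57 980 10.11.1.254 TCP_ERR_MISS 503 185 CONNECT - - "
    "connectivity.netweaver.ondemand.com - 443 200 111.121.6.11 tcp 0 147.204.6.18 - "
    '147.204.6.18 DENIED Technology/Internet "AccAD" - VMSAMPLE-HTTP-Service '
    "tcp://connectivity.netweaver.ondemand.com:111/ /",
]
# Zero-based whitespace-token index of OBSERVED/DENIED in these lines. It is
# counted for the constructed copy; it is not a Log Learning dropdown number.
OUTCOME_TOKEN_INDEX = 20


def evaluate_expression(expression, annotations):
    """Evaluate an arithmetic Target Value such as "= Integer3 * 1000" by
    walking a restricted AST (numbers, annotation names, + - * /), not eval()."""
    binops = {ast.Add: operator.add, ast.Sub: operator.sub,
              ast.Mult: operator.mul, ast.Div: operator.truediv}

    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.Name):
            return annotations[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in binops:
            return binops[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported target value: %r" % expression)

    return walk(ast.parse(expression.lstrip("= "), mode="eval").body)


def apply_value_mapping(rules, annotations):
    """Evaluate the conditions in ascending priority; the first one that holds
    decides the target value (assumed meaning of the Priority column). Returns
    None when no condition holds, so the target attribute stays unset."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["annotation"] not in annotations:
            continue
        try:
            holds = OPERATORS[rule["operator"]](annotations[rule["annotation"]], rule["operand1"])
        except TypeError:  # e.g. ordering a string against a number
            continue
        if holds:
            target = rule["target"]
            return evaluate_expression(target, annotations) if target.startswith("=") else target
    return None


def map_outcome(test_result):
    """Table 29: 0 -> False, 1 -> True, anything else -> Unknown."""
    return apply_value_mapping(OUTCOME_RULES, {"Integer": test_result})


def seconds_to_milliseconds(seconds):
    """Table 32 only fires for values > 0, so 0 yields None (no rule matched)
    instead of being reported as 0 ms."""
    return apply_value_mapping(DURATION_RULES, {"Integer3": seconds})


def assign_event(proxy_log_line):
    """Table 33: pick the semantic event from the OBSERVED/DENIED position."""
    position_value = proxy_log_line.split()[OUTCOME_TOKEN_INDEX]
    return apply_value_mapping(EVENT_RULES, {"StructuredPosition.Position": position_value})


if __name__ == "__main__":
    print(map_outcome(0), map_outcome(1), map_outcome(5), map_outcome(-1))
    print(seconds_to_milliseconds(3))  # 3000
    for line in PROXY_LOG_LINES:
        print(assign_event(line))
```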

7.4.4 Parsing Markup With Constant Values

If a piece of information is missing in your log file, you can add it to a log entry with the help of a constant value.

Prerequisites

● You have started log learning.
● You have assigned an event type to the log entries you want to parse.
● The attributes exist in the knowledge base.

Context

A use case for a constant value is that your log does not contain all three parts of the user name that is used for
the pseudonymization of user data by SAP Enterprise Threat Detection. For more information, see the example in
chapter Example of Splitting Annotations With Value Mapping [page 97], where a constant value is used for the
user name that is missing in the original log.

Procedure

1. Choose the Constant Values tab and create a new one.
2. Select the semantic attribute you need and enter a name.
3. If you want to reuse this constant value for a different log, select it and choose Create Building Block.
4. Enter a name for the building block and a namespace.

Results

In this user interface, you can re-use such a building block as a constant value by choosing Add Building Block. For
an overview of the existing building blocks, choose Building Blocks on the launchpad in the Log Learning tile. Here
you can edit the building blocks and you see the runs that use them. You can also navigate into these runs.

7.5 Testing Log Runs

When you are ready to test the rules you created through the log entry assignments, activate the configuration
and synchronize the rules with the parser in SAP HANA smart data streaming. The Test Results tab enables you to
check how effective your parsing rules are at handling your sample log file.

Prerequisites

You have staged your log entries by assigning log types, events, attributes and saved the results.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Runs in the Log Learning tile.
2. Choose a run.

3. Choose Activate.

Your log run enters the Synchronization phase. SAP Enterprise Threat Detection generates the runtime
rules from your configuration and synchronizes the runtime rules between the database and SAP HANA
smart data streaming.
4. Wait until your log run has the status Successful.

5. Choose Test Run.

Your log run enters the Testing phase.


6. Wait until your log run has the status Successful.

SAP Enterprise Threat Detection applies the rules you activated. Log entries covered by those rules appear as
events on the Test Results tab.
7. Review the event data.

Note that events that you have defined as <Ignore> events are listed here. This way, you can ensure that the
assignment has worked.

| Option | Description |
|---|---|
| Everything is OK. | You are ready to make the log run productive. |
| You want to make changes. | Make your changes under the Entry Types. When finished, activate your run before testing. |
| You realize that you have completely misconfigured the log run. | On the Staging Entry Types tab, choose Discard. This leaves your sample log file in place but removes all log, event, and attribute assignments. |

7.6 Making Rules for Log Runs Productive

Once you have tested your run, you are ready to make the rules productive.

Prerequisites

You have staged your log entries by assigning log types, events and attributes, and you have activated the run.
The Status of the run is Successful and the Staging Status is In Sync.

Context

Until now, you have tested the sample data and generated the rules required to parse the data. Now you move the
rules from the staging area to the productive area.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Runs in the Log Learning tile.
2. Choose the run.

3. Choose Copy to Productive.

The Status of the run is Successful and the Productive Status is In Sync.

Results

You are now ready to send log data from your log provider to the port of the log learning adapter of SAP HANA
smart data streaming, which parses and normalizes the log entries into events for SAP Enterprise Threat
Detection.

8 Additional System Configurations

The following sections describe additional configurations needed for SAP Enterprise Threat Detection.

8.1 Encrypting Communication Between Log Providers and the Streaming Web Service

We recommend that you use transport layer security (TLS), also known as secure sockets layer (SSL), to encrypt
the connection between SAP NetWeaver Application Server (SAP NetWeaver AS) and the streaming web service
for SAP HANA Smart Data Streaming.

Context

Not all versions of SAP NetWeaver AS for ABAP are able to communicate via TLSv1.2. Therefore the SWS has to be switched to compatibility mode (TLSv1) to support TLS versions lower than TLSv1.2. This can only be done in the console configuration. In this example procedure, you will see how to create a new keystore and convert it to PKCS12 format, and how to import the streaming host certificates into these files.

Procedure

1. On the SDS server, create a keystore and a new key pair with the following command:

$STREAMING_HOME/lib/jre/bin/keytool -genkeypair -keyalg RSA -keysize 2048 -validity 10000 -keystore <keystore file>

2. Import the certificate chain into the keystore, for example, the <example> CA certificate.
3. Have the certificate signed by a certification authority (CA).

If you already have a PKI infrastructure, you may already have a means to have the certificate signed. If you do
not, generate a certificate signing request (CSR) and send it to a CA.

For more information about generating a certificate signing request with keytool, see the documentation of
the Java Development Kit.
4. Import the certificate response from the CA into the keystore.

For more information about generating a certificate signing request with keytool, see the documentation of
the Java Development Kit.
5. Convert the keystore into a pem formatted keystore (PKCS12 format).
6. Encrypt the server key with the cluster key.

7. Modify the configuration to support TLSv1 (called compatibility mode).
a. Convert the cluster.cfg to xml and insert the following property:

In the SWS section, below the echo-mode property, add <Property expand="true" name="hcp-compatibility">true</Property>.
b. Deploy the xml file into the cluster.cfg configuration file.
8. In the HANA Cockpit, use the Streaming Cluster Configuration tile to configure the streaming web service to
allow TLS (or SSL) communication and enter the path to the keystore.
9. Stop and start the Streaming Web Service.
10. Test the certificate at https://<host>:9093.

8.2 Encrypting Communication Between Log Providers and the Web Service Provider

We recommend that you use transport layer security (TLS), also known as secure sockets layer (SSL), to encrypt
the connection between SAP NetWeaver Application Server (SAP NetWeaver AS) and the web service provider for
SAP HANA Smart Data Streaming.

Procedure

1. Generate a keystore and a key pair certificate for the Web Service Provider.

You can either use your own public-key infrastructure (PKI) to generate the key pair certificate or you can use
keytool from Java.
2. Have the certificate signed by a certification authority (CA).

If you already have a PKI infrastructure, you may already have a means to have the certificate signed. If you do
not, generate a certificate signing request (CSR) and send it to a CA.

For more information about generating a certificate signing request with keytool, see the documentation of
the Java Development Kit.
3. Import the certificate response from the CA into the keystore.

For more information about generating a certificate signing request with keytool, see the documentation of
the Java Development Kit.
4. Import the standard CA certificate into the key storage of SAP NetWeaver Application Server.
○ On SAP NetWeaver AS for ABAP, use Trust Manager (transaction STRUST) to import the CA certificate into the certificate list of the SSL PSE.
For more information, see Maintaining the SSL Server PSE's Certificate List on SAP Help Portal at http://help.sap.com/nw_platform.
○ On SAP NetWeaver AS for Java, use Key Storage to import the CA certificate into the ICM_SSL_<instance_ID> keystore view.
For more information, see Configuring the SSL Key Pair and Trusted X.509 Certificates on SAP Help Portal at http://help.sap.com/nw_platform.

5. In the HANA Cockpit, use the Streaming Cluster Configuration tile to configure the web service provider to
allow TLS (or SSL) communication and enter the path to the keystore.
a. On the Web Service Provider tab, set https protocol.
b. Add TLSv1.
6. Stop and restart the web service provider for SAP HANA Smart Data Streaming.
For more information, see the documentation for SAP HANA smart data streaming on SAP Help Portal at http://help.sap.com/hana_options_sds.
7. Test the certificate at https://<host>:9091.

8.3 Defining Namespaces

We use namespaces to keep software objects created by SAP separate from software objects created by our
customers. This enables you to share objects between systems without the danger of overwriting each other.

Prerequisites

You have decided on a namespace for your configurations and developments. All namespaces must begin with
http://.

Recommendation
We recommend using your company domain as the namespace and creating any subdomains as required, for example, http://company_domain/subdomain.

Context

The namespace for SAP Enterprise Threat Detection is http://sap.com/secmon. Other SAP products can deliver content for SAP Enterprise Threat Detection under the SAP namespace http://sap.com/<product_namespace>. Anything under this namespace is reserved for SAP and can be overwritten in future upgrades or releases.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Namespaces.
2. Choose Add Namespace.
3. Enter the required data.
4. Save your entries.

Results

The namespaces saved here are considered native to this system. You can change objects in these namespaces
freely. If you export objects within these namespaces and import them in another system, they cannot be
changed unless the namespace under which they were created is also added to the system.

Objects protected by namespaces include the following:

● Value lists
● Values within value lists
● Knowledge base entries
● Patterns

Note
Patterns have runtime attributes that you can configure without changing the underlying pattern.

In addition to the Namespaces application, you can also add namespaces in the forensic lab.

8.4 Knowledge Base

The knowledge base enables you to add metadata about new types of logs, the events that they include, and the
component parts of those log entries.

The knowledge base application enables you to manage these elements:

● Events
You can assign attributes to events and create .
● Log types
You can add and delete log types.
● Attributes
You can look up the attributes, their data types and see whether they are available in Forensic Lab and in Log
Learning.

Figure 7: Objects of the Knowledge Base and Relationship to Learning New Logs

8.4.1 Working With Events

SAP Enterprise Threat Detection supplies a list of semantic events with which you should be able to describe the
log entries from all of your logs.

Context

Events are a central concept in SAP Enterprise Threat Detection. Events are the carriers of information about
what is semantically happening in the system landscape. For example, an event would be that a user tried to log
on, but was rejected. Events are specified with the help of attributes that carry information about, for example, the
system in which it took place, the user IDs involved and the roles those users and systems played in the event.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Knowledge Base.
2. Choose Events.
3. Choose New.
4. Enter the required data.
5. Save your entries.

Next Steps

After creating an event, assign the attributes you need for the event.

8.4.2 Adding Log Types

Log types enable you to identify the kind of log that produced a log entry when working with anything other than the standard log types provided by SAP. For example, if your network router produces a log that you want to monitor, create a log type to monitor web traffic for your network router.

Context

You assign log types to log entries when staging log entries of new logs. The log types are then used to identify the
source of events from these logs in the forensic lab.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Knowledge Base.
2. Choose Log Types.
3. Choose New.
4. Enter the required data.
5. Save your entries.

8.4.3 Assigning Attributes to Events

Before you can add attributes to annotations in the Log Learning application, assign the relevant attributes to
events first.

Context

Without the assignment of attributes to events, you cannot map annotations to these attributes. The Log Learning
application does not offer the attributes when staging a new log, unless you have configured this assignment in
the Knowledge Base application. For the events that we supply, the relevant attributes have been assigned by
SAP. However, you can assign further attributes to the events or delete the ones that you do not need.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Knowledge Base.
2. Choose Events.
3. Select an event.
4. Choose the Assign Attributes and select the attribute you want to assign.
5. To delete one or multiple attributes from an event, select them and choose Unassign Attributes.

Results

You can now assign the events to log entries and assign attributes to the annotations of events. To do this, use the
Log Learning application.

8.4.3.1 Roles of Semantic Events With Examples


Some semantic attributes include roles of the events. For example, a system ID involved in an event might have
the actor or target role. These two are differentiated with the help of semantic attributes that include the
respective role: system ID actor and System ID Target.

There are three entities involved in events that can have roles: Systems / Hosts, Users, and Triggers. To differentiate between these entities, system roles are named with nouns (for example, Actor, Initiator) while user and trigger roles are named with adjectives (for example, Acting, Initiating). These nouns and adjectives correlate. For example, for most events, the actor system or host runs under the acting account. The same applies to the pairs initiator/initiating and target/targeting.

System / Host Roles

Table 34:

| System / Host Role | Description |
|---|---|
| Actor | The system that executes the software to perform the action that is logged. The software runs under the acting user account. |
| Initiator | The system that asks the actor to perform the action of the event, e.g., an end device that asks an SAP system to run a transaction plays the initiator role. |
| Intermediary | In some events, the system that mediates between two other systems, usually between initiator and actor. |
| Reporter | The system that writes events to a log. Often the actor and reporter are the same system. |
| Target | The system that the actor asks to perform some function, e.g., an actor requests a remote system, the target, to run a program. |

Example of An Event Where Actor and Reporter are Different Systems

Actor and reporter are not always the same. For example, a web filter software is installed on a web client so that the client blocks or allows requests, and then uploads the block event or allow event to the web filter to be logged in the web filter log. In this case, the actor is the web client, and the reporter is the web filter. To make this clear, events that occur on the web client have Event Scenario Role of Actor set to Web_Client. If the web filter itself performs the block or allow action, Event Scenario Role of Actor is set to Web_Filter.

User Roles

Table 35:

| User Role | Description |
|---|---|
| Acting | The user account under which the software on the actor system runs. |
| Initiating | The user account under which the software on the initiator system runs. |
| Targeted | In user administration, the account that is created, modified, or deleted. |
| Targeting | The user account under which the software on the target system runs. |

Why do we Need Different Roles for Systems and Users?

The method for representing semantic events separates system/host roles from user roles and trigger roles. One
reason for this is that the system and user roles do not always coincide. Logon is a good example. Software,
running on an actor, often under a system account (acting) performs authentication of a supplied user account,
the targeted user.

Example of an Event with 3 Users: Logon

At the request of an initiator (for example, an SAP HANA client), the actor (for example, an SAP HANA database) authenticates a user account name targeted. The initiator tells the actor that its account is user account name initiating. The authentication software on the actor runs under the user account name acting.

Employee Thomas Smith logs on as D02 using his laptop. Then he logs onto an SAP HANA database using his
database user account TSMITH. SAP HANA performs the logon under the user account SYSTEM. The SAP HANA
database (actor) writes a log entry that has the following semantics: An actor, the SAP HANA database,
authenticates a targeted user. The log entry has three user accounts with the following roles:

● D02: initiating
● TSMITH: targeted
● SYSTEM: acting

In this example, two systems are involved: the laptop and the HANA system. The laptop plays the role of the
initiator and the SAP HANA system plays the role of the actor.

Note
Note that the user roles in forensic lab do not display the actual user account names but only the pseudonyms.
For more information about pseudonymization, see Pseudonymization in the SAP Enterprise Threat Detection
Operations Guide.

Trigger Roles

Table 36:

| Trigger Role | Description |
|---|---|
| Acting | A trigger that causes an event to occur and/or to be logged. An audit policy is an example of a trigger. See example below. |
| Targeting | A trigger that is the target of an action. See example below. |

Example
Example of Trigger Roles

This is a simplified example that focuses only on the trigger roles of an event: In SAP HANA, audit_policy_1
is changed and audit_policy_2 states condition: when any audit policy is changed, write an audit log entry.

The actor SAP HANA writes a log entry that has the following semantics: An actor, SAP HANA, altered an audit
policy named audit_policy_1. The logging of this event was triggered by an audit policy named
audit_policy_2.

The event would have the following attributes for the trigger roles:

● Trigger Type Targeted: audit policy
● Trigger Name Targeted: audit_policy_1
● Trigger Type Acting: audit policy
● Trigger Name Acting: audit_policy_2

8.5 Synchronizing User Context Information from an Identity Management System

This procedure outlines how you can use SAP Identity Management to maintain user contexts in SAP Enterprise
Threat Detection. Note that you can also connect a different identity management system that uses ODBC.

Prerequisites

● You have created a user on SAP HANA with authorizations to update tables
sap.secmon.db::IDM.SystemData and sap.secmon.db::IDM.Header in the SAP_SEC_MON schema.
● You have configured the job sap.secmon.services.idm:IDMInterface.xsjob on SAP HANA.
For more information, see Starting Jobs for SAP Enterprise Threat Detection [page 18].
● You have development experience with SAP ID Management.
SAP Enterprise Threat Detection provides database tables for the import of data from SAP ID Management.
Which data you put in these tables requires custom development.
● Note that using an identity management system is an alternative to the transfer of user context data through the master data transfer in report SECM: Push master data to ESP (SECM_MASTER_DATA_2_ESP). We recommend that you uncheck the options Send HR-/ Header Data and Send User System Data in this report. If you have already transferred user data to SAP Enterprise Threat Detection with the master data, we recommend that you fill the following fields in sap.secmon.db::IDM.SystemData: UserType, SAPName, and/or SNCNameP. This allows you to compare the identity management users with the existing ones.

Context

SAP Identity Management (SAP ID Management) already contains information about users in your system
landscape, the persons the users represent, and the systems where these users are located. To keep the user
context information current, regularly synchronize this information with SAP Enterprise Threat Detection.

The following is an outline of the steps you need to configure SAP ID Management. The exact details can vary from
release to release.

For more information, see the documentation for SAP ID Management on SAP Help Portal at http://
help.sap.com/idm.

Procedure

1. In SAP ID Management, create a module that provides data via ODBC for the tables
sap.secmon.db::IDM.Header and sap.secmon.db::IDM.SystemData in the SAP_SEC_MON schema.

The following tables describe the data structure for user context and user-system assignment in SAP
Enterprise Threat Detection.

Table 37: Data Structure of the User Context

| Field Name | Data Type | Provisioning | Comment | Potential Attribute in SAP ID Management |
|---|---|---|---|---|
| IDMId | String | Mandatory | ID in SAP ID Management | MSKEY, MSKEYVALUE |
| Type | String | Optional | Example values: contractor, employee, external, technical, … | MX_FS_IDENTITY_TYPE |
| Role | String | Optional | Example values: developer, sales representative, administrator, … | MX_FS_POSITION |
| ValidFrom | UTC timestamp | Optional | | MX_VALIDFROM |
| ValidTo | UTC timestamp | Optional | | MX_VALIDTO |
| PersonalNumber | String | Optional | | MX_FS_PERSONNEL_NUMBER |
| SAPName | String | Recommended | | MSKEYVALUE |
| EMailAddress | String | Optional | | MX_MAIL_PRIMARY |
| TechnicalOperation | String | Mandatory | This field describes the operation on the specified user. Shall the user be created, changed or deleted? Valid values: Insert, Modify, Delete | |
| TechnicalOperationTS | UTC timestamp | Mandatory | Operations are ordered according to this timestamp. So it determines the final state when, for example, multiple change operations on a single user happen. | |
| Status | String | Optional | Do not provide this field. | |

Table 38: Data Structure of User-System Assignment

| Field Name | Data Type | Provisioning | Comment |
|---|---|---|---|
| IDMId | String | Mandatory | Association to Header IDMId |
| SystemType | String | Mandatory | For ABAP Systems: ABAP. For HANA XS: HANA. For JAVA AS: JAVA |
| System | String | Mandatory | For ABAP Systems: <SID>/<client>, for example, CRM/001. For HANA XS: <SID>, for example, HDB. For JAVA AS: <SID>, for example, EPP |
| SystemUser | String | Mandatory | Account name (= logon user name) |
| ValidFrom | UTC timestamp | Optional | |
| ValidTo | UTC timestamp | Optional | |
| Status | String | Optional | Valid values: active, inactive |
| UserType | String | Optional | Valid values: A (dialog user), B (system user), C (communication user), S (service user), L (reference user) |
| Alias | String | Optional | Alias user name |
| UserGroup | String | Optional | User group in the respective system. |
| SNCNameP | String | Recommended | SNC printable name, for example, p:CN=USERNAME, O=SAP-AG, C=EN |
| SNCNameH | String | Optional | SNC hash value |
| TechnicalOperation | String | Mandatory | This field describes the operation on the specified user/system combination. Shall the user for this system be created, changed or deleted? Valid values: Insert, Modify, Delete |
| TechnicalOperationTS | UTC timestamp | Mandatory | Operations are ordered according to this timestamp. So it determines the final state when, for example, multiple change operations on a single user/system combination happen. |

2. Configure the ODBC connection from SAP ID Management to the SAP Enterprise Threat Detection SAP HANA
system.

Configuring the connection requires the following information:

○ URL of SAP HANA. For example: http://examplehost:30015
○ User ID and password of the technical user of SAP HANA, which you created for this synchronization.
○ The names of the database tables to write to:
  ○ sap.secmon.db::IDM.Header
  ○ sap.secmon.db::IDM.SystemData
3. Create a job in SAP ID Management to push changes of the user data to SAP Enterprise Threat Detection.

Configure the job to run, for example, once per minute, to ensure that the user data in SAP Enterprise Threat
Detection is up-to-date.
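An added Python example (not SAP's code, and not tied to the ODBC module or job described above) that replays constructed Insert/Modify/Delete rows for the two tables in TechnicalOperationTS order to derive the final user context and user-system assignment, and checks the SystemType/System formats and UserType values listed in Table 38; the record keys, the <SID> pattern and all sample values are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed rows as SAP ID Management would push them into the two tables in
# the SAP_SEC_MON schema (field names from Tables 37 and 38). The rows are
# deliberately out of order: only TechnicalOperationTS may decide the final
# state. IDs, names and timestamps are invented for this example.
HEADER_ROWS = [
    {"IDMId": "1001", "Type": "employee", "Role": "administrator", "SAPName": "TSMITH",
     "TechnicalOperation": "Modify", "TechnicalOperationTS": "2017-09-01T09:00:00Z"},
    {"IDMId": "1001", "Type": "employee", "Role": "developer", "SAPName": "TSMITH",
     "TechnicalOperation": "Insert", "TechnicalOperationTS": "2017-08-01T08:00:00Z"},
    {"IDMId": "1002", "Type": "contractor", "Role": "developer", "SAPName": "JDOE",
     "TechnicalOperation": "Delete", "TechnicalOperationTS": "2017-09-10T10:00:00Z"},
    {"IDMId": "1002", "Type": "contractor", "Role": "developer", "SAPName": "JDOE",
     "TechnicalOperation": "Insert", "TechnicalOperationTS": "2017-08-01T08:00:00Z"},
]
SYSTEM_ROWS = [
    {"IDMId": "1001", "SystemType": "ABAP", "System": "CRM/001", "SystemUser": "TSMITH",
     "UserType": "A", "TechnicalOperation": "Insert", "TechnicalOperationTS": "2017-08-01T08:00:00Z"},
    {"IDMId": "1001", "SystemType": "HANA", "System": "HDB", "SystemUser": "TSMITH",
     "UserType": "A", "TechnicalOperation": "Insert", "TechnicalOperationTS": "2017-08-01T08:00:00Z"},
    {"IDMId": "1001", "SystemType": "HANA", "System": "HDB", "SystemUser": "TSMITH",
     "UserType": "A", "TechnicalOperation": "Delete", "TechnicalOperationTS": "2017-08-15T08:00:00Z"},
]

VALID_OPERATIONS = {"Insert", "Modify", "Delete"}
VALID_USER_TYPES = {"A", "B", "C", "S", "L"}  # dialog, system, communication, service, reference
# System format per SystemType (Table 38): ABAP uses <SID>/<client>, HANA and
# JAVA use <SID>. Assumption: a SID is three alphanumerics starting with a letter.
SYSTEM_FORMATS = {
    "ABAP": re.compile(r"^[A-Z][A-Z0-9]{2}/\d{3}$"),
    "HANA": re.compile(r"^[A-Z][A-Z0-9]{2}$"),
    "JAVA": re.compile(r"^[A-Z][A-Z0-9]{2}$"),
}


def parse_ts(value):
    """TechnicalOperationTS as a UTC timestamp in ISO 8601 form (assumed format)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def validate_system_row(row):
    """Return the problems that would make an IDM.SystemData row unusable;
    an empty list means the row is well-formed."""
    problems = []
    if row.get("TechnicalOperation") not in VALID_OPERATIONS:
        problems.append("TechnicalOperation must be Insert, Modify or Delete")
    pattern = SYSTEM_FORMATS.get(row.get("SystemType"))
    if pattern is None:
        problems.append("SystemType must be ABAP, HANA or JAVA")
    elif not pattern.match(row.get("System", "")):
        problems.append("System does not match the format for %s" % row["SystemType"])
    if "UserType" in row and row["UserType"] not in VALID_USER_TYPES:
        problems.append("UserType must be one of A, B, C, S, L")
    for field in ("IDMId", "SystemUser"):
        if not row.get(field):
            problems.append("%s is mandatory" % field)
    return problems


def final_state(rows, key_fields):
    """Replay Insert/Modify/Delete per key in TechnicalOperationTS order and
    return the surviving records without the technical fields. Assumption:
    Insert and Modify both overwrite the record with the row's data."""
    state = {}
    for row in sorted(rows, key=lambda r: parse_ts(r["TechnicalOperationTS"])):
        key = tuple(row[f] for f in key_fields)
        if row["TechnicalOperation"] == "Delete":
            state.pop(key, None)
        else:
            state[key] = {k: v for k, v in row.items() if not k.startswith("TechnicalOperation")}
    return state


def user_context():
    """Final state of IDM.Header, keyed by IDMId."""
    return final_state(HEADER_ROWS, ("IDMId",))


def user_system_assignment():
    """Final state of IDM.SystemData, keyed by the user/system combination."""
    return final_state(SYSTEM_ROWS, ("IDMId", "SystemType", "System"))


if __name__ == "__main__":
    print(user_context())             # 1001 survives as administrator, 1002 is deleted
    print(user_system_assignment())   # only the CRM/001 assignment survives
```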

8.6 Entering System Context Information

The log provider can transmit some data about a system when you first connect the system to SAP Enterprise
Threat Detection. Enter data not supplied by the log provider.

Prerequisites

● You have a user with administrator authorizations for SAP Enterprise Threat Detection.
● For SAP NetWeaver Application Server for ABAP, you have already performed an initial load of the system
context information from the log providing system.
For more information, see Providing Logs from SAP NetWeaver Application Server for ABAP [page 66].

Context

The system context information provides meta information about the system, such as the role of the system,
contact information for the owner of the system, its location, and how critical you consider security relevant
properties of the system. The business significance of the system is used to weigh the importance of alerts in
those systems and, for example, the evaluation of the Impact of Compromise of a system.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Systems.

The application displays a list of systems and an overview of systems by role.


2. Choose a system from the list.
3. On the System Information tab, enter the required data.

Under Location, you can select a location that has been entered in the Locations application. In addition to
general information, contact information, and technical information about the system, you can rate the
system for its business significance. The values for business significance play a significant role in determining
the alert score of an alert.

For more information about alert scoring, see the SAP Enterprise Threat Detection Operations Guide.

4. Choose Save changes .

Related Information

Defining Locations [page 118]

8.7 Entering Subnet Context Information

The subnet context information provides meta information about your network, such as the subnet mask,
location, contact information, and how critical you consider security relevant properties of the subnet. SAP
Enterprise Threat Detection uses this information to enrich events, which include subnets.

Prerequisites

● You have defined any locations you want to use for your subnet context information.
For more information, see Defining Locations [page 118].
● To load many subnet locations at once, you must have created a comma separated value (*.csv) file.
For more information, see File Format for Uploading Subnet Context Information [page 117].

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Subnets.

The application displays a list of subnets and general information.

2. Choose Create Subnet.


3. Enter the network address and subnet mask and choose Create Subnet.

You can upload many subnets at once by selecting a comma separated value (*.csv) file and choosing
Upload File. Specify if the file contains a header.

Note
You cannot set the location with the file upload.

4. Enter the required data.

5. Choose Save Changes .

Related Information

Defining Locations [page 118]

8.7.1 File Format for Uploading Subnet Context Information

With a comma separated value (*.csv) file, you can enter the context information for many subnets at once.

The following table presents context information for subnets in order. The *.csv file can optionally have a header.

Table 39: Fields for Subnet Context Information

Field                                       Data

Network Address                             IP address, 182.168.178.0

Subnet Mask                                 255.255.0.0

Description                                 Free text field

Category                                    Free text field

Technical Contact Name                      Name of a person

Technical Contact Telephone Number          Telephone number, +1 510 555-1212

Technical Contact E-Mail Address            E-mail address, [email protected]

Business Significance: Confidentiality      How damaging would the impact be if the confidentiality of the subnet was compromised: VERY_HIGH, HIGH, MEDIUM, LOW, N/A.

Business Significance: System Integrity     How damaging would the impact be if the system integrity of the subnet was compromised: VERY_HIGH, HIGH, MEDIUM, LOW, N/A.

Business Significance: Data Integrity       How damaging would the impact be if the data integrity of the subnet was compromised: VERY_HIGH, HIGH, MEDIUM, LOW, N/A.

Business Significance: Availability         How damaging would the impact be if the availability of the subnet was compromised: VERY_HIGH, HIGH, MEDIUM, LOW, N/A.

Example
The following is an example of a line from a CSV file.
168.123.167.0;255.255.255.0;Subnet of the new site;Office;Kathy Liu;0014155551212;[email protected];HIGH;LOW;LOW;MEDIUM

8.8 Defining Locations

Defining locations enables you to correlate geographical information with your subnet and system context.

Context

Latitude and longitude support signed degree format. For example, New York City is located at latitude 40.75 and
longitude -74.00. Correlation between locations is also possible without latitude and longitude information, for
example, for all logs from a specific building.

Procedure

1. From SAP Enterprise Threat Detection launchpad, choose Locations.

2. Choose Create.
3. Enter a location name and choose Create Location.
4. Enter the required data.

5. Choose Save .

Results

You can now use the location in the Location field of the subnet context information and the system context
information. The system locations are also visible on the Threat Situation user interface.

For more information, see Entering Subnet Context Information [page 116] and Entering System Context
Information [page 115].

8.9 Alert Publishing

SAP Enterprise Threat Detection can make alerts available to external systems. Alerts can be published as JSON
or via emails, and you can pull alerts using a REST API in JSON format.

Information about the pattern that produced the alert, the involved systems and users, the alert IDs and a link to
the alert in SAP Enterprise Threat Detection are included. You can configure a set of patterns for which alerts are
sent. This set of patterns is called a pattern filter and you define it in the Settings user interface of SAP Enterprise
Threat Detection. The alerts are sent once per minute.

8.9.1 Configuring Alert Publishing as JSON

To exchange information about alerts with external systems, you can publish alerts as JSON or in emails. To
enable alert publishing as JSON, you configure an HTTP destination. The alerts are sent by a background job.

Prerequisites

● You have access to the SAP HANA XS Administration Tool.


● Your user is assigned the following roles:
○ HTTPDestAdministrator
○ RuntimeConfAdministrator

Procedure

1. Start the SAP HANA XS Administration Tool.

Enter the following URL in a browser:

<protocol>://<host>:<port>/sap/hana/xs/admin
2. Navigate to the configuration of the HTTP destination alerts.xshttpdest. For example, search for it using
the search bar.

You cannot edit this HTTP destination because it did not originate in this system. Instead, you create an
extension that overwrites the original.
3. Choose Create an Extension.
4. Enter a host, a port and, optionally, a path prefix.

Results

You have enabled the publishing of alerts as JSON or Syslog Packaged JSON.

Next Steps

● Make further settings in the Settings user interface of SAP Enterprise Threat Detection under Manage Alert
Publishing. For more information, see the chapter on Managing Alert Publishing in the SAP Enterprise Threat
Detection Operations Guide.
● Alerts are sent with the help of a background job. Make sure that the job
sap.secmon.framework.pattern.publishalerts.jobs::alertPublishingJob is active. For more
information, see Starting Jobs for SAP Enterprise Threat Detection [page 18].

8.9.2 Configuring Alert Publishing Via Email

To exchange information about alerts with colleagues, you can publish alerts as JSON or in emails. To enable alert
publishing via email, you have to configure SMTP settings and configure the user parameter for the user who is to
receive the emails.

Prerequisites

● You have access to the SAP HANA XS Administration Tool and SAP HANA Studio or SAP HANA Web-Based
Development Workbench.
● You have an administration user for SAP HANA with the following roles:
○ SMTPDestAdministrator
○ RuntimeConfAdministrator

Procedure

1. Start the SAP HANA XS Administration Tool.

Enter the following URL in a browser:

<protocol>://<host>:<port>/sap/hana/xs/admin
2. Start the SMTP Configurations tool.

Choose the menu icon in the upper left-hand corner to display the list of XS Administration tools.
3. Specify the mail server host and the mail server port number to open a connection.
4. Specify the authentication settings required for access to the SMTP host.
5. Specify the security settings for the transport-channel.
6. Define the timeout setting for connections to the specified SMTP server.
7. Define the socket proxy settings.
8. Save your settings.

Results

You have enabled the publishing of alerts via email.

Next Steps

● Configure the user parameters of the users who are to receive alert emails. For more information, see the
chapter on Configure User Parameters for Alert Publishing via Email below.

● Make further settings in the Settings user interface of SAP Enterprise Threat Detection under Manage Alert
Publishing. For more information on these two steps, see the chapter on Managing Alert Publishing in the SAP
Enterprise Threat Detection Operations Guide.
● Alerts are sent with the help of a background job. Make sure that the job
sap.secmon.framework.pattern.publishalerts.jobs::alertPublishingJob is active. For more
information, see Starting Jobs for SAP Enterprise Threat Detection [page 18].

8.9.2.1 Configure User Parameters for Alert Publishing Via Email

To exchange information about alerts with other systems, you can publish alerts in emails. To enable alert
publishing via email, you have to configure SMTP settings and configure the user parameter for the user who
wants to receive the emails.

Prerequisites

● Your system administrator has created an SMTP configuration. For more information, see the SAP Enterprise
Threat Detection Implementation Guide under Additional System Configurations.
● You have a user with administrator authorizations.

Procedure

1. In SAP HANA Studio or the SAP HANA Web-Based Development Workbench, under Security, navigate to the
user you want to receive alert emails.
2. On the User Parameters tab, select EMAIL ADDRESS and enter the user's email address.
3. Create a new parameter SEND_ALERT_MAIL_NOTIFICATIONS with the value True.
4. To only send alerts from a specific set of patterns, create a new parameter SEND_ALERT_PATTERN_FILTER
and enter the ID of the pattern filter as the value. You can create a pattern filter in the Settings user interface
that is accessible from the launchpad of SAP Enterprise Threat Detection.
5. Enter the minimum severity of alerts to be included in the email with parameter
SEND_ALERT_MIN_SEVERITY. Note that the value entered here must be equal or greater than the minimum
severity that is specified in the Settings user interface. For example, if the minimum severity in the Settings
user interface is HIGH and you enter MEDIUM here, you will still only get alerts with severity HIGH and
VERY_HIGH in the emails.

These are the values:


○ LOW
○ MEDIUM
○ HIGH
○ VERY_HIGH

Next Steps

Make further settings in the Settings user interface of SAP Enterprise Threat Detection under Manage Alert
Publishing.

8.9.3 Alert Pulling Via JSON API

There is an API available that you can use to pull alerts from SAP Enterprise Threat Detection in JSON and LEEF
format. The information you can pull is the same as in the Alerts application in SAP Enterprise Threat Detection.

Context

If you have the sap.secmon.services::ResolveUserOnAlertService authorization, the API will return the
real user data. Otherwise, you will get the user pseudonyms.

You can pull alerts by specifying the alert IDs or the timestamp. Also, you can specify whether you want to include
the triggering events. You specify this with the following parameters:

Table 40:

$query
  Description: Alert Number: unique and increasing integer number; AlertCreationTimestamp: Timestamp in UTC
  Operators: eq, lt, gt, ge, le
  Values: alert IDs, timestamps
  Example: $query=AlertId eq 20 or $query=AlertCreationTimestamp ge 2015-11-22T22:00:00.00Z

$format
  Description: Format of alerts
  Operators: =
  Values: JSON, LEEF
  Example: $format=JSON

$includeEvents
  Description: Defines if triggering events are included. Default is exclude.
  Operators: =
  Values: false, true (default is false)
  Example: $includeEvents=false

$batchSize
  Description: Defines the number of alerts included.
  Operators: =
  Values: numbers
  Example: $batchSize=20

$patternFilter
  Description: ID of a pattern filter. A pattern filter is a set of patterns for which alerts will be pulled. You define a pattern filter in the Settings user interface.
  Operators: =
  Values: <ID of pattern filter>
  Example: $patternFilter=20000

$includeTestAlerts
  Description: Defines whether alerts with status Test Result are included. Default is to include them.
  Operators: =
  Values: true, false (default is true)
  Example: $includeTestAlerts=false

Procedure

1. Enter the following URL in your browser: <protocol>://<host>:<port>/sap/secmon/services/Alerts.xsjs
2. Add the parameters to your query.

Example
The query <protocol>://<host>:<port>/sap/secmon/services/Alerts.xsjs?$query=AlertId eq 10923923 returns the information about the alert:

[{
  "Version" : "1.0",
  "AlertCreationTimestamp" : "2015-11-24T03:09:01.264Z",
  "AlertId" : 10923923,
  "AlertSeverity" : "HIGH",
  "AlertStatus" : "OPEN",
  "AlertSource" : { "SystemId" : "EC1" },
  "AlertSystemIds" : ["EC1"],
  "HostNames" : ["null"],
  "PatternName" : "ABAP System Ping Health Check",
  "PatternNameSpace" : "http://sap.com/secmon",
  "PatternDescription" : "Checks if the ABAP system is reachable via system ping. An alert is raised in case subsequent system ping attempts are failing.",
  "MinTimestamp" : "2015-11-24T03:04:01.000Z",
  "MaxTimestamp" : "2015-11-24T03:08:01.000Z",
  "Text" : "Measurement 5 exceeded the threshold 2 for System ID = 'EC1'",
  "Score" : 75,
  "UiLink" : "http://.../hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=63B5292770D0294D8577AC46C7E272A8"
}]
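A SIEM or ticketing integration usually polls this API on a schedule rather than looking up single alert IDs, and the one detail that bites in practice is that the ge operator is inclusive: the alert sitting exactly at the saved timestamp comes back again on the next round. The following client is an added example and not part of SAP Enterprise Threat Detection: it assembles the URL from the parameters of Table 40, builds an incremental query (timestamp cursor, no events, no test alerts, batch size, optional pattern filter), validates the JSON array and deduplicates by AlertId before advancing the cursor. The host name, the basic-authentication helper, and the second alert in the sample response are assumptions; the first alert in the sample is the one from the example above, reduced to the fields the client uses.

```python
import json
import urllib.request
from base64 import b64encode
from typing import Any, Dict, List, Optional, Set, Tuple
from urllib.parse import quote

ALERTS_PATH = "/sap/secmon/services/Alerts.xsjs"
REQUIRED_FIELDS = ("AlertId", "AlertCreationTimestamp", "AlertSeverity", "AlertStatus",
                   "PatternName", "Score")


def build_alerts_url(base_url: str, params: Dict[str, str]) -> str:
    """Assemble the pull URL. Parameter names from Table 40 stay literal ($query, ...),
    values are percent-encoded so that 'AlertId eq 20' survives as one value."""
    query = "&".join(f"{name}={quote(value, safe=':')}" for name, value in params.items())
    return f"{base_url.rstrip('/')}{ALERTS_PATH}?{query}"


def incremental_params(cursor_ts: str, batch_size: int = 100,
                       pattern_filter: Optional[str] = None) -> Dict[str, str]:
    """Parameters for one polling round: alerts created at or after the cursor,
    without triggering events and without test alerts."""
    params = {
        "$query": f"AlertCreationTimestamp ge {cursor_ts}",
        "$format": "JSON",
        "$includeEvents": "false",
        "$includeTestAlerts": "false",
        "$batchSize": str(batch_size),
    }
    if pattern_filter is not None:
        params["$patternFilter"] = pattern_filter
    return params


def fetch_alerts(url: str, user: str, password: str, timeout: int = 30) -> str:
    """HTTP GET with basic authentication (assumed to be enabled for the XS service;
    not exercised offline). Returns the raw JSON text."""
    token = b64encode(f"{user}:{password}".encode()).decode()
    request = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


def parse_alerts(payload: str) -> List[Dict[str, Any]]:
    """Parse the response and reject anything that is not an array of complete alerts."""
    alerts = json.loads(payload)
    if not isinstance(alerts, list):
        raise ValueError("expected a JSON array of alerts")
    for alert in alerts:
        missing = [field for field in REQUIRED_FIELDS if field not in alert]
        if missing:
            raise ValueError(f"alert is missing fields {missing}")
    return alerts


def take_new_alerts(alerts: List[Dict[str, Any]], seen_ids: Set[int]) -> Tuple[List[Dict[str, Any]], Optional[str]]:
    """Drop alerts already forwarded (the inclusive 'ge' returns the cursor alert again),
    record the new IDs and return (new alerts, next cursor). The UTC timestamp strings
    share one fixed format, so the newest one is simply the lexical maximum."""
    fresh = [alert for alert in alerts if alert["AlertId"] not in seen_ids]
    seen_ids.update(alert["AlertId"] for alert in fresh)
    cursor = max((alert["AlertCreationTimestamp"] for alert in alerts), default=None)
    return fresh, cursor


# Constructed response: the alert from the example above plus a second, invented alert.
SAMPLE_RESPONSE = json.dumps([
    {"Version": "1.0", "AlertCreationTimestamp": "2015-11-24T03:09:01.264Z",
     "AlertId": 10923923, "AlertSeverity": "HIGH", "AlertStatus": "OPEN",
     "AlertSource": {"SystemId": "EC1"}, "AlertSystemIds": ["EC1"],
     "PatternName": "ABAP System Ping Health Check", "Score": 75},
    {"Version": "1.0", "AlertCreationTimestamp": "2015-11-24T03:12:44.010Z",
     "AlertId": 10923950, "AlertSeverity": "MEDIUM", "AlertStatus": "OPEN",
     "AlertSource": {"SystemId": "EC1"}, "AlertSystemIds": ["EC1"],
     "PatternName": "Constructed Example Pattern", "Score": 40},
])

if __name__ == "__main__":
    seen: Set[int] = {10923923}  # forwarded in the previous round
    fresh, cursor = take_new_alerts(parse_alerts(SAMPLE_RESPONSE), seen)
    for alert in fresh:
        print(alert["AlertId"], alert["AlertSeverity"], alert["Score"], alert["PatternName"])
    print("next request:", build_alerts_url("https://etd.example.invalid:4300", incremental_params(cursor)))
```

Persist both the cursor and the set of recently seen IDs between runs; keeping the IDs only for alerts at the cursor timestamp is enough, since anything older is excluded by the query itself. The user behind fetch_alerts needs sap.secmon.services::ResolveUserOnAlertService only if the integration is meant to receive real user names instead of pseudonyms.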

8.10 Monitoring the Performance of the Log Learning Adapter

In SAP HANA smart data streaming Studio, you should review the framework adapter log file to make sure the
parser is not overwhelmed by events coming in and going out. If a problem occurs, you will get an out-of-memory
exception.

Context

In SAP HANA smart data streaming, monitor the stream QueueObserverIn of the transfer_log_event project.
This shows the internal queue sizes and memory consumption of the log learning adapter. The queue sizes should
always be 0 or near 0, and the memory consumption must not exceed the Java max heap size you have
configured.

When the Java max heap size is approached, you can change it or you might need to increase your storage.

Procedure

1. In the Threading parameter of the adapter_config.xml, adjust the input and output threads.
○ If Input Queue Size goes up, increase the value of the Parsers parameter.
○ If Output Queue Size goes up, increase the value of the Publishers parameter.

The default value for both is -1, which means that the log learning adapter calculates the number of parser
and publisher threads. For the parser threads, the number of parser threads is equal to the number of logical
CPU cores divided by two. The number of publisher threads is derived from the number of parser threads:
there is one publisher thread per ten parser threads.

<Module type="transporter">
  <InstanceName>MyRTAdapterTransporter</InstanceName>
  <Name>RTAdapterTransporter</Name>
  <Next>MyInStream_Publisher</Next>
  <Parameters>
    <RTParserAdapterParameters>
      ...
      <Threading>
        <Parsers>-1</Parsers>
        <Publishers>-1</Publishers>
      </Threading>
    </RTParserAdapterParameters>
  </Parameters>
</Module>

2. Stop and restart the log learning adapter.
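The -1 defaults hide the thread counts the adapter actually runs with, which makes "increase the value of Parsers" hard to act on: you first need to know where you are starting from. The following is an added example, not a tool from SAP HANA smart data streaming: it reads the Threading element of an adapter_config.xml, resolves -1 to the effective counts with the rule given in step 1 (parsers = logical cores / 2, one publisher per ten parsers), and writes back explicit values after applying the two queue rules. Rounding down with a minimum of one thread, the step size, and the sample configuration (the excerpt above without its "..." so that it is well-formed XML) are assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Tuple

# Constructed fragment modelled on the adapter_config.xml excerpt above.
SAMPLE_CONFIG = """<Module type="transporter">
  <InstanceName>MyRTAdapterTransporter</InstanceName>
  <Name>RTAdapterTransporter</Name>
  <Next>MyInStream_Publisher</Next>
  <Parameters>
    <RTParserAdapterParameters>
      <Threading>
        <Parsers>-1</Parsers>
        <Publishers>-1</Publishers>
      </Threading>
    </RTParserAdapterParameters>
  </Parameters>
</Module>
"""


def effective_threads(parsers: int, publishers: int, logical_cores: int) -> Tuple[int, int]:
    """Resolve the -1 defaults: parser threads = logical cores / 2, one publisher thread
    per ten parser threads. Rounding down with a minimum of 1 is an assumption for
    counts that do not divide evenly."""
    if parsers == -1:
        parsers = max(1, logical_cores // 2)
    if publishers == -1:
        publishers = max(1, parsers // 10)
    return parsers, publishers


def _threading_element(root: ET.Element) -> ET.Element:
    threading = root.find(".//Threading")
    if threading is None:
        raise ValueError("no <Threading> element in adapter configuration")
    return threading


def read_threading(config_xml: str) -> Tuple[int, int]:
    """Return (Parsers, Publishers) as configured, -1 meaning 'let the adapter decide'."""
    threading = _threading_element(ET.fromstring(config_xml))
    return (int(threading.findtext("Parsers", "-1")),
            int(threading.findtext("Publishers", "-1")))


def write_threading(config_xml: str, parsers: int, publishers: int) -> str:
    """Return the configuration with explicit thread counts (both must be positive)."""
    if parsers < 1 or publishers < 1:
        raise ValueError("thread counts must be at least 1")
    root = ET.fromstring(config_xml)
    threading = _threading_element(root)
    threading.find("Parsers").text = str(parsers)
    threading.find("Publishers").text = str(publishers)
    return ET.tostring(root, encoding="unicode")


def tune(config_xml: str, logical_cores: int, input_queue_growing: bool,
         output_queue_growing: bool, step: int = 2) -> str:
    """Apply the rules of step 1: a growing Input Queue Size means more parser threads,
    a growing Output Queue Size means more publisher threads. Starts from the
    effective counts so a -1 default becomes an explicit, slightly larger value."""
    parsers, publishers = effective_threads(*read_threading(config_xml), logical_cores)
    if input_queue_growing:
        parsers += step
    if output_queue_growing:
        publishers += step
    return write_threading(config_xml, parsers, publishers)


if __name__ == "__main__":
    print("configured:", read_threading(SAMPLE_CONFIG))
    print("effective on 16 cores:", effective_threads(*read_threading(SAMPLE_CONFIG), 16))
    print(tune(SAMPLE_CONFIG, logical_cores=16, input_queue_growing=True, output_queue_growing=False))
```

After writing the new values, step 2 still applies: the adapter reads the file only at start-up, so stop and restart it, then watch QueueObserverIn again before changing anything else. Raise one of the two counts at a time; otherwise you cannot tell which queue the change helped.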

8.11 Archiving Log Data

SAP Enterprise Threat Detection provides a basic archiving function for the long term storage of log data.

Prerequisites

● The transfer_log_event_2_archive project is running on your SAP HANA smart data streaming.
● You have a location in your network file system with sufficient storage space for the archive files.

Context

The transfer_log_event_2_archive project writes log data from your log providers to file as it passes
through SAP HANA smart data streaming. The project saves data in its original form, in normalized form, and the
normalized user assignments. This data is saved in separate files for each category. You can decide whether the
data is saved in specific file sizes or whether a file is saved after a fixed unit of time.

Procedure

1. On SAP HANA smart data streaming, import the project sap.secmon.esp.esp_projects.transfer_log_event_2_archive.

For more information, see Importing the SAP HANA Smart Data Streaming Projects for SAP Enterprise
Threat Detection [page 24].
2. Configure the project.
a. In the SAP HANA smart data streaming Studio, open the SAP HANA smart data streaming Authoring
perspective.
b. In the Project Explorer, open transfer_log_event_2_archive > transfer_log_event_2_archive > transfer_log_event_2_archive.ccr.
c. On the Clusters tab, choose Discover.
d. Select the host under which the transfer_log_event_2_archive project runs.
e. On the Bindings tab, configure the transfer_log_event_2_archive bindings.

Use the Discover pushbutton. Make the settings for each binding as shown in the following table.

Table 41: Binding Details

Parameter       Description

Binding Type    Input Binding

Cluster         Same as the transfer_log_event_2_archive project.

Remote stream   Enter OriginalDataOut, NormalizedDataIn, or NormalizedUserAssignmentOut.

Workspace       Same as the transfer_log_event project.

Project         transfer_log_event_2_archive
3. Configure the DataFile adapters for each binding.

By default, the adapters are configured for a directory in a UNIX file system. If you run SAP HANA smart data
streaming on Windows, configure the target directories for a Windows file system.
a. In the SAP HANA smart data streaming Studio, open the SAP HANA smart data streaming Authoring
perspective.
b. In the Project Explorer, open transfer_log_event_2_archive > transfer_log_event_2_archive > transfer_log_event_2_archive.cclnotation.
c. Open the properties of the DataFile adapters and configure the parameters.

Table 42: Parameters of the DataFile Adapters

Parameter Names                           Default Value               Description

TimeBasedRotateOn<adapter>                FALSE                       Determines if the adapter saves values time-based or size-based. By default the adapter saves a file after it reaches a given size.

TimeBasedRotateIntervalinSecs<adapter>    10                          Disabled if TimeBasedRotateOn<adapter> is FALSE. Sets the number of seconds after which the adapter saves the archive file.

MaxFileSizeInBytes<adapter>               50000000                    Sets the maximum size in bytes a file can have before the adapter saves the archive file. Disabled if TimeBasedRotateOn<adapter> is TRUE.

FilePrefix<adapter>                       '<adapter>'                 Sets the prefix of the archive file name. The rest of the name includes an index and a time stamp.

FilePath<adapter>                         '/temp/esp/log/<adapter>'   Sets the path where the archive file is saved.
d. Save your entries.

4. Compile the project.

Run the following command.

<Installation_directory_of_SAP_HANA>/<SID>/streaming/STREAMING-1_0/streamingcompiler -i <project_name>.ccl -o bin/<project_name>.ccx
5. Deploy the project to the cluster workspace.

For more information, see Configuring and Deploying Projects to the Cluster Workspace [page 33].

8.12 Importing Archive Data

Import archived files from your network file system to perform historical forensic research.

Prerequisites

● The transfer_log_event_from_archive project is running on your SAP HANA smart data streaming.
● You have archived files of normalized events in a location in your network file system.

Context

The transfer_log_event_from_archive project reads archived log data. SAP HANA smart data streaming
passes these through the transfer_log_event project, normalizing the data if needed. Finally, the events are
stored in the database of SAP Enterprise Threat Detection.

Procedure

1. On SAP HANA smart data streaming, import the project sap.secmon.esp.esp_projects.transfer_log_event_from_archive.

For more information, see Importing the SAP HANA Smart Data Streaming Projects for SAP Enterprise
Threat Detection [page 24].

2. Configure the project.
a. In the SAP HANA smart data streaming Studio, open the SAP HANA smart data streaming Authoring
perspective.
b. In the Project Explorer, open transfer_log_event_from_archive > transfer_log_event_from_archive > transfer_log_event_from_archive.ccr.
c. On the Clusters tab, choose Discover.
d. Select the host under which the transfer_log_event_from_archive project runs.
e. On the Bindings tab, configure the transfer_log_event_from_archive bindings.

Use the Discover pushbutton. Make the settings for each binding as shown in the following table.

Table 43: Binding Details

Parameter       Description

Binding Type    Output Binding

Cluster         Same as the transfer_log_event_from_archive project.

Remote stream   Enter NormalizedDataOut.

Workspace       Same as the transfer_log_event project.

Project         transfer_log_event_from_archive

3. Configure the DataFile adapters for each binding.

By default, the adapters are configured for a directory in a UNIX file system. If you run SAP HANA smart data
streaming on Windows, configure the target directories for a Windows file system.
a. In the SAP HANA smart data streaming Studio, open the SAP HANA smart data streaming Authoring
perspective.
b. In the Project Explorer, open transfer_log_event_from_archive > transfer_log_event_from_archive > transfer_log_event_from_archive.cclnotation.
c. Open the properties of the DataFile adapters and configure the parameters.

Table 44: Parameters of the DataFile Adapters

Parameter Names              Default Value                         Description

FilePrefixNormalizedEvents   'NormalizedEvents'                    Sets the prefix of the archive file name. The rest of the name includes an index and a time stamp.

FilePathNormalizedEvents     '/temp/esp/log/NormalizedLogEvents'   Sets the path where the archive file is stored.
d. Save your entries.

4. Compile the project.

Run the following command.

<Installation_directory_of_SAP_HANA>/<SID>/streaming/STREAMING-1_0/streamingcompiler -i <project_name>.ccl -o bin/<project_name>.ccx
5. Deploy the project to the cluster workspace.

For more information, see Configuring and Deploying Projects to the Cluster Workspace [page 33].

9 Securing SAP Enterprise Threat Detection

Fundamental Security Guides

SAP Enterprise Threat Detection is built from SAP HANA platform, SAP HANA smart data streaming, and SAP
NetWeaver Application Server (SAP NetWeaver AS). Therefore, the corresponding security guides also apply to
SAP Enterprise Threat Detection.

Table 45: Fundamental Security Guides

Product                             Guide Title                                             Available at SAP Help Portal

SAP HANA platform                   SAP HANA Security Guide                                 http://help.sap.com/hana_platform under Security Information

SAP HANA smart data streaming       SAP HANA smart data streaming: Security Guide           http://help.sap.com/hana_options_sds under Security Information

SAP NetWeaver Application Server    SAP NetWeaver Application Server ABAP Security Guide    http://help.sap.com/nw_platform under Security Information > English > Security Guides for SAP NetWeaver Functional Units > Security Guides for the Application Server
                                    SAP NetWeaver Application Server Java Security Guide

9.1 User and Role Management

SAP Enterprise Threat Detection depends on its host systems for user and role management.

The authorizations delivered with SAP Enterprise Threat Detection are listed in the following sections. Otherwise
refer to the relevant security guides for SAP HANA platform, SAP HANA Smart Data Streaming, and SAP
NetWeaver AS.

Note
In particular, because the user interface runs on SAP HANA platform, pay close attention to the guidelines in
the SAP HANA Security Guide.

For more information, see SAP HANA User and Role Management in the SAP HANA Security Guide.

9.2 Authorizations of the Log Provider for SAP NetWeaver
Application Server for ABAP

The log provider that SAP Enterprise Threat Detection offers for SAP NetWeaver AS for ABAP uses the
authorization concept provided by SAP NetWeaver Application Server for ABAP (SAP NetWeaver AS for ABAP).

The recommendations and guidelines for authorizations as described in the SAP NetWeaver Application Server for
ABAP Security Guide also apply to the log provider.

Standard Roles and Standard Authorization Objects

The tables below show the standard roles and authorization objects that are used by the log provider for SAP
NetWeaver Application Server for ABAP.

Table 46: Standard Roles

Role                            Description

SAP_BC_SEC_MON_ADMINISTRATOR    Administration role for the log provider. This role protects access to the reports SECM_CONFIGURATION and SECM_LOG_2_ESP as well as the maintenance view for table SECM_LOGS.
                                The role contains authorization objects S_SEC_MON with the activity Administer and S_TABU_DIS, which by default grants change, display and maintenance authorizations to all tables in the table authorization group SECM.
                                Assign a copy of this role to the administrator of the log provider.

SAP_BC_SEC_MON_EXTRACTOR        This role contains all authorizations required to read, convert, and transfer logs to SAP HANA Smart Data Streaming.
                                Assign a copy of this role to the user that runs the batch job for the log provider.

Table 47: Standard Authorization Objects

Authorization Object    Field       Value               Description

S_SEC_MON               ACTVT       16                  Required to convert and transmit logs to SAP HANA Smart Data Streaming.

                                    70                  Required to access the administration interfaces of the log provider.

                        SECM_LOG    <SECM log type>     By default, all logs defined by the data element SDTE_SECM_LOG_TYPE are allowed. You can choose to allow access to only specific logs.

For more information, see Providing Logs from SAP NetWeaver Application Server for ABAP [page 66].

9.3 Authorizations of the Log Provider for SAP NetWeaver Application Server for Java

The log provider that SAP Enterprise Threat Detection offers for SAP NetWeaver AS for Java uses the
authorization concept provided by SAP NetWeaver Application Server for Java (SAP NetWeaver AS for Java).

The recommendations and guidelines for authorizations as described in the SAP NetWeaver AS for Java Security
Guide also apply to the log provider.

SAP Enterprise Threat Detection does not deliver any roles or authorization objects for SAP NetWeaver AS for
Java. To configure the log provider, you need administrator authorizations for SAP NetWeaver Administrator.

9.4 Authorizations of SAP Enterprise Threat Detection in SAP HANA

SAP Enterprise Threat Detection uses the authorization concept of SAP HANA.

The following table shows the application privileges delivered with SAP Enterprise Threat Detection.

Table 48: Application Privileges

sap.secmon.services::Execute
  Description: Provides basic access to the services that deliver data to the user interface of SAP Enterprise Threat Detection. With this privilege, you cannot view any data relevant to pattern configuration or to resolve user pseudonyms.
  Business Role: Operator of SAP Enterprise Threat Detection

sap.secmon.ui::Execute
  Description: Provides basic access to the user interface of SAP Enterprise Threat Detection. With this privilege, you cannot view any user interfaces relevant to pattern configuration or to resolve user pseudonyms.
  Business Role: Operator of SAP Enterprise Threat Detection

sap.secmon.services::Admin
  Description: Provides access to all services that deliver data to the user interface of SAP Enterprise Threat Detection. With this privilege, you cannot view any data relevant to resolving user pseudonyms.
  Business Role: Administrative user of SAP Enterprise Threat Detection

sap.secmon.ui::Admin
  Description: Provides access to all user interfaces of SAP Enterprise Threat Detection. With this privilege, you cannot view any user interfaces relevant to resolving user pseudonyms.
  Business Role: Administrative user of SAP Enterprise Threat Detection

sap.secmon.services::ResolveUser
  Description: Provides access to services that deliver data to the user interfaces that resolve user pseudonyms in SAP Enterprise Threat Detection.
  Business Role: User authorized to resolve user pseudonyms and determine the real person behind the user in log entries.
  Caution
  Local data privacy requirements govern who can legally view this information within an organization.

sap.secmon.ui::ResolveUser
  Description: Provides access to user interfaces relevant to resolving user pseudonyms in SAP Enterprise Threat Detection.
  Business Role: User authorized to resolve user pseudonyms and determine the real person behind the user in log entries (see the Caution above).

sap.secmon.services::ResolveUserOnAlertService
  Description: Provides access to the service that resolves user pseudonyms for alert publishing and for queries using the REST API for pulling alerts. With this privilege, you cannot actually resolve pseudonyms through the user interface.
  Business Role: User authorized to resolve user pseudonyms and determine the real person behind the user in log entries (see the Caution above).

In addition to the application privileges, a user of SAP Enterprise Threat Detection needs object privileges.

The following table shows the roles delivered with SAP Enterprise Threat Detection.

Caution
These roles are examples from which you can build your own roles. We reserve the right to update the roles we
deliver in future releases.

Table 49: Roles

sap.secmon.db::EtdAdmin
  Description: Includes all authorizations of the role EtdUser and defines ALTER, SELECT, INSERT, UPDATE, DELETE, EXECUTE access for tables under the secmon schema, and has the sap.secmon.services::Admin and sap.secmon.ui::Admin application privileges.
  Target User:
  ● Administrator for configuration.
  ● System user for running background jobs. For more information, see Starting Jobs for SAP Enterprise Threat Detection [page 18].

sap.secmon.db::EtdUser
  Description: Defines object privileges for tables and the sap.secmon.services::Execute, sap.secmon.ui::Execute, sap.hana.uis.privileges::AppSiteAccess:All, and sap.hana.uis.privileges::WidgetAccess:All application privileges. The last two privileges are necessary to use SAP Fiori launchpad.
  Target User: Operator or Manager

sap.secmon.db::EtdDataCommitter
  Description: Defines object privileges for log tables and user context tables.
  Target User: Service user in SAP HANA used by the SAP HANA Smart Data Streaming instance to commit data.

sap.secmon.db::EtdResolveUser
  Description: Defines object privileges for tables and the sap.secmon.services::ResolveUser and sap.secmon.ui::ResolveUser application privileges.
  Target User:
  ● User authorized to resolve user pseudonyms and determine the real person behind the user in log entries.
    Caution
    Local data privacy requirements govern who can legally view this information within an organization.
  ● System user for running the background job for pseudonymization. For more information, see Starting Jobs for SAP Enterprise Threat Detection [page 18].

9.5 Data and Network Security

SAP Enterprise Threat Detection pushes sensitive data from log providers through SAP HANA Smart Data
Streaming into SAP HANA platform. Protect this data to avoid information disclosure and conform to data
protection regulations.

Log Provider Data Flow

Log providers push data to SAP HANA Smart Data Streaming, which pushes data to SAP HANA platform. This
data can include personal data of users of the log providing systems as well as system information such as system
names and IP addresses that could be useful to an attacker. SAP Enterprise Threat Detection saves this data in
the SAP HANA platform. The following sequence diagram depicts this flow.

Figure 8: Data Flow for Log Providers

The data flow from log provider SAP NetWeaver Application Server to SAP HANA Smart Data Streaming runs over
a web service of SAP HANA Smart Data Streaming. Protect this data flow with transport layer security (TLS). The
data in the log provider is protected by the means provided by the log provider.

For more information about configuring TLS between log providers and SAP HANA Smart Data Streaming, see
Encrypting Communication Between Log Providers and the Web Service Provider [page 104].

The data flow from all other log providers, such as syslog, connects with the ports of the log learning adapter on
SAP HANA Smart Data Streaming. The log learning adapter provides the default ports as listed in the following
table.

Table 50: Ports of the Log Learning Adapter (Syslog)

Protocol   Default Port
TCP        10514
TLS        10443
UDP        5514

Check the Port element of the Parameters tag in the following file:

<HANA Installation path>/streaming/STREAMING-1_0/adapters/framework/instances/rtparseradapter/adapter_config.xml

Recommendation
We recommend locating log providers that use UDP within your intranet network, because the UDP port carries log data without TLS.

The data flow from SAP HANA Smart Data Streaming to SAP HANA runs over ODBC. Protect this data flow with
TLS.

For more information about configuring TLS between SAP HANA Smart Data Streaming and SAP HANA platform, see the security guides for your release of SAP HANA Smart Data Streaming and SAP HANA:

● http://help.sap.com/hana_options_sds for SAP HANA Smart Data Streaming on SAP Help Portal

Users with access to SAP HANA Smart Data Streaming projects for SAP Enterprise Threat Detection can also
view the data that passes through SAP HANA Smart Data Streaming.

Archiving

Optionally, you can use an SAP HANA Smart Data Streaming project to copy log data to file on the network file
system. This project is used for archiving. The archiving can be configured to save the raw data, normalized data,
and the normalized user assignment data. Limit access to the archive files according to local data protection laws
and the security policies of your organization.

For more information about archiving, see Archiving Log Data [page 125].

User Interface Data Flow

Users view event data from log providers in SAP HANA through the SAP UI5 applications provided by SAP
Enterprise Threat Detection. This data can include system information such as system names and IP addresses
that could be useful to an attacker. In specific use cases, this data can also include personal data of users of the
log providing systems.

Figure 9: Data Flow for the User Interface

The user of SAP Enterprise Threat Detection uses a web browser to access the SAP UI5 applications. These
applications in turn request the data from SAP HANA. SAP HANA returns the data to the application, which in turn
presents HTML to the web browser. Protect the access to the SAP UI5 application with TLS. The SAP UI5
application communicates internally with SAP HANA by means of a technical user. This technical user is
generated when you activate the connection during the installation of SAP Enterprise Threat Detection on SAP
HANA. All access to the tables of SAP Enterprise Threat Detection appears in the audit trail under this technical
user, not under the end user who triggered it.

For more information about activating the connection, see Activating the SQL Connection for the Technical User
[page 17].

For more information about configuring TLS on SAP HANA, see the security guide for your SAP HANA release:
Configuring HTTPS (SSL) for Client Application Access in the SAP HANA Security Guide on SAP Help Portal.

The data is stored in SAP HANA. SAP Enterprise Threat Detection protects access to the application with
authorizations. In addition, SAP Enterprise Threat Detection also pseudonymizes user IDs in the event data,
replacing user IDs with an alias in the user interface. SAP Enterprise Threat Detection gathers user context
information during the initial setup of the system and stores the personal information of the person represented
by a user ID in each system connected by SAP Enterprise Threat Detection. SAP Enterprise Threat Detection also
correlates this information between systems and tracks the pseudonyms assigned to these users. SAP Enterprise
Threat Detection provides an application to reveal the identity of the person behind a pseudonym and the list of
systems and user IDs known to SAP Enterprise Threat Detection. The example role EtdResolveUser contains the
authorizations used to protect access to this application. Your data protection policy or local regulations may
define what users should have access to this application. To further protect users whose identity has been
revealed, SAP Enterprise Threat Detection regenerates pseudonyms once a week. This measure prevents an
administrator from looking up a user identity once and then tracking the user over time by maintaining a separate
list of pseudonym-identity correlations.

Caution
The other example roles provided with SAP Enterprise Threat Detection contain authorizations to view the
table data in SAP Enterprise Threat Detection. Users with these roles who should not have access to the personal
information of other users must not be granted access to database management or development tools on SAP
HANA, such as SAP HANA studio, because those tools bypass the pseudonymization in the user interface.

For more information about the tables used to store user information, see User Context in the SAP Enterprise
Threat Detection Operations Guide.

For more information about pseudonymization, see Pseudonymization in the SAP Enterprise Threat Detection
Operations Guide.

Data Encryption

Tip
We recommend that you encrypt the data volumes of SAP HANA platform.

For more information, see the security guide for your SAP HANA release: Data Storage Security in SAP HANA
in the SAP HANA Security Guide on SAP Help Portal.

A Appendix

A.1 Recommendations When Upgrading SAP HANA Smart Data Streaming and SAP Enterprise Threat Detection

In the unlikely event that you have to upgrade your SAP HANA Smart Data Streaming during the installation
of SAP Enterprise Threat Detection, there are a few pitfalls you can avoid.

● Save a copy of your license file.
  Find the file in Sybase/SYSAM-2_0/licenses/SYBASE.lic.
  If the upgrade created a temporary license, you can restore your licenses from your backup.
● Save the parameters section of any *.ccr files.
  When you copy over new versions of the projects, you can copy the values of these parameters back into the
  relevant sections.
● If installing new versions of projects for SAP Enterprise Threat Detection, be sure to select the option to delete
  files from disk when removing old projects from SAP HANA smart data streaming.
  You cannot import new versions of the projects unless you have completely removed the old versions.
● If after a restart the SAP HANA services have the status DEAD, try reading the properties of the data
  services in the SAP HANA smart data streaming studio. If that does not work, reinstall the services.
  For more information, see Creating Data Services for SAP HANA [page 27].

A.2 Example of Configuration Settings in SAP Enterprise Threat Detection

The table below attempts to provide a roadmap for the different configuration settings in different files on
different systems.

Table 51: Relationships Between Configuration Settings

The table relates settings in the SAP ESP files (.odbc.ini, service.xml, wsp.xml, transfer_log_event.ccr and transfer_master_data.ccr, and the running SAP HANA Smart Data Streaming projects) to the corresponding SAP NetWeaver AS for ABAP parameters and SAP HANA prerequisites. Each group below is one row of the table.

.odbc.ini: [HDB] area must exist
service.xml: <Service Name="HDB"..<Parameter Name="DSN">HDB</Parameter>
transfer_log_event.ccr / transfer_master_data.ccr: <Parameter name="ODBCName">HDB</Parameter>

.odbc.ini: UID=ESP_COMM_USER
service.xml: <Parameter Name="User">ESP_COMM_USER</Parameter>
SAP HANA: User ESP_COMM_USER must exist

.odbc.ini: PWD=Password
service.xml: <Parameter Name="Password">...</Parameter>

wsp.xml: <protocol>http</protocol> or <protocol>https</protocol>
SAP NetWeaver AS for ABAP: Web Service/REST Protocol (HTTP/HTTPS)

wsp.xml: <restPort>12345</restPort>
SAP NetWeaver AS for ABAP: Web Service/REST Port: 12345, in case there is no re-routing

Running SAP HANA Smart Data Streaming projects: Both projects must be deployed in the same workspace: default/transfer_log_event and default/transfer_master_data
SAP NetWeaver AS for ABAP: ESP Workspace: default

wsp.xml: <DefaultCluster><Hostname>esp_Cluster_Host_name</Hostname>
SAP NetWeaver AS for ABAP: Host Name: esp_Cluster_Host_name

wsp.xml: <DefaultCluster><Port>19011</Port>
SAP NetWeaver AS for ABAP: Cluster port: 19011

SAP NetWeaver AS for ABAP: User: abcde (must exist on OS level in the ESP server with corresponding authorizations)

wsp.xml: <webSocket enabled="true">
SAP NetWeaver AS for ABAP: Enable SSL: x or '' (empty)
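The relationships in Table 51, together with the TLS recommendation for the log provider data flow in Data and Network Security, can be checked mechanically before the first log provider is connected. The following script is an added example, not SAP's code; it assumes that .odbc.ini, service.xml and wsp.xml contain exactly the fragments shown in Table 51 (real files may carry further elements) and runs on constructed sample contents embedded below.

```python
"""Cross-check .odbc.ini, service.xml and wsp.xml against the Table 51 rules."""
import configparser
import xml.etree.ElementTree as ET

# Constructed sample files modelled on the fragments in Table 51;
# they are not real SAP installation files.
ODBC_INI = """
[HDB]
UID=ESP_COMM_USER
PWD=Password
"""
SERVICE_XML = """<Services>
  <Service Name="HDB">
    <Parameter Name="DSN">HDB</Parameter>
    <Parameter Name="User">ESP_COMM_USER</Parameter>
    <Parameter Name="Password">Password</Parameter>
  </Service>
</Services>"""
WSP_XML = """<wsp>
  <protocol>http</protocol>
  <restPort>12345</restPort>
  <DefaultCluster><Hostname>esp_Cluster_Host_name</Hostname><Port>19011</Port></DefaultCluster>
  <webSocket enabled="true"/>
</wsp>"""


def check_streaming_config(odbc_ini, service_xml, wsp_xml):
    """Return a list of findings; an empty list means the files agree and use TLS."""
    findings = []
    # .odbc.ini: the [HDB] area must exist; its UID is the user service.xml reuses.
    ini = configparser.ConfigParser()
    ini.read_string(odbc_ini)
    odbc_user = ini["HDB"].get("UID") if ini.has_section("HDB") else None
    if odbc_user is None:
        findings.append("odbc: [HDB] section or UID missing")

    # service.xml: the HDB service must use DSN "HDB" and the same user as .odbc.ini.
    svc = ET.fromstring(service_xml).find("./Service[@Name='HDB']")
    if svc is None:
        findings.append('service: no <Service Name="HDB">')
    else:
        params = {p.get("Name"): (p.text or "").strip() for p in svc.findall("Parameter")}
        if params.get("DSN") != "HDB":
            findings.append("service: DSN is %r, expected 'HDB'" % params.get("DSN"))
        if odbc_user and params.get("User") != odbc_user:
            findings.append("service: User %r differs from .odbc.ini UID %r"
                            % (params.get("User"), odbc_user))

    # wsp.xml: the web service should use https (TLS) and name the cluster host.
    wsp = ET.fromstring(wsp_xml)
    proto = (wsp.findtext("protocol") or "").strip().lower()
    if proto != "https":
        findings.append("wsp: protocol is %r, not https" % proto)
    if not (wsp.findtext("DefaultCluster/Hostname") or "").strip():
        findings.append("wsp: DefaultCluster Hostname missing")
    ws = wsp.find("webSocket")
    if ws is None or ws.get("enabled", "").lower() != "true":
        findings.append("wsp: webSocket not enabled")
    return findings
```

On the constructed sample the only finding is the plain-http protocol in wsp.xml, which is exactly the setting the TLS recommendation above tells you to change.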

A.3 Document History

The following table provides an overview on the most important document changes.

Caution
Before you start the implementation, make sure that you have the latest version of this document that is
available on SAP Help Portal at http://help.sap.com/sapetd.

Table 52: Document History

Version  Date        Description
1.0      2014-10-15  Initial release.
1.1      2015-03-16  Updated content for SP01. Moved sizing information to Sizing Guide. New chapters for SAP HANA and other log providers. Added chapter for additional configurations.
1.2      2015-05-12  Updated content for SP01 patch 01. Added new jobs for SAP HANA. Adjusted installation for concurrent use of both log learning and gateway log adapters. Updated process for learning new logs and adding content to the knowledge base. Changed SAP Note for log provider for SAP NetWeaver Application Server for ABAP.
1.3      2015-07-22  Updated content for SP02. Updated installation for new SAP ESP release. Added chapters for SAP NetWeaver Application Server for Java and for SAP Identity Management.
1.4      2015-12-10  Updated content for SP02 patch 01. Corrections in file paths and delivery unit for installation on SAP ESP. Added TCP configuration for log learning adapter.
1.5      2016-02-26  Updated content for SP03. Added archiving function. Updated system requirements for new SAP HANA version. Added recommendations for upgrade. New procedure on SAP HANA for SQL connection for technical user. Updated adapter installation on SAP ESP including project name changes. Updated project compilation on SAP ESP. New configuration for Java heap size. Additional information for user change log SAP NetWeaver Application Server for ABAP. Updates for changes in data model: semantic events and semantic attributes. Added alert publishing. Added performance monitoring.
1.6      2016-03-11  Updated system requirements for new SAP ESP version.
1.7      2016-06-30  Updated content for SP04. Updated system requirements for SAP HANA. Changed the streaming component from SAP ESP to SAP HANA Smart Data Streaming. New procedure on SAP HANA for SQL connection for technical user. Updated adapter installation on SAP HANA Smart Data Streaming. Updated project compilation on SAP HANA Smart Data Streaming. Updated sections on SAP HANA jobs and the SAP ESP Web Service Provider.
1.8      2016-12-19  Updated content for SP05.
1.9      2017-02-10  Updated content for SP05 PL01.
1.10     2017-03-01  Updated the section about providing logs from other systems with log learning. Minor updates to the section about jobs for SAP Enterprise Threat Detection.
1.11     2017-03-07  Minor corrections in chapter 2.4.1.
1.12     2017-03-20  Some corrections in section Configuring and Deploying Projects to the Cluster Workspace.
1.13     2017-09-17  Updated content for SP06.

Important Disclaimers and Legal Information

Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system
environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and
completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP
intentionally or by SAP's gross negligence.

Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a
binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does
not apply in cases of willful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.

Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales
person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not
exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not
warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages
caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency
(see: http://help.sap.com/disclaimer).

go.sap.com/registration/contact.html

© 2017 SAP SE or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP SE
or an SAP affiliate company. The information contained herein may
be changed without prior notice.
Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software
vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company
for informational purposes only, without representation or warranty
of any kind, and SAP or its affiliated companies shall not be liable for
errors or omissions with respect to the materials. The only
warranties for SAP or SAP affiliate company products and services
are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein
should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks
of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the
trademarks of their respective companies.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
