Enterprise Threat Monitor for SAP
Overview
Details
ETM uses machine learning to adapt to your organization's SAP usage patterns and to reduce noise when detecting threats. This allows SOC teams to spend significantly less time in reviewing the events.
With Enterprise Threat Monitor, you don't need to send raw SAP security logs to Splunk and build and maintain your own use cases. It just works.
Integrating SAP security events with Splunk
Enterprise Threat Monitor monitors SAP systems for threats such as:
- SAP debugging is used for bypassing transaction authorizations
- A user downloaded customer master data of a production system
- An SAP system is opened to changes
- An HR terminated employee's SAP account is used for connecting to an SAP system
- Failed logons of multiple SAP users from the same workstation
- An unauthorized user assigned a critical SAP role to another user
- Account sharing
ETM connects to SAP systems and analyzes different information sources for determining the threats. Analysis includes SAP security logs, system logs, SAP change documents, transport records, user master data changes, ESNC’s fraud related analysis results and many others.
ETM correlates these events via user behavior analysis and its SAP-specific attack signatures, including zero-day vulnerabilities:
Click for more information how you can integrate SAP and Splunk using Enterprise Threat Monitor.
Additional Information:
Below you can find information for configuring and running Enterprise Threat Monitor
Configuring the SAP system
Please click for instructions for activating SAP Security Monitoring on your landscape.
Implementing an Efficient Detection and Response process
Enterprise Threat Monitor uses the Efficient Security Response (ESR) methodology to build an efficient process for responding to threats and training the system so that your business activity is learned and noise is eliminated in a short time.
For more information about the ESR methodology you can refer to: Responding to SAP attacks
Protection against Zero-Days
You can refer to a case study of SAP specific 0-days using the link: Protecting SAP GRC
Protection, Detection and Response for SAP Systems
Enterprise Threat Monitor is the SAP real-time monitoring and threat detection component of ESNC Security Suite. Click to find out how ETM builds a safety net for SAP security vulnerabilities that ESNC Security Suite discovers, including vulnerabilities in custom ABAP code. You can also import your SAP security audit results to ETM.
Downloading the Threat Detection Engine for SAP
Please use this link to download Enterprise Threat Monitor components for connecting your SAP system to Splunk.
Contacting Us
Please don't hesitate to contact us if you require any assistance.
Release Notes
Version 3.1.92
- Over 100 new SAP specific threat monitoring cases added, including detection of malicious SAP transports.
- Work less: improved Adaptive Noise Reduction (ANR) eliminated over 98% of false positives at a recent real-world implementation.
- User Behavior Analytics (UBA) specific to SAP applications improved
- Update ETM agent to latest to receive the 2020 updates.