Messages from the multiple log sources that feed into SAP Enterprise Threat Detection are normalized, so that you can search across logs. This blog is the first in a series that explains the normalized data model, which consists of semantic events and associated semantic attributes.
Semantic events and attributes represent which software did what on behalf of which user, etc. In this blog we concentrate on the software.
Most software usually reports only its own actions, and reports on other software only to the extent that it is involved in the action. In this regard log messages resemble a first-person monologue, e.g., for each blocking action it performs a web filter might say:
"I blocked an HTTP request from an HTTP client to an HTTP server."
In graphic terms, you may want a global view. Maybe you have in mind something like Picture 1.
But, the situation represented in logs has more in common with Picture 2.
In accordance with this observation about logs, the semantic event model, which is shown in Figure 1, is actor/action centric. A software actor performs some action. Roles of other software involved in the action are assigned relative to the actor/action, reflecting the local view of the actor.
Take as an example an RFC call from the SAP system ERP/000 to the SAP system ERP/102 as shown in Figure 2. Both systems send business transaction logs and security audit logs to SAP Enterprise Threat Detection.
The RFC client, ERP/000, performs the action call.
The RFC server, ERP/102 performs the action run.
The respective semantic events from the business transaction log are:
Note that extractors in SAP Enterprise Threat Detection process the logs and create message-type codes that are mapped to the semantic events.
Event names are chosen to create a good sorting order and have 3 main elements: Box, Object, Action
Screen shot 1 shows how the software involved in the event is identified using semantic attributes.
The software type of the actor is identified by the attribute ServiceType. Other types are not explicitly identified, since they usually follow from the actor's type. The system that the software runs on is identified by SystemIdActor. For the call event, this is ERP/000, since it does the call. For the run event, it is ERP/102, since it runs the function module. Notice that the role of the software or host is the last word of the attribute name. You can think of everything in front of the role as being the attribute type, e.g., SystemId.
For the call event, the target of the call is identified by SystemIdTarget, and is ERP/102
For the run event, the initiator of the action is identified by SystemIdInitiator, and is ERP/000
There are actually three ways to identify the system or host playing a particular role, where <role> can be one of Actor, Initiator, Target, Reporter, or Intermediary. Intermediary is not used often, so is not explained here.
A system or host can be identified by:
Screen shot 2 shows NetworkHostnameInitiator which contains the terminal ID of the terminal that initiated the RFC call.
Screen shot 2 is a different view of the two business transaction events in screen shot 1. It also adds an event from the security audit log. The event source is distinguished by the EventLogType attribute. The security audit log only logs the server side of the call, the run event. On the other hand, it does specify that the run succeeded, whereas the business transaction log does not, since it exists primarily to record performance statistics.
An important point to note is that a message type from the security audit log is mapped to the same semantic event as a message type from the business transaction log, enabling both to be found with a search for one semantic event, thereby achieving the desired capability to search across logs.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
7 | |
6 | |
4 | |
4 | |
3 | |
3 | |
2 | |
2 | |
2 |