Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 

SAP Enterprise Threat Detection enables companies to detect attacks or analyze the business impact of an known attack. It is about:

  • Security monitoring in real time – including historical data

  • Big data to actionable, high quality indicators

  • Market leading in-memory technology

  • Identify anomalies within your landscape

The focus of SAP Enterprise Threat Detection is to monitor SAP landscapes but is open to integrate also any non-SAP content. The solution provides techniques to receive security relevant data from the SAP system landscape and out-of-the-box rules to detect an external or insider attack.

But security has to be a common goal within a company, so integration is very important. There is not the ONE magic solution, which is able to protect the complete landscape (network, mobile, on-premise, cloud, social, dark web, virus scanner, applications, business processes, permissions, roles, ...). In large enterprise there is also not ONE team with a deep knowledge on all security aspects. But it is important to integrate the alerts for an security operation center to have an holistic view.


So how to integrate with SAP Enterprise Threat Detection?


Use case A: Integrate/consume other data sources

  1. Partners provide content/services to integrate non-SAP data in SAP Enterprise Threat Detection -> see first blogs on:

  2. Integrate non-SAP content

    1. Via SAP ETD  log learning (files and syslog) -> no coding

    2. Via SAP HANA Smart Data Streaming (SDS) which is part of SAP ETD -> coding required but extremely flexible + reuse of SDS standard components (ODBC, JDBC, File connector…)


Use case B: SAP ETD shares alerts with other systems (example: SIEM) ( --> implementation guide)

  1. SAP ETD sends automatically an alert when it occurs (alert publishing)

  2. The other solution asks regularly for new information (alert pulling)

Use case B is realized via HTTP(s) and the JSON Format.

Example JSON Format:

Example (?$query=AlertId eq 10923923)



"Version": "1.0",

"AlertCreationTimestamp": "2016-02-10T12:00:00.000Z",

"AlertId": 12086661,

"AlertSeverity": "HIGH",

"AlertStatus": "CRITICAL",

"AlertSource": {

"SystemIdActor": "ABC/000",

"NetworkHostnameInitiator": xx.xx.xx.xx,

"UserPseudonymActing": {

"Pseudonym": "ZIILS-5181"



"AlertSystemIds": [



"HostNames": [



"PatternName": "Blacklisted transactions",

"PatternNameSpace": "",

"PatternDescription": "A blacklisted transaction has been executed.",

"Text": "Measurement 3 exceeded the threshold 1 for (User Pseudonym, Acting/System ID, Actor/Network, Hostname, Initiator) = ('ZUVLS-5181'/'ABC/000'/'null')",

"Score": 75,

"UiLink": "http:///sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?",

"TriggeringEvents": [


"Id": "436F6D62F3D47F017D31E4C7DC2A0500",

"Timestamp": "2016-02-10T12:14:47.000Z",

"TechnicalLogEntryType": "STAD_EXEC",

"TechnicalTimestampOfInsertion": "2016-02-10T12:15:08.084Z",

"CorrelationId": "FA163E2CA3221ED5B3FDFAC1349F85BB",

"CorrelationSubId": "00000000000000000000000000000000",

"EventCode": "STADEntry",

"EventSemantic": "Executable, Run",

"EventLogType": "BusinessTransactionLog",

"EventSourceId": "ABC/000",

"EventSourceType": "ABAP",

"ParameterValueString": "SAPLWB_MANAGER",

"ResourceSize": "319497",

"ResourceType": "Bytes transferred",

"ResourceUnitsOfMeasure": "Bytes",

"ServiceTransactionName": "SE37",

"EventName": "ExecutableRun",

"EventNamespace": ""