You will notice that instead of a single delivery (DU) unit for installation, there are two additional ones. There is a content DU that is intended for delivering extra content after the initial release of the support package. For example, it could contain additional patterns as a result of a new SAP Security Note being published. The other DU contains sample data for test and demonstration purposes.
I regularly create new instances of ETD for testing, or for demonstrations or workshops. For some customers, the first step in a proof of concept is to get familiar with ETD. We have the same problem - getting realistic test data into ETD without setting up a landscape and playing through attack scenarios. So now there is the new DU with sample data for a scenario called In-House Threat.
By choosing a start date and then clicking on Generate, data and a sample workspace will be created.
In the workspace, graphs showing attack activities indicate how the attack progressed:
Failed logon attempts with SAP* user
Successful logon with SAP* user
Activities of SAP* user
Activities of changed user
Research on systems vulnerability
Access to customer master data
Forwarding customer master data
Maybe you would like to create your own workspace and attempt an analysis before looking the delivered "solution".
Detecting Malicious Domains
Another new feature is the ability to analyze domain calls in your system landscape. Indicators are generated if a domain is deemed to be potentially malicious, and these indicators can be used in your own attack detection patterns. What makes this particularly interesting is that it is the first use of supervised machine learning in ETD.
Relevant SAP Notes 2342436 - Release Note SAP Enterprise Threat Detection 1.0 SP05