There are a lot of things to like about the latest version of SAP Enterprise Threat Detection. In this blog I am going to introduce one of the more subtle improvements – semantic events.
Take a look at the screenshot and compare the two filter paths. Can you guess what each does?
If you are intimately familiar with the Security Audit Log in AS ABAP, you will of course know that the event ID AU2 indicates that a user has attempted a dialog logon and failed. If the Security Audit Log is less familiar to you, I suspect you would rather deal with the semantic event "User, logon, failure, dialog".
Usability is not the only difference, though. In the screenshot both paths find the same event, but only because the failed logon happened to take place in an ABAP system: Path1 filters on the raw event ID AU2, which exists only in the Security Audit Log of AS ABAP, whereas Path2 filters on the semantic event and is therefore not restricted to events from ABAP systems; it also matches failed dialog logons reported by the other log sources that SAP Enterprise Threat Detection normalizes into the same semantic vocabulary. This is why many of the attack detection patterns delivered in SP02 are now based on semantic events: it broadens their applicability without changing what the pattern looks for.
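To make the difference between the two filter paths concrete, here is an added illustration (my own example code, not SAP Enterprise Threat Detection's implementation) of normalizing raw log records from two sources into semantic events and then running both filter styles, plus a simple threshold pattern built on the semantic event. The simplified ABAP Security Audit Log records, the second "GENERIC" log source with its field names, the user and system IDs, and the semantic path for successful logons are all constructed for the example; only AU2 and the path "User, logon, failure, dialog" come from the text.

```python
"""Raw event ID filter (Path1) vs. semantic event filter (Path2).
Added example, not SAP ETD code. All record formats, the GENERIC source,
and the sample data below are constructed for illustration."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SemanticEvent = Tuple[str, str, str, str]

# Semantic event path quoted in the blog.
USER_LOGON_FAILURE_DIALOG: SemanticEvent = ("User", "logon", "failure", "dialog")
# Assumed companion path for successful dialog logons (not taken from the page).
USER_LOGON_SUCCESS_DIALOG: SemanticEvent = ("User", "logon", "success", "dialog")

# AS ABAP Security Audit Log event IDs -> semantic event.
# AU2 = failed dialog logon (as stated in the blog); AU1 = successful dialog logon.
SAL_TO_SEMANTIC: Dict[str, SemanticEvent] = {
    "AU2": USER_LOGON_FAILURE_DIALOG,
    "AU1": USER_LOGON_SUCCESS_DIALOG,
}


@dataclass(frozen=True)
class NormalizedEvent:
    system_type: str                 # "ABAP" or the hypothetical "GENERIC"
    system_id: str
    user: str
    timestamp: int                   # seconds, constructed
    raw_event_id: Optional[str]      # only ABAP SAL records carry an event ID
    semantic_event: Optional[SemanticEvent]


def normalize_abap_sal(rec: dict) -> NormalizedEvent:
    """Map a simplified (constructed) ABAP SAL record to a normalized event.
    Unknown event IDs keep their raw ID but get no semantic event."""
    return NormalizedEvent("ABAP", rec["sid"], rec["user"], rec["ts"],
                           rec["event_id"], SAL_TO_SEMANTIC.get(rec["event_id"]))


def normalize_generic(rec: dict) -> NormalizedEvent:
    """Map a hypothetical non-ABAP log record (fields invented here) into the
    same semantic vocabulary. This source has no AU2; mapping is by meaning."""
    sem = None
    if rec["action"] == "login" and rec["channel"] == "interactive":
        sem = (USER_LOGON_FAILURE_DIALOG if rec["result"] == "failed"
               else USER_LOGON_SUCCESS_DIALOG)
    return NormalizedEvent("GENERIC", rec["sid"], rec["user"], rec["ts"], None, sem)


def path1_raw_au2(events: List[NormalizedEvent]) -> List[NormalizedEvent]:
    """Path1: filter on log type and raw event ID. Only ABAP systems can match."""
    return [e for e in events if e.system_type == "ABAP" and e.raw_event_id == "AU2"]


def path2_semantic(events: List[NormalizedEvent]) -> List[NormalizedEvent]:
    """Path2: filter on the semantic event. Matches any normalized source."""
    return [e for e in events if e.semantic_event == USER_LOGON_FAILURE_DIALOG]


def failed_dialog_logons_per_user(events: List[NormalizedEvent],
                                  threshold: int, window_seconds: int) -> Dict[str, int]:
    """Pattern on the semantic event: users whose failed dialog logons reach
    `threshold` inside any sliding window, counted across all systems."""
    by_user: Dict[str, List[int]] = defaultdict(list)
    for e in path2_semantic(events):
        by_user[e.user].append(e.timestamp)
    hits: Dict[str, int] = {}
    for user, stamps in by_user.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[user] = best
    return hits


# Constructed sample input: two ABAP AU2 failures and two failures from the
# hypothetical GENERIC source, all for the same user, plus two successes.
ABAP_SAL_RECORDS = [
    {"sid": "PRD", "user": "JSMITH", "event_id": "AU2", "ts": 100},
    {"sid": "PRD", "user": "JSMITH", "event_id": "AU2", "ts": 130},
    {"sid": "PRD", "user": "AADMIN", "event_id": "AU1", "ts": 140},
]
GENERIC_RECORDS = [
    {"sid": "JP1", "user": "JSMITH", "action": "login", "result": "failed", "channel": "interactive", "ts": 160},
    {"sid": "JP1", "user": "JSMITH", "action": "login", "result": "failed", "channel": "interactive", "ts": 190},
    {"sid": "JP1", "user": "BOB", "action": "login", "result": "ok", "channel": "interactive", "ts": 200},
]


def all_events() -> List[NormalizedEvent]:
    return ([normalize_abap_sal(r) for r in ABAP_SAL_RECORDS]
            + [normalize_generic(r) for r in GENERIC_RECORDS])


if __name__ == "__main__":
    evs = all_events()
    print("Path1 (raw AU2):     ", len(path1_raw_au2(evs)), "hits")
    print("Path2 (semantic):    ", len(path2_semantic(evs)), "hits")
    print("3 failures in 120 s: ", failed_dialog_logons_per_user(evs, 3, 120))
```

With this data Path1 sees only the two ABAP failures, while Path2 sees all four, so a pattern requiring three failed dialog logons within two minutes fires on the semantic events but never would on the raw AU2 filter alone, even though both describe the same user behaviour.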
Relevant SAP Notes
2139392 - Release Note SAP Enterprise Threat Detection 1.0 SP02