Utilizing user behavior analytics for classifying SAP security incidents efficiently

Enterprise Threat Monitor automatically analyzes SAP usage patterns and allows SOC teams to investigate and classify incidents efficiently. Let’s take a look at the following detected threat:

The finding shows that payroll information is accessed by HRMANAGER user and the event time and the workstation shows suspicious patterns.

Incident or non-incident? HRMANAGER is supposed to access HR data

At first sight it appears that this user activity is a legitimate behavior. Further analysis reveals that this may be someone who obtained the account name and password of the HRMANAGER user.

By utilizing user behavior analysis, incidents can be distinguished from non-incidents efficiently

Detecting Suspicious Logons

Enterprise Threat Monitor keeps track of workstations the users are using for accessing SAP systems. This allows building a baseline of user activity patterns based user location.

By correlating this information Enterprise Threat Monitor informs the security analyst if the originating activity is from an unidentified or suspicious workstation.

SAP logon anomaly – ETM detects suspicious logon time

Enterprise Threat Monitor continuously analyzes user activity and behavioral patterns based on user logon hours. When ETM detects an anomaly, it informs the analyst by showing an exclamation mark near the event time, giving the user a hint that something may be suspicious.

By clicking on the details the analyst receives information about the anomaly, based on user’s usual logon patterns.

The following heatmap shows the number of weeks which user showed activity during certain time slots. ETM warns that the user did not previously logon on a sunday evening, and this activity may be an incident:

In-depth analysis and classification of the incident

Enterprise Threat Monitor shows detailed information about the workstations HRMANAGER uses for accessing SAP systems. Furthermore, Enterprise Threat Monitor shows users which perform activity from the suspicious workstation.

The following information shows that the suspicious workstation is commonly used by a person from the sales team.

Security analyst can classify this as an incident and perform further analysis and forensics:


Detecting and classifying attacks is a time consuming task. Enterprise Threat Monitor builds the bridge between SAP specific knowledge and security analyst for accomplishing these tasks with high accuracy using an efficient process.