Microsoft Sentinel solution for SAP applications: security content reference
This article details the security content available for the Microsoft Sentinel Solution for SAP.
Important
While the Microsoft Sentinel solution for SAP applications is in GA, some specific components remain in PREVIEW. This article indicates the components that are in preview in the relevant sections below. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Available security content includes built-in workbooks and analytics rules. You can also add SAP-related watchlists to use in your search, detection rules, threat hunting, and response playbooks.
Content in this article is intended for your security team.
Built-in workbooks
Use the following built-in workbooks to visualize and monitor data ingested via the SAP data connector. After you deploy the SAP solution, you can find SAP workbooks in the Templates tab.
| Workbook name | Description | Logs |
|---|---|---|
| SAP - Audit Log Browser | Displays data such as: - General system health, including user sign-ins over time, events ingested by the system, message classes and IDs, and ABAP programs run -Severities of events occurring in your system - Authentication and authorization events occurring in your system |
Uses data from the following log: ABAPAuditLog_CL |
| SAP Audit Controls | Helps you check your SAP environment's security controls for compliance with your chosen control framework, using tools for you to do the following: - Assign analytics rules in your environment to specific security controls and control families - Monitor and categorize the incidents generated by the SAP solution-based analytics rules - Report on your compliance |
Uses data from the following tables: - SecurityAlert- SecurityIncident |
For more information, see Tutorial: Visualize and monitor your data and Deploy Microsoft Sentinel solution for SAP applications.
Built-in analytics rules
This section describes a selection of built-in analytics rules provided together with the Microsoft Sentinel solution for SAP applications. For the most recent updates, check the Microsoft Sentinel content hub for new and updated rules.
Monitor the configuration of static SAP security parameters (Preview)
To secure the SAP system, SAP has identified security-related parameters that need to be monitored for changes. With the "SAP - (Preview) Sensitive Static Parameter has Changed" rule, the Microsoft Sentinel solution for SAP applications tracks over 52 static security-related parameters in the SAP system, which are built into Microsoft Sentinel.
Note
For the Microsoft Sentinel solution for SAP applications to successfully monitor the SAP security parameters, the solution needs to successfully monitor the SAP PAHI table at regular intervals. For more information, see Verify that the PAHI table is updated at regular intervals.
To understand parameter changes in the system, the Microsoft Sentinel solution for SAP applications uses the parameter history table, which records changes made to system parameters every hour.
The parameters are also reflected in the SAPSystemParameters watchlist. This watchlist allows users to add new parameters, disable existing parameters, and modify the values and severities per parameter and system role in production or nonproduction environments.
When a change is made to one of these parameters, Microsoft Sentinel checks to see if the change is security-related and if the value is set according to the recommended values. If the change is suspected as outside the safe zone, Microsoft Sentinel creates an incident detailing the change, and identifies who made the change.
Review the list of parameters that this rule monitors.
Monitor the SAP audit log
Many of the analytics rules in the Microsoft Sentinel solution for SAP applications use SAP audit log data. Some analytics rules look for specific events in the log, while others correlate indications from several logs to create high-fidelity alerts and incidents.
Use the following analytics rules to either monitor all audit log events on your SAP system or trigger alerts only when anomalies are detected:
| Rule name | Description |
|---|---|
| SAP - Missing configuration in the Dynamic Security Audit Log Monitor | By default, runs daily to provide configuration recommendations for the SAP audit log module. Use the rule template to create and customize a rule for your workspace. |
| SAP - Dynamic Deterministic Audit Log Monitor (PREVIEW) | By default, runs every 10 minutes and focuses on the SAP audit log events marked as Deterministic. Use the rule template to create and customize a rule for your workspace, such as for a lower false positive rate. This rule requires deterministic alert thresholds and user exclusion rules. |
| SAP - Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW) | By default, runs hourly and focuses on SAP events marked as AnomaliesOnly, alerting on SAP audit log events when anomalies are detected. This rule applies extra machine learning algorithms to filter out background noise in an unsupervised manner. |
By default, most event types or SAP message IDs in the SAP audit log are sent to the anomaly based Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW) analytics rule, while the easier to define event types are sent to the deterministic Dynamic Deterministic Audit Log Monitor (PREVIEW) analytics rule. This setting, along with other related settings, can be further configured to suit any system conditions.
The SAP audit log monitoring rules are delivered as part of the Microsoft Sentinel for SAP solution security content, and allow for further fine tuning using the SAP_Dynamic_Audit_Log_Monitor_Configuration and SAP_User_Config watchlists.
For example, the following table lists several examples of how you can use the SAP_Dynamic_Audit_Log_Monitor_Configuration watchlist to configure the types of events that produce incidents, reducing the number of incidents generated.
| Option | Description |
|---|---|
| Set severities and disable unwanted events | By default, both the deterministic rules and the rules based on anomalies create alerts for events marked with medium and high severities. You might want to configure severities separately production and nonproduction environments. For example, you might set a debugging activity event as high severity in production systems, and turn off the same events entirely in nonproduction systems. |
| Exclude users by their SAP roles or SAP profiles | Microsoft Sentinel for SAP ingests the SAP user’s authorization profile, including direct and indirect role assignments, groups, and profiles, so that you can speak the SAP language in your SIEM. You might want to configure an SAP event to exclude users based on their SAP roles and profiles. In the watchlist, add the roles or profiles that group your RFC interface users in the RolesTagsToExclude column, next to the Generic table access by RFC event. This configuration triggers alerts only for users that are missing these roles. |
| Exclude users by their SOC tags | Use tags to create your own grouping, without relying on complicated SAP definitions or even without SAP authorization. This method is useful for SOC teams that want to create their own grouping for SAP users. For example, if you don't want specific service accounts to be alerted for Generic table access by RFC events, but can’t find an SAP role or an SAP profile that groups these users, use tags as follows: 1. Add the GenTableRFCReadOK tag next to the relevant event in the watchlist. 2. Go to the SAP_User_Config watchlist and assign the interface users the same tag. |
| Specify a frequency threshold per event type and system role | Works like a speed limit. For example, you might configure User Master Record Change events to only trigger alerts if more than 12 activities are observed in an hour, by the same user in a production system. If a user exceeds the 12 per hour limit—for example, 2 events in a 10-minute window—an incident is triggered. |
| Determinism or anomalies | If you know the event’s characteristics, use the deterministic capabilities. If you aren't sure how to correctly configure the event, allow the machine learning capabilities to decide to start, and then make subsequent updates as needed. |
| SOAR capabilities | Use Microsoft Sentinel to further orchestrate, automate, and respond to incidents created by SAP audit log dynamic alerts. For more information, see Automation in Microsoft Sentinel: Security orchestration, automation, and response (SOAR). |
For more information, see Available watchlists and Microsoft Sentinel for SAP News - Dynamic SAP Security Audit Log Monitor feature available now! (blog).
Initial access
| Rule name | Description | Source action | Tactics |
|---|---|---|---|
| SAP - Login from unexpected network | Identifies a sign-in from an unexpected network. Maintain networks in the SAP - Networks watchlist. |
Sign in to the backend system from an IP address that isn't assigned to one of the networks. Data sources: SAPcon - Audit Log |
Initial Access |
| SAP - SPNego Attack | Identifies SPNego Replay Attack. | Data sources: SAPcon - Audit Log | Impact, Lateral Movement |
| SAP - Dialog logon attempt from a privileged user | Identifies dialog sign-in attempts, with the AUM type, by privileged users in an SAP system. For more information, see the SAPUsersGetPrivileged. | Attempt to sign in from the same IP to several systems or clients within the scheduled time interval Data sources: SAPcon - Audit Log |
Impact, Lateral Movement |
| SAP - Brute force attacks | Identifies brute force attacks on the SAP system using RFC logons | Attempt to sign in from the same IP to several systems/clients within the scheduled time interval using RFC Data sources: SAPcon - Audit Log |
Credential Access |
| SAP - Multiple Logons from the same IP | Identifies the sign-in of several users from same IP address within a scheduled time interval. Sub-use case: Persistency |
Sign in using several users through the same IP address. Data sources: SAPcon - Audit Log |
Initial Access |
| SAP - Multiple Logons by User | Identifies sign-ins of the same user from several terminals within scheduled time interval. Available only via the Audit SAL method, for SAP versions 7.5 and higher. |
Sign in using the same user, using different IP addresses. Data sources: SAPcon - Audit Log |
Pre-Attack, Credential Access, Initial Access, Collection Sub-use case: Persistency |
| SAP - Informational - Lifecycle - SAP Notes were implemented in system | Identifies SAP Note implementation in the system. | Implement an SAP Note using SNOTE/TCI. Data sources: SAPcon - Change Requests |
- |
| SAP - (Preview) AS JAVA - Sensitive Privileged User Signed In | Identifies a sign-in from an unexpected network. Maintain privileged users in the SAP - Privileged Users watchlist. |
Sign in to the backend system using privileged users. Data sources: SAPJAVAFilesLog |
Initial Access |
| SAP - (Preview) AS JAVA - Sign-In from Unexpected Network | Identifies sign-ins from an unexpected network. Maintain privileged users in the SAP - Networks watchlist. |
Sign in to the backend system from an IP address that isn't assigned to one of the networks in the SAP - Networks watchlist Data sources: SAPJAVAFilesLog |
Initial Access, Defense Evasion |
Data exfiltration
| Rule name | Description | Source action | Tactics |
|---|---|---|---|
| SAP - FTP for non authorized servers | Identifies an FTP connection for a nonauthorized server. | Create a new FTP connection, such as by using the FTP_CONNECT Function Module. Data sources: SAPcon - Audit Log |
Discovery, Initial Access, Command and Control |
| SAP - Insecure FTP servers configuration | Identifies insecure FTP server configurations, such as when an FTP allowlist is empty or contains placeholders. | Don't maintain or maintain values that contain placeholders in the SAPFTP_SERVERS table, using the SAPFTP_SERVERS_V maintenance view. (SM30) Data sources: SAPcon - Audit Log |
Initial Access, Command and Control |
| SAP - Multiple Files Download | Identifies multiple file downloads for a user within a specific time-range. | Download multiple files using the SAPGui for Excel, lists, and so on. Data sources: SAPcon - Audit Log |
Collection, Exfiltration, Credential Access |
| SAP - Multiple Spool Executions | Identifies multiple spools for a user within a specific time-range. | Create and run multiple spool jobs of any type by a user. (SP01) Data sources: SAPcon - Spool Log, SAPcon - Audit Log |
Collection, Exfiltration, Credential Access |
| SAP - Multiple Spool Output Executions | Identifies multiple spools for a user within a specific time-range. | Create and run multiple spool jobs of any type by a user. (SP01) Data sources: SAPcon - Spool Output Log, SAPcon - Audit Log |
Collection, Exfiltration, Credential Access |
| SAP - Sensitive Tables Direct Access By RFC Logon | Identifies a generic table access by RFC sign in. Maintain tables in the SAP - Sensitive Tables watchlist. Relevant for production systems only. |
Open the table contents using SE11/SE16/SE16N. Data sources: SAPcon - Audit Log |
Collection, Exfiltration, Credential Access |
| SAP - Spool Takeover | Identifies a user printing a spool request that was created by someone else. | Create a spool request using one user, and then output it in using a different user. Data sources: SAPcon - Spool Log, SAPcon - Spool Output Log, SAPcon - Audit Log |
Collection, Exfiltration, Command and Control |
| SAP - Dynamic RFC Destination | Identifies the execution of RFC using dynamic destinations. Sub-use case: Attempts to bypass SAP security mechanisms |
Execute an ABAP report that uses dynamic destinations (cl_dynamic_destination). For example, DEMO_RFC_DYNAMIC_DEST. Data sources: SAPcon - Audit Log |
Collection, Exfiltration |
| SAP - Sensitive Tables Direct Access By Dialog Logon | Identifies generic table access via dialog sign-in. | Open table contents using SE11/SE16/SE16N. Data sources: SAPcon - Audit Log |
Discovery |
| SAP - (Preview) File Downloaded From a Malicious IP Address | Identifies download of a file from an SAP system using an IP address known to be malicious. Malicious IP addresses are obtained from threat intelligence services. | Download a file from a malicious IP. Data sources: SAP security Audit log, Threat Intelligence |
Exfiltration |
| SAP - (Preview) Data Exported from a Production System using a Transport | Identifies data export from a production system using a transport. Transports are used in development systems and are similar to pull requests. This alert rule triggers incidents with medium severity when a transport that includes data from any table is released from a production system. The rule creates a high severity incident when the export includes data from a sensitive table. | Release a transport from a production system. Data sources: SAP CR log, SAP - Sensitive Tables |
Exfiltration |
| SAP - (Preview) Sensitive Data Saved into a USB Drive | Identifies export of SAP data via files. The rule checks for data saved into a recently mounted USB drive in proximity to an execution of a sensitive transaction, a sensitive program, or direct access to a sensitive table. | Export SAP data via files and save into a USB drive. Data sources: SAP Security Audit Log, DeviceFileEvents (Microsoft Defender for Endpoint), SAP - Sensitive Tables, SAP - Sensitive Transactions, SAP - Sensitive Programs |
Exfiltration |
| SAP - (Preview) Printing of Potentially Sensitive data | Identifies a request or actual printing of potentially sensitive data. Data is considered sensitive if the user obtains the data as part of a sensitive transaction, execution of a sensitive program, or direct access to a sensitive table. | Print or request to print sensitive data. Data sources: SAP Security Audit Log, SAP Spool logs, SAP - Sensitive Tables, SAP - Sensitive Programs |
Exfiltration |
| SAP - (Preview) High Volume of Potentially Sensitive Data Exported | Identifies export of a high volume of data via files in proximity to an execution of a sensitive transaction, a sensitive program, or direct access to sensitive table. | Export high volume of data via files. Data sources: SAP Security Audit Log, SAP - Sensitive Tables, SAP - Sensitive Transactions, SAP - Sensitive Programs |
Exfiltration |
Persistency
| Rule name | Description | Source action | Tactics |
|---|---|---|---|
| SAP - Activation or Deactivation of ICF Service | Identifies activation or deactivation of ICF Services. | Activate a service using SICF. Data sources: SAPcon - Table Data Log |
Command and Control, Lateral Movement, Persistence |
| SAP - Function Module tested | Identifies the testing of a function module. | Test a function module using SE37 / SE80. Data sources: SAPcon - Audit Log |
Collection, Defense Evasion, Lateral Movement |
| SAP - (PREVIEW) HANA DB -User Admin actions | Identifies user administration actions. | Create, update, or delete a database user. Data Sources: Linux Agent - Syslog* |
Privilege Escalation |
| SAP - New ICF Service Handlers | Identifies creation of ICF Handlers. | Assign a new handler to a service using SICF. Data sources: SAPcon - Audit Log |
Command and Control, Lateral Movement, Persistence |
| SAP - New ICF Services | Identifies creation of ICF Services. | Create a service using SICF. Data sources: SAPcon - Table Data Log |
Command and Control, Lateral Movement, Persistence |
| SAP - Execution of Obsolete or Insecure Function Module | Identifies the execution of an obsolete or insecure ABAP function module. Maintain obsolete functions in the SAP - Obsolete Function Modules watchlist. Make sure to activate table logging changes for the EUFUNC table in the backend. (SE13)Relevant for production systems only. |
Run an obsolete or insecure function module directly using SE37. Data sources: SAPcon - Table Data Log |
Discovery, Command and Control |
| SAP - Execution of Obsolete/Insecure Program | Identifies the execution of an obsolete or insecure ABAP program. Maintain obsolete programs in the SAP - Obsolete Programs watchlist. Relevant for production systems only. |
Run a program directly using SE38/SA38/SE80, or by using a background job. Data sources: SAPcon - Audit Log |
Discovery, Command and Control |
| SAP - Multiple Password Changes by User | Identifies multiple password changes by user. | Change user password Data sources: SAPcon - Audit Log |
Credential Access |
| SAP - (Preview) AS JAVA - User Creates and Uses New User | Identifies the creation or manipulation of users by admins within the SAP AS Java environment. | Sign in to the backend system using users that you have created or manipulated. Data sources: SAPJAVAFilesLog |
Persistence |
Attempts to bypass SAP security mechanisms
| Rule name | Description | Source action | Tactics |
|---|---|---|---|
| SAP - Client Configuration Change | Identifies changes for client configuration such as the client role or the change recording mode. | Perform client configuration changes using the SCC4 transaction code. Data sources: SAPcon - Audit Log |
Defense Evasion, Exfiltration, Persistence |
| SAP - Data has Changed during Debugging Activity | Identifies changes for runtime data during a debugging activity. Sub-use case: Persistency |
1. Activate Debug ("/h"). 2. Select a field for change and update its value. Data sources: SAPcon - Audit Log |
Execution, Lateral Movement |
| SAP - Deactivation of Security Audit Log | Identifies deactivation of the Security Audit Log, | Disable security Audit Log using SM19/RSAU_CONFIG. Data sources: SAPcon - Audit Log |
Exfiltration, Defense Evasion, Persistence |
| SAP - Execution of a Sensitive ABAP Program | Identifies the direct execution of a sensitive ABAP program. Maintain ABAP Programs in the SAP - Sensitive ABAP Programs watchlist. |
Run a program directly using SE38/SA38/SE80. Data sources: SAPcon - Audit Log |
Exfiltration, Lateral Movement, Execution |
| SAP - Execution of a Sensitive Transaction Code | Identifies the execution of a sensitive Transaction Code. Maintain transaction codes in the SAP - Sensitive Transaction Codes watchlist. |
Run a sensitive transaction code. Data sources: SAPcon - Audit Log |
Discovery, Execution |
| SAP - Execution of Sensitive Function Module | Identifies the execution of a sensitive ABAP function module. Sub-use case: Persistency Relevant for production systems only. Maintain sensitive functions in the SAP - Sensitive Function Modules watchlist, and make sure to activate table logging changes in the backend for the EUFUNC table. (SE13) |
Run a sensitive function module directly using SE37. Data sources: SAPcon - Table Data Log |
Discovery, Command and Control |
| SAP - (PREVIEW) HANA DB -Audit Trail Policy Changes | Identifies changes for HANA DB audit trail policies. | Create or update the existing audit policy in security definitions. Data sources: Linux Agent - Syslog |
Lateral Movement, Defense Evasion, Persistence |
| SAP - (PREVIEW) HANA DB -Deactivation of Audit Trail | Identifies the deactivation of the HANA DB audit log. | Deactivate the audit log in the HANA DB security definition. Data sources: Linux Agent - Syslog |
Persistence, Lateral Movement, Defense Evasion |
| SAP - Unauthorized Remote Execution of a Sensitive Function Module | Detects unauthorized executions of sensitive FMs by comparing the activity with the user's authorization profile while disregarding recently changed authorizations. Maintain function modules in the SAP - Sensitive Function Modules watchlist. |
Run a function module using RFC. Data sources: SAPcon - Audit Log |
Execution, Lateral Movement, Discovery |
| SAP - System Configuration Change | Identifies changes for system configuration. | Adapt system change options or software component modification using the SE06 transaction code.Data sources: SAPcon - Audit Log |
Exfiltration, Defense Evasion, Persistence |
| SAP - Debugging Activities | Identifies all debugging related activities. Sub-use case: Persistency |
Activate Debug ("/h") in the system, debug an active process, add breakpoint to source code, and so on. Data sources: SAPcon - Audit Log |
Discovery |
| SAP - Security Audit Log Configuration Change | Identifies changes in the configuration of the Security Audit Log | Change any Security Audit Log Configuration using SM19/RSAU_CONFIG, such as the filters, status, recording mode, and so on. Data sources: SAPcon - Audit Log |
Persistence, Exfiltration, Defense Evasion |
| SAP - Transaction is unlocked | Identifies unlocking of a transaction. | Unlock a transaction code using SM01/SM01_DEV/SM01_CUS. Data sources: SAPcon - Audit Log |
Persistence, Execution |
| SAP - Dynamic ABAP Program | Identifies the execution of dynamic ABAP programming. For example, when ABAP code was dynamically created, changed, or deleted. Maintain excluded transaction codes in the SAP - Transactions for ABAP Generations watchlist. |
Create an ABAP Report that uses ABAP program generation commands, such as INSERT REPORT, and then run the report. Data sources: SAPcon - Audit Log |
Discovery, Command and Control, Impact |
Suspicious privileges operations
| Rule name | Description | Source action | Tactics |
|---|---|---|---|
| SAP - Change in Sensitive privileged user | Identifies changes of sensitive privileged users. Maintain privileged users in the SAP - Privileged Users watchlist. |
Change user details / authorizations using SU01. Data sources: SAPcon - Audit Log |
Privilege Escalation, Credential Access |
| SAP - (PREVIEW) HANA DB -Assign Admin Authorizations | Identifies admin privilege or role assignment. | Assign a user with any admin role or privileges. Data sources: Linux Agent - Syslog |
Privilege Escalation |
| SAP - Sensitive privileged user logged in | Identifies the Dialog sign-in of a sensitive privileged user. Maintain privileged users in the SAP - Privileged Users watchlist. |
Sign in to the backend system using SAP* or another privileged user. Data sources: SAPcon - Audit Log |
Initial Access, Credential Access |
| SAP - Sensitive privileged user makes a change in other user | Identifies changes of sensitive, privileged users in other users. | Change user details / authorizations using SU01. Data Sources: SAPcon - Audit Log |
Privilege Escalation, Credential Access |
| SAP - Sensitive Users Password Change and Login | Identifies password changes for privileged users. | Change the password for a privileged user and sign into the system. Maintain privileged users in the SAP - Privileged Users watchlist. Data sources: SAPcon - Audit Log |
Impact, Command and Control, Privilege Escalation |
| SAP - User Creates and uses new user | Identifies a user creating and using other users. Sub-use case: Persistency |
Create a user using SU01, and then sign in, using the newly created user and the same IP address. Data sources: SAPcon - Audit Log |
Discovery, Pre-Attack, Initial Access |
| SAP - User Unlocks and uses other users | Identifies a user being unlocked and used by other users. Sub-use case: Persistency |
Unlock a user using SU01, and then sign in using the unlocked user and the same IP address. Data sources: SAPcon - Audit Log, SAPcon - Change Documents Log |
Discovery, Pre-Attack, Initial Access, Lateral Movement |
| SAP - Assignment of a sensitive profile | Identifies new assignments of a sensitive profile to a user. Maintain sensitive profiles in the SAP - Sensitive Profiles watchlist. |
Assign a profile to a user using SU01. Data sources: SAPcon - Change Documents Log |
Privilege Escalation |
| SAP - Assignment of a sensitive role | Identifies new assignments for a sensitive role to a user. Maintain sensitive roles in the SAP - Sensitive Roles watchlist. |
Assign a role to a user using SU01 / PFCG. Data sources: SAPcon - Change Documents Log, Audit Log |
Privilege Escalation |
| SAP - (PREVIEW) Critical authorizations assignment - New Authorization Value | Identifies the assignment of a critical authorization object value to a new user. Maintain critical authorization objects in the SAP - Critical Authorization Objects watchlist. |
Assign a new authorization object or update an existing one in a role, using PFCG. Data sources: SAPcon - Change Documents Log |
Privilege Escalation |
| SAP - Critical authorizations assignment - New User Assignment | Identifies the assignment of a critical authorization object value to a new user. Maintain critical authorization objects in the SAP - Critical Authorization Objects watchlist. |
Assign a new user to a role that holds critical authorization values, using SU01/PFCG. Data sources: SAPcon - Change Documents Log |
Privilege Escalation |
| SAP - Sensitive Roles Changes | Identifies changes in sensitive roles. Maintain sensitive roles in the SAP - Sensitive Roles watchlist. |
Change a role using PFCG. Data sources: SAPcon - Change Documents Log, SAPcon – Audit Log |
Impact, Privilege Escalation, Persistence |
Available watchlists
The following table lists the watchlists available for the Microsoft Sentinel solution for SAP applications, and the fields in each watchlist.
These watchlists provide the configuration for the Microsoft Sentinel solution for SAP applications. The SAP watchlists are available in the Microsoft Sentinel GitHub repository.
| Watchlist name | Description and fields |
|---|---|
| SAP - Critical Authorization Objects | Critical Authorizations object, where assignments should be governed. - AuthorizationObject: An SAP authorization object, such as S_DEVELOP, S_TCODE, or Table TOBJ - AuthorizationField: An SAP authorization field, such as OBJTYP or TCD - AuthorizationValue: An SAP authorization field value, such as DEBUG - ActivityField : SAP activity field. For most cases, this value is ACTVT. For Authorizations objects without an Activity, or with only an Activity field, filled with NOT_IN_USE. - Activity: SAP activity, according to the authorization object, such as: 01: Create; 02: Change; 03: Display, and so on. - Description: A meaningful Critical Authorization Object description. |
| SAP - Excluded Networks | For internal maintenance of excluded networks, such as to ignore web dispatchers, terminal servers, and so on. -Network: A network IP address or range, such as 111.68.128.0/17. -Description: A meaningful network description. |
| SAP Excluded Users | System users who are signed in to the system and must be ignored. For example, alerts for multiple sign-ins by the same user. - User: SAP User -Description: A meaningful user description. |
| SAP - Networks | Internal and maintenance networks for identification of unauthorized logins. - Network: Network IP address or range, such as 111.68.128.0/17 - Description: A meaningful network description. |
| SAP - Privileged Users | Privileged users that are under extra restrictions. - User: the ABAP user, such as DDIC or SAP - Description: A meaningful user description. |
| SAP - Sensitive ABAP Programs | Sensitive ABAP programs (reports), where execution should be governed. - ABAPProgram: ABAP program or report, such as RSPFLDOC - Description: A meaningful program description. |
| SAP - Sensitive Function Module | Internal and maintenance networks for identification of unauthorized logins. - FunctionModule: An ABAP function module, such as RSAU_CLEAR_AUDIT_LOG - Description: A meaningful module description. |
| SAP - Sensitive Profiles | Sensitive profiles, where assignments should be governed. - Profile: SAP authorization profile, such as SAP_ALL or SAP_NEW - Description: A meaningful profile description. |
| SAP - Sensitive Tables | Sensitive tables, where access should be governed. - Table: ABAP Dictionary Table, such as USR02 or PA008 - Description: A meaningful table description. |
| SAP - Sensitive Roles | Sensitive roles, where assignment should be governed. - Role: SAP authorization role, such as SAP_BC_BASIS_ADMIN - Description: A meaningful role description. |
| SAP - Sensitive Transactions | Sensitive transactions where execution should be governed. - TransactionCode: SAP transaction code, such as RZ11 - Description: A meaningful code description. |
| SAP - Systems | Describes the landscape of SAP systems according to role, usage, and configuration. - SystemID: the SAP system ID (SYSID) - SystemRole: the SAP system role, one of the following values: Sandbox, Development, Quality Assurance, Training, Production - SystemUsage: The SAP system usage, one of the following values: ERP, BW, Solman, Gateway, Enterprise Portal - InterfaceAttributes: an optional dynamic parameter for use in playbooks. |
| SAPSystemParameters | Parameters to watch for suspicious configuration changes. This watchlist is prefilled with recommended values (according to SAP best practice), and you can extend the watchlist to include more parameters. If you don't want to receive alerts for a parameter, set EnableAlerts to false.- ParameterName: The name of the parameter. - Comment: The SAP standard parameter description. - EnableAlerts: Defines whether to enable alerts for this parameter. Values are true and false.- Option: Defines in which case to trigger an alert: If the parameter value is greater or equal ( GE), less or equal (LE), or equal (EQ)For example, if the login/fails_to_user_lock SAP parameter is set to LE (less or equal), and a value of 5, once Microsoft Sentinel detects a change to this specific parameter, it compares the newly reported value and the expected value. If the new value is 4, Microsoft Sentinel doesn't trigger an alert. If the new value is 6, Microsoft Sentinel triggers an alert.- ProductionSeverity: The incident severity for production systems. - ProductionValues: Permitted values for production systems. - NonProdSeverity: The incident severity for nonproduction systems. - NonProdValues: Permitted values for nonproduction systems. |
| SAP - Excluded Users | System users that are logged in and need to be ignored, such as for the Multiple logons by user alert. - User: SAP User - Description: A meaningful user description |
| SAP - Excluded Networks | Maintain internal, excluded networks for ignoring web dispatchers, terminal servers, and so on. - Network: Network IP address or range, such as 111.68.128.0/17 - Description: A meaningful network description |
| SAP - Obsolete Function Modules | Obsolete function modules, whose execution should be governed. - FunctionModule: ABAP Function Module, such as TH_SAPREL - Description: A meaningful function module description |
| SAP - Obsolete Programs | Obsolete ABAP programs (reports), whose execution should be governed. - ABAPProgram:ABAP Program, such as TH_ RSPFLDOC - Description: A meaningful ABAP program description |
| SAP - Transactions for ABAP Generations | Transactions for ABAP generations whose execution should be governed. - TransactionCode: Transaction Code, such as SE11. - Description: A meaningful Transaction Code description |
| SAP - FTP Servers | FTP Servers for identification of unauthorized connections. - Client: such as 100. - FTP_Server_Name: FTP server name, such as http://contoso.com/ -FTP_Server_Port:FTP server port, such as 22. - DescriptionA meaningful FTP Server description |
| SAP_Dynamic_Audit_Log_Monitor_Configuration | Configure the SAP audit log alerts by assigning each message ID a severity level as required by you, per system role (production, nonproduction). This watchlist details all available SAP standard audit log message IDs. The watchlist can be extended to contain extra message IDs you might create on your own using ABAP enhancements on their SAP NetWeaver systems. This watchlist also allows for configuring a designated team to handle each of the event types, and excluding users by SAP roles, SAP profiles or by tags from the SAP_User_Config watchlist. This watchlist is one of the core components used for configuring the built-in SAP analytics rules for monitoring the SAP audit log. For more information, see Monitor the SAP audit log. - MessageID: The SAP Message ID, or event type, such as AUD (User master record changes), or AUB (authorization changes). - DetailedDescription: A markdown enabled description to be shown on the incident pane. - ProductionSeverity: The desired severity for the incident to be created with for production systems High, Medium. Can be set as Disabled. - NonProdSeverity: The desired severity for the incident to be created with for nonproduction systems High, Medium. Can be set as Disabled. - ProductionThreshold The "Per hour" count of events to be considered as suspicious for production systems 60. - NonProdThreshold The "Per hour" count of events to be considered as suspicious for nonproduction systems 10. - RolesTagsToExclude: This field accepts SAP role name, SAP profile names or tags from the SAP_User_Config watchlist. These are then used to exclude the associated users from specific event types. See options for role tags at the end of this list. - RuleType: Use Deterministic for the event type to be sent off to the SAP - Dynamic Deterministic Audit Log Monitor rule, or AnomaliesOnly to have this event covered by the SAP - Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW) rule. For more information, see Monitor the SAP audit log. - TeamsChannelID: an optional dynamic parameter for use in playbooks. - DestinationEmail: an optional dynamic parameter for use in playbooks. For the RolesTagsToExclude field: - If you list SAP roles or SAP profiles, this excludes any user with the listed roles or profiles from these event types for the same SAP system. For example, if you define the BASIC_BO_USERS ABAP role for the RFC related event types, Business Objects users won't trigger incidents when making massive RFC calls.- Tagging an event type is similar to specifying SAP roles or profiles, but tags can be created in the workspace, so SOC teams can exclude users by activity without depending on the SAP BASIS team. For example, the audit message IDs AUB (authorization changes) and AUD (user master record changes) are assigned the MassiveAuthChanges tag. Users assigned this tag are excluded from the checks for these activities. Running the workspace SAPAuditLogConfigRecommend function produces a list of recommended tags to be assigned to users, such as Add the tags ["GenericTablebyRFCOK"] to user SENTINEL_SRV using the SAP_User_Config watchlist. |
| SAP_User_Config | Allows for fine tuning alerts by excluding /including users in specific contexts and is also used for configuring the built-in SAP analytics rules for monitoring the SAP audit log. For more information, see Monitor the SAP audit log. - SAPUser: The SAP user - Tags: Tags are used to identify users against certain activity. For example Adding the tags ["GenericTablebyRFCOK"] to user SENTINEL_SRV will prevent RFC related incidents to be created for this specific user Other active directory user identifiers - AD User Identifier - User On-Premises Sid - User Principal Name |
Available playbooks
Playbooks provided by Microsoft Sentinel solution for SAP applications help you automate SAP incident response workloads, improving the efficiency and effectiveness of security operations.
This section describes built-in analytics playbooks provided together with the Microsoft Sentinel solution for SAP applications.
| Playbook name | Parameters | Connections |
|---|---|---|
| SAP Incident Response - Lock user from Teams - Basic | - SAP-SOAP-User-Password - SAP-SOAP-Username - SOAPApiBasePath - DefaultEmail - TeamsChannel |
- Microsoft Sentinel - Microsoft Teams |
| SAP Incident Response - Lock user from Teams - Advanced | - SAP-SOAP-KeyVault-Credential-Name - DefaultAdminEmail - TeamsChannel |
- Microsoft Sentinel - Azure Monitor Logs - Office 365 Outlook - Microsoft Entra ID - Azure Key Vault - Microsoft Teams |
| SAP Incident Response - Reenable audit logging once deactivated | - SAP-SOAP-KeyVault-Credential-Name - DefaultAdminEmail - TeamsChannel |
- Microsoft Sentinel - Azure Key Vault - Azure Monitor Logs - Microsoft Teams |
The following sections describe sample uses cases for each of the provided playbooks, in a scenario where an incident warned you of suspicious activity in one of the SAP systems, where a user is trying to execute one of these highly sensitive transactions.
During the incident triage phase, you decide to take action against this user, kicking it out of your SAP ERP or BTP systems or even from Microsoft Entra ID.
For more information, see Automate threat response with playbooks in Microsoft Sentinel
The process for deploying Standard logic apps generally is more complex than it is for Consumption logic apps. We've created a series of shortcuts to help you deploy them quickly from the Microsoft Sentinel GitHub repository. For more information, see Step-by-Step Installation Guide.
Tip
Watch the SAP playbooks folder in the GitHub repository for more playbooks as they become available. There's also a short introductory video (external link) there to help you get started.
Lock out a user from a single system
Build an automation rule to invoke the Lock user from Teams - Basic playbook whenever a sensitive transaction execution by an unauthorized user is detected. This playbook uses Teams' adaptive cards feature to request approval before unilaterally blocking the user.
For more information, see From zero to hero security coverage with Microsoft Sentinel for your critical SAP security signals - You’re gonna hear me SOAR! Part 1 (SAP blog post).
The Lock user from Teams - Basic playbook is a Standard playbook, and Standard playbooks are generally more complex to deploy than Consumption playbooks.
We've created a series of shortcuts to help you deploy them quickly from the Microsoft Sentinel GitHub repository. For more information, see Step-by-Step Installation Guide and Supported logic app types.
Lock out a user from multiple systems
The Lock user from Teams - Advanced playbook accomplishes the same objective, but is designed for more complex scenarios, allowing a single playbook to be used for multiple SAP systems, each with its own SAP SID.
The Lock user from Teams - Advanced playbook seamlessly manages the connections to all of these systems, and their credentials, using the InterfaceAttributes optional dynamic parameter in the SAP - Systems watchlist and Azure Key Vault.
The Lock user from Teams - Advanced playbook also allows you to communicate to the parties in the approval process using Outlook actionable messages together with Teams, using the TeamsChannelID and DestinationEmail parameters in the SAP_Dynamic_Audit_Log_Monitor_Configuration watchlist.
For more information, see From zero to hero security coverage with Microsoft Sentinel for your critical SAP security signals – Part 2 (SAP blog post).
Prevent deactivation of audit logging
You might also be concerned about the SAP audit log, which is one of your security data sources, being deactivated. We recommend that you build an automation rule based on the SAP - Deactivation of Security Audit Log analytics rule to invoke the Reenable audit logging once deactivated playbook to make sure the SAP audit log isn't deactivated.
The SAP - Deactivation of Security Audit Log playbook also uses Teams, informing security personnel after the fact. The severity of the offense and the urgency of its mitigation indicate that immediate action can be taken with no approval required.
Since the SAP - Deactivation of Security Audit Log playbook also uses Azure Key Vault to manage credentials, the playbook's configuration is similar to that of the Lock user from Teams - Advanced playbook. For more information, see From zero to hero security coverage with Microsoft Sentinel for your critical SAP security signals – Part 3 (SAP blog post).
Related content
For more information, see Deploying Microsoft Sentinel solution for SAP applications.