Collect SAP HANA audit logs in Microsoft Sentinel

This article explains how to collect audit logs from your SAP HANA database.

Content in this article is intended for your security, infrastructure, and SAP BASIS teams.

Important

Microsoft Sentinel SAP HANA support is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Prerequisites

SAP HANA logs are sent over Syslog. Make sure that your Azure Monitor Agent is configured to collect Syslog files. For more information, see Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent.

Collect SAP HANA audit logs

  1. Make sure that the SAP HANA audit log trail is configured to use Syslog, as described in SAP Note 0002624117, which is accessible from the SAP Launchpad support site. For more information, see:

  2. Check your operating system Syslog files for any relevant HANA database events.

  3. Sign into your HANA database operating system as a user with sudo privileges.

  4. Install an agent on your machine and confirm that your machine is connected. For more information, see Install and manage Azure Monitor Agent.

  5. Configure your agent to collect Syslog data. For more information, see Collect Syslog events with Azure Monitor Agent.

    Tip

    Because the facilities where HANA database events are saved can change between different distributions, we recommend that you add all facilities. Check them against your Syslog logs, and then remove any that aren't relevant.

Verify your configuration

Use the following steps in both Microsoft Sentinel and your SAP HANA database to verify that your system is configured as expected.

Microsoft Sentinel

In Microsoft Sentinel's Logs page, check to confirm that HANA database events are now shown in the ingested logs. For example, run the following query:

//generated function structure for custom log Syslog
// generated on 2024-05-07
let D_Syslog = datatable(TimeGenerated:datetime
,EventTime:datetime
,Facility:string
,HostName:string
,SeverityLevel:string
,ProcessID:int
,HostIP:string
,ProcessName:string
,Type:string
)['1000-01-01T00:00:00Z', '1000-01-01T00:00:00Z', 'initialString', 'initialString', 'initialString', 'initialString',1,'initialString', 'initialString', 'initialString'];

let T_Syslog = (Syslog | project
TimeGenerated = column_ifexists('TimeGenerated', '1000-01-01T00:00:00Z')
,EventTime = column_ifexists('EventTime', '1000-01-01T00:00:00Z')
,Facility = column_ifexists('Facility', 'initialString')
,HostName = column_ifexists('HostName', 'initialString')
,SeverityLevel = column_ifexists('SeverityLevel', 'initialString')
,ProcessID = column_ifexists('ProcessID', 1)
,HostIP = column_ifexists('HostIP', 'initialString')
,ProcessName = column_ifexists('ProcessName', 'initialString')
,Type = column_ifexists('Type', 'initialString')
);
T_Syslog | union isfuzzy= true (D_Syslog | where TimeGenerated != '1000-01-01T00:00:00Z')

SAP HANA

In your SAP HANA database, check your configured audit policies. For more information on the required SQL statements, see SAP Note 3016478.

Add analytics rules for SAP HANA in Microsoft Sentinel

Use the following built-in analytics rules to have Microsoft Sentinel start triggering alerts on related SAP HANA activity:

  • SAP - (PREVIEW) HANA DB -Assign Admin Authorizations
  • SAP - (PREVIEW) HANA DB -Audit Trail Policy Changes
  • SAP - (PREVIEW) HANA DB -Deactivation of Audit Trail
  • SAP - (PREVIEW) HANA DB -User Admin actions

For more information, see Microsoft Sentinel solution for SAP applications: security content reference.

Learn more about the Microsoft Sentinel solution for SAP applications: