Microsoft Sentinel SAP solution: security content reference (public preview)
Note
Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.
This article details the security content available for the Microsoft Sentinel SAP solution.
Available security content includes a built-in workbook and built-in analytics rules. You can also add SAP-related watchlists to use in your search, detection rules, threat hunting, and response playbooks.
Important
The Microsoft Sentinel SAP solution is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Built-in workbooks
Use the following built-in workbooks to visualize and monitor data ingested via the SAP data connector. After deploying the SAP solution, SAP workbooks are found in the My workbooks tab.
| Workbook name | Description | Logs |
|---|---|---|
| SAP - Audit Log Browser | Displays data such as: general system health, including user sign-ins over time, events ingested by the system, message classes and IDs, and ABAP programs run; severities of events occurring in your system; authentication and authorization events occurring in your system | ABAPAuditLog_CL |
| SAP - Suspicious Privileges Operations | Displays data such as: sensitive and critical assignments; actions and changes made to sensitive, privileged users; changes made to roles | ABAPAuditLog_CL, ABAPChangeDocsLog_CL |
| SAP - Initial Access & Attempts to Bypass SAP Security Mechanisms | Displays data such as: executions of sensitive programs, code, and function modules; configuration changes, including log deactivations; changes made in debug mode | ABAPAuditLog_CL, ABAPTableDataLog_CL, Syslog |
| SAP - Persistency & Data Exfiltration | Displays data such as: Internet Communication Framework (ICF) services, including activations and deactivations and data about new services and service handlers; insecure operations, including both function modules and programs; direct access to sensitive tables | ABAPAuditLog_CL, ABAPTableDataLog_CL, ABAPSpoolLog_CL, ABAPSpoolOutputLog_CL, Syslog |
For more information, see Tutorial: Visualize and monitor your data and Deploy SAP continuous threat monitoring (public preview).
Built-in analytics rules
The following tables list the built-in analytics rules that are included in the Microsoft Sentinel SAP solution, deployed from the Microsoft Sentinel Solutions marketplace.
Built-in SAP analytics rules for initial access
| Rule name | Description | Source action | Tactics |
|---|---|---|---|
| SAP - High - Login from unexpected network | Identifies a sign-in from an unexpected network. Maintain networks in the SAP - Networks watchlist. | Sign in to the backend system from an IP address that is not assigned to one of the networks. Data sources: SAPcon - Audit Log | Initial Access |
| SAP - High - SPNego Attack | Identifies an SPNego replay attack. | Data sources: SAPcon - Audit Log | Impact, Lateral Movement |
| SAP - Medium - Brute force attacks | Identifies brute force attacks on the SAP system, according to failed sign-in attempts for the backend system. | Attempt to sign in from the same IP address to several systems/clients within the scheduled time interval. Data sources: SAPcon - Audit Log | Credential Access |
| SAP - Medium - Multiple Logons from the same IP | Identifies the sign-in of several users from the same IP address within a scheduled time interval. Sub-use case: Persistency | Sign in using several users through the same IP address. Data sources: SAPcon - Audit Log | Initial Access |
| SAP - Medium - Multiple Logons by User | Identifies sign-ins of the same user from several terminals within a scheduled time interval. Available only via the Audit SAL method, for SAP versions 7.5 and higher. Sub-use case: Persistency | Sign in using the same user, using different IP addresses. Data sources: SAPcon - Audit Log | PreAttack, Credential Access, Initial Access, Collection |
| SAP - Informational - Lifecycle - SAP Notes were implemented in system | Identifies SAP Note implementation in the system. | Implement an SAP Note using SNOTE/TCI. Data sources: SAPcon - Change Requests | - |
Built-in SAP analytics rules for data exfiltration
| Rule name | Description | Source action | Tactics |
|---|---|---|---|
| SAP - Medium - FTP for non authorized servers | Identifies an FTP connection to a non-authorized server. | Create a new FTP connection, such as by using the FTP_CONNECT function module. Data sources: SAPcon - Audit Log | Discovery, Initial Access, Command and Control |
| SAP - Medium - Insecure FTP servers configuration | Identifies insecure FTP server configurations, such as when an FTP allowlist is empty or contains placeholders. | Leave the SAPFTP_SERVERS table unmaintained, or maintain values in it that contain placeholders, using the SAPFTP_SERVERS_V maintenance view (SM30). Data sources: SAPcon - Audit Log | Initial Access, Command and Control |
| SAP - Medium - Multiple Files Download | Identifies multiple file downloads by a user within a specific time range. | Download multiple files using the SAP GUI for Excel, lists, and so on. Data sources: SAPcon - Audit Log | Collection, Exfiltration, Credential Access |
| SAP - Medium - Multiple Spool Executions | Identifies multiple spools for a user within a specific time range. | Create and run multiple spool jobs of any type as a single user (SP01). Data sources: SAPcon - Spool Log, SAPcon - Audit Log | Collection, Exfiltration, Credential Access |
| SAP - Medium - Multiple Spool Output Executions | Identifies multiple spool outputs for a user within a specific time range. | Create and run multiple spool jobs of any type as a single user (SP01). Data sources: SAPcon - Spool Output Log, SAPcon - Audit Log | Collection, Exfiltration, Credential Access |
| SAP - Medium - Sensitive Tables Direct Access By RFC Logon | Identifies generic table access via RFC sign-in. Maintain tables in the SAP - Sensitive Tables watchlist. Note: Relevant for production systems only. | Open the table contents using SE11/SE16/SE16N. Data sources: SAPcon - Audit Log | Collection, Exfiltration, Credential Access |
| SAP - Medium - Spool Takeover | Identifies a user printing a spool request that was created by someone else. | Create a spool request using one user, and then output it using a different user. Data sources: SAPcon - Spool Log, SAPcon - Spool Output Log, SAPcon - Audit Log | Collection, Exfiltration, Command and Control |
| SAP - Low - Dynamic RFC Destination | Identifies the execution of RFC using dynamic destinations. Sub-use case: Attempts to bypass SAP security mechanisms | Execute an ABAP report that uses dynamic destinations (cl_dynamic_destination), for example DEMO_RFC_DYNAMIC_DEST. Data sources: SAPcon - Audit Log | Collection, Exfiltration |
| SAP - Low - Sensitive Tables Direct Access By Dialog Logon | Identifies generic table access via dialog sign-in. | Open table contents using SE11/SE16/SE16N. Data sources: SAPcon - Audit Log | Discovery |
Built-in SAP analytics rules for persistency
| Rule name | Description | Source action | Tactics |
|---|---|---|---|
| SAP - High - Activation or Deactivation of ICF Service | Identifies activation or deactivation of ICF services. | Activate a service using SICF. Data sources: SAPcon - Table Data Log | Command and Control, Lateral Movement, Persistence |
| SAP - High - Function Module tested | Identifies the testing of a function module. | Test a function module using SE37 / SE80. Data sources: SAPcon - Audit Log | Collection, Defense Evasion, Lateral Movement |
| SAP - High - HANA DB - User Admin actions | Identifies user administration actions. | Create, update, or delete a database user. Data sources: Linux Agent - Syslog | Privilege Escalation |
| SAP - High - New ICF Service Handlers | Identifies creation of ICF handlers. | Assign a new handler to a service using SICF. Data sources: SAPcon - Audit Log | Command and Control, Lateral Movement, Persistence |
| SAP - High - New ICF Services | Identifies creation of ICF services. | Create a service using SICF. Data sources: SAPcon - Table Data Log | Command and Control, Lateral Movement, Persistence |
| SAP - Medium - Execution of Obsolete or Insecure Function Module | Identifies the execution of an obsolete or insecure ABAP function module. Maintain obsolete functions in the SAP - Obsolete Function Modules watchlist. Make sure to activate table logging changes for the EUFUNC table in the backend (SE13). Note: Relevant for production systems only. | Run an obsolete or insecure function module directly using SE37. Data sources: SAPcon - Table Data Log | Discovery, Command and Control |
| SAP - Medium - Execution of Obsolete/Insecure Program | Identifies the execution of an obsolete or insecure ABAP program. Maintain obsolete programs in the SAP - Obsolete Programs watchlist. Note: Relevant for production systems only. | Run a program directly using SE38/SA38/SE80, or by using a background job. Data sources: SAPcon - Audit Log | Discovery, Command and Control |
| SAP - Low - Multiple Password Changes by User | Identifies multiple password changes by a user. | Change a user password. Data sources: SAPcon - Audit Log | Credential Access |
Built-in SAP analytics rules for attempts to bypass SAP security mechanisms
| Rule name | Description | Source action | Tactics |
|---|---|---|---|
| SAP - High - Client Configuration Change | Identifies changes to the client configuration, such as the client role or the change recording mode. | Perform client configuration changes using the SCC4 transaction code. Data sources: SAPcon - Audit Log | Defense Evasion, Exfiltration, Persistence |
| SAP - High - Data has Changed during Debugging Activity | Identifies changes to runtime data during a debugging activity. Sub-use case: Persistency | 1. Activate Debug ("/h"). 2. Select a field for change and update its value. Data sources: SAPcon - Audit Log | Execution, Lateral Movement |
| SAP - High - Deactivation of Security Audit Log | Identifies deactivation of the Security Audit Log. | Disable the Security Audit Log using SM19/RSAU_CONFIG. Data sources: SAPcon - Audit Log | Exfiltration, Defense Evasion, Persistence |
| SAP - High - Execution of a Sensitive ABAP Program | Identifies the direct execution of a sensitive ABAP program. Maintain ABAP programs in the SAP - Sensitive ABAP Programs watchlist. | Run a program directly using SE38/SA38/SE80. Data sources: SAPcon - Audit Log | Exfiltration, Lateral Movement, Execution |
| SAP - High - Execution of a Sensitive Transaction Code | Identifies the execution of a sensitive transaction code. Maintain transaction codes in the SAP - Sensitive Transaction Codes watchlist. | Run a sensitive transaction code. Data sources: SAPcon - Audit Log | Discovery, Execution |
| SAP - High - Execution of Sensitive Function Module | Identifies the execution of a sensitive ABAP function module. Maintain sensitive functions in the SAP - Sensitive Function Modules watchlist, and make sure to activate table logging changes in the backend for the EUFUNC table (SE13). Sub-use case: Persistency. Note: Relevant for production systems only. | Run a sensitive function module directly using SE37. Data sources: SAPcon - Table Data Log | Discovery, Command and Control |
| SAP - High - HANA DB - Audit Trail Policy Changes | Identifies changes to HANA DB audit trail policies. | Create or update the existing audit policy in the security definitions. Data sources: Linux Agent - Syslog | Lateral Movement, Defense Evasion, Persistence |
| SAP - High - HANA DB - Deactivation of Audit Trail | Identifies the deactivation of the HANA DB audit log. | Deactivate the audit log in the HANA DB security definition. Data sources: Linux Agent - Syslog | Persistence, Lateral Movement, Defense Evasion |
| SAP - High - RFC Execution of a Sensitive Function Module | Identifies the execution of a sensitive function module via RFC. Maintain function modules in the SAP - Sensitive Function Modules watchlist. | Run a function module using RFC. Data sources: SAPcon - Audit Log | Execution, Lateral Movement, Discovery |
| SAP - High - System Configuration Change | Identifies changes to the system configuration. | Adapt the system change options or software component modification using the SE06 transaction code. Data sources: SAPcon - Audit Log | Exfiltration, Defense Evasion, Persistence |
| SAP - Medium - Debugging Activities | Identifies all debugging-related activities. Sub-use case: Persistency | Activate Debug ("/h") in the system, debug an active process, add a breakpoint to source code, and so on. Data sources: SAPcon - Audit Log | Discovery |
| SAP - Medium - Security Audit Log Configuration Change | Identifies changes in the configuration of the Security Audit Log. | Change any Security Audit Log configuration using SM19/RSAU_CONFIG, such as the filters, status, recording mode, and so on. Data sources: SAPcon - Audit Log | Persistence, Exfiltration, Defense Evasion |
| SAP - Medium - Transaction is unlocked | Identifies the unlocking of a transaction. | Unlock a transaction code using SM01/SM01_DEV/SM01_CUS. Data sources: SAPcon - Audit Log | Persistence, Execution |
| SAP - Low - Dynamic ABAP Program | Identifies the execution of dynamic ABAP programming, for example when ABAP code is dynamically created, changed, or deleted. Maintain excluded transaction codes in the SAP - Transactions for ABAP Generations watchlist. | Create an ABAP report that uses ABAP program generation commands, such as INSERT REPORT, and then run the report. Data sources: SAPcon - Audit Log | Discovery, Command and Control, Impact |
Built-in SAP analytics rules for suspicious privileges operations
| Rule name | Description | Source action | Tactics |
|---|---|---|---|
| SAP - High - Change in Sensitive privileged user | Identifies changes to sensitive privileged users. Maintain privileged users in the SAP - Privileged Users watchlist. | Change user details / authorizations using SU01. Data sources: SAPcon - Audit Log | Privilege Escalation, Credential Access |
| SAP - High - HANA DB - Assign Admin Authorizations | Identifies admin privilege or role assignment. | Assign a user any admin role or privileges. Data sources: Linux Agent - Syslog | Privilege Escalation |
| SAP - High - Sensitive privileged user logged in | Identifies the dialog sign-in of a sensitive privileged user. Maintain privileged users in the SAP - Privileged Users watchlist. | Sign in to the backend system using SAP* or another privileged user. Data sources: SAPcon - Audit Log | Initial Access, Credential Access |
| SAP - High - Sensitive privileged user makes a change in other user | Identifies changes made by sensitive, privileged users to other users. | Change user details / authorizations using SU01. Data sources: SAPcon - Audit Log | Privilege Escalation, Credential Access |
| SAP - High - Sensitive Users Password Change and Login | Identifies password changes for privileged users. Maintain privileged users in the SAP - Privileged Users watchlist. | Change the password for a privileged user and sign in to the system. Data sources: SAPcon - Audit Log | Impact, Command and Control, Privilege Escalation |
| SAP - High - User Creates and uses new user | Identifies a user creating other users and then signing in as them. Sub-use case: Persistency | Create a user using SU01, and then sign in using the newly created user and the same IP address. Data sources: SAPcon - Audit Log | Discovery, PreAttack, Initial Access |
| SAP - High - User Unlocks and uses other users | Identifies a user unlocking other users and then signing in as them. Sub-use case: Persistency | Unlock a user using SU01, and then sign in using the unlocked user and the same IP address. Data sources: SAPcon - Audit Log, SAPcon - Change Documents Log | Discovery, PreAttack, Initial Access, Lateral Movement |
| SAP - Medium - Assignment of a sensitive profile | Identifies new assignments of a sensitive profile to a user. Maintain sensitive profiles in the SAP - Sensitive Profiles watchlist. | Assign a profile to a user using SU01. Data sources: SAPcon - Change Documents Log | Privilege Escalation |
| SAP - Medium - Assignment of a sensitive role | Identifies new assignments of a sensitive role to a user. Maintain sensitive roles in the SAP - Sensitive Roles watchlist. | Assign a role to a user using SU01 / PFCG. Data sources: SAPcon - Change Documents Log, SAPcon - Audit Log | Privilege Escalation |
| SAP - Medium - Critical authorizations assignment - New Authorization Value | Identifies the assignment of a critical authorization object value to a role. Maintain critical authorization objects in the SAP - Critical Authorization Objects watchlist. | Assign a new authorization object or update an existing one in a role, using PFCG. Data sources: SAPcon - Change Documents Log | Privilege Escalation |
| SAP - Medium - Critical authorizations assignment - New User Assignment | Identifies the assignment of a critical authorization object value to a new user. Maintain critical authorization objects in the SAP - Critical Authorization Objects watchlist. | Assign a new user to a role that holds critical authorization values, using SU01/PFCG. Data sources: SAPcon - Change Documents Log | Privilege Escalation |
| SAP - Medium - Sensitive Roles Changes | Identifies changes in sensitive roles. Maintain sensitive roles in the SAP - Sensitive Roles watchlist. | Change a role using PFCG. Data sources: SAPcon - Change Documents Log, SAPcon - Audit Log | Impact, Privilege Escalation, Persistence |
Available watchlists
The following table lists the watchlists available for the Microsoft Sentinel SAP solution, and the fields in each watchlist.
These watchlists provide the configuration for the Microsoft Sentinel SAP Continuous Threat Monitoring solution. The SAP watchlists are available in the Microsoft Sentinel GitHub repository.
| Watchlist name | Description and fields |
|---|---|
| SAP - Critical Authorization Objects | Critical authorization objects, where assignments should be governed. - AuthorizationObject: An SAP authorization object, such as S_DEVELOP, S_TCODE, or Table TOBJ - AuthorizationField: An SAP authorization field, such as OBJTYP or TCD - AuthorizationValue: An SAP authorization field value, such as DEBUG - ActivityField: The SAP activity field; in most cases this value is ACTVT. For authorization objects without an activity, or with only an activity field, it is filled with NOT_IN_USE - Activity: The SAP activity, according to the authorization object, such as 01: Create, 02: Change, 03: Display, and so on - Description: A meaningful critical authorization object description |
| SAP - Excluded Networks | Internal maintenance of excluded networks, such as to ignore web dispatchers, terminal servers, and so on. - Network: A network IP address or range, such as 111.68.128.0/17 - Description: A meaningful network description |
| SAP - Excluded Users | System users that are signed in to the system and must be ignored, such as for the Multiple Logons by User alert. - User: SAP user - Description: A meaningful user description |
| SAP - Networks | Internal and maintenance networks, for identification of unauthorized sign-ins. - Network: A network IP address or range, such as 111.68.128.0/17 - Description: A meaningful network description |
| SAP - Privileged Users | Privileged users that are under extra restrictions. - User: The ABAP user, such as DDIC or SAP* - Description: A meaningful user description |
| SAP - Sensitive ABAP Programs | Sensitive ABAP programs (reports), where execution should be governed. - ABAPProgram: ABAP program or report, such as RSPFLDOC - Description: A meaningful program description |
| SAP - Sensitive Function Modules | Sensitive function modules, where execution should be governed. - FunctionModule: An ABAP function module, such as RSAU_CLEAR_AUDIT_LOG - Description: A meaningful module description |
| SAP - Sensitive Profiles | Sensitive profiles, where assignments should be governed. - Profile: SAP authorization profile, such as SAP_ALL or SAP_NEW - Description: A meaningful profile description |
| SAP - Sensitive Tables | Sensitive tables, where access should be governed. - Table: ABAP Dictionary table, such as USR02 or PA008 - Description: A meaningful table description |
| SAP - Sensitive Roles | Sensitive roles, where assignment should be governed. - Role: SAP authorization role, such as SAP_BC_BASIS_ADMIN - Description: A meaningful role description |
| SAP - Sensitive Transactions | Sensitive transactions, where execution should be governed. - TransactionCode: SAP transaction code, such as RZ11 - Description: A meaningful transaction code description |
| SAP - Systems | Describes the landscape of SAP systems according to role and usage. - SystemID: The SAP system ID (SYSID) - SystemRole: The SAP system role, one of the following values: Sandbox, Development, Quality Assurance, Training, Production - SystemUsage: The SAP system usage, one of the following values: ERP, BW, Solman, Gateway, Enterprise Portal |
| SAP - Obsolete Function Modules | Obsolete function modules, whose execution should be governed. - FunctionModule: ABAP function module, such as TH_SAPREL - Description: A meaningful function module description |
| SAP - Obsolete Programs | Obsolete ABAP programs (reports), whose execution should be governed. - ABAPProgram: ABAP program, such as TH_ RSPFLDOC - Description: A meaningful ABAP program description |
| SAP - Transactions for ABAP Generations | Transactions for ABAP generations, whose execution should be governed. - TransactionCode: Transaction code, such as SE11 - Description: A meaningful transaction code description |
| SAP - FTP Servers | FTP servers, for identification of unauthorized connections. - Client: SAP client, such as 100 - FTP_Server_Name: FTP server name, such as http://contoso.com/ - FTP_Server_Port: FTP server port, such as 22 - Description: A meaningful FTP server description |
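The following Python script is an added illustration, not part of the Microsoft Sentinel SAP solution, of how the SAP - Networks and SAP - Excluded Networks watchlists drive the "SAP - High - Login from unexpected network" rule: sign-ins whose source address falls outside every allowed range are raised, unless the address belongs to an excluded network such as a web dispatcher. The watchlist rows follow the Network/Description layout from the table above; the sign-in records and their field names (user, source_ip, client) are constructed for this example and are not the ABAPAuditLog_CL schema.

```python
import csv
import io
import ipaddress

# Constructed sample of the "SAP - Networks" watchlist (Network, Description).
SAP_NETWORKS_CSV = """Network,Description
111.68.128.0/17,Corporate campus (constructed sample)
10.20.0.0/16,Admin VPN (constructed sample)
"""

# Constructed sample of "SAP - Excluded Networks" (web dispatchers and so on).
SAP_EXCLUDED_NETWORKS_CSV = """Network,Description
10.99.1.0/24,Web dispatcher pool (constructed sample)
"""

# Constructed sign-in records; the field names are assumptions for this
# example, not the real audit log schema.
SAMPLE_SIGNINS = [
    {"user": "DDIC", "source_ip": "111.68.130.7", "client": "100"},
    {"user": "J.DOE", "source_ip": "10.99.1.14", "client": "100"},
    {"user": "SAP*", "source_ip": "203.0.113.25", "client": "100"},
    {"user": "BATCH01", "source_ip": "not-an-ip", "client": "100"},
]


def load_networks(watchlist_csv):
    """Parse a Network/Description watchlist into ip_network objects.
    A row whose Network field is not a valid address or range is skipped,
    which is what a mistyped watchlist entry would otherwise silently do."""
    nets = []
    for row in csv.DictReader(io.StringIO(watchlist_csv)):
        try:
            nets.append(ipaddress.ip_network(row["Network"].strip(), strict=False))
        except ValueError:
            continue
    return nets


def in_any(ip, nets):
    return any(ip in n for n in nets)


def unexpected_network_signins(signins, networks_csv, excluded_csv):
    """Return (alerts, unparseable): alerts are sign-ins whose source IP is
    outside every SAP - Networks range and not inside an excluded network;
    unparseable collects records whose address cannot be interpreted."""
    allowed = load_networks(networks_csv)
    excluded = load_networks(excluded_csv)
    alerts, unparseable = [], []
    for rec in signins:
        try:
            ip = ipaddress.ip_address(rec["source_ip"])
        except ValueError:
            unparseable.append(rec)
            continue
        if in_any(ip, excluded):
            continue  # web dispatcher / terminal server traffic is ignored
        if not in_any(ip, allowed):
            alerts.append(rec)
    return alerts, unparseable


if __name__ == "__main__":
    hits, bad = unexpected_network_signins(
        SAMPLE_SIGNINS, SAP_NETWORKS_CSV, SAP_EXCLUDED_NETWORKS_CSV)
    for h in hits:
        print("unexpected network:", h["user"], h["source_ip"])
    for b in bad:
        print("unparseable source address:", b["user"], b["source_ip"])
```

Records with an unparseable address are reported separately rather than dropped, so a broken log field cannot hide a sign-in from the check.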
Next steps
For more information, see:
- Deploy the Microsoft Sentinel solution for SAP
- Microsoft Sentinel SAP solution logs reference
- Deploy the Microsoft Sentinel SAP data connector with SNC
- Expert configuration options, on-premises deployment, and SAPControl log sources
- Microsoft Sentinel SAP solution detailed SAP requirements
- Troubleshooting your Microsoft Sentinel SAP solution deployment