Azure Sentinel SAP solution: security content reference (public preview)

This article details the security content available for the Azure Sentinel SAP solution.

Available security content includes a built-in workbook and built-in analytics rules. You can also add SAP-related watchlists to use in your search, detection rules, threat hunting, and response playbooks.

Important

The Azure Sentinel SAP solution is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Built-in workbooks

Use the following built-in workbooks to visualize and monitor data ingested via the SAP data connector. After deploying the SAP solution, SAP workbooks are found in the My workbooks tab.

Workbook: SAP - Audit Log Browser
Description: Displays data such as:
- General system health, including user sign-ins over time, events ingested by the system, message classes and IDs, and ABAP programs run
- Severities of events occurring in your system
- Authentication and authorization events occurring in your system
Logs: ABAPAuditLog_CL

Workbook: SAP - Suspicious Privileges Operations
Description: Displays data such as:
- Sensitive and critical assignments
- Actions and changes made to sensitive, privileged users
- Changes made to roles
Logs: ABAPAuditLog_CL, ABAPChangeDocsLog_CL

Workbook: SAP - Initial Access & Attempts to Bypass SAP Security Mechanisms
Description: Displays data such as:
- Executions of sensitive programs, code, and function modules
- Configuration changes, including log deactivations
- Changes made in debug mode
Logs: ABAPAuditLog_CL, ABAPTableDataLog_CL, Syslog

Workbook: SAP - Persistency & Data Exfiltration
Description: Displays data such as:
- Internet Communication Framework (ICF) services, including activations and deactivations and data about new services and service handlers
- Insecure operations, including both function modules and programs
- Direct access to sensitive tables
Logs: ABAPAuditLog_CL, ABAPTableDataLog_CL, ABAPSpoolLog_CL, ABAPSpoolOutputLog_CL, Syslog

For more information, see Tutorial: Visualize and monitor your data and Deploy SAP continuous threat monitoring (public preview).

Built-in analytics rules

The following tables list the built-in analytics rules that are included in the Azure Sentinel SAP solution, deployed from the Azure Sentinel Solutions marketplace.

Built-in SAP analytics rules for initial access

Rule name: SAP - High - Login from unexpected network
Description: Identifies a sign-in from an unexpected network. Maintain networks in the SAP - Networks watchlist.
Source action: Sign in to the backend system from an IP address that is not assigned to one of the networks.
Data sources: SAPcon - Audit Log
Tactics: Initial Access

Rule name: SAP - High - SPNego Attack
Description: Identifies an SPNego replay attack.
Data sources: SAPcon - Audit Log
Tactics: Impact, Lateral Movement

Rule name: SAP - Medium - Brute force attacks
Description: Identifies brute force attacks on the SAP system, based on failed sign-in attempts to the backend system.
Source action: Attempt to sign in from the same IP address to several systems/clients within the scheduled time interval.
Data sources: SAPcon - Audit Log
Tactics: Credential Access

Rule name: SAP - Medium - Multiple Logons from the same IP
Description: Identifies sign-ins of several users from the same IP address within a scheduled time interval. Sub-use case: Persistency.
Source action: Sign in with several users from the same IP address.
Data sources: SAPcon - Audit Log
Tactics: Initial Access

Rule name: SAP - Medium - Multiple Logons by User
Description: Identifies sign-ins of the same user from several terminals within a scheduled time interval. Available only via the Audit SAL method, for SAP versions 7.5 and higher. Sub-use case: Persistency.
Source action: Sign in with the same user from different IP addresses.
Data sources: SAPcon - Audit Log
Tactics: PreAttack, Credential Access, Initial Access, Collection

Rule name: SAP - Informational - Lifecycle - SAP Notes were implemented in system
Description: Identifies SAP Note implementation in the system.
Source action: Implement an SAP Note using SNOTE/TCI.
Data sources: SAPcon - Change Requests
Tactics: -
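The following is an added example, not code from the Azure Sentinel SAP solution, showing the logic behind the "Login from unexpected network" and "Brute force attacks" rules run over constructed sign-in records. The watchlist rows use the Network and Description fields this article describes; the event field names (time, user, ip, system, client, success), the sample addresses, and the window and threshold values are assumptions made for this example, not columns or settings of the solution's ABAPAuditLog_CL table.

```python
# Added example, not code from the Azure Sentinel SAP solution: the logic behind
# "SAP - High - Login from unexpected network" and "SAP - Medium - Brute force
# attacks", run over constructed sign-in records. Watchlist rows carry the
# Network and Description fields this page describes; the event field names
# (time, user, ip, system, client, success) are assumptions for this example,
# not column names of the ABAPAuditLog_CL table.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed contents of the SAP - Networks and SAP - Excluded Networks watchlists.
SAP_NETWORKS = [
    {"Network": "10.20.0.0/16", "Description": "Corporate user LAN (constructed)"},
    {"Network": "192.168.5.0/24", "Description": "Basis maintenance segment (constructed)"},
]
SAP_EXCLUDED_NETWORKS = [
    {"Network": "10.99.1.0/24", "Description": "Web dispatchers (constructed)"},
]

# Constructed sign-in events: one successful logon from outside every known
# network, one through an excluded web-dispatcher address, and two series of
# failed logons from different source IPs.
EVENTS = [
    {"time": "2021-06-01T08:00:00", "user": "JDOE", "ip": "10.20.3.7", "system": "PRD", "client": "100", "success": True},
    {"time": "2021-06-01T08:01:00", "user": "JDOE", "ip": "203.0.113.45", "system": "PRD", "client": "100", "success": True},
    {"time": "2021-06-01T08:02:00", "user": "BATCH01", "ip": "10.99.1.4", "system": "PRD", "client": "100", "success": True},
    # three system/client pairs hit from one IP within five minutes
    {"time": "2021-06-01T09:00:00", "user": "ADMIN", "ip": "198.51.100.9", "system": "PRD", "client": "100", "success": False},
    {"time": "2021-06-01T09:02:00", "user": "ADMIN", "ip": "198.51.100.9", "system": "PRD", "client": "200", "success": False},
    {"time": "2021-06-01T09:05:00", "user": "ADMIN", "ip": "198.51.100.9", "system": "QAS", "client": "100", "success": False},
    # the same three pairs from another IP, but spread over an hour
    {"time": "2021-06-01T10:00:00", "user": "MSMITH", "ip": "10.20.4.4", "system": "PRD", "client": "100", "success": False},
    {"time": "2021-06-01T10:30:00", "user": "MSMITH", "ip": "10.20.4.4", "system": "PRD", "client": "200", "success": False},
    {"time": "2021-06-01T11:00:00", "user": "MSMITH", "ip": "10.20.4.4", "system": "QAS", "client": "100", "success": False},
]


def parse_networks(watchlist):
    """Turn watchlist rows (Network field in CIDR notation) into ip_network objects."""
    return [ipaddress.ip_network(row["Network"], strict=False) for row in watchlist]


def ip_in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def unexpected_network_logins(events, known, excluded):
    """Successful sign-ins whose source IP lies in none of the known networks.

    Sources inside an excluded network (web dispatchers, terminal servers) are
    skipped: their address is the proxy's, not the real client's.
    """
    return [
        e for e in events
        if e["success"]
        and not ip_in_any(e["ip"], excluded)
        and not ip_in_any(e["ip"], known)
    ]


def brute_force_sources(events, window_minutes=10, min_targets=3):
    """Source IPs whose failed sign-ins reach at least min_targets distinct
    system/client pairs inside some interval of window_minutes."""
    window = timedelta(minutes=window_minutes)
    failed = defaultdict(list)
    for e in events:
        if not e["success"]:
            failed[e["ip"]].append((datetime.fromisoformat(e["time"]), (e["system"], e["client"])))
    flagged = {}
    for ip, attempts in failed.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            targets = {target for ts, target in attempts[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                flagged[ip] = sorted(targets)
                break
    return flagged


if __name__ == "__main__":
    known = parse_networks(SAP_NETWORKS)
    excluded = parse_networks(SAP_EXCLUDED_NETWORKS)
    for e in unexpected_network_logins(EVENTS, known, excluded):
        print("unexpected network:", e["user"], "from", e["ip"])
    for ip, targets in brute_force_sources(EVENTS).items():
        print("brute force source:", ip, "->", targets)
```

With the constructed data, only the sign-in from 203.0.113.45 is reported as an unexpected network, and only 198.51.100.9 is reported as a brute-force source: the attempts from 10.20.4.4 reach the same three targets but never inside one 10-minute window, which is the distinction the "scheduled time interval" in the rule description makes.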

Built-in SAP analytics rules for data exfiltration

Rule name: SAP - Medium - FTP for non authorized servers
Description: Identifies an FTP connection to a non-authorized server.
Source action: Create a new FTP connection, such as by using the FTP_CONNECT function module.
Data sources: SAPcon - Audit Log
Tactics: Discovery, Initial Access, Command and Control

Rule name: SAP - Medium - Insecure FTP servers configuration
Description: Identifies insecure FTP server configurations, such as when an FTP allowlist is empty or contains placeholders.
Source action: Leave the SAPFTP_SERVERS table unmaintained, or maintain values that contain placeholders in it, using the SAPFTP_SERVERS_V maintenance view (SM30).
Data sources: SAPcon - Audit Log
Tactics: Initial Access, Command and Control

Rule name: SAP - Medium - Multiple Files Download
Description: Identifies multiple file downloads for a user within a specific time range.
Source action: Download multiple files using the SAPGui for Excel, lists, and so on.
Data sources: SAPcon - Audit Log
Tactics: Collection, Exfiltration, Credential Access

Rule name: SAP - Medium - Multiple Spool Executions
Description: Identifies multiple spools for a user within a specific time range.
Source action: Create and run multiple spool jobs of any type as one user (SP01).
Data sources: SAPcon - Spool Log, SAPcon - Audit Log
Tactics: Collection, Exfiltration, Credential Access

Rule name: SAP - Medium - Multiple Spool Output Executions
Description: Identifies multiple spools for a user within a specific time range.
Source action: Create and run multiple spool jobs of any type as one user (SP01).
Data sources: SAPcon - Spool Output Log, SAPcon - Audit Log
Tactics: Collection, Exfiltration, Credential Access

Rule name: SAP - Medium - Sensitive Tables Direct Access By RFC Logon
Description: Identifies generic table access by an RFC sign-in. Maintain tables in the SAP - Sensitive Tables watchlist. Note: Relevant for production systems only.
Source action: Open the table contents using SE11/SE16/SE16N.
Data sources: SAPcon - Audit Log
Tactics: Collection, Exfiltration, Credential Access

Rule name: SAP - Medium - Spool Takeover
Description: Identifies a user printing a spool request that was created by someone else.
Source action: Create a spool request using one user, and then output it using a different user.
Data sources: SAPcon - Spool Log, SAPcon - Spool Output Log, SAPcon - Audit Log
Tactics: Collection, Exfiltration, Command and Control

Rule name: SAP - Low - Dynamic RFC Destination
Description: Identifies the execution of RFC using dynamic destinations. Sub-use case: Attempts to bypass SAP security mechanisms.
Source action: Execute an ABAP report that uses dynamic destinations (cl_dynamic_destination), for example DEMO_RFC_DYNAMIC_DEST.
Data sources: SAPcon - Audit Log
Tactics: Collection, Exfiltration

Rule name: SAP - Low - Sensitive Tables Direct Access By Dialog Logon
Description: Identifies generic table access via a dialog sign-in.
Source action: Open table contents using SE11/SE16/SE16N.
Data sources: SAPcon - Audit Log
Tactics: Discovery
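The following is an added example, not the solution's own rule code, showing the logic shared by the two "Sensitive Tables Direct Access" rules above and how the "Relevant for production systems only" note on the RFC rule is applied using the SAP - Systems watchlist. The watchlist rows use the SAP - Sensitive Tables (Table, Description) and SAP - Systems (SystemID, SystemRole, SystemUsage) fields described later in this article; the event field names (system, user, logon_type, tcode, table) and the sample systems and users are assumptions for this example, not ABAPAuditLog_CL columns.

```python
# Added example, not the solution's own rule code: the logic shared by
# "SAP - Medium - Sensitive Tables Direct Access By RFC Logon" and
# "SAP - Low - Sensitive Tables Direct Access By Dialog Logon". Watchlist rows
# use the SAP - Sensitive Tables (Table, Description) and SAP - Systems
# (SystemID, SystemRole, SystemUsage) fields this page describes; the event
# field names (system, user, logon_type, tcode, table) are assumptions for
# this example, not ABAPAuditLog_CL column names.

# Constructed watchlist contents.
SAP_SENSITIVE_TABLES = [
    {"Table": "USR02", "Description": "User master record with password hashes (constructed)"},
    {"Table": "PA0008", "Description": "HR basic pay infotype (constructed)"},
]
SAP_SYSTEMS = [
    {"SystemID": "PRD", "SystemRole": "Production", "SystemUsage": "ERP"},
    {"SystemID": "DEV", "SystemRole": "Development", "SystemUsage": "ERP"},
]

# Transactions that open table contents directly, as named in the rules' source action.
TABLE_BROWSER_TCODES = {"SE11", "SE16", "SE16N"}

# Constructed table-access events.
EVENTS = [
    {"system": "PRD", "user": "RFC_BATCH", "logon_type": "RFC", "tcode": "SE16", "table": "USR02"},
    {"system": "PRD", "user": "JDOE", "logon_type": "Dialog", "tcode": "SE16N", "table": "PA0008"},
    {"system": "DEV", "user": "DEVUSER", "logon_type": "RFC", "tcode": "SE16", "table": "USR02"},
    {"system": "DEV", "user": "DEVUSER", "logon_type": "Dialog", "tcode": "SE16", "table": "USR02"},
    {"system": "PRD", "user": "JDOE", "logon_type": "Dialog", "tcode": "SE16", "table": "T000"},
    {"system": "PRD", "user": "JDOE", "logon_type": "Dialog", "tcode": "SE38", "table": "USR02"},
]


def production_systems(systems):
    """System IDs whose SystemRole in the SAP - Systems watchlist is Production."""
    return {row["SystemID"] for row in systems if row["SystemRole"] == "Production"}


def sensitive_table_access(events, sensitive_tables, systems):
    """Return (severity, rule name, event) for each direct access to a watchlisted table.

    The RFC rule is noted on this page as relevant for production systems only,
    so RFC hits outside a Production system are dropped; the Dialog rule carries
    no such restriction and fires on every system.
    """
    tables = {row["Table"] for row in sensitive_tables}
    prod = production_systems(systems)
    alerts = []
    for e in events:
        if e["tcode"] not in TABLE_BROWSER_TCODES or e["table"] not in tables:
            continue
        if e["logon_type"] == "RFC" and e["system"] in prod:
            alerts.append(("Medium", "SAP - Medium - Sensitive Tables Direct Access By RFC Logon", e))
        elif e["logon_type"] == "Dialog":
            alerts.append(("Low", "SAP - Low - Sensitive Tables Direct Access By Dialog Logon", e))
    return alerts


if __name__ == "__main__":
    for severity, rule, e in sensitive_table_access(EVENTS, SAP_SENSITIVE_TABLES, SAP_SYSTEMS):
        print(f"{severity:6} {rule}: {e['user']} on {e['system']} read {e['table']} via {e['tcode']}")
```

Of the six constructed events, three produce alerts: the RFC read of USR02 on PRD (Medium), the dialog read of PA0008 on PRD (Low), and the dialog read of USR02 on DEV (Low). The RFC read on DEV is suppressed by the production-only note, and the last two events fall outside the rule because the table is not watchlisted or the transaction is not a table browser.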

Built-in SAP analytics rules for persistency

Rule name: SAP - High - Activation or Deactivation of ICF Service
Description: Identifies activation or deactivation of ICF services.
Source action: Activate a service using SICF.
Data sources: SAPcon - Table Data Log
Tactics: Command and Control, Lateral Movement, Persistence

Rule name: SAP - High - Function Module tested
Description: Identifies the testing of a function module.
Source action: Test a function module using SE37 / SE80.
Data sources: SAPcon - Audit Log
Tactics: Collection, Defense Evasion, Lateral Movement

Rule name: SAP - High - HANA DB - User Admin actions
Description: Identifies user administration actions.
Source action: Create, update, or delete a database user.
Data sources: Linux Agent - Syslog*
Tactics: Privilege Escalation

Rule name: SAP - High - New ICF Service Handlers
Description: Identifies creation of ICF handlers.
Source action: Assign a new handler to a service using SICF.
Data sources: SAPcon - Audit Log
Tactics: Command and Control, Lateral Movement, Persistence

Rule name: SAP - High - New ICF Services
Description: Identifies creation of ICF services.
Source action: Create a service using SICF.
Data sources: SAPcon - Table Data Log
Tactics: Command and Control, Lateral Movement, Persistence

Rule name: SAP - Medium - Execution of Obsolete or Insecure Function Module
Description: Identifies the execution of an obsolete or insecure ABAP function module. Maintain obsolete functions in the SAP - Obsolete Function Modules watchlist. Make sure to activate table logging of changes for the EUFUNC table in the backend (SE13). Note: Relevant for production systems only.
Source action: Run an obsolete or insecure function module directly using SE37.
Data sources: SAPcon - Table Data Log
Tactics: Discovery, Command and Control

Rule name: SAP - Medium - Execution of Obsolete/Insecure Program
Description: Identifies the execution of an obsolete or insecure ABAP program. Maintain obsolete programs in the SAP - Obsolete Programs watchlist. Note: Relevant for production systems only.
Source action: Run a program directly using SE38/SA38/SE80, or by using a background job.
Data sources: SAPcon - Audit Log
Tactics: Discovery, Command and Control

Rule name: SAP - Low - Multiple Password Changes by User
Description: Identifies multiple password changes by a user.
Source action: Change a user password.
Data sources: SAPcon - Audit Log
Tactics: Credential Access

Built-in SAP analytics rules for attempts to bypass SAP security mechanisms

Rule name: SAP - High - Client Configuration Change
Description: Identifies changes to the client configuration, such as the client role or the change recording mode.
Source action: Perform client configuration changes using the SCC4 transaction code.
Data sources: SAPcon - Audit Log
Tactics: Defense Evasion, Exfiltration, Persistence

Rule name: SAP - High - Data has Changed during Debugging Activity
Description: Identifies changes to runtime data during a debugging activity. Sub-use case: Persistency.
Source action:
1. Activate Debug ("/h").
2. Select a field for change and update its value.
Data sources: SAPcon - Audit Log
Tactics: Execution, Lateral Movement

Rule name: SAP - High - Deactivation of Security Audit Log
Description: Identifies deactivation of the Security Audit Log.
Source action: Disable the Security Audit Log using SM19/RSAU_CONFIG.
Data sources: SAPcon - Audit Log
Tactics: Exfiltration, Defense Evasion, Persistence

Rule name: SAP - High - Execution of a Sensitive ABAP Program
Description: Identifies the direct execution of a sensitive ABAP program. Maintain ABAP programs in the SAP - Sensitive ABAP Programs watchlist.
Source action: Run a program directly using SE38/SA38/SE80.
Data sources: SAPcon - Audit Log
Tactics: Exfiltration, Lateral Movement, Execution

Rule name: SAP - High - Execution of a Sensitive Transaction Code
Description: Identifies the execution of a sensitive transaction code. Maintain transaction codes in the SAP - Sensitive Transaction Codes watchlist.
Source action: Run a sensitive transaction code.
Data sources: SAPcon - Audit Log
Tactics: Discovery, Execution

Rule name: SAP - High - Execution of Sensitive Function Module
Description: Identifies the execution of a sensitive ABAP function module. Sub-use case: Persistency. Note: Relevant for production systems only. Maintain sensitive functions in the SAP - Sensitive Function Modules watchlist, and make sure to activate table logging of changes in the backend for the EUFUNC table (SE13).
Source action: Run a sensitive function module directly using SE37.
Data sources: SAPcon - Table Data Log
Tactics: Discovery, Command and Control

Rule name: SAP - High - HANA DB - Audit Trail Policy Changes
Description: Identifies changes to HANA DB audit trail policies.
Source action: Create or update the existing audit policy in security definitions.
Data sources: Linux Agent - Syslog
Tactics: Lateral Movement, Defense Evasion, Persistence

Rule name: SAP - High - HANA DB - Deactivation of Audit Trail
Description: Identifies the deactivation of the HANA DB audit log.
Source action: Deactivate the audit log in the HANA DB security definition.
Data sources: Linux Agent - Syslog
Tactics: Persistence, Lateral Movement, Defense Evasion

Rule name: SAP - High - RFC Execution of a Sensitive Function Module
Description: Identifies the execution of a sensitive function module via RFC. Maintain function modules in the SAP - Sensitive Function Modules watchlist.
Source action: Run a function module using RFC.
Data sources: SAPcon - Audit Log
Tactics: Execution, Lateral Movement, Discovery

Rule name: SAP - High - System Configuration Change
Description: Identifies changes to the system configuration.
Source action: Adapt the system change options or software component modification using the SE06 transaction code.
Data sources: SAPcon - Audit Log
Tactics: Exfiltration, Defense Evasion, Persistence

Rule name: SAP - Medium - Debugging Activities
Description: Identifies all debugging-related activities. Sub-use case: Persistency.
Source action: Activate Debug ("/h") in the system, debug an active process, add a breakpoint to source code, and so on.
Data sources: SAPcon - Audit Log
Tactics: Discovery

Rule name: SAP - Medium - Security Audit Log Configuration Change
Description: Identifies changes in the configuration of the Security Audit Log.
Source action: Change any Security Audit Log configuration using SM19/RSAU_CONFIG, such as the filters, status, recording mode, and so on.
Data sources: SAPcon - Audit Log
Tactics: Persistence, Exfiltration, Defense Evasion

Rule name: SAP - Medium - Transaction is unlocked
Description: Identifies unlocking of a transaction.
Source action: Unlock a transaction code using SM01/SM01_DEV/SM01_CUS.
Data sources: SAPcon - Audit Log
Tactics: Persistence, Execution

Rule name: SAP - Low - Dynamic ABAP Program
Description: Identifies the execution of dynamic ABAP programming, for example when ABAP code was dynamically created, changed, or deleted. Maintain excluded transaction codes in the SAP - Transactions for ABAP Generations watchlist.
Source action: Create an ABAP report that uses ABAP program generation commands, such as INSERT REPORT, and then run the report.
Data sources: SAPcon - Audit Log
Tactics: Discovery, Command and Control, Impact

Built-in SAP analytics rules for suspicious privileges operations

Rule name: SAP - High - Change in Sensitive privileged user
Description: Identifies changes to sensitive privileged users. Maintain privileged users in the SAP - Privileged Users watchlist.
Source action: Change user details / authorizations using SU01.
Data sources: SAPcon - Audit Log
Tactics: Privilege Escalation, Credential Access

Rule name: SAP - High - HANA DB - Assign Admin Authorizations
Description: Identifies admin privilege or role assignment.
Source action: Assign any admin role or privileges to a user.
Data sources: Linux Agent - Syslog
Tactics: Privilege Escalation

Rule name: SAP - High - Sensitive privileged user logged in
Description: Identifies the dialog sign-in of a sensitive privileged user. Maintain privileged users in the SAP - Privileged Users watchlist.
Source action: Sign in to the backend system using SAP* or another privileged user.
Data sources: SAPcon - Audit Log
Tactics: Initial Access, Credential Access

Rule name: SAP - High - Sensitive privileged user makes a change in other user
Description: Identifies changes made by sensitive, privileged users to other users.
Source action: Change user details / authorizations using SU01.
Data sources: SAPcon - Audit Log
Tactics: Privilege Escalation, Credential Access

Rule name: SAP - High - Sensitive Users Password Change and Login
Description: Identifies password changes for privileged users. Maintain privileged users in the SAP - Privileged Users watchlist.
Source action: Change the password for a privileged user and sign in to the system.
Data sources: SAPcon - Audit Log
Tactics: Impact, Command and Control, Privilege Escalation

Rule name: SAP - High - User Creates and uses new user
Description: Identifies a user creating and then using other users. Sub-use case: Persistency.
Source action: Create a user using SU01, and then sign in using the newly created user from the same IP address.
Data sources: SAPcon - Audit Log
Tactics: Discovery, PreAttack, Initial Access

Rule name: SAP - High - User Unlocks and uses other users
Description: Identifies a user being unlocked and then used by other users. Sub-use case: Persistency.
Source action: Unlock a user using SU01, and then sign in using the unlocked user from the same IP address.
Data sources: SAPcon - Audit Log, SAPcon - Change Documents Log
Tactics: Discovery, PreAttack, Initial Access, Lateral Movement

Rule name: SAP - Medium - Assignment of a sensitive profile
Description: Identifies new assignments of a sensitive profile to a user. Maintain sensitive profiles in the SAP - Sensitive Profiles watchlist.
Source action: Assign a profile to a user using SU01.
Data sources: SAPcon - Change Documents Log
Tactics: Privilege Escalation

Rule name: SAP - Medium - Assignment of a sensitive role
Description: Identifies new assignments of a sensitive role to a user. Maintain sensitive roles in the SAP - Sensitive Roles watchlist.
Source action: Assign a role to a user using SU01 / PFCG.
Data sources: SAPcon - Change Documents Log, Audit Log
Tactics: Privilege Escalation

Rule name: SAP - Medium - Critical authorizations assignment - New Authorization Value
Description: Identifies the assignment of a critical authorization object value to a new user. Maintain critical authorization objects in the SAP - Critical Authorization Objects watchlist.
Source action: Assign a new authorization object or update an existing one in a role, using PFCG.
Data sources: SAPcon - Change Documents Log
Tactics: Privilege Escalation

Rule name: SAP - Medium - Critical authorizations assignment - New User Assignment
Description: Identifies the assignment of a critical authorization object value to a new user. Maintain critical authorization objects in the SAP - Critical Authorization Objects watchlist.
Source action: Assign a new user to a role that holds critical authorization values, using SU01/PFCG.
Data sources: SAPcon - Change Documents Log
Tactics: Privilege Escalation

Rule name: SAP - Medium - Sensitive Roles Changes
Description: Identifies changes in sensitive roles. Maintain sensitive roles in the SAP - Sensitive Roles watchlist.
Source action: Change a role using PFCG.
Data sources: SAPcon - Change Documents Log, SAPcon - Audit Log
Tactics: Impact, Privilege Escalation, Persistence
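The following is an added example, not the solution's own rule code, showing the correlation behind the "User Creates and uses new user" and "User Unlocks and uses other users" rules above: a user-administration event (SU01 create or unlock) paired with a later sign-in of the affected user from the same IP address, inside a time window. The event field names (actor, target, action, ip, user, time), the sample users and addresses, and the 60-minute default window are assumptions for this example, not columns or settings of the solution's log tables.

```python
# Added example, not the solution's own rule code: the correlation behind
# "SAP - High - User Creates and uses new user" and "SAP - High - User Unlocks
# and uses other users". Both pair a user-administration event (SU01 create or
# unlock) with a later sign-in of the affected user from the same IP address.
# Event field names (actor, target, action, ip, user, time) are assumptions for
# this example, not column names of the solution's log tables.
from datetime import datetime, timedelta

RULE_BY_ACTION = {
    "CREATE": "SAP - High - User Creates and uses new user",
    "UNLOCK": "SAP - High - User Unlocks and uses other users",
}

# Constructed SU01 user-administration events.
ADMIN_EVENTS = [
    {"time": "2021-06-01T10:00:00", "actor": "JDOE", "target": "ZTEMP01", "action": "CREATE", "ip": "10.20.3.7"},
    {"time": "2021-06-01T10:05:00", "actor": "BASIS1", "target": "MSMITH", "action": "UNLOCK", "ip": "192.168.5.10"},
    {"time": "2021-06-01T12:00:00", "actor": "BASIS1", "target": "RSVC01", "action": "CREATE", "ip": "192.168.5.10"},
]

# Constructed sign-in events.
LOGON_EVENTS = [
    {"time": "2021-06-01T10:03:00", "user": "ZTEMP01", "ip": "10.20.3.7"},      # new user, same IP, 3 minutes later
    {"time": "2021-06-01T10:20:00", "user": "MSMITH", "ip": "10.20.8.2"},       # unlocked user, but a different IP
    {"time": "2021-06-01T10:30:00", "user": "MSMITH", "ip": "192.168.5.10"},    # unlocked user from the unlocking IP
    {"time": "2021-06-01T14:00:00", "user": "RSVC01", "ip": "192.168.5.10"},    # same IP, but two hours after creation
]


def _ts(s):
    return datetime.fromisoformat(s)


def admin_then_logon(admin_events, logon_events, window_minutes=60):
    """Pair each create/unlock with a sign-in of the target user from the same IP
    within window_minutes after the administrative change."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for a in admin_events:
        changed_at = _ts(a["time"])
        for l in logon_events:
            if l["user"] != a["target"] or l["ip"] != a["ip"]:
                continue
            if changed_at <= _ts(l["time"]) <= changed_at + window:
                hits.append({
                    "rule": RULE_BY_ACTION[a["action"]],
                    "actor": a["actor"],
                    "user": a["target"],
                    "ip": a["ip"],
                    "minutes_after": int((_ts(l["time"]) - changed_at).total_seconds() // 60),
                })
    return hits


if __name__ == "__main__":
    for h in admin_then_logon(ADMIN_EVENTS, LOGON_EVENTS):
        print(f'{h["rule"]}: {h["actor"]} -> {h["user"]} from {h["ip"]} ({h["minutes_after"]} min later)')
```

With the default window, the constructed data yields one hit per rule: ZTEMP01 signing in three minutes after JDOE created it, and MSMITH signing in from the address BASIS1 unlocked it from. The MSMITH sign-in from a different address is not paired, and the RSVC01 sign-in two hours after creation only pairs if the window is widened, which is the tuning decision a practitioner makes when the scheduled interval of these rules is adjusted.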

Available watchlists

The following table lists the watchlists available for the Azure Sentinel SAP solution, and the fields in each watchlist.

These watchlists provide the configuration for the Azure Sentinel SAP Continuous Threat Monitoring solution, and are accessible in the Azure Sentinel GitHub repository at https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP/Analytics/Watchlists.

SAP - Critical Authorization Objects: Critical authorization objects, where assignments should be governed.

- AuthorizationObject: An SAP authorization object, such as S_DEVELOP, S_TCODE, or Table TOBJ
- AuthorizationField: An SAP authorization field, such as OBJTYP or TCD
- AuthorizationValue: An SAP authorization field value, such as DEBUG
- ActivityField: The SAP activity field. In most cases this value is ACTVT. For authorization objects without an activity, or with only an activity field, fill this with NOT_IN_USE.
- Activity: The SAP activity, according to the authorization object, such as 01: Create; 02: Change; 03: Display, and so on.
- Description: A meaningful critical authorization object description

SAP - Excluded Networks: Internal excluded networks to be ignored, such as web dispatchers, terminal servers, and so on.

- Network: A network IP address or range, such as 111.68.128.0/17
- Description: A meaningful network description

SAP - Excluded Users: System users that are signed in to the system and must be ignored, such as for the Multiple logons by user alert.

- User: SAP user
- Description: A meaningful user description

SAP - Networks: Internal and maintenance networks for identification of unauthorized logins.

- Network: A network IP address or range, such as 111.68.128.0/17
- Description: A meaningful network description

SAP - Privileged Users: Privileged users that are under extra restrictions.

- User: The ABAP user, such as DDIC or SAP
- Description: A meaningful user description

SAP - Sensitive ABAP Programs: Sensitive ABAP programs (reports), where execution should be governed.

- ABAPProgram: An ABAP program or report, such as RSPFLDOC
- Description: A meaningful program description

SAP - Sensitive Function Module: Sensitive function modules, where execution should be governed.

- FunctionModule: An ABAP function module, such as RSAU_CLEAR_AUDIT_LOG
- Description: A meaningful module description

SAP - Sensitive Profiles: Sensitive profiles, where assignments should be governed.

- Profile: An SAP authorization profile, such as SAP_ALL or SAP_NEW
- Description: A meaningful profile description

SAP - Sensitive Tables: Sensitive tables, where access should be governed.

- Table: An ABAP Dictionary table, such as USR02 or PA008
- Description: A meaningful table description

SAP - Sensitive Roles: Sensitive roles, where assignment should be governed.

- Role: An SAP authorization role, such as SAP_BC_BASIS_ADMIN
- Description: A meaningful role description

SAP - Sensitive Transactions: Sensitive transactions, where execution should be governed.

- TransactionCode: An SAP transaction code, such as RZ11
- Description: A meaningful transaction code description

SAP - Systems: Describes the landscape of SAP systems according to role and usage.

- SystemID: The SAP system ID (SYSID)
- SystemRole: The SAP system role, one of the following values: Sandbox, Development, Quality Assurance, Training, Production
- SystemUsage: The SAP system usage, one of the following values: ERP, BW, Solman, Gateway, Enterprise Portal

SAP - Obsolete Function Modules: Obsolete function modules, whose execution should be governed.

- FunctionModule: An ABAP function module, such as TH_SAPREL
- Description: A meaningful function module description

SAP - Obsolete Programs: Obsolete ABAP programs (reports), whose execution should be governed.

- ABAPProgram: An ABAP program, such as TH_ RSPFLDOC
- Description: A meaningful ABAP program description

SAP - Transactions for ABAP Generations: Transactions for ABAP generations, whose execution should be governed.

- TransactionCode: A transaction code, such as SE11
- Description: A meaningful transaction code description

SAP - FTP Servers: FTP servers for identification of unauthorized connections.

- Client: The SAP client, such as 100
- FTP_Server_Name: The FTP server name, such as http://contoso.com/
- FTP_Server_Port: The FTP server port, such as 22
- Description: A meaningful FTP server description
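The following is an added example, not code from the solution or its GitHub repository, showing how the SAP - Critical Authorization Objects watchlist is read and how its ActivityField/Activity pair is evaluated against a role's authorizations, which is what the "Critical authorizations assignment" rules above depend on. The CSV rows reuse the field examples this article gives (S_DEVELOP with OBJTYP = DEBUG and ACTVT, S_TCODE with TCD, NOT_IN_USE); the role authorization records and their field names (role, object, fields) are constructed assumptions for this example.

```python
# Added example, not the solution's own code: parsing the SAP - Critical
# Authorization Objects watchlist (fields as listed on this page) and checking
# role authorizations against it, the way the "Critical authorizations
# assignment" rules need to. The CSV rows and the role data are constructed for
# this example; role record field names (role, object, fields) are assumptions.
import csv
import io

NOT_IN_USE = "NOT_IN_USE"

# Constructed watchlist CSV. S_DEVELOP/OBJTYP=DEBUG with ACTVT and S_TCODE/TCD
# are the examples this page gives for these fields.
CRITICAL_AUTH_OBJECTS_CSV = """AuthorizationObject,AuthorizationField,AuthorizationValue,ActivityField,Activity,Description
S_DEVELOP,OBJTYP,DEBUG,ACTVT,02,Debugging with field replacement (constructed)
S_TCODE,TCD,SE16,NOT_IN_USE,NOT_IN_USE,Generic table browser (constructed)
"""

# Constructed role authorizations: each record is one authorization object in a
# role, with the field values the role carries for it.
ROLE_AUTHORIZATIONS = [
    {"role": "Z_DEV_DEBUG", "object": "S_DEVELOP", "fields": {"OBJTYP": ["DEBUG", "PROG"], "ACTVT": ["01", "02", "03"]}},
    {"role": "Z_DEV_DISPLAY", "object": "S_DEVELOP", "fields": {"OBJTYP": ["DEBUG"], "ACTVT": ["03"]}},
    {"role": "Z_TABLE_BROWSE", "object": "S_TCODE", "fields": {"TCD": ["SE11", "SE16"]}},
    {"role": "Z_ALL_TCODES", "object": "S_TCODE", "fields": {"TCD": ["*"]}},
    {"role": "Z_HR_DISPLAY", "object": "S_TCODE", "fields": {"TCD": ["PA20"]}},
]


def load_watchlist(csv_text):
    """Parse the watchlist CSV into a list of row dicts keyed by the header fields."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def field_grants(values, wanted):
    """A role field grants a value if it lists it or carries the full wildcard.

    Only the full "*" wildcard is handled here; partial patterns are left out.
    """
    return wanted in values or "*" in values


def matches(auth, entry):
    """Does one role authorization satisfy one watchlist entry?"""
    if auth["object"] != entry["AuthorizationObject"]:
        return False
    if not field_grants(auth["fields"].get(entry["AuthorizationField"], []), entry["AuthorizationValue"]):
        return False
    if entry["ActivityField"] == NOT_IN_USE:
        return True  # object has no activity dimension: the value alone is critical
    return field_grants(auth["fields"].get(entry["ActivityField"], []), entry["Activity"])


def critical_assignments(authorizations, watchlist):
    """Return (role, object, description) for every role authorization that
    hits a watchlist entry."""
    hits = []
    for auth in authorizations:
        for entry in watchlist:
            if matches(auth, entry):
                hits.append((auth["role"], auth["object"], entry["Description"]))
    return hits


if __name__ == "__main__":
    for role, obj, desc in critical_assignments(ROLE_AUTHORIZATIONS, load_watchlist(CRITICAL_AUTH_OBJECTS_CSV)):
        print(f"{role}: {obj} -> {desc}")
```

Three of the five constructed roles are reported: Z_DEV_DEBUG carries both OBJTYP = DEBUG and ACTVT = 02, Z_TABLE_BROWSE carries TCD = SE16 for an entry whose activity field is NOT_IN_USE, and Z_ALL_TCODES reaches the same entry through the full wildcard. Z_DEV_DISPLAY is not reported because it holds the DEBUG value with display activity only, which is the distinction the ActivityField and Activity columns exist to make.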

Next steps

For more information, see: