Martin-Pankraz

Find your way to our central blog series entry here.

Dear community,

Following the product release blog by SAP regarding the integration of SAP LogServ and Microsoft Sentinel, I am going to share some details on customizing the solution to your needs.

The SAP LogServ service in SAP RISE, private cloud edition, gets you access to all the logs produced by the underlying services managed by SAP ECS. Microsoft Sentinel without LogServ is limited to the application layer only. LogServ holds the promise to get a glimpse into the inner workings of RISE to…

  • Satisfy your auditing needs, and
  • Integrate with the SIEM solution Microsoft Sentinel.

However, ALL logs are a bit much for many of you, and the security value varies a lot. This blog gets you started on making cost-conscious decisions without compromising too much on threat protection insights. The most discussed log in my conversations so far was the SAP HANA database log.

 

Which logs should I choose?

That needs to be answered based on your needs, what is available, and what you want to achieve. Some just want to store all logs beyond the 365 days covered by LogServ, others only want the HANA DB log, and some want a specific subset across gateways, network, and database. For an up-to-date list, always check with SAP.

Here is my opinionated subset that serves as an intro to the topic, with no ambition for completeness. Otherwise this becomes a master's-thesis kind of thing 😉

 

| LogServ source | In scope of your shared responsibility | Threat protection value | Chattiness (volume indication in t-shirt sizes) | Comment |
|---|---|---|---|---|
| OS (Linux + Windows) | No | Medium | L | Less relevant without integration into your EDR |
| Database (HANA, ASE, DB2, etc.) | Yes | High | M | Audit relevant |
| Web Application Firewall | No | Medium | XL | Only HTTP connection info and routing, without context |
| Load Balancer | No | Low | L | Layer 4 (TCP/IP) communication only, without context |
| Network, Flow Logs | No | Medium | XXXL | Useful to trace back lateral movement on a compromise |
| SAP Cloud Connector | Yes | High | M | Audit log holds all info on connections from SAP BTP |
| SAP Web Dispatcher | No | Medium | L | Only HTTP connection info and routing, with IPs from the last hop rather than the original client |
| ICM | No | Medium | L | Same challenge as with Web Dispatcher |
| SAP Gateway (OData) | Yes | Low | M | Mostly exceptions on OData requests. The SAP Cloud Connector audit log covers this with higher value |

For the latest list of LogServ source folder names and the like, consult SAP and their documentation.

Be aware that for AS ABAP and AS Java security audit log integration you still require the agentless Microsoft Sentinel solution for SAP. See the overview diagram in SAP’s blog for more details on the LogServ add-on in combination with Sentinel for SAP.

 

How do I select those logs?

SAP published a native solution for Microsoft Sentinel. Because it builds on the Microsoft platform, you configure the ingestion rule on the Data Collection Rule (DCR) instance in Azure.

Once you have deployed the LogServ connector on Sentinel, you can browse the same Azure resource group to identify your generated Data Collection Rule. Its name will read something like “-SAPLogServDCR-”. Tailor the existing Kusto Query Language (KQL) transformation to your needs (step 4). The default one takes all logs.


 

Consider the KQL snippet below to filter the logs by type. In my sample, the data collection rule only accepts HANA DB, Linux OS, and DNS.

// Helper: convert a Unix epoch timestamp (seconds) into a datetime.
let fromUnixTime = (t: real) {
    datetime(1970-01-01) + t * 1sec
};
source
| extend TimeGenerated = fromUnixTime(_time)   // Sentinel expects TimeGenerated
| extend Raw = _raw
| extend UnixTimestamp = _time
// Allowlist of LogServ source folders; everything else is dropped at ingestion
| where clz_dir in ("hana", "linux", "dns")
| project-away _raw, _time                     // drop the original fields
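As an added example (not from the original post), the Python below replays that transformation over a constructed sample of LogServ records, so you can check which records the allowlist keeps and how much raw volume each clz_dir contributes before you commit the change to the DCR. The field names _time, _raw and clz_dir follow the snippet above; the sample values and source folder names other than hana, linux and dns are made up.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of LogServ records as the DCR sees them before the
# transformation runs: _time (Unix seconds), _raw and clz_dir (the LogServ
# source folder). All values are made up for illustration.
SAMPLE_RECORDS = [
    {"_time": 1748009301.0, "clz_dir": "hana", "_raw": "hana audit: user=SYSTEM action=GRANT"},
    {"_time": 1748009302.0, "clz_dir": "linux", "_raw": "sshd: accepted publickey for admin"},
    {"_time": 1748009303.0, "clz_dir": "flowlogs", "_raw": "10.0.0.5 -> 10.0.1.9 443 ACCEPT"},
    {"_time": 1748009304.0, "clz_dir": "flowlogs", "_raw": "10.0.0.6 -> 10.0.1.9 443 ACCEPT"},
    {"_time": 1748009305.0, "clz_dir": "dns", "_raw": "query A sap.example.internal"},
    {"_time": 1748009306.0, "clz_dir": "waf", "_raw": "GET /sap/opu/odata 200"},
]

# Same allowlist as the blog's DCR transformation.
KEEP = {"hana", "linux", "dns"}


def from_unix_time(t: float) -> datetime:
    """Mirror of the KQL fromUnixTime(): 1970-01-01 plus t seconds."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=t)


def transform(records, keep=KEEP):
    """Replay the transformation: keep allowlisted clz_dir values, derive
    TimeGenerated/Raw/UnixTimestamp and project away the original _raw/_time."""
    out = []
    for r in records:
        if r["clz_dir"] not in keep:  # | where clz_dir in (...)
            continue
        row = {k: v for k, v in r.items() if k not in ("_raw", "_time")}
        row["TimeGenerated"] = from_unix_time(r["_time"])
        row["Raw"] = r["_raw"]
        row["UnixTimestamp"] = r["_time"]
        out.append(row)
    return out


def volume_by_source(records):
    """Raw bytes per clz_dir: puts a number on the table's chattiness column."""
    totals = {}
    for r in records:
        totals[r["clz_dir"]] = totals.get(r["clz_dir"], 0) + len(r["_raw"].encode())
    return totals


def dropped_share(records, keep=KEEP) -> float:
    """Fraction of raw bytes the allowlist keeps out of the Analytics table."""
    totals = volume_by_source(records)
    total = sum(totals.values())
    kept = sum(v for k, v in totals.items() if k in keep)
    return 1 - kept / total if total else 0.0
```

Run volume_by_source over a real export of a day's LogServ records to replace the t-shirt sizes with numbers, then adjust the allowlist until dropped_share matches your cost target.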

You have full control over your selections and target Log Analytics tables. For instance, you might point one set of LogServ data to the cheaper Auxiliary table plan for auditing requirements. I like this image from Microsoft Learn to explain the different table types. By design, the LogServ connector comes with a built-in table on the Analytics plan. It is called SAPLogServ_CL.


 

Weigh retention time, real-time needs, and storage cost. See this blog for additional details.

 

Final Words

That’s a wrap 🌯. Today you saw how a single line of KQL (Kusto Query Language) makes all the difference between drinking from the SAP RISE logs firehose that is SAP LogServ and selectively choosing SAP logs that mean something to your use case.

Get started with your deployment from here. Stay tuned for more detections and security content.

What use cases and detections are you implementing with LogServ and Microsoft Sentinel? Let me know in the comments or reach out directly.

Cheers, Martin