Find your way to our central blog series entry here.
Dear community,
Following the product release blog by SAP regarding the integration of SAP LogServ and Microsoft Sentinel, I am going to share some details on customizing the solution to your needs.
The SAP LogServ service in SAP RISE, private cloud edition, gets you access to all the logs produced by the underlying services managed by SAP ECS. Microsoft Sentinel without LogServ is limited to the application layer only. LogServ holds the promise to get a glimpse into the inner workings of RISE to…
However, ALL logs are a bit much for many of you, and the security value varies a lot. This blog gets you started on making cost-conscious decisions without compromising too much on threat protection insights. The most discussed log in my conversations so far was the SAP HANA database log.
Which logs to ingest has to be answered based on your needs, on what is available, and on what you want to achieve. Some just want all logs stored beyond the 365 days covered by LogServ, others only want the HANA DB log, and some want a specific subset across gateways, network, and database. For an up-to-date list always check with SAP.
Here is my opinionated subset that serves as an intro to the topic with no ambition for completeness. Otherwise, this becomes a master thesis kind of thing😉
| LogServ source | In scope of your shared responsibility | Threat protection value | Chattiness (volume indication in t-shirt sizes) | Comment |
|---|---|---|---|---|
| OS (Linux + Windows) | No | Medium | L | Without integration into your EDR less relevant |
| Database (HANA, ASE, DB2, etc.) | Yes | High | M | Audit relevant |
| Web Application Firewall | No | Medium | XL | Only HTTP connection info and routing without context |
| Load Balancer | No | Low | L | Layer 4 (TCP/IP) communication only, without context |
| Network, Flow Logs | No | Medium | XXXL | Useful to trace back lateral movement on a compromise |
| SAP Cloud Connector | Yes | High | M | Audit log holds all info on connections from SAP BTP |
| SAP Web Dispatcher | No | Medium | L | Only HTTP connection info and routing, with IPs from the last hop rather than the original client |
| ICM | No | Medium | L | Same challenge as with Web Dispatcher |
| SAP Gateway (OData) | Yes | Low | M | Mostly exceptions on OData requests. SAP Cloud Connector audit log covers this with higher value |
| … | | | | |
For the latest list of LogServ source folder names etc. consult with SAP and their documentation.
Be aware, for AS ABAP and AS JAVA security audit log integration you still require the agentless Sentinel Solution for SAP. See the overview diagram in SAP’s blog for more details on the LogServ Addon in combination with the Sentinel for SAP.
SAP published a native connector for Microsoft Sentinel. Because it builds on the Microsoft platform, you configure the ingestion transformation on the Data Collection Rule (DCR) instance in Azure.
Once you have deployed the LogServ connector in Sentinel, browse the same Azure resource group to identify your generated Data Collection Rule. Its name will read something like “-SAPLogServDCR-”. Tailor the existing Kusto Query Language (KQL) transformation to your needs (step 4). The default one takes all logs.
Consider the KQL snippet below to filter the logs by type. In my sample the Data Collection Rule only accepts the HANA DB, Linux OS, and DNS logs.
```kql
// Convert the LogServ Unix epoch seconds (_time) into a Sentinel datetime
let fromUnixTime = (t: real) {
    datetime(1970-01-01) + t * 1sec
};
source
| extend TimeGenerated = fromUnixTime(_time)
| extend Raw = _raw
| extend UnixTimestamp = _time
// Keep only the LogServ source folders you want to pay for; everything else is dropped before ingestion
| where clz_dir in ("hana", "linux", "dns")
// Drop the original columns now that they are mapped to the table schema
| project-away _raw, _time
```
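To check such a filter before you edit the DCR, here is an added Python dry-run (my own example, not code from SAP's connector or the original post): it renders the transformation KQL for a chosen set of clz_dir folders, applies the same logic to constructed sample records, and sums raw bytes per source to support the cost decision. The record field names follow the snippet above; the folder names other than hana, linux and dns are placeholders I made up.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape the LogServ connector hands to the DCR:
# _raw (log line), _time (Unix epoch seconds), clz_dir (LogServ source folder).
# Folder names other than hana/linux/dns are hypothetical placeholders.
SAMPLE_RECORDS = [
    {"_raw": "2024-05-01T10:00:00Z;AUDIT;CONNECT;user=SAPABAP1", "_time": 1714557600.0, "clz_dir": "hana"},
    {"_raw": "May  1 10:00:01 host sshd[42]: Accepted publickey for admin", "_time": 1714557601.0, "clz_dir": "linux"},
    {"_raw": "query A example.internal from 10.0.0.5", "_time": 1714557602.0, "clz_dir": "dns"},
    {"_raw": "GET /sap/bc/ping 200 12ms", "_time": 1714557603.0, "clz_dir": "webdispatcher"},
    {"_raw": "SRC=10.0.0.5 DST=10.0.1.7 PROTO=TCP", "_time": 1714557604.0, "clz_dir": "flowlogs"},
]

def build_transform_kql(allowed_dirs):
    """Render the DCR transformation KQL for the given LogServ source folders."""
    quoted = ", ".join(f'"{d}"' for d in allowed_dirs)
    return (
        "let fromUnixTime = (t: real) { datetime(1970-01-01) + t * 1sec };\n"
        "source\n"
        "| extend TimeGenerated = fromUnixTime(_time)\n"
        "| extend Raw = _raw\n"
        "| extend UnixTimestamp = _time\n"
        f"| where clz_dir in ({quoted})\n"
        "| project-away _raw, _time"
    )

def apply_transform(records, allowed_dirs):
    """Dry-run of the same transformation, to check the filter before the DCR is changed."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    kept = []
    for rec in records:
        if rec["clz_dir"] not in allowed_dirs:  # the KQL 'where' clause
            continue
        row = {k: v for k, v in rec.items() if k not in ("_raw", "_time")}  # project-away
        row["TimeGenerated"] = (epoch + timedelta(seconds=rec["_time"])).isoformat()
        row["Raw"] = rec["_raw"]
        row["UnixTimestamp"] = rec["_time"]
        kept.append(row)
    return kept

def ingestion_bytes_by_source(records):
    """Raw bytes per clz_dir: what each source would cost if it were not filtered out."""
    totals = {}
    for rec in records:
        totals[rec["clz_dir"]] = totals.get(rec["clz_dir"], 0) + len(rec["_raw"].encode())
    return totals

if __name__ == "__main__":
    print(build_transform_kql(("hana", "linux", "dns")))
    print(apply_transform(SAMPLE_RECORDS, ("hana", "linux", "dns")))
    print(ingestion_bytes_by_source(SAMPLE_RECORDS))
```

Compare the per-source byte totals of the dropped folders against the t-shirt sizes in the table above to see what the filter saves you.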
You have full control over your selections and target Log Analytics tables. For instance, you might point one set of LogServ data to the cheaper Auxiliary table plan for auditing requirements. I like this image from Microsoft Learn to explain the different table types. By design the LogServ connector comes with a built-in table on the Analytics plan. It is called SAPLogServ_CL.
Weigh retention time, real time needs, and storage cost. See this blog for additional details.
That’s a wrap 🌯. Today you saw how a single line of KQL (Kusto Query Language) makes all the difference between drinking from the SAP RISE logs firehose that is SAP LogServ and selectively choosing SAP logs that mean something to your use case.
Get started with your deployment from here. Stay tuned for more detections and security content.
What use cases and detections are you implementing with LogServ and Microsoft Sentinel? Let me know in the comments or reach out directly.
Cheers Martin