Microsoft Sentinel solution for SAP® applications data reference
Important
Some components of the Microsoft Sentinel Threat Monitoring for SAP solution are currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Some logs, noted below, are not sent to Microsoft Sentinel by default, but you can manually add them as needed. For more information, see Define the SAP logs that are sent to Microsoft Sentinel.
This article describes the functions, logs, and tables available as part of the Microsoft Sentinel solution for SAP® applications and its data connector. It is intended for advanced SAP users.
Functions available from the SAP solution
This section describes the functions that are available in your workspace after you've deployed the Microsoft Sentinel solution for SAP® applications. Find these functions in the Microsoft Sentinel Logs page to use in your KQL queries, listed under Workspace functions.
Users are strongly encouraged to use the functions as the subjects of their analysis whenever possible, instead of the underlying logs or tables. These functions are intended to serve as the principal user interface to the data. They form the basis for all the built-in analytics rules and workbooks available to you out of the box. This allows for changes to be made to the data infrastructure beneath the functions, without breaking user-created content.
- SAPUsersAssignments
- SAPUsersGetPrivileged
- SAPUsersAuthorizations
- SAPConnectorHealth
- SAPConnectorOverview
- SAPUsersEmail
- SAPAuditLogConfiguration
- SAPAuditLogAnomalies
- SAPAuditLogConfigRecommend
- SAPSystems
- SAPUsersGetVIP
- SAPUsersHeader
SAPUsersAssignments
The SAPUsersAssignments function gathers data from multiple SAP data sources and creates a user-centric view of the current user master data, including the roles and profiles currently assigned.
This function summarizes the user assignments to roles and profiles, and returns the following data:
Field | Description | Data Source/Notes |
---|---|---|
User | SAP user ID | SAL only |
SMTP address | USR21 (SMTP_ADDR) | |
UserType | User type | USR02 (USTYP) |
Timezone | Time zone | USR02 (TZONE) |
LockedStatus | Lock status | USR02 (UFLAG) |
LastSeenDate | Last seen date | USR02 (TRDAT) |
LastSeenTime | Last seen time | USR02 (LTIME) |
UserGroupAuth | User group in user master maintenance | USR02 (CLASS) |
Profiles | Set of profiles (default maximum set size = 50) | ["Profile 1", "Profile 2",...,"profile 50"] |
DirectRoles | Set of Directly assigned roles (default max set size = 50) | ["Role 1", "Role 2",...,"”"Role 50"] |
ChildRoles | Set of indirectly assigned roles (default max set size = 50) | ["Role 1", "Role 2",...,"”"Role 50"] |
Client | Client ID | |
SystemID | System ID | As defined in the connector |
SAPUsersGetPrivileged
The SAPUsersGetPrivileged function returns a list of privileged users per client and system ID.
Users are considered privileged when they are listed in the SAP - Privileged Users watchlist, have been assigned to a profile listed in SAP - Sensitive Profiles watchlist, or have been added to a role listed in SAP - Sensitive Roles watchlist.
Parameters:
- TimeAgo
- Optional
- Default value: Seven days
- Determines that the function seeks User master data from the time defined by the
TimeAgo
value until the time defined by thenow()
value.
The SAPUsersGetPrivileged function returns the following data:
Field | Description |
---|---|
User | SAP user ID |
Client | Client ID |
SystemID | System ID |
SAPUsersAuthorizations
The SAPUsersAuthorizations function brings together data from several tables to produce a user-centric view of the current roles and authorizations assigned. Only users with active role and authorization assignments are returned.
Parameters:
- TimeAgo
- Optional
- Default value: Seven days
- Determines that the function seeks User master data from the time defined by the
TimeAgo
value until the time defined by thenow()
value.
The SAPUsersAuthorizations function returns the following data:
Field | Description | Notes |
---|---|---|
User | SAP user ID | |
Roles | Set of roles (default max set size = 50) | ["Role 1", "Role 2",...,"Role 50"] |
AuthorizationsDetails | Set of authorizations (default max set size = 100) | {{AuthorizationsDeatils1} ,{AuthorizationsDeatils2} , ..., {AuthorizationsDeatils100}} |
Client | Client ID | |
SystemID | System ID |
SAPConnectorHealth
The SAPConnectorHealth function reflects the status of the agent's and the underlying SAP system's connectivity. Based on the heartbeat log SAP_HeartBeat_CL and other health indicators, it returns the following data:
Field | Description |
---|---|
Agent | Agent ID in agent's configuration (automatically generated) |
SystemID | SAP System ID |
Status | Overall connectivity status |
Details | Connectivity details |
ExtendedDetails | Connectivity extended details |
LastSeen | Timestamp of latest activity |
StatusCode | Code reflecting the system's status |
SAPConnectorOverview
The SAPConnectorOverview function shows row counts of each SAP table per System ID. It returns a list of data records per system ID, and their time generated.
Parameters:
- TimeAgo
- Optional
- Default value: Seven days
- Determines that the function seeks User master data from the time defined by the
TimeAgo
value until the time defined by thenow()
value.
Field | Description |
---|---|
TimeGenerated | A datetime value of the timestamp of the record's generation |
SystemID_s | A string representing the SAP System ID |
Use the following Kusto query to perform a daily trend analysis:
SAPConnectorOverview(7d)
| summarize count() by bin(TimeGenerated, 1d), SystemID_s
SAPUsersEmail
The SAPUsersEmail function allows for a performance oriented lookup of an SAP user's email address per SAP system and client, normally used to associate it with an active directory account. Using data extracted from SAP tables USR21 (User Name/Address Key Assignment) and ADR6 (E-Mail Addresses), the SAPUsersEmail function looks for an Email address. In case one is not found, the user ID is returned instead of an Email address. This behavior ensures that SAP service accounts (such as DDIC), that often are not associated with an email addresses, will be logged as pseudo AD accounts, enabling some UEBA features, aiding in the investigation of incidents and hunting activities.
Field | Description |
---|---|
ClientID | The SAP Client ID |
SystemID | The SAP System ID |
User | The SAP User ID |
The Email address of the SAP User |
SAPSystems
The SAPSystems function is used to centrally present the per-system configuration made using the 'SAP - Systems' watchlist.
Parameters:
- SelectedSystems
- Optional
- Default value: "All Systems"
- Used to filter specific SAP systems
- SelectedSystemRoles
- Optional
- Default value: "All System Roles"
- Determines the roles of the SAP Systems to be looked at (as defined in the "SAP - Systems" watchlist)
Field | Description | Data Source/Notes |
---|---|---|
SearchKey | Search Key | Indexed field for SAP System ID |
SystemRole | The SAP System's Role | Production, UAT |
SystemUsage | The main usage of the SAP system | ERP, CRM |
SystemID | The SAP System ID |
SAPAuditLogConfiguration
The SAPAuditLogConfiguration function returns the local configuration of the SAP audit log alerting of the Sentinel workspace, to be used for the different SAP audit log related alerts. It joins the data in the 'SAP Dynamic Audit Log Monitor Configuration' and 'SAP - Systems' watchlists to provide a per-system configuration at a per-system-role effort.
Parameters:
- SelectedSystems
- Optional
- Default value: "All Systems"
- Used to filter specific SAP systems to look at.
- SelectedSystemRoles
- Optional
- Default value: "All System Roles"
- Determines the roles of the SAP Systems to be looked at (as defined in the "SAP - Systems" watchlist).
- SelectedSeverities
- Optional
- Default value: ["High", "Medium"]
- Used to determine events to be looked at in terms of their severities. Severities per SAP audit log message ID and system role are defined in the "SAP_Dynamic_Audit_Log_Monitor_Configuration" watchlist.
- SelectedRuleTypes
- Optional
- Default value: "All RuleTypes"
- Determines what events are relevant for detecting the anomalies on. Rule types per SAP audit log message ID and system role are defined in the "SAP_Dynamic_Audit_Log_Monitor_Configuration" watchlist.
Field | Description | Data Source/Notes |
---|---|---|
CategoryName | SAP given event category | 'SAP Dynamic Audit Log Monitor Configuration' watchlist |
DestinationEmail | Email address of the Assigned Team | 'SAP Dynamic Audit Log Monitor Configuration' watchlist |
DetailedDescription | A markdown formatted text to be displayed on alerts | 'SAP Dynamic Audit Log Monitor Configuration' watchlist |
MessageID | The SAP audit log message ID | 'SAP Dynamic Audit Log Monitor Configuration' watchlist |
MessageText | A sample message text | 'SAP Dynamic Audit Log Monitor Configuration' watchlist |
RolesTagsToExclude | an ABAP Role, Profile or free text tag | 'SAP Dynamic Audit Log Monitor Configuration' watchlist |
RuleType | Anomaly or deterministic | 'SAP Dynamic Audit Log Monitor Configuration' watchlist |
Tactics | The MITRE ATTA&CK tactic | 'SAP Dynamic Audit Log Monitor Configuration' watchlist |
TeamsChannelID | Teams Channel | 'SAP Dynamic Audit Log Monitor Configuration' watchlist |
SystemID | The SAP System ID | 'SAP - Systems' watchlist |
SystemRole | The SAP System's Role | 'SAP - Systems' watchlist |
SystemUsage | The main usage of the SAP system | 'SAP - Systems' watchlist |
IsProd | Production system flag | 'SAP - Systems' watchlist |
Severity | The derived severity | Severity per system usage |
Threshold | The derived threshold | Event count per system Usage |
BagOfDetails | Bag of Details | A dictionary detailing the event definition |
SAPAuditLogAnomalies
The SAPAuditLogAnomalies uses Sentinel's underlying Kusto database's built-in machine learning capabilities to help detect anomalous events observed on the SAP audit log. Developed for the “SAP - (Experimental) Dynamic Anomaly based Audit Log Monitor Alerts” alert rule, this function was initially designed to alert on recent anomalies but it can also help to highlight historical anomalies (see examples below).
Parameters:
- LearningTime
- Optional
- Default Value: 14 days
- Determines the timespan used for the model learning
- DetectingTime
- Optional
- Default value: One hour
- Determines the timespan to be looked at for detecting anomalies. Calling this function with DetectingTime = 0h will highlight anomalies across the entire LearningTime timespan
- SelectedSystems
- Optional
- Default value: "All Systems"
- Used to filter specific SAP systems to look at.
- SelectedSystemRoles
- Optional
- Default value: "All System Roles"
- Determines the roles of the SAP Systems to be looked at (as defined in the "SAP - Systems" watchlist).
- SelectedSeverities
- Optional
- Default value: ["High", "Medium"]
- Used to determine events to be looked at in terms of their severities. Severities per SAP audit log message ID and system role are defined in the "SAP_Dynamic_Audit_Log_Monitor_Configuration" watchlist.
- SelectedPrefixMask
- Optional
- Default value: 24
- Used to determine the subnet mask level used for learning and detecting.
- SelectedRuleTypes
- Optional
- Default value: "AnomaliesOnly"
- Determines what events are relevant for detecting the anomalies on. Rule types per SAP audit log message ID and system role are defined in the "SAP_Dynamic_Audit_Log_Monitor_Configuration" watchlist.
Logic
The function learns the slice of the history defined by the different input parameters, at the user, network attributes, system, seasonality, and activity levels. It then judges events occurring within the last DetectingTime timespan according to what it has learned, applying thresholds and other configurable exclusion criteria obtained from the SAP audit log configuration watchlist. Once a sliding window of user activity was deemed anomalous, a second query returns the entire user activity as evidence supporting the decision.
Additional notes
As with any machine learning solution, this function performs better with time. Further adjustments can be made using local configuration. It is advisable to restrict the size of the learned database to be under 100 million records using the many available input parameters.
Example: looking for anomalies for events of high severity that occurred within the past hour on production systems for event types which are marked as "AnomaliesOnly" in the "SAP_Dynamic_Audit_Log_Monitor_Configuration"
SAPAuditLogAnomalies(LearningTime = 14d, DetectingTime=1h, SelectedSystemRoles= dynamic(["Production"]),
SelectedSeverities= dynamic(["High"]), SelectedRuleTypes= dynamic(["AnomaliesOnly"]))
Example: Looking for all anomalies in the last 14 days in system "BIP"
SAPAuditLogAnomalies(LearningTime = 14d, DetectingTime=0h, SelectedSystems= dynamic(["BIP"]))
Field | Description |
---|---|
Multiple fields from SAPAuditLog | Key fields from the SAP Audit log |
Multiple fields from SAPAuditLogConfiguration | Key fields from the Sentinel for SAP audit log configuration |
DiscoveredOn | The rounded hour on which the anomaly was observed on |
EventCount | Number of events counted per row returned |
AnomalCount | Number of events observed within relevant sliding window |
MinTime | Time of first event observed |
MaxTime | Time of last event observed |
Score | the anomaly scores as produced by the anomaly model |
See Built-in SAP analytics rules for monitoring the SAP audit log for more information.
SAPAuditLogConfigRecommend
The SAPAuditLogConfigRecommend is a helper function designed to offer recommendations for the configuration of the SAP - Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW) analytics rule. Learn how to configure the rules.
SAPUsersGetVIP
The Microsoft Sentinel solution for SAP® applications uses a concept of central user tagging and explicit exclusions, designed to help you lower false positives with minimal effort. Use the SAPUsersGetVIP function to exclude users from triggering alerts by specifying SAP user roles, SAP user functions, or tags that represent those users. For more information, see Handle false positives in Microsoft Sentinel.
Tags specified as input for the SAPUsersGetVIP function exclude all users with a tag listed in the SAP_User_Config watchlist. The same functionality is extended to work with wildcards, allowing you to assign a single tag to a group of users with the same naming syntax.
Tag users in the SAP_User_Config watchlist as follows:
Add multiple tags to each user in the SAP_User_Config watchlist, as needed to cover various scenarios. Each alert rule has its own relevant tags, if any, and you can add custom tags as needed.
Use an asterisk (*) as a wildcard to include users with a specific naming syntax template.
Add the SAPUsersGetVIP function in your analytics rules to request the lists of users you've defined to be excluded from alerts. In the function call, add an array with the tags, SAP roles, and SAP profiles that you'd like to exclude.
For example, use the following KQL query in your analytics rule to exclude any users configured with the RunObsoleteProgOK tag in the SAP_User_Config watchlist, or any users with the sample SAP_BASIS_ADMIN_ROLE role or the sample SAP_ADMIN_PROFILE profile.
When copying this sample function call, replace SAP_BASIS_ADMIN_ROLE role and SAP_ADMIN_PROFILE profile with your own SAP roles or profiles as needed.
// Execution of Obsolete/Insecure Program
let ObsoletePrograms = _GetWatchlist("SAP - Obsolete Programs");
// here you can exclude system users which are OK to run obsolete/ sensitive programs
// by adding those users in the SAP_User_Config watchlist with a tag of 'RunObsoleteProgOK'
// can also specify SAP roles or SAP profiles that group the users you would like to exclude
let excludeUsersTagsRolesProfiles= dynamic(["RunObsoleteProgOK","SAP_BASIS_ADMIN_ROLE", "SAP_ADMIN_PROFILE"]);
let excludedUsers= SAPUsersGetVIP(SearchForTags= excludeUsersTagsRolesProfiles)| summarize by User2Exclude=SAPUser;
// Query logic
SAPAuditLog
| where MessageID == 'AUW'
| where ABAPProgramName in (ObsoletePrograms) // The program is obsolete
| join kind=leftantisemi excludedUsers on $left.User == $right.User2Exclude
The SAPUsersGetVIP function is commonly used in Deterministic and Anomalous Audit Log Monitor alerts. Associate a tag with an SAP audit log message ID, or extend the rule template to a custom rule that matches your organization's needs.
Tip
We recommend that contacting your SAP system admin to understand which SAP users, roles, and profiles to include in your SAP_User_Config watchlist.
Parameters:
Name | Description | Default value |
---|---|---|
SearchForTags (Optional) | When SearchForTags equals All Tags , all users are returned along with their tags. Otherwise, only users bearing the tags, SAP roles, or SAP profiles specified in SearchForTags are returned. TagsIntersect shows the tags that are found, and IntersectionSize holds the number of tags that are found. |
dynamic('All Tags') |
SpecialFocusTags (Optional) | Returns all users bearing the tags specified in SpecialFocusTags , and marked those with specialFocusTagged = true . |
Do not return any in-focus users |
Source | Field | Description | Notes |
---|---|---|---|
The SAP_User_Config watchlist | SearchKey | Search Key | |
The SAP_User_Config watchlist | SAPUser | The SAP User | OSS, DDIC |
The SAP_User_Config watchlist | Tags | String of tags assigned to user | RunObsoleteProgOK |
The SAP_User_Config watchlist | User's Microsoft Entra Object ID | Microsoft Entra Object ID | |
The SAP_User_Config watchlist | User Identifier | AD User Identifier | |
The SAP_User_Config watchlist | User on-premises Sid | ||
The SAP_User_Config watchlist | User Principal Name | ||
The SAP_User_Config watchlist | TagsList | A list of tags assigned to user | ChangeUserMasterDataOK;RunObsoleteProgOK |
Logic | TagsIntersect | A set of tags that matched SearchForTags | ["ChangeUserMasterDataOK","RunObsoleteProgOK"] |
Logic | SpecialFocusTagged | Special focus indication | True, False |
Logic | IntersectionSize | The number of intersected Tags |
SAPUsersHeader
The SAPUsersHeader function is designed to provide a high-level view of the SAP user. It uses data extracted from both the SAP user master data tables and recent activity on the SAP audit log to gather Email and IP addresses. It then returns last known email and IP addresses along with primary email and IP addresses. Parameters: SelectedSystemRoles:dynamic = dynamic(["All System Roles"]) SelectedSystems:dynamic = dynamic(["All Systems"]) SelectedUsers:dynamic = dynamic(["All Users"]) SelectedUser:string = "All Users"
- SelectedSystems
- Optional
- Default value: "All Systems"
- Used to filter specific SAP systems to look at.
- SelectedSystemRoles
- Optional
- Default value: "All System Roles"
- Determines the roles of the SAP Systems to be looked at (as defined in the "SAP - Systems" watchlist).
- SelectedUsers
- Optional
- Default value: "All Users"
- Can input lists of users.
- SelectedUser
- Optional
- Default value: "All Users"
- Accepts a single user only
Additional notes
For performance considerations, only a few days of audit activity are considered. For a full history of user activity, run a custom KQL query against the SAPAuditLog function.
Source | Field | Description | Notes |
---|---|---|---|
User | The SAP user | ||
SAP tables ADR6 and USR21 | Taken from user's master data | OSS, DDIC | |
SAP table USR02 | UserType | string of tags assigned to user | RunObsoleteProgOK |
SAP table USR02 | Timezone | Microsoft Entra Object ID | |
SAP table USR02 | LockedStatus | AD User Identifier | |
SAP audit log | LastSeen | A timestamp | last audit event observed for the user |
SAP audit log | LastSeenDaysAgo | days passed since LastSeen | |
SAP audit log | PrimaryIP | Most frequently used IP address | ChangeUserMasterDataOK;RunObsoleteProgOK |
SAP audit log | LastKnownIP | Most recently used IP address | ["ChangeUserMasterDataOK","RunObsoleteProgOK"] |
SAP audit log | PrimaryEmail | Most frequently used Email address | True, False |
SAP audit log | KnownIPs | List of known IP addresses | sorted by most frequent first |
SAP audit log | KnownEmails | List of known Email addresses | sorted by most frequent first |
Client | The SAP Client ID | ||
SystemID | The SAP system ID | ||
SystemRole | The SAP System's Role | Production, UAT | |
SystemUsage | The main usage of the SAP system | ERP, CRM |
Logs produced by the data connector agent
This section describes the SAP logs available from the Microsoft Sentinel solution for SAP® applications data connector, including the table names in Microsoft Sentinel, the log purposes, and detailed log schemas. Schema field descriptions are based on the field descriptions in the relevant SAP documentation.
For best results, use the Microsoft Sentinel functions listed below to visualize, access, and query the data.
- ABAP Application log
- ABAP Change Documents log
- ABAP CR log
- ABAP DB table data log (PREVIEW)
- ABAP Gateway log (PREVIEW)
- ABAP ICM log (PREVIEW)
- ABAP Job log
- ABAP Security Audit log
- ABAP Spool log
- APAB Spool Output log
- ABAP SysLog
- ABAP Workflow log
- ABAP WorkProcess log
- HANA DB Audit Trail
- JAVA files
- SAP Heartbeat Log
ABAP Application log
Microsoft Sentinel function for querying this log: SAPAppLog
Related SAP documentation: SAP Help Portal
Log purpose: Records the progress of an application execution so that you can reconstruct it later as needed.
Available by using RFC based on standard SAP table and standard services of XBP interface. This log is generated per client.
ABAPAppLog_CL log schema
Field | Description |
---|---|
AppLogDateTime | Application log date time |
CallbackProgram | Callback program |
CallbackRoutine | Callback routine |
CallbackType | Callback type |
ClientID | ABAP client ID (MANDT) |
ContextDDIC | Context DDIC structure |
ExternalID | External log ID |
Host | Host |
Instance | ABAP instance, in the following syntax: <HOST>_<SYSID>_<SYSNR> |
InternalMessageSerial | Application log message serial |
LevelofDetail | Level of detail |
LogHandle | Application log handle |
LogNumber | Log number |
MessageClass | Message class |
MessageNumber | Message number |
MessageText | Message text |
MessageType | Message type |
Object | Application log object |
OperationMode | Operation mode |
ProblemClass | Problem class |
ProgramName | Program name |
SortCriterion | Sort criterion |
StandardText | Standard text |
SubObject | Application log sub object |
SystemID | System ID |
SystemNumber | System number |
TransactionCode | Transaction code |
User | User |
UserChange | User change |
ABAP Change Documents log
Microsoft Sentinel function for querying this log: SAPChangeDocsLog
Related SAP documentation: SAP Help Portal
Log purpose: Records:
SAP NetWeaver Application Server (AS) ABAP log changes to business data objects in change documents.
Other entities in the SAP system, such as user data, roles, addresses.
Available by using RFC based on standard SAP tables. This log is generated per client.
ABAPChangeDocsLog_CL log schema
Field | Description |
---|---|
ActualChangeNum | Actual change number |
ChangedTableKey | Changed table key |
ChangeNumber | Change number |
ClientID | ABAP client ID (MANDT) |
CreatedfromPlannedChange | Created from planned change, in the following syntax: (‘X’ , ‘ ‘) |
CurrencyKeyNew | Currency key: new value |
CurrencyKeyOld | Currency key: old value |
FieldName | Field name |
FlagText | Flag text |
Host | Host |
Instance | ABAP instance, in the following syntax: <HOST>_<SYSID>_<SYSNR> |
Language | Language |
ObjectClass | Object class, such as BELEG , BPAR , PFCG , IDENTITY |
ObjectID | Object ID |
PlannedChangeNum | Planned change number |
SystemID | System ID |
SystemNumber | System number |
TableName | Table name |
TransactionCode | Transaction code |
TypeofChange_Header | Header type of change, including: U = Change; I = Insert; E = Delete Single Docu; D = Delete; J = Insert Single Docu |
TypeofChange_Item | Item type of change, including: U = Change; I = Insert; E = Delete Single Docu; D = Delete; J = Insert Single Docu |
UOMNew | Unit of measure: new value |
UOMOld | Unit of measure: old value |
User | User |
ValueNew | Field content: new value |
ValueOld | Field content: old value |
Version | Version |
ABAP CR log
Microsoft Sentinel function for querying this log: SAPCRLog
Related SAP documentation: SAP Help Portal
Log purpose: Includes the Change & Transport System (CTS) logs, including the directory objects and customizations where changes were made.
Available by using RFC based on standard tables and standard SAP services. This log is generated with data across all clients.
Note
In addition to application logging, change documents, and table recording, all changes that you make to your production system using the Change & Transport System are documented in the CTS and TMS logs.
ABAPCRLog_CL log schema
Field | Description |
---|---|
Category | Category (Workbench, Customizing) |
ClientID | ABAP client ID (MANDT) |
Description | Description |
Host | Host |
Instance | ABAP instance, in the following syntax: <HOST>_<SYSID>_<SYSNR> |
ObjectName | Object name |
ObjectType | Object type |
Owner | Owner |
Request | Change request |
Status | Status |
SystemID | System ID |
SystemNumber | System number |
TableKey | Table key |
TableName | Table name |
ViewName | View name |
ABAP DB table data log (PREVIEW)
To have this log sent to Microsoft Sentinel, you must add it manually to the systemconfig.ini file.
Microsoft Sentinel function for querying this log: SAPTableDataLog
Related SAP documentation: SAP Help Portal
Log purpose: Provides logging for those tables that are critical or susceptible to audits.
Available by using RFC with a custom service. This log is generated with data across all clients.
ABAPTableDataLog_CL log schema
Field | Description |
---|---|
DBLogID | DB log ID |
Host | Host |
Instance | ABAP instance, in the following syntax: <HOST>_<SYSID>_<SYSNR> |
Language | Language |
LogKey | Log key |
NewValue | Field new value |
OldValue | Field old value |
OperationTypeSQL | Operation type, Insert , Update , Delete |
Program | Program name |
SystemID | System ID |
SystemNumber | System number |
TableField | Table field |
TableName | Table name |
TransactionCode | Transaction code |
UserName | User |
VersionNumber | Version number |
ABAP Gateway log (PREVIEW)
To have this log sent to Microsoft Sentinel, you must add it manually to the systemconfig.ini file.
Microsoft Sentinel function for querying this log: SAPOS_GW
Related SAP documentation: SAP Help Portal
Log purpose: Monitors Gateway activities. Available by the SAP Control Web Service. This log is generated with data across all clients.
ABAPOS_GW_CL log schema
Field | Description |
---|---|
Host | Host |
Instance | ABAP instance, in the following syntax: <HOST>_<SYSID>_<SYSNR> |
MessageText | Message text |
Severity | Message severity: Debug , Info , Warning , Error |
SystemID | System ID |
SystemNumber | System number |
ABAP ICM log (PREVIEW)
To have this log sent to Microsoft Sentinel, you must add it manually to the systemconfig.ini file.
Microsoft Sentinel function for querying this log: SAPOS_ICM
Related SAP documentation: SAP Help Portal
Log purpose: Records inbound and outbound requests and compiles statistics of the HTTP requests.
Available by the SAP Control Web Service. This log is generated with data across all clients.
ABAPOS_ICM_CL log schema
Field | Description |
---|---|
Host | Host |
Instance | ABAP instance, in the following syntax: <HOST>_<SYSID>_<SYSNR> |
MessageText | Message text |
Severity | Message severity, including: Debug , Info , Warning , Error |
SystemID | System ID |
SystemNumber | System number |
ABAP Job log
Microsoft Sentinel function for querying this log: SAPJobLog
Related SAP documentation: SAP Help Portal
Log purpose: Combines all background processing job logs (SM37).
Available by using RFC based on standard SAP table and standard services of XBP interfaces. This log is generated with data across all clients.
ABAPJobLog_CL log schema
Field | Description |
---|---|
ABAPProgram | ABAP program |
BgdEventParameters | Background event parameters |
BgdProcessingEvent | Background processing event |
ClientID | ABAP client ID (MANDT) |
DynproNumber | Dynpro number |
GUIStatus | GUI status |
Host | Host |
Instance | ABAP instance (HOST_SYSID_SYSNR), in the following syntax: <HOST>_<SYSID>_<SYSNR> |
JobClassification | Job classification |
JobCount | Job count |
JobGroup | Job group |
JobName | Job name |
JobPriority | Job priority |
MessageClass | Message class |
MessageNumber | Message number |
MessageText | Message text |
MessageType | Message type |
ReleaseUser | Job release user |
SchedulingDateTime | Scheduling date time |
StartDateTime | Start date time |
SystemID | System ID |
SystemNumber | System number |
TargetServer | Target server |
User | User |
UserReleaseInstance | ABAP instance - user release |
WorkProcessID | Work process ID |
WorkProcessNumber | Work process Number |
ABAP Security Audit log
Microsoft Sentinel function for querying this log: SAPAuditLog
Related SAP documentation: SAP Help Portal
Log purpose: Records the following data:
- Security-related changes to the SAP system environment, such as changes to main user records
- Information that provides a higher level of data, such as successful and unsuccessful sign-in attempts
- Information that enables the reconstruction of a series of events, such as successful or unsuccessful transaction starts
Available by using RFC XAL/SAL interfaces. SAL is available starting from version Basis 7.50. This log is generated with data across all clients.
ABAPAuditLog_CL log schema
Field | Description |
---|---|
ABAPProgramName | Program name, SAL only |
AlertSeverity | Alert severity |
AlertSeverityText | Alert severity text, SAL only |
AlertValue | Alert value |
AuditClassID | Audit class ID, SAL only |
ClientID | ABAP client ID (MANDT) |
Computer | User machine, SAL only |
User email | |
Host | Host |
Instance | ABAP instance, in the following syntax: <HOST>_<SYSID>_<SYSNR> |
MessageClass | Message class |
MessageContainerID | Message container ID, XAL Only |
MessageID | Message ID, such as ‘AU1’,’AU2’… |
MessageText | Message text |
MonitoringObjectName | MTE Monitor object name, XAL only |
MonitorShortName | MTE Monitor short name, XAL only |
SAPProcesType | System Log: SAP process type, SAL only |
B* - Background Processing | |
D* - Dialog Processing | |
U* - Update Tasks | |
SAPWPName | System Log: Work process number, SAL only |
SystemID | System ID |
SystemNumber | System number |
TerminalIPv6 | User machine IP, SAL only |
TransactionCode | Transaction code, SAL only |
User | User |
Variable1 | Message variable 1 |
Variable2 | Message variable 2 |
Variable3 | Message variable 3 |
Variable4 | Message variable 4 |
ABAP Spool log
Microsoft Sentinel function for querying this log: SAPSpoolLog
Related SAP documentation: SAP Help Portal
Log purpose: Serves as the main log for SAP Printing with the history of spool requests. (SP01).
Available by using RFC based on standard SAP table. This log is generated with data across all clients.
ABAPSpoolLog_CL log schema
Field | Description |
---|---|
ArchiveStatus | Archive status |
ArchiveType | Archive type |
ArchivingDevice | Archiving device |
AutoRereoute | Auto reroute |
ClientID | ABAP client ID (MANDT) |
CountryKey | Country key |
DeleteSpoolRequestAuto | Delete spool request auto |
DelFlag | Deletion flag |
Department | Department |
DocumentType | Document type |
ExternalMode | External mode |
FormatType | Format type |
Host | Host |
Instance | ABAP instance, in the following syntax: <HOST>_<SYSID>_<SYSNR> |
NumofCopies | Number of copies |
OutputDevice | Output device |
PrinterLongName | Printer long name |
PrintImmediately | Print immediately |
PrintOSCoverPage | Print OSCover page |
PrintSAPCoverPage | Print SAPCover page |
Priority | Priority |
RecipientofSpoolRequest | Recipient of spool request |
SpoolErrorStatus | Spool error status |
SpoolRequestCompleted | Spool request completed |
SpoolRequestisALogForAnotherRequest | Spool request is a log for another request |
SpoolRequestName | Spool request name |
SpoolRequestNumber | Spool request number |
SpoolRequestSuffix1 | Spool request suffix1 |
SpoolRequestSuffix2 | Spool request suffix2 |
SpoolRequestTitle | Spool request title |
SystemID | System ID |
SystemNumber | System number |
TelecommunicationsPartner | Telecommunications partner |
TelecommunicationsPartnerE | Telecommunications partner E |
TemSeGeneralcounter | Temse counter |
TemseNumAddProtectionRule | Temse number add protection rule |
TemseNumChangeProtectionRule | Temse number change protection rule |
TemseNumDeleteProtectionRule | Temse number delete protection rule |
TemSeObjectName | Temse object name |
TemSeObjectPart | TemSe object part |
TemseReadProtectionRule | Temse read protection rule |
User | User |
ValueAuthCheck | Value auth check |
APAB Spool Output log
Microsoft Sentinel function for querying this log: SAPSpoolOutputLog
Related SAP documentation: SAP Help Portal
Log purpose: Serves as the main log for SAP Printing with the history of spool output requests. (SP02).
Available by using RFC with a custom service based on standard tables. This log is generated with data across all clients.
ABAPSpoolOutputLog_CL log schema
Field | Description |
---|---|
AppServer | Application server |
ClientID | ABAP client ID (MANDT) |
Comment | Comment |
CopyCount | Copy count |
CopyCounter | Copy counter |
Department | Department |
ErrorSpoolRequestNumber | Error request number |
FormatType | Format type |
Host | Host |
HostName | Host name |
HostSpoolerID | Host spooler ID |
Instance | ABAP instance |
LastPage | Last page |
NumofCopies | Number of copies |
OutputDevice | Output device |
OutputRequestNumber | Output request number |
OutputRequestStatus | Output request status |
PhysicalFormatType | Physical format type |
PrinterLongName | Printer long name |
PrintRequestSize | Print request size |
Priority | Priority |
ReasonforOutputRequest | Reason for output request |
RecipientofSpoolRequest | Recipient of spool request |
SpoolNumberofOutputReqProcessed | Number of output requests - processed |
SpoolNumberofOutputReqWithErrors | Number of output requests - with errors |
SpoolNumberofOutputReqWithProblems | Number of output requests - with problems |
SpoolRequestNumber | Spool request number |
StartPage | Start page |
SystemID | System ID |
SystemNumber | System number |
TelecommunicationsPartner | Telecommunications partner |
TemSeGeneralcounter | Temse counter |
Title | Title |
User | User |
ABAP Syslog
To have this log sent to Microsoft Sentinel, you must add it manually to the systemconfig.ini file.
Microsoft Sentinel function for querying this log: SAPOS_Syslog
Related SAP documentation: SAP Help Portal
Log purpose: Records all SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP system errors, warnings, user locks because of failed sign-in attempts from known users, and process messages.
Available by the SAP Control Web Service. This log is generated with data across all clients.
ABAPOS_Syslog_CL log schema
Field | Description |
---|---|
ClientID | ABAP client ID (MANDT) |
Host | Host |
Instance | ABAP instance, in the following syntax: <HOST>_<SYSID>_<SYSNR> |
MessageNumber | Message number |
MessageText | Message text |
Severity | Message severity, one of the following values: Debug , Info , Warning , Error |
SystemID | System ID |
SystemNumber | System number |
TransacationCode | Transaction code |
Type | SAP process type |
User | User |
ABAP Workflow log
Microsoft Sentinel function for querying this log: SAPWorkflowLog
Related SAP documentation: SAP Help Portal
Log purpose: The SAP Business Workflow (WebFlow Engine) enables you to define business processes that aren't yet mapped in the SAP system.
For example, unmapped business processes may be simple release or approval procedures, or more complex business processes such as creating base material and then coordinating the associated departments.
Available by using RFC based on standard SAP tables. This log is generated per client.
ABAPWorkflowLog_CL log schema
Field | Description |
---|---|
ActualAgent | Actual agent |
Address | Address |
ApplicationArea | Application area |
CallbackFunction | Callback function |
ClientID | ABAP client ID (MANDT) |
CreationDateTime | Creation date time |
Creator | Creator |
CreatorAddress | Creator address |
ErrorType | Error type |
ExceptionforMethod | Exception for method |
Host | Host |
Instance | ABAP instance (HOST_SYSID_SYSNR), in the following syntax: <HOST>_<SYSID>_<SYSNR> |
Language | Language |
LogCounter | Log counter |
MessageNumber | Message number |
MessageType | Message type |
MethodUser | Method user |
Priority | Priority |
SimpleContainer | Simple container, packed as a list of Key-Value entities for the work item |
Status | Status |
SuperWI | Super WI |
SystemID | System ID |
SystemNumber | System number |
TaskID | Task ID |
TasksClassification | Task classifications |
TaskText | Task text |
TopTaskID | Top task ID |
UserCreated | User created |
WIText | Work item text |
WIType | Work item type |
WorkflowAction | Workflow action |
WorkItemID | Work item ID |
ABAP WorkProcess log
To have this log sent to Microsoft Sentinel, you must add it manually to the systemconfig.ini file.
Microsoft Sentinel function for querying this log: SAPOS_WP
Related SAP documentation: SAP Help Portal
Log purpose: Combines all work process logs. (default:
dev_*
).Available by the SAP Control Web Service. This log is generated with data across all clients.
ABAPOS_WP_CL log schema
Field | Description |
---|---|
Host | Host |
Instance | ABAP instance, in the following syntax: <HOST>_<SYSID>_<SYSNR> |
MessageText | Message text |
Severity | Message severity: Debug , Info , Warning , Error |
SystemID | System ID |
SystemNumber | System number |
WPNumber | Work process number |
HANA DB Audit Trail
To have this log sent to Microsoft Sentinel, you must deploy a Microsoft Management Agent to gather Syslog data from the machine running HANA DB.
Microsoft Sentinel function for querying this log: SAPSyslog
Related SAP documentation: General | Audit Trail
Log purpose: Records user actions, or attempted actions in the SAP HANA database. For example, enables you to log and monitor read access to sensitive data.
Available by the Sentinel Linux Agent for Syslog. This log is generated with data across all clients.
Syslog log schema
Field | Description |
---|---|
Computer | Host name |
HostIP | Host IP |
HostName | Host name |
ProcessID | Process ID |
ProcessName | Process name: HDB* |
SeverityLevel | Alert |
SourceSystem | Source system OS, Linux |
SyslogMessage | Message, an unparsed audit trail message |
JAVA files
To have this log sent to Microsoft Sentinel, you must add it manually to the systemconfig.ini file.
Microsoft Sentinel function for querying this log: SAPJAVAFilesLogs
Related SAP documentation: General | Java Security Audit Log
Log purpose: Combines all Java files-based logs, including the Security Audit Log, and System (cluster and server process), Performance, and Gateway logs. Also includes Developer Traces and Default Trace logs.
Available by the SAP Control Web Service. This log is generated with data across all clients.
JavaFilesLogsCL log schema
Field | Description |
---|---|
Application | Java application |
ClientID | Client ID |
CSNComponent | CSN component, such as BC-XI-IBD |
DCComponent | DC component, such as com.sap.xi.util.misc |
DSRCounter | DSR counter |
DSRRootContentID | DSR context GUID |
DSRTransaction | DSR transaction GUID |
Host | Host |
Instance | Java instance, in the following syntax: <HOST>_<SYSID>_<SYSNR> |
Location | Java class |
LogName | Java logName, such as: Available , defaulttrace , dev* , security , and so on |
MessageText | Message text |
MNo | Message number |
Pid | Process ID |
Program | Program name |
Session | Session |
Severity | Message severity, including: Debug ,Info ,Warning ,Error |
Solution | Solution |
SystemID | System ID |
SystemNumber | System number |
ThreadName | Thread name |
Thrown | Exception thrown |
TimeZone | Timezone |
User | User |
SAP Heartbeat Log
Microsoft Sentinel function for querying this log: SAPConnectorHealth
Log purpose: Provides heartbeat and other health information on the connectivity between the agents and the different SAP systems.
Automatically created for any agents of the Microsoft Sentinel for SAP data connector.
SAP_HeartBeat_CL log schema
Field | Description |
---|---|
TimeGenerated | Time of log posting event |
agent_id_s | Agent ID in agent's configuration (automatically generated) |
agent_ver_s | Agent version |
host_s | The agent's host name |
system_id_s | Netweaver ABAP System ID / Netweaver SAPControl Host (preview) / Java SAPControl host (preview) |
push_timestamp_d | Timestamp of the extraction, according to the agent's time zone |
agent_timezone_s | Agent's time zone |
Tables retrieved directly from SAP systems
This section lists the data tables that are retrieved directly from the SAP system and ingested into Microsoft Sentinel exactly as they are.
To have the data from these tables ingested into Microsoft Sentinel, configure the relevant settings in the systemconfig.ini file. For more information, see Configuring User Master data collection.
The data retrieved from these tables provides a clear view of the authorization structure, group membership, and user profiles. It also allows you to track the process of authorization grants and revokes, and identify and govern the risks associated with those processes.
The tables listed below are required to enable functions that identify privileged users, map users to roles, groups, and authorizations.
For best results, refer to these tables using the name in the Sentinel function name column below:
Table name | Table description | Sentinel function name |
---|---|---|
USR01 | User master record (runtime data) | SAP_USR01 |
USR02 | Logon data (kernel-side use) | SAP_USR02 |
UST04 | User masters Maps users to profiles |
SAP_UST04 |
AGR_USERS | Assignment of roles to users | SAP_AGR_USERS |
AGR_1251 | Authorization data for the activity group | SAP_AGR_1251 |
USGRP_USER | Assignment of users to user groups | SAP_USGRP_USER |
USR21 | User name/Address key assignment | SAP_USR21 |
ADR6 | Email addresses (business address services) | SAP_ADR6 |
USRSTAMP | Time stamp for all changes to the user | SAP_USRSTAMP |
ADCP | Person/Address assignment (business address services) | SAP_ADCP |
USR05 | User master parameter ID | SAP_USR05 |
AGR_PROF | Profile name for role | SAP_AGR_PROF |
AGR_FLAGS | Role attributes | SAP_AGR_FLAGS |
DEVACCESS | Table for development user | SAP_DEVACCESS |
AGR_DEFINE | Role definition | SAP_AGR_DEFINE |
AGR_AGRS | Roles in composite roles | SAP_AGR_AGRS |
PAHI | History of the system, database, and SAP parameters | SAP_PAHI |
SNCSYSACL (PREVIEW) | SNC Access Control List (ACL): Systems | SAP_SNCSYSACL |
USRACL (PREVIEW) | SNC Access Control List (ACL): User | SAP_USRACL |
Next steps
For more information, see:
- Deploy the Microsoft Sentinel solution for SAP® applications
- Microsoft Sentinel solution for SAP® applications detailed SAP requirements
- Deploy the Microsoft Sentinel for SAP data connector with SNC
- Expert configuration options, on-premises deployment, and SAPControl log sources
- Microsoft Sentinel solution for SAP® applications: built-in security content
- Monitor the health of your SAP system
- Troubleshooting your Microsoft Sentinel solution for SAP® applications deployment