Microsoft Sentinel solution for SAP applications: security content reference

This article details the security content available for the Microsoft Sentinel Solution for SAP.

Important

While the Microsoft Sentinel solution for SAP applications is in GA, some specific components remain in PREVIEW. This article indicates the components that are in preview in the relevant sections below. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Available security content includes built-in workbooks and analytics rules. You can also add SAP-related watchlists to use in your search, detection rules, threat hunting, and response playbooks.

Content in this article is intended for your security team.

Built-in workbooks

Use the following built-in workbooks to visualize and monitor data ingested via the SAP data connector. After you deploy the SAP solution, you can find SAP workbooks in the Templates tab.

Workbook name Description Logs
SAP - Audit Log Browser Displays data such as:

- General system health, including user sign-ins over time, events ingested by the system, message classes and IDs, and ABAP programs run
-Severities of events occurring in your system
- Authentication and authorization events occurring in your system
Uses data from the following log:

ABAPAuditLog_CL
SAP Audit Controls Helps you check your SAP environment's security controls for compliance with your chosen control framework, using tools for you to do the following:

- Assign analytics rules in your environment to specific security controls and control families
- Monitor and categorize the incidents generated by the SAP solution-based analytics rules
- Report on your compliance
Uses data from the following tables:

- SecurityAlert
- SecurityIncident

For more information, see Tutorial: Visualize and monitor your data and Deploy Microsoft Sentinel solution for SAP applications.

Built-in analytics rules

This section describes a selection of built-in analytics rules provided together with the Microsoft Sentinel solution for SAP applications. For the most recent updates, check the Microsoft Sentinel content hub for new and updated rules.

Monitor the configuration of static SAP security parameters (Preview)

To secure the SAP system, SAP has identified security-related parameters that need to be monitored for changes. With the "SAP - (Preview) Sensitive Static Parameter has Changed" rule, the Microsoft Sentinel solution for SAP applications tracks over 52 static security-related parameters in the SAP system, which are built into Microsoft Sentinel.

Note

For the Microsoft Sentinel solution for SAP applications to successfully monitor the SAP security parameters, the solution needs to successfully monitor the SAP PAHI table at regular intervals. For more information, see Verify that the PAHI table is updated at regular intervals.

To understand parameter changes in the system, the Microsoft Sentinel solution for SAP applications uses the parameter history table, which records changes made to system parameters every hour.

The parameters are also reflected in the SAPSystemParameters watchlist. This watchlist allows users to add new parameters, disable existing parameters, and modify the values and severities per parameter and system role in production or nonproduction environments.

When a change is made to one of these parameters, Microsoft Sentinel checks to see if the change is security-related and if the value is set according to the recommended values. If the change is suspected as outside the safe zone, Microsoft Sentinel creates an incident detailing the change, and identifies who made the change.

Review the list of parameters that this rule monitors.

Monitor the SAP audit log

Many of the analytics rules in the Microsoft Sentinel solution for SAP applications use SAP audit log data. Some analytics rules look for specific events in the log, while others correlate indications from several logs to create high-fidelity alerts and incidents.

Use the following analytics rules to either monitor all audit log events on your SAP system or trigger alerts only when anomalies are detected:

Rule name Description
SAP - Missing configuration in the Dynamic Security Audit Log Monitor By default, runs daily to provide configuration recommendations for the SAP audit log module. Use the rule template to create and customize a rule for your workspace.
SAP - Dynamic Deterministic Audit Log Monitor (PREVIEW) By default, runs every 10 minutes and focuses on the SAP audit log events marked as Deterministic. Use the rule template to create and customize a rule for your workspace, such as for a lower false positive rate.

This rule requires deterministic alert thresholds and user exclusion rules.
SAP - Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW) By default, runs hourly and focuses on SAP events marked as AnomaliesOnly, alerting on SAP audit log events when anomalies are detected.

This rule applies extra machine learning algorithms to filter out background noise in an unsupervised manner.

By default, most event types or SAP message IDs in the SAP audit log are sent to the anomaly based Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW) analytics rule, while the easier to define event types are sent to the deterministic Dynamic Deterministic Audit Log Monitor (PREVIEW) analytics rule. This setting, along with other related settings, can be further configured to suit any system conditions.

The SAP audit log monitoring rules are delivered as part of the Microsoft Sentinel for SAP solution security content, and allow for further fine tuning using the SAP_Dynamic_Audit_Log_Monitor_Configuration and SAP_User_Config watchlists.

For example, the following table lists several examples of how you can use the SAP_Dynamic_Audit_Log_Monitor_Configuration watchlist to configure the types of events that produce incidents, reducing the number of incidents generated.

Option Description
Set severities and disable unwanted events By default, both the deterministic rules and the rules based on anomalies create alerts for events marked with medium and high severities.

You might want to configure severities separately production and nonproduction environments. For example, you might set a debugging activity event as high severity in production systems, and turn off the same events entirely in nonproduction systems.
Exclude users by their SAP roles or SAP profiles Microsoft Sentinel for SAP ingests the SAP user's authorization profile, including direct and indirect role assignments, groups, and profiles, so that you can speak the SAP language in your SIEM.

You might want to configure an SAP event to exclude users based on their SAP roles and profiles. In the watchlist, add the roles or profiles that group your RFC interface users in the RolesTagsToExclude column, next to the Generic table access by RFC event. This configuration triggers alerts only for users that are missing these roles.
Exclude users by their SOC tags Use tags to create your own grouping, without relying on complicated SAP definitions or even without SAP authorization. This method is useful for SOC teams that want to create their own grouping for SAP users.

For example, if you don't want specific service accounts to be alerted for Generic table access by RFC events, but can’t find an SAP role or an SAP profile that groups these users, use tags as follows:
1. Add the GenTableRFCReadOK tag next to the relevant event in the watchlist.
2. Go to the SAP_User_Config watchlist and assign the interface users the same tag.
Specify a frequency threshold per event type and system role Works like a speed limit. For example, you might configure User Master Record Change events to only trigger alerts if more than 12 activities are observed in an hour, by the same user in a production system. If a user exceeds the 12 per hour limit—for example, 2 events in a 10-minute window—an incident is triggered.
Determinism or anomalies If you know the event's characteristics, use the deterministic capabilities. If you aren't sure how to correctly configure the event, allow the machine learning capabilities to decide to start, and then make subsequent updates as needed.
SOAR capabilities Use Microsoft Sentinel to further orchestrate, automate, and respond to incidents created by SAP audit log dynamic alerts. For more information, see Automation in Microsoft Sentinel: Security orchestration, automation, and response (SOAR).

For more information, see Available watchlists and Microsoft Sentinel for SAP News - Dynamic SAP Security Audit Log Monitor feature available now! (blog).

Initial access

Rule name Description Source action Tactics
SAP - Login from unexpected network Identifies a sign-in from an unexpected network.

Maintain networks in the SAP - Networks watchlist.
Sign in to the backend system from an IP address that isn't assigned to one of the networks.

Data sources: SAPcon - Audit Log
Initial Access
SAP - SPNego Attack Identifies SPNego Replay Attack. Data sources: SAPcon - Audit Log Impact, Lateral Movement
SAP - Dialog logon attempt from a privileged user Identifies dialog sign-in attempts, with the AUM type, by privileged users in an SAP system. For more information, see the SAPUsersGetPrivileged. Attempt to sign in from the same IP to several systems or clients within the scheduled time interval

Data sources: SAPcon - Audit Log
Impact, Lateral Movement
SAP - Brute force attacks Identifies brute force attacks on the SAP system using RFC logons Attempt to sign in from the same IP to several systems/clients within the scheduled time interval using RFC

Data sources: SAPcon - Audit Log
Credential Access
SAP - Multiple Logons from the same IP Identifies the sign-in of several users from same IP address within a scheduled time interval.

Sub-use case: Persistency
Sign in using several users through the same IP address.

Data sources: SAPcon - Audit Log
Initial Access
SAP - Multiple Logons by User Identifies sign-ins of the same user from several terminals within scheduled time interval.

Available only via the Audit SAL method, for SAP versions 7.5 and higher.
Sign in using the same user, using different IP addresses.

Data sources: SAPcon - Audit Log
Pre-Attack, Credential Access, Initial Access, Collection

Sub-use case: Persistency
SAP - Informational - Lifecycle - SAP Notes were implemented in system Identifies SAP Note implementation in the system. Implement an SAP Note using SNOTE/TCI.

Data sources: SAPcon - Change Requests
-
SAP - (Preview) AS JAVA - Sensitive Privileged User Signed In Identifies a sign-in from an unexpected network.

Maintain privileged users in the SAP - Privileged Users watchlist.
Sign in to the backend system using privileged users.

Data sources: SAPJAVAFilesLog
Initial Access
SAP - (Preview) AS JAVA - Sign-In from Unexpected Network Identifies sign-ins from an unexpected network.

Maintain privileged users in the SAP - Networks watchlist.
Sign in to the backend system from an IP address that isn't assigned to one of the networks in the SAP - Networks watchlist

Data sources: SAPJAVAFilesLog
Initial Access, Defense Evasion

Data exfiltration

Rule name Description Source action Tactics
SAP - FTP for non authorized servers Identifies an FTP connection for a nonauthorized server. Create a new FTP connection, such as by using the FTP_CONNECT Function Module.

Data sources: SAPcon - Audit Log
Discovery, Initial Access, Command and Control
SAP - Insecure FTP servers configuration Identifies insecure FTP server configurations, such as when an FTP allowlist is empty or contains placeholders. Don't maintain or maintain values that contain placeholders in the SAPFTP_SERVERS table, using the SAPFTP_SERVERS_V maintenance view. (SM30)

Data sources: SAPcon - Audit Log
Initial Access, Command and Control
SAP - Multiple Files Download Identifies multiple file downloads for a user within a specific time-range. Download multiple files using the SAPGui for Excel, lists, and so on.

Data sources: SAPcon - Audit Log
Collection, Exfiltration, Credential Access
SAP - Multiple Spool Executions Identifies multiple spools for a user within a specific time-range. Create and run multiple spool jobs of any type by a user. (SP01)

Data sources: SAPcon - Spool Log, SAPcon - Audit Log
Collection, Exfiltration, Credential Access
SAP - Multiple Spool Output Executions Identifies multiple spools for a user within a specific time-range. Create and run multiple spool jobs of any type by a user. (SP01)

Data sources: SAPcon - Spool Output Log, SAPcon - Audit Log
Collection, Exfiltration, Credential Access
SAP - Sensitive Tables Direct Access By RFC Logon Identifies a generic table access by RFC sign in.

Maintain tables in the SAP - Sensitive Tables watchlist.

Relevant for production systems only.
Open the table contents using SE11/SE16/SE16N.

Data sources: SAPcon - Audit Log
Collection, Exfiltration, Credential Access
SAP - Spool Takeover Identifies a user printing a spool request that was created by someone else. Create a spool request using one user, and then output it in using a different user.

Data sources: SAPcon - Spool Log, SAPcon - Spool Output Log, SAPcon - Audit Log
Collection, Exfiltration, Command and Control
SAP - Dynamic RFC Destination Identifies the execution of RFC using dynamic destinations.

Sub-use case: Attempts to bypass SAP security mechanisms
Execute an ABAP report that uses dynamic destinations (cl_dynamic_destination). For example, DEMO_RFC_DYNAMIC_DEST.

Data sources: SAPcon - Audit Log
Collection, Exfiltration
SAP - Sensitive Tables Direct Access By Dialog Logon Identifies generic table access via dialog sign-in. Open table contents using SE11/SE16/SE16N.

Data sources: SAPcon - Audit Log
Discovery
SAP - (Preview) File Downloaded From a Malicious IP Address Identifies download of a file from an SAP system using an IP address known to be malicious. Malicious IP addresses are obtained from threat intelligence services. Download a file from a malicious IP.

Data sources: SAP security Audit log, Threat Intelligence
Exfiltration
SAP - (Preview) Data Exported from a Production System using a Transport Identifies data export from a production system using a transport. Transports are used in development systems and are similar to pull requests. This alert rule triggers incidents with medium severity when a transport that includes data from any table is released from a production system. The rule creates a high severity incident when the export includes data from a sensitive table. Release a transport from a production system.

Data sources: SAP CR log, SAP - Sensitive Tables
Exfiltration
SAP - (Preview) Sensitive Data Saved into a USB Drive Identifies export of SAP data via files. The rule checks for data saved into a recently mounted USB drive in proximity to an execution of a sensitive transaction, a sensitive program, or direct access to a sensitive table. Export SAP data via files and save into a USB drive.

Data sources: SAP Security Audit Log, DeviceFileEvents (Microsoft Defender for Endpoint), SAP - Sensitive Tables, SAP - Sensitive Transactions, SAP - Sensitive Programs
Exfiltration
SAP - (Preview) Printing of Potentially Sensitive data Identifies a request or actual printing of potentially sensitive data. Data is considered sensitive if the user obtains the data as part of a sensitive transaction, execution of a sensitive program, or direct access to a sensitive table. Print or request to print sensitive data.

Data sources: SAP Security Audit Log, SAP Spool logs, SAP - Sensitive Tables, SAP - Sensitive Programs
Exfiltration
SAP - (Preview) High Volume of Potentially Sensitive Data Exported Identifies export of a high volume of data via files in proximity to an execution of a sensitive transaction, a sensitive program, or direct access to sensitive table. Export high volume of data via files.

Data sources: SAP Security Audit Log, SAP - Sensitive Tables, SAP - Sensitive Transactions, SAP - Sensitive Programs
Exfiltration

Persistency

Rule name Description Source action Tactics
SAP - Activation or Deactivation of ICF Service Identifies activation or deactivation of ICF Services. Activate a service using SICF.

Data sources: SAPcon - Table Data Log
Command and Control, Lateral Movement, Persistence
SAP - Function Module tested Identifies the testing of a function module. Test a function module using SE37 / SE80.

Data sources: SAPcon - Audit Log
Collection, Defense Evasion, Lateral Movement
SAP - (PREVIEW) HANA DB -User Admin actions Identifies user administration actions. Create, update, or delete a database user.

Data Sources: Linux Agent - Syslog*
Privilege Escalation
SAP - New ICF Service Handlers Identifies creation of ICF Handlers. Assign a new handler to a service using SICF.

Data sources: SAPcon - Audit Log
Command and Control, Lateral Movement, Persistence
SAP - New ICF Services Identifies creation of ICF Services. Create a service using SICF.

Data sources: SAPcon - Table Data Log
Command and Control, Lateral Movement, Persistence
SAP - Execution of Obsolete or Insecure Function Module Identifies the execution of an obsolete or insecure ABAP function module.

Maintain obsolete functions in the SAP - Obsolete Function Modules watchlist. Make sure to activate table logging changes for the EUFUNC table in the backend. (SE13)

Relevant for production systems only.
Run an obsolete or insecure function module directly using SE37.

Data sources: SAPcon - Table Data Log
Discovery, Command and Control
SAP - Execution of Obsolete/Insecure Program Identifies the execution of an obsolete or insecure ABAP program.

Maintain obsolete programs in the SAP - Obsolete Programs watchlist.

Relevant for production systems only.
Run a program directly using SE38/SA38/SE80, or by using a background job.

Data sources: SAPcon - Audit Log
Discovery, Command and Control
SAP - Multiple Password Changes by User Identifies multiple password changes by user. Change user password

Data sources: SAPcon - Audit Log
Credential Access
SAP - (Preview) AS JAVA - User Creates and Uses New User Identifies the creation or manipulation of users by admins within the SAP AS Java environment. Sign in to the backend system using users that you have created or manipulated.

Data sources: SAPJAVAFilesLog
Persistence

Attempts to bypass SAP security mechanisms

Rule name Description Source action Tactics
SAP - Client Configuration Change Identifies changes for client configuration such as the client role or the change recording mode. Perform client configuration changes using the SCC4 transaction code.

Data sources: SAPcon - Audit Log
Defense Evasion, Exfiltration, Persistence
SAP - Data has Changed during Debugging Activity Identifies changes for runtime data during a debugging activity.

Sub-use case: Persistency
1. Activate Debug ("/h").
2. Select a field for change and update its value.

Data sources: SAPcon - Audit Log
Execution, Lateral Movement
SAP - Deactivation of Security Audit Log Identifies deactivation of the Security Audit Log, Disable security Audit Log using SM19/RSAU_CONFIG.

Data sources: SAPcon - Audit Log
Exfiltration, Defense Evasion, Persistence
SAP - Execution of a Sensitive ABAP Program Identifies the direct execution of a sensitive ABAP program.

Maintain ABAP Programs in the SAP - Sensitive ABAP Programs watchlist.
Run a program directly using SE38/SA38/SE80.

Data sources: SAPcon - Audit Log
Exfiltration, Lateral Movement, Execution
SAP - Execution of a Sensitive Transaction Code Identifies the execution of a sensitive Transaction Code.

Maintain transaction codes in the SAP - Sensitive Transaction Codes watchlist.
Run a sensitive transaction code.

Data sources: SAPcon - Audit Log
Discovery, Execution
SAP - Execution of Sensitive Function Module Identifies the execution of a sensitive ABAP function module.

Sub-use case: Persistency

Relevant for production systems only.

Maintain sensitive functions in the SAP - Sensitive Function Modules watchlist, and make sure to activate table logging changes in the backend for the EUFUNC table. (SE13)
Run a sensitive function module directly using SE37.

Data sources: SAPcon - Table Data Log
Discovery, Command and Control
SAP - (PREVIEW) HANA DB -Audit Trail Policy Changes Identifies changes for HANA DB audit trail policies. Create or update the existing audit policy in security definitions.

Data sources: Linux Agent - Syslog
Lateral Movement, Defense Evasion, Persistence
SAP - (PREVIEW) HANA DB -Deactivation of Audit Trail Identifies the deactivation of the HANA DB audit log. Deactivate the audit log in the HANA DB security definition.

Data sources: Linux Agent - Syslog
Persistence, Lateral Movement, Defense Evasion
SAP - Unauthorized Remote Execution of a Sensitive Function Module Detects unauthorized executions of sensitive FMs by comparing the activity with the user's authorization profile while disregarding recently changed authorizations.

Maintain function modules in the SAP - Sensitive Function Modules watchlist.
Run a function module using RFC.

Data sources: SAPcon - Audit Log
Execution, Lateral Movement, Discovery
SAP - System Configuration Change Identifies changes for system configuration. Adapt system change options or software component modification using the SE06 transaction code.

Data sources: SAPcon - Audit Log
Exfiltration, Defense Evasion, Persistence
SAP - Debugging Activities Identifies all debugging related activities.

Sub-use case: Persistency
Activate Debug ("/h") in the system, debug an active process, add breakpoint to source code, and so on.

Data sources: SAPcon - Audit Log
Discovery
SAP - Security Audit Log Configuration Change Identifies changes in the configuration of the Security Audit Log Change any Security Audit Log Configuration using SM19/RSAU_CONFIG, such as the filters, status, recording mode, and so on.

Data sources: SAPcon - Audit Log
Persistence, Exfiltration, Defense Evasion
SAP - Transaction is unlocked Identifies unlocking of a transaction. Unlock a transaction code using SM01/SM01_DEV/SM01_CUS.

Data sources: SAPcon - Audit Log
Persistence, Execution
SAP - Dynamic ABAP Program Identifies the execution of dynamic ABAP programming. For example, when ABAP code was dynamically created, changed, or deleted.

Maintain excluded transaction codes in the SAP - Transactions for ABAP Generations watchlist.
Create an ABAP Report that uses ABAP program generation commands, such as INSERT REPORT, and then run the report.

Data sources: SAPcon - Audit Log
Discovery, Command and Control, Impact

Suspicious privileges operations

Rule name Description Source action Tactics
SAP - Change in Sensitive privileged user Identifies changes of sensitive privileged users.

Maintain privileged users in the SAP - Privileged Users watchlist.
Change user details / authorizations using SU01.

Data sources: SAPcon - Audit Log
Privilege Escalation, Credential Access
SAP - (PREVIEW) HANA DB -Assign Admin Authorizations Identifies admin privilege or role assignment. Assign a user with any admin role or privileges.

Data sources: Linux Agent - Syslog
Privilege Escalation
SAP - Sensitive privileged user logged in Identifies the Dialog sign-in of a sensitive privileged user.

Maintain privileged users in the SAP - Privileged Users watchlist.
Sign in to the backend system using SAP* or another privileged user.

Data sources: SAPcon - Audit Log
Initial Access, Credential Access
SAP - Sensitive privileged user makes a change in other user Identifies changes of sensitive, privileged users in other users. Change user details / authorizations using SU01.

Data Sources: SAPcon - Audit Log
Privilege Escalation, Credential Access
SAP - Sensitive Users Password Change and Login Identifies password changes for privileged users. Change the password for a privileged user and sign into the system.
Maintain privileged users in the SAP - Privileged Users watchlist.

Data sources: SAPcon - Audit Log
Impact, Command and Control, Privilege Escalation
SAP - User Creates and uses new user Identifies a user creating and using other users.

Sub-use case: Persistency
Create a user using SU01, and then sign in, using the newly created user and the same IP address.

Data sources: SAPcon - Audit Log
Discovery, Pre-Attack, Initial Access
SAP - User Unlocks and uses other users Identifies a user being unlocked and used by other users.

Sub-use case: Persistency
Unlock a user using SU01, and then sign in using the unlocked user and the same IP address.

Data sources: SAPcon - Audit Log, SAPcon - Change Documents Log
Discovery, Pre-Attack, Initial Access, Lateral Movement
SAP - Assignment of a sensitive profile Identifies new assignments of a sensitive profile to a user.

Maintain sensitive profiles in the SAP - Sensitive Profiles watchlist.
Assign a profile to a user using SU01.

Data sources: SAPcon - Change Documents Log
Privilege Escalation
SAP - Assignment of a sensitive role Identifies new assignments for a sensitive role to a user.

Maintain sensitive roles in the SAP - Sensitive Roles watchlist.
Assign a role to a user using SU01 / PFCG.

Data sources: SAPcon - Change Documents Log, Audit Log
Privilege Escalation
SAP - (PREVIEW) Critical authorizations assignment - New Authorization Value Identifies the assignment of a critical authorization object value to a new user.

Maintain critical authorization objects in the SAP - Critical Authorization Objects watchlist.
Assign a new authorization object or update an existing one in a role, using PFCG.

Data sources: SAPcon - Change Documents Log
Privilege Escalation
SAP - Critical authorizations assignment - New User Assignment Identifies the assignment of a critical authorization object value to a new user.

Maintain critical authorization objects in the SAP - Critical Authorization Objects watchlist.
Assign a new user to a role that holds critical authorization values, using SU01/PFCG.

Data sources: SAPcon - Change Documents Log
Privilege Escalation
SAP - Sensitive Roles Changes Identifies changes in sensitive roles.

Maintain sensitive roles in the SAP - Sensitive Roles watchlist.
Change a role using PFCG.

Data sources: SAPcon - Change Documents Log, SAPcon – Audit Log
Impact, Privilege Escalation, Persistence

Available watchlists

The following table lists the watchlists available for the Microsoft Sentinel solution for SAP applications, and the fields in each watchlist.

These watchlists provide the configuration for the Microsoft Sentinel solution for SAP applications. The SAP watchlists are available in the Microsoft Sentinel GitHub repository.

Watchlist name Description and fields
SAP - Critical Authorization Objects Critical Authorizations object, where assignments should be governed.

- AuthorizationObject: An SAP authorization object, such as S_DEVELOP, S_TCODE, or Table TOBJ
- AuthorizationField: An SAP authorization field, such as OBJTYP or TCD
- AuthorizationValue: An SAP authorization field value, such as DEBUG
- ActivityField : SAP activity field. For most cases, this value is ACTVT. For Authorizations objects without an Activity, or with only an Activity field, filled with NOT_IN_USE.
- Activity: SAP activity, according to the authorization object, such as: 01: Create; 02: Change; 03: Display, and so on.
- Description: A meaningful Critical Authorization Object description.
SAP - Excluded Networks For internal maintenance of excluded networks, such as to ignore web dispatchers, terminal servers, and so on.

-Network: A network IP address or range, such as 111.68.128.0/17.
-Description: A meaningful network description.
SAP Excluded Users System users who are signed in to the system and must be ignored. For example, alerts for multiple sign-ins by the same user.

- User: SAP User
-Description: A meaningful user description.
SAP - Networks Internal and maintenance networks for identification of unauthorized logins.

- Network: Network IP address or range, such as 111.68.128.0/17
- Description: A meaningful network description.
SAP - Privileged Users Privileged users that are under extra restrictions.

- User: the ABAP user, such as DDIC or SAP
- Description: A meaningful user description.
SAP - Sensitive ABAP Programs Sensitive ABAP programs (reports), where execution should be governed.

- ABAPProgram: ABAP program or report, such as RSPFLDOC
- Description: A meaningful program description.
SAP - Sensitive Function Module Internal and maintenance networks for identification of unauthorized logins.

- FunctionModule: An ABAP function module, such as RSAU_CLEAR_AUDIT_LOG
- Description: A meaningful module description.
SAP - Sensitive Profiles Sensitive profiles, where assignments should be governed.

- Profile: SAP authorization profile, such as SAP_ALL or SAP_NEW
- Description: A meaningful profile description.
SAP - Sensitive Tables Sensitive tables, where access should be governed.

- Table: ABAP Dictionary Table, such as USR02 or PA008
- Description: A meaningful table description.
SAP - Sensitive Roles Sensitive roles, where assignment should be governed.

- Role: SAP authorization role, such as SAP_BC_BASIS_ADMIN
- Description: A meaningful role description.
SAP - Sensitive Transactions Sensitive transactions where execution should be governed.

- TransactionCode: SAP transaction code, such as RZ11
- Description: A meaningful code description.
SAP - Systems Describes the landscape of SAP systems according to role, usage, and configuration.

- SystemID: the SAP system ID (SYSID)
- SystemRole: the SAP system role, one of the following values: Sandbox, Development, Quality Assurance, Training, Production
- SystemUsage: The SAP system usage, one of the following values: ERP, BW, Solman, Gateway, Enterprise Portal
- InterfaceAttributes: an optional dynamic parameter for use in playbooks.
SAPSystemParameters Parameters to watch for suspicious configuration changes. This watchlist is prefilled with recommended values (according to SAP best practice), and you can extend the watchlist to include more parameters. If you don't want to receive alerts for a parameter, set EnableAlerts to false.

- ParameterName: The name of the parameter.
- Comment: The SAP standard parameter description.
- EnableAlerts: Defines whether to enable alerts for this parameter. Values are true and false.
- Option: Defines in which case to trigger an alert: If the parameter value is greater or equal (GE), less or equal (LE), or equal (EQ)
For example, if the login/fails_to_user_lock SAP parameter is set to LE (less or equal), and a value of 5, once Microsoft Sentinel detects a change to this specific parameter, it compares the newly reported value and the expected value. If the new value is 4, Microsoft Sentinel doesn't trigger an alert. If the new value is 6, Microsoft Sentinel triggers an alert.
- ProductionSeverity: The incident severity for production systems.
- ProductionValues: Permitted values for production systems.
- NonProdSeverity: The incident severity for nonproduction systems.
- NonProdValues: Permitted values for nonproduction systems.
SAP - Excluded Users System users that are logged in and need to be ignored, such as for the Multiple logons by user alert.

- User: SAP User
- Description: A meaningful user description
SAP - Excluded Networks Maintain internal, excluded networks for ignoring web dispatchers, terminal servers, and so on.

- Network: Network IP address or range, such as 111.68.128.0/17
- Description: A meaningful network description
SAP - Obsolete Function Modules Obsolete function modules, whose execution should be governed.

- FunctionModule: ABAP Function Module, such as TH_SAPREL
- Description: A meaningful function module description
SAP - Obsolete Programs Obsolete ABAP programs (reports), whose execution should be governed.

- ABAPProgram:ABAP Program, such as TH_ RSPFLDOC
- Description: A meaningful ABAP program description
SAP - Transactions for ABAP Generations Transactions for ABAP generations whose execution should be governed.

- TransactionCode: Transaction Code, such as SE11.
- Description: A meaningful Transaction Code description
SAP - FTP Servers FTP Servers for identification of unauthorized connections.

- Client: such as 100.
- FTP_Server_Name: FTP server name, such as http://contoso.com/
-FTP_Server_Port:FTP server port, such as 22.
- DescriptionA meaningful FTP Server description
SAP_Dynamic_Audit_Log_Monitor_Configuration Configure the SAP audit log alerts by assigning each message ID a severity level as required by you, per system role (production, nonproduction). This watchlist details all available SAP standard audit log message IDs. The watchlist can be extended to contain extra message IDs you might create on your own using ABAP enhancements on their SAP NetWeaver systems. This watchlist also allows for configuring a designated team to handle each of the event types, and excluding users by SAP roles, SAP profiles or by tags from the SAP_User_Config watchlist. This watchlist is one of the core components used for configuring the built-in SAP analytics rules for monitoring the SAP audit log. For more information, see Monitor the SAP audit log.

- MessageID: The SAP Message ID, or event type, such as AUD (User master record changes), or AUB (authorization changes).
- DetailedDescription: A markdown enabled description to be shown on the incident pane.
- ProductionSeverity: The desired severity for the incident to be created with for production systems High, Medium. Can be set as Disabled.
- NonProdSeverity: The desired severity for the incident to be created with for nonproduction systems High, Medium. Can be set as Disabled.
- ProductionThreshold The "Per hour" count of events to be considered as suspicious for production systems 60.
- NonProdThreshold The "Per hour" count of events to be considered as suspicious for nonproduction systems 10.
- RolesTagsToExclude: This field accepts SAP role name, SAP profile names or tags from the SAP_User_Config watchlist. These are then used to exclude the associated users from specific event types. See options for role tags at the end of this list.
- RuleType: Use Deterministic for the event type to be sent off to the SAP - Dynamic Deterministic Audit Log Monitor rule, or AnomaliesOnly to have this event covered by the SAP - Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW) rule. For more information, see Monitor the SAP audit log.
- TeamsChannelID: an optional dynamic parameter for use in playbooks.
- DestinationEmail: an optional dynamic parameter for use in playbooks.

For the RolesTagsToExclude field:
- If you list SAP roles or SAP profiles, this excludes any user with the listed roles or profiles from these event types for the same SAP system. For example, if you define the BASIC_BO_USERS ABAP role for the RFC related event types, Business Objects users won't trigger incidents when making massive RFC calls.
- Tagging an event type is similar to specifying SAP roles or profiles, but tags can be created in the workspace, so SOC teams can exclude users by activity without depending on the SAP BASIS team. For example, the audit message IDs AUB (authorization changes) and AUD (user master record changes) are assigned the MassiveAuthChanges tag. Users assigned this tag are excluded from the checks for these activities. Running the workspace SAPAuditLogConfigRecommend function produces a list of recommended tags to be assigned to users, such as Add the tags ["GenericTablebyRFCOK"] to user SENTINEL_SRV using the SAP_User_Config watchlist.
SAP_User_Config Allows for fine tuning alerts by excluding /including users in specific contexts and is also used for configuring the built-in SAP analytics rules for monitoring the SAP audit log. For more information, see Monitor the SAP audit log.

- SAPUser: The SAP user
- Tags: Tags are used to identify users against certain activity. For example Adding the tags ["GenericTablebyRFCOK"] to user SENTINEL_SRV will prevent RFC related incidents to be created for this specific user
Other active directory user identifiers
- AD User Identifier
- User On-Premises Sid
- User Principal Name

Available playbooks

Playbooks provided by Microsoft Sentinel solution for SAP applications help you automate SAP incident response workloads, improving the efficiency and effectiveness of security operations.

This section describes built-in analytics playbooks provided together with the Microsoft Sentinel solution for SAP applications.

Playbook name Parameters Connections
SAP Incident Response - Lock user from Teams - Basic - SAP-SOAP-User-Password
- SAP-SOAP-Username
- SOAPApiBasePath
- DefaultEmail
- TeamsChannel
- Microsoft Sentinel
- Microsoft Teams
SAP Incident Response - Lock user from Teams - Advanced - SAP-SOAP-KeyVault-Credential-Name
- DefaultAdminEmail
- TeamsChannel
- Microsoft Sentinel
- Azure Monitor Logs
- Office 365 Outlook
- Microsoft Entra ID
- Azure Key Vault
- Microsoft Teams
SAP Incident Response - Reenable audit logging once deactivated - SAP-SOAP-KeyVault-Credential-Name
- DefaultAdminEmail
- TeamsChannel
- Microsoft Sentinel
- Azure Key Vault
- Azure Monitor Logs
- Microsoft Teams

The following sections describe sample uses cases for each of the provided playbooks, in a scenario where an incident warned you of suspicious activity in one of the SAP systems, where a user is trying to execute one of these highly sensitive transactions.

During the incident triage phase, you decide to take action against this user, kicking it out of your SAP ERP or BTP systems or even from Microsoft Entra ID.

For more information, see Automate threat response with playbooks in Microsoft Sentinel

The process for deploying Standard logic apps generally is more complex than it is for Consumption logic apps. We've created a series of shortcuts to help you deploy them quickly from the Microsoft Sentinel GitHub repository. For more information, see Step-by-Step Installation Guide.

Tip

Watch the SAP playbooks folder in the GitHub repository for more playbooks as they become available.

Lock out a user from a single system

Build an automation rule to invoke the Lock user from Teams - Basic playbook whenever a sensitive transaction execution by an unauthorized user is detected. This playbook uses Teams' adaptive cards feature to request approval before unilaterally blocking the user.

For more information, see From zero to hero security coverage with Microsoft Sentinel for your critical SAP security signals - You're gonna hear me SOAR! Part 1 (SAP blog post).

The Lock user from Teams - Basic playbook is a Standard playbook, and Standard playbooks are generally more complex to deploy than Consumption playbooks.

We've created a series of shortcuts to help you deploy them quickly from the Microsoft Sentinel GitHub repository. For more information, see Step-by-Step Installation Guide and Supported logic app types.

Lock out a user from multiple systems

The Lock user from Teams - Advanced playbook accomplishes the same objective, but is designed for more complex scenarios, allowing a single playbook to be used for multiple SAP systems, each with its own SAP SID.

The Lock user from Teams - Advanced playbook seamlessly manages the connections to all of these systems, and their credentials, using the InterfaceAttributes optional dynamic parameter in the SAP - Systems watchlist and Azure Key Vault.

The Lock user from Teams - Advanced playbook also allows you to communicate to the parties in the approval process using Outlook actionable messages together with Teams, using the TeamsChannelID and DestinationEmail parameters in the SAP_Dynamic_Audit_Log_Monitor_Configuration watchlist.

For more information, see From zero to hero security coverage with Microsoft Sentinel for your critical SAP security signals - Part 2 (SAP blog post).

Prevent deactivation of audit logging

You might also be concerned about the SAP audit log, which is one of your security data sources, being deactivated. We recommend that you build an automation rule based on the SAP - Deactivation of Security Audit Log analytics rule to invoke the Reenable audit logging once deactivated playbook to make sure the SAP audit log isn't deactivated.

The SAP - Deactivation of Security Audit Log playbook also uses Teams, informing security personnel after the fact. The severity of the offense and the urgency of its mitigation indicate that immediate action can be taken with no approval required.

Since the SAP - Deactivation of Security Audit Log playbook also uses Azure Key Vault to manage credentials, the playbook's configuration is similar to that of the Lock user from Teams - Advanced playbook. For more information, see From zero to hero security coverage with Microsoft Sentinel for your critical SAP security signals - Part 3 (SAP blog post).

For more information, see Deploying Microsoft Sentinel solution for SAP applications.