
Microsoft Sentinel – SAP continuous threat monitoring workbooks

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

In May 2021, Microsoft announced a new threat monitoring protection for SAP systems in Microsoft Sentinel. Since then, we’ve continuously increased our out-of-the-box, predefined content, and after you’ve deployed the solution in your Microsoft Sentinel workspace, 50 different analytics rules, watchlists, and workbooks are added. In this blog we’ll go over the different features supported by our new workbooks. 

The main purpose of Microsoft Sentinel workbooks for SAP is to visualize and monitor data ingested via the SAP data connector. Workbooks provide a flexible canvas for data analysis and for the creation of rich, visual reports in your Microsoft Sentinel workspace. Workbooks help you visualize data from your workspace logs and combine it into unified, interactive experiences. The SAP workbooks include one general workbook focused on the ABAP Security Audit Log and three other, use-case oriented workbooks. These workbooks are customizable templates: edit, remove, or add any chart, or visualize anything else you need.

After deploying the SAP solution from the content hub, the SAP workbooks are found in the My workbooks tab.

Our current SAP solution has four different workbooks: 

1. SAP - Audit Log Browser 

The Audit Log Browser is a workbook focused on the ABAP Security Audit Log. It gives users a general view of their SAP systems and helps them monitor several aspects of them. Users can pick filtering parameters, such as a relevant system (or all systems) and the time scope for the workbook.

The SAP – Audit Log Browser workbook contains: 

For example, the following image shows a time chart of the number of user logins, binned by day.
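The query behind a chart like that is a plain KQL summarize over the audit log table. The following is an added example written for this post, not a query taken from the Microsoft Sentinel SAP solution or its workbook templates; it assumes the ABAPAuditLog_CL column names SystemID_s, ClientID_s, User_s and MessageID_s, and the Security Audit Log message IDs AU1 (logon successful) and AU2 (logon failed). It goes one step beyond the chart in the post by splitting successful from failed logons, which is what a defender actually wants on the same time axis.

```kusto
// Added example, not from the original post or the Sentinel SAP solution.
// Successful vs. failed ABAP dialog logons per day and per system.
// Assumed columns: SystemID_s, ClientID_s, User_s, MessageID_s.
// Assumed message IDs: AU1 = logon successful, AU2 = logon failed.
let lookback = 7d;          // in a workbook: | where TimeGenerated {TimeRange}
let systemFilter = "";      // "" = all systems; otherwise a system ID such as "PRD"
ABAPAuditLog_CL
| where TimeGenerated > ago(lookback)
| where isempty(systemFilter) or SystemID_s == systemFilter
| where MessageID_s in ("AU1", "AU2")
| extend Outcome = iff(MessageID_s == "AU1", "Successful", "Failed")
| summarize Logons = count(), DistinctUsers = dcount(User_s)
    by bin(TimeGenerated, 1d), Outcome, SystemID_s
| order by TimeGenerated asc
// Render as a time chart: x = TimeGenerated, y = Logons, split by Outcome.
// A rising Failed series with a flat DistinctUsers count is the classic
// password-guessing signature worth alerting on.
```

In a workbook, replace the two `let` values with the workbook's time range and system parameters so the chart follows the same filters as the rest of the page.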


2. The second workbook is named Initial Access & Attempts to Bypass SAP Security Mechanisms. This workbook focuses on two different use cases: initial access and attempts to bypass SAP security mechanisms.

The relevant logs are:

Users can choose parameters, such as the relevant system or systems, and the time scope for the workbook.  

Sensitive Actions  

Sensitive actions include sensitive transaction codes, ABAP programs, and function modules.

Customers mark these actions as sensitive through the relevant watchlists:

Solution workbooks include the following graphs for sensitive actions: 
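The watchlist-driven pattern behind those graphs is worth seeing in code. The following is an added example written for this post, not a query from the Sentinel SAP solution; it assumes a watchlist with the alias SAP_Sensitive_Transactions that has a TransactionCode column, the ABAPAuditLog_CL columns SystemID_s, ClientID_s, User_s, MessageID_s and TransactionCode_s, and the Security Audit Log message ID AU3 (transaction started). The same join applies unchanged to the ABAP programs and function modules watchlists by swapping the message ID and the joined column.

```kusto
// Added example, not from the original post or the Sentinel SAP solution.
// Which users started transactions that the customer has marked sensitive?
// Assumed watchlist alias: SAP_Sensitive_Transactions (column TransactionCode).
// Assumed columns: SystemID_s, ClientID_s, User_s, MessageID_s, TransactionCode_s.
// Assumed message ID: AU3 = transaction started.
let lookback = 7d;
let sensitiveTCodes =
    _GetWatchlist('SAP_Sensitive_Transactions')
    | project TransactionCode = toupper(tostring(TransactionCode));
ABAPAuditLog_CL
| where TimeGenerated > ago(lookback)
| where MessageID_s == "AU3"
| extend TransactionCode = toupper(TransactionCode_s)   // normalise case before the join
| join kind=inner sensitiveTCodes on TransactionCode
| summarize Executions = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
    by SystemID_s, ClientID_s, User_s, TransactionCode
| order by Executions desc
// Workbook graphs: pie by TransactionCode, bar by User_s, or a grid
// with FirstSeen/LastSeen for triage of a single user.
```

Keeping the sensitive list in a watchlist rather than hard-coded in the query is the point: the SAP basis team can maintain the list without touching the workbook or the analytics rules that reuse it.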


3. The third workbook is Suspicious Privileges Operations. This workbook focuses on two different use cases: persistency and data exfiltration.

Persistency is a broad term for an attack campaign in which an intruder, or a team of intruders, establishes an illicit, long-term presence on a network.

Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data transfer from a system.  

The relevant logs for this workbook are:  

Users can select parameters, such as a relevant system (or all systems), and the time scope for the workbook.  

ICF Services  

An overview of ICF services, also known as Internet Communication Framework services. The Internet Communication Framework is the layer between the Internet Communication Manager (ICM), which sends and receives HTTP requests, and the SAP Web Application Server work processes; each active ICF service opens a door into the SAP system, an HTTP interface to it.

This workbook includes the following graphs: 


4. The fourth workbook is Suspicious Privileged Operations. This workbook is focused on suspicious privileged operations: sensitive authorizations (roles or profiles) granted to users, or configuration changes to roles (adding or removing authorization objects). This workbook also monitors suspicious activity by sensitive privileged users.

The relevant logs are: ABAP Audit Log (ABAPAuditLog_CL) and ABAP Change Docs Log (ABAPChangeDocsLog_CL). 
Users can select parameters, such as the relevant system or systems, and the time scope for the workbook.  

Select a user to drill down to their current activity. For example: 
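A user drill-down across both logs named above can be built as one union query. The following is an added example written for this post, not a query from the Sentinel SAP solution; it assumes the ABAPAuditLog_CL columns User_s, SystemID_s, ClientID_s, MessageID_s, TransactionCode_s and MessageText_s, the ABAPChangeDocsLog_CL columns Username_s (who made the change), ObjectID_s, TableName_s, ChangeIndicator_s, ValueOld_s and ValueNew_s, and that role assignments are recorded as change documents on the SAP table AGR_USERS. The selected user is a placeholder standing in for the workbook's user parameter.

```kusto
// Added example, not from the original post or the Sentinel SAP solution.
// Drill-down on one user: their audit-log activity plus role-assignment
// changes they made or that were made to them.
// Assumed audit columns: User_s, SystemID_s, ClientID_s, MessageID_s,
//   TransactionCode_s, MessageText_s.
// Assumed change-doc columns: Username_s (changer), ObjectID_s (changed object),
//   TableName_s, ChangeIndicator_s, ValueOld_s, ValueNew_s.
// Assumed: user-to-role assignments are logged against SAP table AGR_USERS.
let selectedUser = "SELECTED_USER";   // placeholder; in a workbook use the {User} parameter
let lookback = 30d;
let auditActivity =
    ABAPAuditLog_CL
    | where TimeGenerated > ago(lookback) and User_s == selectedUser
    | project TimeGenerated, SystemID_s, ClientID_s,
              Source = "AuditLog",
              Activity = strcat(MessageID_s, " ", TransactionCode_s, " ", MessageText_s);
let roleChanges =
    ABAPChangeDocsLog_CL
    | where TimeGenerated > ago(lookback)
    | where TableName_s == "AGR_USERS"
    // changes made BY the user, or TO the user's own role assignments
    | where Username_s == selectedUser or ObjectID_s == selectedUser
    | project TimeGenerated, SystemID_s, ClientID_s,
              Source = "ChangeDocs",
              Activity = strcat("Role assignment ", ChangeIndicator_s,
                                " by ", Username_s, ": ",
                                ValueOld_s, " -> ", ValueNew_s);
union auditActivity, roleChanges
| order by TimeGenerated desc
// Workbook: show as a grid; a role grant to the selected user immediately
// followed by a sensitive transaction from that user is the pattern the
// Suspicious Privileged Operations workbook is meant to surface.
```

Putting both sources on one timeline is what makes the drill-down useful: a role change on its own is routine, but the same row set shows what the account did with the new authorization minutes later.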


Start Now!   
