SAP Security Audit

Muhammad Iqbal, Logging, Security, SAP

Background

When I was working at a CyberSec company, one of the clients requested an audit of SAP user activity. Because of that, I was assigned by my Team Lead to do the integration with the SIEM; it took 4 months to do just that, alongside other tasks of course. So I'll share what I found, because SAP does not have clear documentation and no blog post had a good guide at that time.

SAP Configuration

  1. Open SAP Easy Access

  2. Go to transaction SM19

  3. Go to Dynamic Configuration

  4. Select the top individual server and edit its configuration

  5. Go to filter 1 and set selection criteria:

    Client	: *
    User	: *

  6. Make sure the filter is active (✓) and that dialog logon and RFC/CPIC logon are also enabled (✓)

  7. Save the configuration

  8. Raw log example (tsv)

Ship Log with ArcSight Connector

  1. Key configuration for parsing

  2. Successfully shipped

  3. Parsed SAP log to syslog server
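
The steps above map a tab-separated audit log onto syslog events. As an added example (not the author's connector configuration), this Python sketch does the same mapping by hand, turning TSV audit records into CEF lines. The column order, vendor/product/version strings, sample records and the set of failed-logon message IDs are assumptions to adapt to your own raw log.

```python
import csv
import io
from datetime import datetime

# Assumed column order of the TSV audit export; match it to your own raw log.
COLUMNS = ["date", "time", "client", "user", "terminal", "msg_id", "text"]
# Constructed sample records (the last line is deliberately truncated).
SAMPLE_TSV = (
    "2024-01-15\t08:12:01\t100\tJDOE\tWS-FIN-01\tAU1\tLogon successful (type=A, method=P)\n"
    "2024-01-15\t08:13:40\t100\tJDOE\tWS-FIN-01\tAU2\tLogon failed (reason=1, type=A, method=P)\n"
    "2024-01-15\t08:14:02\t000\tRFC_BATCH\tappsrv01\tAU6\tRFC/CPIC logon failed, reason=1, type=R\n"
    "2024-01-15\t08:15\n"
)
FAILED_LOGON_IDS = {"AU2", "AU6"}  # assumed IDs; confirm against your system

def esc_header(value):
    """CEF header fields: escape backslash and pipe."""
    return value.replace("\\", "\\\\").replace("|", "\\|")

def esc_ext(value):
    """CEF extension values: escape backslash, equals sign and line breaks."""
    value = value.replace("\\", "\\\\").replace("=", "\\=")
    return value.replace("\r", "").replace("\n", "\\n")

def to_cef(row):
    """Turn one audit record (dict keyed by COLUMNS) into a CEF line."""
    ts = datetime.strptime(f'{row["date"]} {row["time"]}', "%Y-%m-%d %H:%M:%S")
    # Failed logons get a higher severity so the SIEM can alert on them.
    severity = "7" if row["msg_id"] in FAILED_LOGON_IDS else "3"
    header = ["SAP", "SecurityAuditLog", "1.0",  # placeholder device fields
              row["msg_id"], row["text"], severity]
    ext = {
        "rt": ts.strftime("%b %d %Y %H:%M:%S"),  # local time zone assumed
        "suser": row["user"],
        "shost": row["terminal"],
        "cs1Label": "SAPClient", "cs1": row["client"],
        "msg": row["text"],
    }
    head = "|".join(["CEF:0"] + [esc_header(h) for h in header])
    return head + "|" + " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items())

def convert(tsv_text):
    """Parse the TSV export; skip records with the wrong number of fields."""
    reader = csv.reader(io.StringIO(tsv_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    return [to_cef(dict(zip(COLUMNS, r))) for r in reader if len(r) == len(COLUMNS)]
```

`convert(SAMPLE_TSV)` returns three CEF lines; the truncated fourth record is dropped rather than shipped half-parsed.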