September 28, 2023

Audit Logs in SAP

Why are SAP Audit Logs so important?

SAP Audit logs are records of all activities and changes occurring within the SAP system. These logs are crucial for security, compliance, and troubleshooting, as they provide a detailed history of user actions, system events, and data modifications, and help organizations monitor and maintain the integrity and security of their SAP environment. In fact, they are often the single point of truth for the detection of malicious activities that have happened in an SAP system. Unattended or inactive audit logs may pose a serious impact at the time of detection and response of an incident. In this article, we provide an overview of various audit logs present in SAP systems.

Are SAP Audit Logs active by default?

The inconvenient truth is “No”. Various Log sources exist that need to be activated by clients’ SAP basis experts or can be filtered. It ultimately falls into the responsibility of the SAP-using organization to decide which logs are relevant, whether legal obligations or limits exist that prevent the activation of logging, and to establish a regular assessment process.

Which SAP Audit Logs do I need to activate for Information Security?

The simple answer would be – the more, the better. The reason for this vague statement is the assumption that organizations can make an educated decision based on available information. It appears vital to acquire as much information as possible, but unfortunately, it is not simple. Each SAP system creates gigabytes of logs per-day, and this causes security fatigue. Many SAP Audit Logs hold information about business transactions that are not immediately relevant to a security analyst to assess a potential incident.

But let’s start with the basics: the minimum SAP Audit Log an organization needs to activate is the Security Log. A Security Audit Log exists for the S4/HANA Stack and the database. Furthermore, we also recommend not using filters on those logs.

Important SAP Audit Logs that you need to know:

Security Audit Log (SAL):

– The Security Audit Log is an SAP’s security infrastructure central component, which records security-relevant system and application activities, such as logon attempts, failed logins, and changes to user authorizations.

– Access to the Security Audit Log is tightly controlled to prevent unauthorized modifications, and you can configure SAL to log various events and activities based on your organization’s security policies.

– The logs can be stored in different ways – for example, file-based or on a database table. Hence, there should also be a strategy for log retention at the application level and for archiving it.

Change Document Logs:

– These logs record changes made to specific data objects, such as customer master records, material master records, or vendor master records.

– Change document logs help organizations track who made, what kind of changes, and when they were applied.

– You can enable change document logs for specific SAP objects through customization settings.

Application Log:

– The Application Log records information about application-specific events, such as errors, warnings, and messages generated during program execution. You can configure the Application Log to record specific events based on your requirements.

– You can use it mainly for troubleshooting and monitoring application processes.

Transport Log:

– This log tracks changes to transport requests and their objects, and it helps administrators and developers monitor changes to configuration settings and custom developments as they are transported between SAP systems.

System Log (SM21):

– The System Log (SM21 transaction) monitors the SAP system’s overall health and performance and provides an overview of system-wide events and messages, including system-level errors and warnings.

Data Change Logs (Database Logs) and Table logs:

– Data change logs are critical for auditing and tracking changes to sensitive data. They record changes are made directly to the database tables, including inserts, updates, and deletes.

Custom Audit Logs:

– SAP also allows organizations to create custom audit logs to record specific business processes or events not covered by standard logs. These can be developed using SAP’s auditing and logging framework.

In conclusion, to effectively use and manage SAP audit logs, it's crucial to:

Activate logging wherever possible.
Define and enforce security policies and procedures.
Review and analyze logs regularly to detect and respond to security incidents and unauthorized activities.
Configure log retention policies to comply with legal and regulatory requirements.
Implement role-based access control to restrict access to audit logs.
Integrate SAP audit logs with centralized security information and event management (SIEM) systems for real-time monitoring and analysis.

How can the SecurityBridge Platform help?

SecurityBridge leverages data from all the above audit logs and alerts the events with a meaningful message, so that an admin can easily track the event and take appropriate action. The Threat Detection component for SAP also verifies the healthy setup of log sources and provides an alert in case an important information source has been deactivated.

Here’s an overview of the SecurityBridge Threat Detection module:

Real-time Monitoring:

Our Threat Detection module can integrate with Security Information and Event Management (SIEM) systems to centralize SAP threat data. The platform provides real-time monitoring and alerting capabilities to immediately notify security teams of suspicious activities or potential threats.

Customizable Alerts:

Organizations can configure alerts in correlation with their specific security policies and necessities. They can be adjusted to trigger notifications for events that are crucial or that require immediate attention.

Zero-Day Threat Detection:

The platform aims to detect zero-day vulnerabilities and emerging threats in SAP systems thanks to advanced threat intelligence and heuristic analysis. This way, organizations stay ahead of potential threats that have not yet been documented or patched by SAP.

Anomaly Detection:

SecurityBridge uses machine learning and behavioral analysis to identify abnormal activities within the SAP landscape: unusual patterns in user behavior, unauthorized access attempts, or deviations from typical system activities.

Compliance Monitoring:

Our software solution grants the compliance of organizations worldwide by continuously monitoring SAP systems against specific compliance frameworks and generating specific reports and evidence.

Threat Intelligence Integration:

The platform incorporates threat intelligence feeds to stay up to date with the latest threats and vulnerabilities, and it can cross-reference SAP-specific threats with global threat intelligence sources.

Incident Response and Remediation:

When threats or vulnerabilities are detected, the SecurityBridge platform offers guidance on remediation steps to mitigate risks and secure SAP environments. Furthermore, it provides recommendations and best practices for best addressing security issues.

Detailed Knowledgebase

Finally, our platform comes with integrated Knowledgebase that provides detailed information on findings, transparent risk descriptions, and mitigation recommendations.

SecurityBridge’s threat detection capabilities help organizations successfully identify and respond to security threats and vulnerabilities in their SAP landscapes, ensuring the integrity and availability of critical SAP systems and data. It is the most comprehensive solution for SAP security that combines scanning, monitoring, and incident response into a single platform.