Skip to content

SAP BTP Audit Log

SAP BTP Audit Lg

The Business Technology Platform is the further development of the former SAP Cloud Platform. Behind the abbreviation, BTP hides the meaningful term Business Technology Platform. On the product page SAP advertises the following: SAP BTP combines data management, analytics, artificial intelligence, application development, automation, and integration in a unified environment.  

The new SAP technology allows a lot of flexibility and offers a well-structured BTP audit log in the security domain. As an SAP security solution provider, we took a closer look at it and integrated the BTP audit log into our monitoring portfolio. 

What is SAP BTP?

The SAP Business Technology Platform (SAP BTP) is a cloud platform on which companies can use numerous services and functions – both existing services from SAP and other providers, as well as custom developments. Divided into four principal areas: Database and Data Management, Analytics, Application Development, and Integration and Intelligence Tech, it advertises maximum flexibility and easy integration into the existing SAP product portfolio.

SAP BTP Audit Log

You should start with the concept of “environments” to delve a little deeper into the SAP Business Technology Platform. Environments form the actual Platform-as-a-Service offering of SAP BTP, enabling the development and management of business applications. Environments are anchored in SAP BTP at the subaccount level. The Cloud Foundry, ABAP, Kyma, and the Neo Environments exist. Follow this link to find more details on the subject in the SAP Help Portal.

What is the SAP BTP Audit Log?

Audit logs are a special type of logs. They represent security-relevant chronological records that provide documentary evidence for an event or activity that delivers information about e.g., User login to SAP BTP. The SAP BTP Audit Log Service stores audit logs representing different actions taken over your account and (or) data. There are predefined audit categories for data protection & privacy next to security-relevant events. All entries of the SAP BTP Audit log are grouped into the following areas: 

  • Identity provider management 
  • Instance management 
  • Role collection management 
  • Role management 
  • SAML authentication 

Further information can be found in
Audit Logging in the Cloud Foundry Environment 

SAP BTP Audit Log Viewer service

The SAP Audit Log service is a platform service that stores all the audit logs written on your behalf by other platform services that you use. It allows you to retrieve the audit logs for your subaccount via the audit log retrieval API or view them using the SAP Audit Log Viewer Service.  


The SecurityBridge Platform makes it easy for SAP customers to keep track of security-related activities with its threat detection capabilities. Especially with the new SAP BTP Audit Log, customers are confronted with an entirely new challenge. A new message format and new categorization are waiting, bringing new use cases. Customers now need to think about which of these security use cases needs to be incorporated into active monitoring (e.g., SAP SOC/SIEM). In addition to this practical obstacle, there are several technical questions to be answered:  

  • How can the data be accessed? 
  •  What needs to be decoded? How can the new format be brought into a uniform message structure? 
  • What are the error cases? What must be done if the log is no longer readable? 
  • Which SAP BTP tenants exist in the company at all?

When you read the last point, you may be crying out mentally, but actually, the tenants’ determination creates a challenge for many enterprises. As with many cloud solutions, it is easy to apply for a new tenant with SAP BTP. If there is an active connection to the on-premises SAP application, this is traceable. However, if the SAP BTP tenant exists on its own, things get a bit more complicated. 

Where can I find SAP BTP Audit Log information sources?

In conclusion, we would like to point out a few informative references that played a role in the context of this article. Perhaps one or more readers will find the links helpful. If you do not want to miss any helpful posts and want to stay up to date with SAP Cybersecurity, follow our LinkedIn page. 

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

Webinar: SAP Security Baseline: Surviving an SAP Audit

With the recent increase in attention to SAP security from auditors, we decided to investigate SAP baselines. We took a closer look into what SAP baselines are, how they can help you, and how to survive an audit.

Innovator für SAP-Sicherheit: SecurityBridge auf den DSAG-Technologietagen 2023

DSAG-Technologietage, das bedeutet traditionell: Wissensaustausch unter Technologen und Technologiebegeisterten. „Work in progress“ lautet das diesjährige Motto (22.- 23. März 2023, Congress Center Rosengarten, Mannheim). SecurityBridge nimmt die DSAG beim Wort und veranstaltet zusammen mit seinem Partner cbs Corporate Business Solutions Unternehmensberatung GmbH einen zweitägigen Hackathon, bei dem Studierende einen Prototyp für Security entwickeln können, unterstützt durch Coaches führender Beratungsunternehmen.
SAP security by design
Security-by-design is a principle that emphasizes the need to build security measures into software systems from the start rather than as an afterthought. SAP projects need to embed security conciseness to respect this principle and gain a cyber-resilient application. Thus, they should prioritize security when designing and implementing their SAP systems rather than attempting to bolt on security measures afterward. This can help to prevent security breaches and minimize the damage caused by cyberattacks.
Remote Code Execution (RCE) vulnerability in SAP is a type of security issue that allows an attacker to execute arbitrary code on a target system remotely. has gained control of a user's click, they can execute a range of actions, such as transferring funds, changing user settings, or stealing sensitive data.
Management Dashboard
SAP security provider SecurityBridge—now operating in the U.S.—today announced the latest addition to the SecurityBridge Platform—the Management Dashboard for SAP security. The SAP Management Dashboard is a no-cost, additional application for the existing SecurityBridge Platform that combines all SAP data aspects and presents the information through a customizable, single pane of glass security dashboard view.
Hacker mining SAPsecurity
SAP Cybersecurity- SAP Vulnerability
In recent years, cyberattacks against SAP systems have become more common, with attackers gaining network access and then exploring critical applications through port scanning and script-based exploration. Two examples of such attacks that use the SAP RFC SDK are the password lock attack and the password spray attack. In this article, we will outline how to detect these script-based attacks against SAP.