Skip to content

Why is User and Entity Behavior Analytics for SAP a new approach?

User and Behaviour Analytics

Threat detection for SAP cannot simply rely on monitoring audit and security logs because most threats come from regular authorized users or attackers who have gained access to such accounts. Detecting anomalies within normal user behavior is challenging, especially for SAP environments – because of the application complexity.

Simply forwarding SAP audit logs to SIEM only makes it worse, as SOC teams are overwhelmed by the volume and complexity of these events. By correlating these SAP events and forwarding meaningful messages based on expert knowledge, this problem gets solved, but anomaly detection still needs an understanding of normal behavior. User and Entity Behavior Analytics (UEBA) seems to be the new, highly promising solution for this ultimate challenge. Let’s take a closer look at why this is true, why it complements existing security postures, and how it can work for SAP enterprise landscapes.

What is UEBA, and what is it good for?

UEBA is a technology that analyzes the behavior patterns of users and entities, like IT systems or applications, in an organization’s network and detects anomalies or deviations from the normal baselines. During the initial baselining phase, the system learns the normal behavior within the target system by analyzing user activities and their leveraged endpoints, like client devices or servers. After that period, the UEBA system can detect deviations from normal behavior and initiate alerts or countermeasures.

The goal is to identify threats from insiders or unauthorized people and entities leveraging stolen access credentials. This is something traditional security solutions like firewalls or intrusion detection and prevention tools cannot achieve. Sophisticated cyberattacks these days avoid simple one-off threats, instead, they find their way through social engineering or phishing to steal authorized user accounts. These attacks target people by convincing employees to click on links, download software, or even send passwords. Once they gain system access, they can remain undetected by traditional threat management tools for several weeks or even months.

The UEBA approach is specialized in detecting unusual behavior. For SAP environments, this can help detect anomalies like:

  • Access to SAP systems or data outside of working hours
  • Rarely used transactions or excessive queries
  • Deviations from normal usage or activity patterns
  • Changes to SAP configuration or settings
  • Other indicators of compromise or attack.

Why does UEBA complement your IDS and SIEM solutions?

Detecting anomalies is also a capability of Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) tools. However, their approach is different from the one used for UEBA. IDS or SIEM solutions are mainly focused on detecting real-time threats, such as distributed denial-of-service (DDoS) attacks, based on predefined rules or signatures. These solutions may not be able to detect unknown or emerging threats, such as insider threats, compromised accounts, or advanced persistent threats (APTs), that do not match any existing rules or signatures. Moreover, they may generate many false positives or false negatives, depending on the sensitivity of the rules or signatures. This risk can overwhelm the SOC team and reduce security operations’ efficiency and effectiveness.

UEBA complements IDS and SIEM solutions by providing additional context and insights into the activities and risks associated with users and entities. Being based on normal behavior patterns of users and entities, UEBA can identify any deviations that may indicate malicious or suspicious activities. By correlating the anomalies across different sources, UEBA can provide a holistic view of the user and entity risk profiles. This is especially important when you want to apply UEBA for SAP environments to identify fraud or data theft.

Why is UEBA for SAP so challenging?

Setting up UEBA for SAP landscapes is particularly challenging because SAP systems are complex, heterogeneous, and highly customized. This makes it difficult to establish a baseline of normal behavior and identify deviations from it. Therefore, UEBA for SAP requires a deep understanding of the SAP landscape, business processes, and the user roles and permissions – as well as advanced analytical capabilities to interpret and correlate the data from multiple SAP systems.

Understanding the various, sometimes quite cryptic, SAP logs is a big challenge. To interpret these log records, SAP knowledge needs to be built into the UEBA system. Moreover, you need an “SAP language model” to be able to correlate these events leveraging machine learning algorithms or AI capabilities. In other words, you need a UEBA built for SAP, not a generic one.

What do you need for UEBA for SAP?

UEBA for SAP is not an isolated approach, and more importantly, it is not the first step on the journey to a mature process for protecting SAP environments. UEBA relies on a solid security foundation for SAP, a security platform that can provide information and metadata that is needed for behavior analytics.

This is where SecurityBridge comes into action. The SecurityBridge Platform collects, stores, and aggregates relevant user activities, events, and logs from SAP landscapes and even integrates with infrastructure security tools. This already allows a comprehensive Threat Detection capability. However, only by combining this data with static information about the SAP system, its users, and connection interfaces, typically used for Security & Compliance Management, you gain the basis for a successful UEBA approach.

A security platform built for SAP that collects and pre-processes static and dynamic data for feeding a comprehensive UEBA model on the same platform is a new all-in-one approach. By applying machine learning algorithms or rules to analyze these data, UEBA generates behavioral profiles, baselines, and scores. A dashboard displays the results of the analysis and allows security teams to investigate and respond to alerts.


Complementing existing IDS and SIEM solutions, UEBA brings Threat Detection to the next level. This is especially beneficial for SAP environments where identifying fraud or data theft is complex and challenging. Integrating UEBA capabilities into SAP security processes can help organizations detect unknown malicious patterns and prevent insider threats. The ideal foundation for this approach is an all-in-one data security platform for gathering user and entity activities and behaviors across SAP modules and applications. Applying advanced analytics and machine learning to identify deviations from normal baselines and detecting suspicious patterns based on the severity and frequency of anomalous events is crucial: it enables security teams to respond and trigger remediation actions, such as blocking or suspending users or entities. UEBA for SAP can help organizations enhance their security posture and effectively mitigate insider threats and sophisticated cyberattacks.

Posted by 

Holger Huegel

Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.