Anomaly detection on the SAP audit log using the Microsoft Sentinel for SAP solution
Published Sep 29 2022 06:03 PM 12.2K Views
Microsoft

Introduction

Organizations that use the Microsoft Sentinel for SAP solution obtain valuable security insights from events in the SAP security audit log, which contains an audit trail of many important activities, covering both standard SAP events and customer-enhanced events. The current Sentinel solution provides a variety of out-of-the-box detections and visualizations based on the valuable information in the SAP security audit log.

We're proud to announce that the new Microsoft Sentinel for SAP solution is enhanced with a feature designed to detect suspicious events in the SAP security audit log based on deviation from the norm, that is, anomalies, in addition to the deterministic detection patterns previously included with the solution.

The problem with being too deterministic

When trying to identify security events in a diverse activity log like the SAP audit log, there’s a tradeoff between the configuration effort and the amount of noise the alerts produce. In a perfect world, deterministic rule sets are defined for each activity, so that each rule names specific attributes of the user, network, and activity. But in real life, it’s difficult to constantly create and update these types of rules.

In most cases, users choose to look only at those events that they know how to define well. This results in a reasonable number of alerts to sort through, while disregarding the events that are too complex to define, potentially missing important security insights.

Anomaly detection to the rescue

With the new SAP audit log module in the Sentinel for SAP solution, customers get to choose:

  • Which events to look at deterministically, using customized, predefined thresholds and filters to produce high fidelity incidents.
  • Which events to leave to the machine, which learns the parameters on its own and produces alerts on event types that are otherwise overlooked. Microsoft Sentinel then generates an alert that can later be cross-correlated with other, higher fidelity incidents.

Once an SAP audit log event type is marked for anomaly detection, the alerting engine checks whether the corresponding events recently streamed from the SAP audit log look normal, given the history it has learned.

Microsoft Sentinel checks an event or group of events for anomalies. It tries to match the event or group of events with previously seen activities of the same kind, at the user and system levels. The algorithm learns event frequency and seasonality based on the following attributes: the SAP user name, IP address and network (including the subnet mask), and activity (event type).

With this ability, customers can look at previously overlooked event types, such as user logons, in terms of anomalies. Here are some examples:

  • User JohnDoe logs on hundreds of times in an hour? Customers can now let Microsoft Sentinel decide whether this is John from accounting repeatedly refreshing a financial dashboard with multiple data sources, a DDoS attack forming up, or an attempt to hide a data exfiltration activity.
  • Multiple file downloads by DataServices? If the DataServices user has been showing similar file download activity from the same IP subnet and in the same SAP system, we’re probably good.
  • Multiple file downloads by a user that hasn’t been seen doing that before, from an IP address far from their home or office, are likely to trigger an anomaly alert, which can later be used to help in hunting.
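As an added illustration of the learning described above (not the solution's own model), the following Python builds a per-system, per-user, per-subnet, per-event-type baseline of hourly counts and scores a new hour against it; the system ID, user names, event names and all records are constructed.

```python
"""Simplified frequency/seasonality baseline for SAP audit log events, keyed on
SAP system, user, source subnet and event type. Added illustration only, not the
Sentinel for SAP solution's own model; event names and all data are constructed."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network
from statistics import mean, pstdev

def profile_key(system, user, ip, event_type, prefix=24):
    """Behaviour is learned per system, per user, per source network and per activity."""
    subnet = str(ip_network(f"{ip}/{prefix}", strict=False))
    return (system, user, subnet, event_type)

def build_baseline(history, prefix=24):
    """history: (timestamp, system, user, ip, event_type) tuples. Returns
    {(key, hour_of_day): [count on day 1, count on day 2, ...]} with zeros for
    days on which that key/hour was quiet, so the hour-of-day rhythm is captured."""
    per_day, days = defaultdict(lambda: defaultdict(int)), set()
    for ts, system, user, ip, event_type in history:
        days.add(ts.date())
        per_day[(profile_key(system, user, ip, event_type, prefix), ts.hour)][ts.date()] += 1
    return {k: list(v.values()) + [0] * (len(days) - len(v)) for k, v in per_day.items()}

def assess(baseline, hour, system, user, ip, event_type, count, prefix=24):
    """Compare this hour's event count with what was learned for the same hour of
    day. 'unseen' = this system/user/network/activity was never active at that hour."""
    hist = baseline.get((profile_key(system, user, ip, event_type, prefix), hour))
    if hist is None:
        return "unseen"
    mu, sd = mean(hist), pstdev(hist)
    # three-sigma rule with a floor of 1, so a perfectly regular history still tolerates +3
    return "anomalous" if count > mu + 3 * max(sd, 1.0) else "normal"

# Constructed 7-day history: DATASERVICES downloads 3 files nightly from 10.1.1.20,
# JOHNDOE logs on once each morning from 192.168.5.10, both on system PRD.
HISTORY = []
for day in range(1, 8):
    HISTORY += [(datetime(2022, 9, day, 2, m), "PRD", "DATASERVICES", "10.1.1.20", "FileDownload") for m in (5, 6, 7)]
    HISTORY.append((datetime(2022, 9, day, 8, 0), "PRD", "JOHNDOE", "192.168.5.10", "Logon"))
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    print(assess(BASELINE, 8, "PRD", "JOHNDOE", "192.168.5.10", "Logon", 300))  # anomalous: hundreds of logons
    print(assess(BASELINE, 8, "PRD", "JOHNDOE", "192.168.5.77", "Logon", 1))    # normal: same /24 as usual
    print(assess(BASELINE, 8, "PRD", "JOHNDOE", "203.0.113.7", "Logon", 1))     # unseen: new network for this user
```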

 

Microsoft Sentinel customers can now benefit from out of the box machine learning capabilities using the new anomaly-based SAP Security Audit log detections, getting valuable insights across all SAP security audit data with minimal configuration.

Setting up the SAP - Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW) analytics rule

In this section, we show how to set up the new rule and make the most of the SAP security audit log data.

Check if the latest version of the application is running

Assuming you already have SAP audit log data streaming into the Sentinel workspace (if not, see the deployment process), follow these steps:

In the Microsoft Sentinel workspace Content Hub page, check whether your Microsoft Sentinel Solution for SAP application has pending updates. If there are any, apply them.

From the Analytics blade, look for these 3 analytics rules under the Rule templates tab:

  • SAP - Dynamic Deterministic Audit Log Monitor: reviews the SAP audit log event types marked as Deterministic to produce high fidelity security incidents.
  • SAP - (Preview) Dynamic Anomaly based Audit Log Monitor Alerts: reviews the SAP events marked as AnomaliesOnly to produce alerts on abnormal events.
  • SAP - Missing configuration in the Dynamic Security Audit Log Monitor: runs daily to provide configuration recommendations for the SAP audit log module.

Select those, one by one, and then select Create rule.

Next you see the Analytics rule wizard, where you can set some more options. Because the SAP - (Preview) Dynamic Anomaly based Audit Log Monitor Alerts rule is non-deterministic, it is recommended to disable the Create incidents from alerts triggered by this analytics rule option.

Next Steps

After going through the steps above, you should be all set. Microsoft Sentinel now scans the entire SAP audit log at regular intervals for deterministic security events and anomalies. You can view the incidents these rules generate in your Microsoft Sentinel Incidents page, and the anomaly alerts by running the “Security Alerts” Sentinel workbook (available in the workbooks template gallery) or by querying the SecurityAlert table.

As with every machine learning solution, it will perform better with time. Anomaly detection works best with an SAP audit log history of 7 days or more.

You can further tune event types that produce too many alerts using the SAP_Dynamic_Audit_Log_Monitor_Configuration watchlist:

Run the configuration helper function to get system recommendations

The workspace function SAPAuditLogConfigRecommend() is designed to give detailed recommendations for an optimal setup of the SAP - (Preview) Dynamic Anomaly based Audit Log Monitor Alerts rule. The output of the function can be used to populate the configuration watchlists as described below.

Set severities and disable unwanted events

By default, both the deterministic and the anomaly-based SAP audit log analytics rules create alerts for events marked with medium and high severities. You can set these severities separately for production and non-production environments. For example, you can set a debugging activity event to high severity in production systems and disable it in non-production systems.

Exclude users by their SAP roles or SAP profiles

Microsoft Sentinel for SAP ingests the SAP user’s authorization profile, including direct and indirect role assignments, groups and profiles. This way, you can speak the SAP language in your SIEM.

You can configure an SAP event to exclude users based on either their SAP roles or their SAP profiles. For example, in the watchlist, add the roles or profiles that group your RFC interface users to the RolesTagsToExclude column, next to the Generic table access by RFC event. From then on, you get alerts only for users missing these roles.

Create your own tags in Microsoft Sentinel

With tags, you can come up with your own grouping, without relying on complicated SAP definitions or even on SAP authorization knowledge. This is useful for SOC teams that want to create their own grouping of SAP users.

Conceptually, this works like name tags: you can set multiple events in the configuration with multiple tags, and you don’t get alerts for a user whose tag is associated with a specific event. For example, suppose you don’t want specific service accounts to generate alerts for Generic table access by RFC events, but you can’t find an SAP role or SAP profile that groups these users. In this case, add the GenTableRFCReadOK tag next to the relevant event in the watchlist, then go to the SAP_User_Config watchlist and assign the interface users the same tag.

Specify a frequency threshold per event type and system role

This works like a speed limit. For example, you can decide that noisy User Master Record Change events only trigger alerts if more than 12 activities are observed in an hour, by the same user in a production system. If a user exceeds the 12 per hour limit, for example 2 events in a 10-minute window, an incident is triggered.
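The following Python, added here as an illustration and not the solution's own rule logic, applies the three configuration mechanisms from the sections above (severity per system role, RolesTagsToExclude and SOC tags, and the per-hour threshold) to constructed events; the watchlist row layout, the system role names, the users and the events are assumptions.

```python
"""Deterministic evaluation of SAP audit log events against a watchlist-style
configuration: severity per system role, exclusion by SAP role/profile or SOC tag,
and a per-hour frequency threshold. Added illustration, not the solution's own rule."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SAP_Dynamic_Audit_Log_Monitor_Configuration rows, one per event type:
# (severity per system role, RolesTagsToExclude, threshold per user per hour; 0 = every event)
CONFIG = {
    "Generic table access by RFC": ({"prod": "Medium", "nonprod": "Medium"},
                                    {"Z_RFC_INTERFACE", "GenTableRFCReadOK"}, 0),
    "User Master Record Change": ({"prod": "High", "nonprod": "Low"}, set(), 12),
    "Debugging activities": ({"prod": "High", "nonprod": "Disabled"}, set(), 0),
}
# Constructed SAP_User_Config rows: roles/profiles ingested from SAP plus SOC-assigned tags
USERS = {
    "RFC_BATCH": {"roles": {"Z_RFC_INTERFACE"}, "tags": set()},
    "SVC_REPORT": {"roles": set(), "tags": {"GenTableRFCReadOK"}},
    "JOHNDOE": {"roles": {"Z_FI_USER"}, "tags": set()},
}

def evaluate(events, config=CONFIG, users=USERS, window=timedelta(hours=1)):
    """events: (timestamp, system_role, user, event_type) tuples. Returns the
    list of (timestamp, user, event_type, system_role, severity) incidents."""
    incidents, recent = [], defaultdict(list)
    for ts, role, user, etype in sorted(events):
        severity_by_role, exclude, threshold = config.get(etype, ({}, set(), 0))
        severity = severity_by_role.get(role)
        if severity in (None, "Disabled"):
            continue                          # not monitored, or switched off for this system role
        u = users.get(user, {"roles": set(), "tags": set()})
        if exclude & (u["roles"] | u["tags"]):
            continue                          # excluded by SAP role/profile or by tag
        bucket = recent[(user, etype, role)]
        bucket.append(ts)
        bucket[:] = [t for t in bucket if ts - t < window]   # sliding one-hour window
        if len(bucket) > threshold:           # "more than N in an hour" is the speed limit
            incidents.append((ts, user, etype, role, severity))
    return incidents

# Constructed sample: 13 user master changes in 13 minutes, RFC table reads by an interface
# user, a tagged service account and a regular user, then debugging in non-prod and prod
EVENTS = [(datetime(2022, 9, 8, 9, m), "prod", "JOHNDOE", "User Master Record Change") for m in range(13)] + [
    (datetime(2022, 9, 8, 10, 0), "prod", "RFC_BATCH", "Generic table access by RFC"),
    (datetime(2022, 9, 8, 10, 1), "prod", "SVC_REPORT", "Generic table access by RFC"),
    (datetime(2022, 9, 8, 10, 2), "prod", "JOHNDOE", "Generic table access by RFC"),
    (datetime(2022, 9, 8, 11, 0), "nonprod", "JOHNDOE", "Debugging activities"),
    (datetime(2022, 9, 8, 11, 5), "prod", "JOHNDOE", "Debugging activities"),
]
```

Running `evaluate(EVENTS)` yields three incidents: the 13th user master change (High), the regular user's RFC table read (Medium) and the production debugging event (High); the interface user, the tagged service account and the non-production debugging event produce nothing.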

 

Determinism or anomalies

If you know the event’s characteristics, the users that should be excluded and the thresholds to be applied, you are in the deterministic realm. Not sure how to configure the event correctly? Not confident enough to let this analytics rule create incidents? Leave it to the machine to learn and decide which events to alert you on.

SOAR capabilities

The Microsoft Sentinel platform has additional capabilities intended to further orchestrate, automate and respond to incidents, which can be applied to the SAP audit log dynamic alerts.

See Security Orchestration, Automation, and Response (SOAR) in Microsoft Sentinel.

Conclusion

The new SAP - Dynamic Anomaly-based Audit Log Monitor alert rule complements the existing SAP audit log module within the Sentinel for SAP solution. The new rule triggers alerts for event types that are hard to define, by learning the system usage history and pointing out anomalies. Coupled with the SAP - Dynamic Deterministic Security Audit Log Monitor rule, these rules make the most of your valuable SAP audit log data, securing your SAP system with the least amount of noise.

Last update: Oct 20 2022 08:54 AM