In May 2021, Microsoft announced a new threat monitoring solution for SAP systems in Microsoft Sentinel. Since then, we’ve continuously increased the number of different logs and tables that you can stream from your SAP systems to your Microsoft Sentinel workspace. The latest feature going out to public preview this week is the User Master Data set of logs, tables, and tools. SAP systems make use of different user master records, each of which contain sensitive data relating to the users in the SAP system – for example, role assignments, group memberships, user profiles, and more.
Here are some of the many new tables we’re adding to the solution:
USR01 – this table contains all the user master records (runtime data).
USR02 – contains users logon data.
UST04 – all the assignments of profiles to users.
USR05 - stores User Master Parameter ID data
AGR_USERS – all the assignments of roles to users.
AGR_1251 – authorization data for the activity group.
AGR_AGRS – uses to store roles in composite roles data.
AGR_FLAGS – role attributes.
DEVACCESS – a table showing which developer users have an access key.
AGR_DEFINE – this table contains data for role definition, including role metadata such as create date/time, created by, last modified by, modify date /time.
PAHI – contains previous configuration data of the system, DB and SAP parameters, contains data such as host name, parameter date, parameter name, parameter value and state of parameter (original, changed, active)
All the tables can be found in the Logs tab in the Sentinel workspace. In order to query them, select one of the tables and write a custom query with KQL. For example, in this query we requested 100 different records from the table USR01:
As we’ve added more than 14 new tables, you’ll need a way to get complete data and to see the whole picture from all the different tables. To help you do this, we’ve added three new functions to the solution:
1. SAPUsersAssignments – User Assignments to Roles and Profiles
This function gets as a parameter the time span that we’d like to get that data for (the default is 7 days). The function seeks user master data only during the most recent instance of that time span.
One of the fields returned by this function is the set of assigned user profiles, and this is very important because as we see in the screenshot, users who have the “SAP_ALL” set of profiles can basically do anything in the SAP systems. Only Admins should have this type of profile, and that’s something that we’d like to track once we see suspicious activity with this profile.
This function also returns direct roles (the set of directly assigned roles) and child roles (the set of indirectly assigned roles).
2. SAPUsersAuthorizations – User Assignments to authorizations
Like the previous function, this function gets as a parameter the time span that we’d like to get that data for, with the default being 7 days. It returns all users in the SAP systems, their roles, authorization details (set of authorization lines), client ID and system ID.
The screenshot below shows an example of this function from a demo environment. We can create new alerts and new rules according to the users’ roles:
3. SAPUsersGetPrivileged – Privileged Users
This function also gets the desired time span as a parameter, with the default being 7 days. It returns a list of all the relevant privileged users on the SAP systems.The screenshot below shows a list of users in a demo environment with their client ID and system ID. All of them are privileged users, i.e., users with privileged operations on the SAP systems.
This feature is now in public preview. We’re always adding more content and new rules regarding the user master data of SAP, so please share with us your feedback in the comments below.