
SAP BTP divides security activity between Cloud Foundry audit events and the Audit Log Management Service.
The Cybersecurity Extension for SAP combines both SAP BTP audit sources, archives events beyond native retention, and correlates activity into contextual alerts.
The extension forwards filtered and enriched SAP BTP security events to SIEM platforms including Splunk, Microsoft Sentinel, and IBM QRadar.
SAP Business Technology Platform (BTP) carries extensions, integrations, automation, and a growing set of AI services. Each one generates security-relevant activity worth watching.
Under RISE with SAP, that is a customer responsibility. SAP secures the underlying infrastructure, while the application and data layer, including access, configuration, and incident monitoring, stays with the organization running the workloads.
Layer Seven Security builds its case there. The firm’s Cybersecurity Extension for SAP pulls security events from SAP BTP’s two native audit sources into a single detection layer, answering a problem many SAP teams now share.
Two Log Sources Cover Different BTP Activity
The first source is Cloud Foundry, the runtime that builds and runs applications inside BTP. Its CAPI v3 interface exposes a /v3/audit_events endpoint that records platform activity: service instance and service key lifecycle events, space and organization role assignments, and application lifecycle changes. These events reveal who changed what in the runtime.
Reaching them requires a defined access path. A read-only account is created in SAP Identity Authentication Service. Two view-only roles give it the access it needs: the Org Auditor role covers the whole organization, and the Space Auditor role covers each monitored space. Cloud Foundry documentation confirms both as audit-only roles, which keeps collection separated from administrative rights.
The second source, the Audit Log Management Service, captures a broader band of activity through the CF v2 Audit Log API. It records user logons and failures, role and permission changes, subaccount configuration changes, API calls, and administrative actions.
Pulling that data relies on a standard security handshake called OAuth 2.0. The system trades a stored ID and secret for a temporary access pass, then uses that pass to request the logs. The pass expires on its own, so the stored credentials are not exposed with every request.
The two sources complement rather than duplicate each other, one watching the runtime and the other watching the platform around it.
Retention and Regional Rules Shape Coverage
Retention is the first constraint, and the two sources differ.
Cloud Foundry audit events expire after 31 days by default, a window configurable only at the platform level. The Audit Log Management Service holds data longer, with a default retention of 90 days at no additional cost under SAP’s documentation.
The plans add a second layer of nuance. Subaccount-level events are collected through the default plan, while global-account events require the central plan.
SAP routes central-plan retrieval through the EU10 Frankfurt region for most customers, with exceptions for global accounts based in China through Shanghai and US Government Cloud accounts through their own central regions. Each service instance carries its own service key, credentials, and endpoint, and those credentials cannot be reused across subaccounts or plans.
Volume is the third constraint. SAP applies rate limits to the retrieval API, allowing roughly eight requests per second per token in regions such as CF-EU10. A quick script that pulls logs as fast as it can will hit that ceiling and get throttled. Steady, spaced-out requests are needed to stay under the cap.
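The token reuse and request spacing described above, as an added example that is not SAP's or Layer Seven Security's code: a collector that keeps one token until shortly before it expires and spaces page requests to stay at eight per second. The `get_token` and `fetch_page` callables, the 30-second refresh margin, and every token and event in `simulate` are hypothetical or constructed; no real endpoint is called.

```python
import time
MAX_RPS = 8  # per-token ceiling the article cites for regions such as CF-EU10

class PacedCollector:
    """Reuses one OAuth token until near expiry; spaces requests 1/MAX_RPS apart."""
    def __init__(self, get_token, fetch_page, clock=time.monotonic, sleep=time.sleep):
        self.get_token = get_token    # hypothetical: () -> (token, expires_in_s)
        self.fetch_page = fetch_page  # hypothetical: (token, cursor) -> (records, next)
        self.clock, self.sleep = clock, sleep
        self.token, self.expiry, self.last_sent = None, 0.0, None

    def _token(self):
        # Assumed margin: refresh 30 s early so no request carries a dying token.
        if self.token is None or self.clock() >= self.expiry - 30:
            self.token, ttl = self.get_token()
            self.expiry = self.clock() + ttl
        return self.token

    def _pace(self):
        # Sleep only for whatever part of the interval the last call did not use.
        if self.last_sent is not None:
            wait = 1.0 / MAX_RPS - (self.clock() - self.last_sent)
            self.sleep(max(0.0, wait))
        self.last_sent = self.clock()

    def collect(self, cursor=None):
        records = []
        while True:
            token = self._token()
            self._pace()
            page, cursor = self.fetch_page(token, cursor)
            records.extend(page)
            if cursor is None:
                return records

def simulate(pages=4000, ttl=300.0, latency=0.03125):
    """Constructed offline run: fake clock, fake token endpoint, fake log pages."""
    now, sent, minted = [0.0], [], []
    def clock(): return now[0]
    def sleep(s): now[0] += s
    def get_token():
        minted.append(clock())
        return f"constructed-token-{len(minted)}", ttl
    def fetch_page(token, cursor):
        sent.append(clock())
        sleep(latency)  # simulated round trip
        n = (cursor or 0) + 1
        return [f"constructed-event-{n}"], (n if n < pages else None)
    records = PacedCollector(get_token, fetch_page, clock, sleep).collect()
    gaps = [b - a for a, b in zip(sent, sent[1:])]
    return len(records), len(minted), min(gaps)
```

`simulate()` returns the number of records collected, the number of tokens requested, and the smallest gap between two consecutive requests in seconds.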
Cybersecurity Extension for SAP Unifies BTP Logs
Layer Seven Security positions the Cybersecurity Extension for SAP to absorb both audit sources and correlate their events across global accounts, subaccounts, and runtimes.
The agentless, SAP-certified ABAP add-on is designed to pull those two separate sources together into a single detection layer. It polls continuously and archives events in a separate store, so records outlast the Cloud Foundry expiry.
From there, the add-on correlates those events into contextual alerts across seven classes, including misused admin rights, risky configuration changes, suspicious user activity, and exposed login credentials. Layer Seven frames this as the shift to policy-driven detection.
The extension also forwards filtered and enriched events through a single integration point to SIEM platforms including Splunk, Sentinel, and QRadar, letting a security operations center correlate BTP activity with the rest of the estate.
In early 2026, SAP switched on its own Audit Log Viewer for each subaccount and added a viewer for the whole account inside the BTP cockpit, so teams no longer need support tickets or custom code just to see their logs.
But those viewers only show the logs. Pulling both sources together, connecting the dots between them, and saving the records past the 31-day cutoff is the job Layer Seven Security built the Cybersecurity Extension for SAP to do.
What This Means for SAPinsiders
- Retention gaps become audit-evidence gaps. A 31-day runtime window expires long before most annual audits or breach investigations begin. Organizations treating native retention as their compliance record will find the trail gone exactly when regulators or forensics teams ask for it.
- Fragmented logging quietly raises operating cost. Every subaccount, plan, and region carries its own credentials and rate limits, so collection scales in engineering hours, not just data volume. The hidden expense is staff time spent maintaining plumbing rather than investigating threats.
- SAP’s native viewers will reset buyer expectations. As built-in visibility becomes the default in the BTP cockpit, the bar for third-party tools shifts from access to correlation. Vendors that only surface logs lose ground; those that interpret them across sources keep their reason to exist.




