SIEM INTEGRATION FOR SAP©

Key Takeaways

⇨ Security Information and Event Management (SIEM) platforms require comprehensive log data collection, including SAP application logs, for effective threat detection and incident response.

⇨ Integrating SAP logs with SIEM systems is challenging due to log complexity, high volume, maintenance demands, and lack of standardized formats, making direct integration cumbersome.

⇨ Using SAP Solution Manager for log monitoring and alerting simplifies the integration process, enabling efficient detection of security events and easier ingestion by SIEM platforms.

Security Information and Event Management (SIEM) platforms combine the ability to collect log data from applications, hosts, routers, switches, firewalls and other endpoints with the ability to analyze events to support threat detection, event correlation and incident response.

SIEM platforms require complete coverage for maximum yield. In other words, organizations reap the full benefits of SIEM platforms when monitoring logs throughout the technological infrastructure. This includes SAP application logs for organizations with SAP systems.

However, there are several challenges with integrating SAP application logs with SIEM systems. The first challenge is complexity. SAP systems typically contain multiple logs that capture security-relevant events. The SAP NetWeaver Application Server ABAP (AS ABAP) alone has at least seven such logs including the Security Audit Log, Gateway Server Log, HTTP Log, System Log, Transaction Log, Change Document Log, and the Read Access Log. The logs do not have a standardized format or structure. Some are captured at the file level and others are stored in SAP tables. The complexities involved in integrating multiple and distinct logs from each SAP system should not be underestimated, especially for large SAP landscapes.

The second challenge is log volume. Raw event logs can grow to gigabytes and even terabytes within a relatively short period of time in SAP systems that often support thousands of end users and hundreds of cross-system connections. Transmitting large volumes of log data from SAP systems to SIEM platforms could consume high levels of network bandwidth. The need to store such data for analysis could also increase resource requirements and licensing costs for SIEM systems. The third challenge with directly integrating SAP logs is maintenance. Monitoring and supporting the numerous integration points between SAP systems and SIEM platforms, as well as regular archiving to deal with the accumulation of log data, could lead to high maintenance costs.

Finally, many SAP logs do not natively include information to support cross-platform correlation using SIEM tools. This includes source and destination IPs for security events. Values for sources and destinations in SAP logs are often terminal names and SAP System IDs (SIDs) rather than IP addresses. Therefore, Security Operations Centers (SOCs) are not able to easily correlate SAP events with non-SAP events in SIEM platforms.

The challenges of log complexity, volume, maintenance and correlation can be overcome by monitoring SAP event logs with Solution Manager. SAP Solution Manager is a management platform installed in SAP landscapes. Licensing for Solution Manager is bundled with SAP Support agreements. Therefore, most SAP customers have usage rights for the software.

The monitoring and alerting infrastructure in Solution Manager connects directly to event logs in SAP systems to detect indicators of compromise (IOCs) and trigger alerts for security events. Alerts are written to text files in real time by Solution Manager before they are ingested by SIEM platforms. This approach supports log filtering, normalization and enrichment, and therefore provides a simpler, easier and faster method for integrating SAP event logs with SIEM platforms.
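As an added example, not part of the original article and not Solution Manager's own output format (which the article does not describe), the following Python normalizer illustrates the filtering and enrichment step that closes the correlation gap described above: it reads constructed pipe-delimited alert lines, drops low-severity noise before it reaches the SIEM, and attaches IP addresses to the terminal names and SIDs that SAP logs carry, using a hypothetical asset inventory, so a SOC can join SAP events with firewall and host events. The line layout, the inventory tables and the sample records are all assumptions made for this example.

```python
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

# Constructed asset inventory (hypothetical values). In a real deployment this
# would be fed from a CMDB or the SAP landscape directory, not hard-coded.
SID_TO_HOST = {
    "PRD": {"host": "sapprd01.example.internal", "ip": "10.10.1.20"},
    "QAS": {"host": "sapqas01.example.internal", "ip": "10.10.1.30"},
}
TERMINAL_TO_IP = {
    "WS-FIN-042": "10.20.5.42",
    "WS-HR-007": "10.20.6.7",
}

# Severity scale assumed for the alert files; higher rank means more urgent.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class SiemEvent:
    """Normalized record a SIEM can index; None means enrichment had no match."""
    timestamp: str
    sid: str
    client: str
    user: str
    event_id: str
    severity: str
    message: str
    src_terminal: str
    src_ip: Optional[str]
    dst_host: Optional[str]
    dst_ip: Optional[str]


def parse_alert_line(line: str) -> dict:
    """Parse one alert line in the hypothetical pipe-delimited layout:
    timestamp|SID|client|user|terminal|event_id|severity|message."""
    fields = [f.strip() for f in line.split("|", 7)]
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    keys = ["timestamp", "sid", "client", "user", "terminal",
            "event_id", "severity", "message"]
    rec = dict(zip(keys, fields))
    if rec["severity"] not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {rec['severity']!r}")
    return rec


def enrich(rec: dict) -> SiemEvent:
    """Attach source and destination IPs so the SIEM can correlate the event
    with network and host telemetry; unknown terminals keep their name."""
    target = SID_TO_HOST.get(rec["sid"])
    return SiemEvent(
        timestamp=rec["timestamp"],
        sid=rec["sid"],
        client=rec["client"],
        user=rec["user"],
        event_id=rec["event_id"],
        severity=rec["severity"],
        message=rec["message"],
        src_terminal=rec["terminal"],
        src_ip=TERMINAL_TO_IP.get(rec["terminal"]),
        dst_host=target["host"] if target else None,
        dst_ip=target["ip"] if target else None,
    )


def normalize(lines: List[str], min_severity: str = "MEDIUM") -> List[SiemEvent]:
    """Filter out events below min_severity, then parse and enrich the rest."""
    threshold = SEVERITY_RANK[min_severity]
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_alert_line(line)
        if SEVERITY_RANK[rec["severity"]] < threshold:
            continue  # filtering: keep low-value noise off the SIEM's volume meter
        events.append(enrich(rec))
    return events


def to_jsonl(events: List[SiemEvent]) -> str:
    """Serialize as JSON Lines, one event per line, for a file-based collector."""
    return "\n".join(json.dumps(asdict(e), sort_keys=True) for e in events)


# Constructed sample alert lines (not real Solution Manager output).
SAMPLE_LINES = [
    "2024-03-04T08:15:02Z|PRD|100|JSMITH|WS-FIN-042|AU2|HIGH|Logon failed (reason=1, type=A)",
    "2024-03-04T08:15:09Z|PRD|100|JSMITH|WS-FIN-042|AU1|INFO|Logon successful (type=A)",
    "2024-03-04T08:16:30Z|PRD|000|DDIC|UNKNOWN-TERM|AU2|HIGH|Logon failed (reason=53, type=A)",
]

if __name__ == "__main__":
    print(to_jsonl(normalize(SAMPLE_LINES)))
```

Running the block drops the INFO logon and emits two JSON Lines records; the first carries both endpoint IPs, while the third sample keeps `src_terminal` but has `src_ip` set to null because the terminal is absent from the inventory, which is the signal a SOC analyst should treat as a gap in asset coverage rather than silently discard.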

Learn more with Layer Seven Security.
