Send Logging of SAP GUI for Windows entries to your SIEM solution
Our customers consume logging of SAP GUI for Windows (referred to below as "UIL") entries in their SIEM solutions through SAP Enterprise Threat Detection, thanks to the standard connector between UIL and SAP Enterprise Threat Detection and the connectors between SAP Enterprise Threat Detection and SIEM solutions such as IBM QRadar, HP ArcSight, Splunk and others.
But what can you do if SAP Enterprise Threat Detection is not available to you as a customer?
Below I describe the approach taken in one customer project; it should help you understand the steps required to enrich your SIEM solution with UIL records:
- Develop your own BAdI implementation of BAdI definition /LOGS4H/GET_TRANSFER_HDL_BADI to replace the standard implementation /LOGS4H/GET_TRANSFER_HDL_IMPL:
This way you provide your own transfer handler, which is used during the transfer to the log repository (transaction /LOGS4H/TSF_TO_EXT), and thus override the standard logic that stores the data in DB tables.
- The standard BAdI implementation is the method /LOGS4H/CL_GET_TRANSFER_HDL->/LOGS4H/IF_GET_TRANSFER_HDL~GET_TRANSFER_HANDLER():
Class /LOGS4H/CL_GET_TRANSFER_HDL implements interface /LOGS4H/IF_GET_TRANSFER_HDL.
Execute transaction /LOGS4H/TSF_TO_EXT if you want to debug the standard log transfer behavior.
- By default UIL stores its logs using the method /LOGS4H/CL_DATA_HAND_EXT_FTL->STORE_DATA():
Inside this method the internal table LT_EXT_LOG[] holds the newly recorded delta for the UIL repository, i.e. exactly the records your own transfer handler has to forward.
- Eventually the method /LOGS4H/CL_EXT_LOG_ACCESS->STORE() is executed, which in turn calls /LOGS4H/CL_EXT_LOG_EDM_SAPGUI->/LOGS4H/IF_EXTLOG_EDM_BADI~STORE_EDM() to store the UIL values in DB tables such as /LOGS4H/LOG_NV_D and /LOGS4H/LOG_NV_H.
Here the BAdI /LOGS4H/EXT_LOG_EDM_BADI is used.
Metadata, headers and positions are the three levels you see in transaction /LOGS4H/SHOW_LOG (highlighted in the original screenshot in red, green and yellow respectively):
- Metadata
- Headers
- Positions
Metadata, headers and positions are correlated using GUIDs, so a consumer outside the SAP system can rebuild the same hierarchy from the individual records.
Your own implementation of the transfer handler pushes the UIL data to a web service published by the SIEM solution, or uses any other method the SIEM supports (JDBC, files, etc.).
Thus you can enrich your central SIEM solution with events gathered from your SAP landscape, such as:
- Who executed which business transactions or reports, and when
- Which screens, fields or controls were viewed and changed
- Which actions and activities were performed
This is a solid basis for building correlation rules that protect your enterprise against leakage or misuse of your critical business data.
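As an added example (not SAP's code and not from the customer project described here), the following Python script shows the two things the transfer handler and the SIEM side must agree on: how metadata, headers and positions are joined through their GUIDs into one flat event per logged field, and what a correlation rule over those events looks like. The column names, GUID names, sample records, the set of "sensitive" fields and the CEF vendor/product strings are constructed assumptions for illustration; the real /LOGS4H/ table layouts differ, and CEF (for ArcSight-style collectors) is just one payload option alongside JSON to a web service, JDBC or files.

```python
"""Join UI Logging (UIL) metadata, header and position records via their GUIDs
into flat SIEM events, render them as CEF and run one correlation rule.

Added example, not SAP code: record layouts, column names and GUID names are
assumptions for illustration; the real /LOGS4H/ tables differ."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample delta (assumed layout): metadata per transaction step,
# headers linked by META_GUID, positions (fields) linked by HDR_GUID.
METADATA = [
    {"META_GUID": "M1", "USER": "JDOE", "TCODE": "VA03", "TERMINAL": "WS-0117", "TIMESTAMP": "2019-03-04T08:15:00"},
    {"META_GUID": "M2", "USER": "JDOE", "TCODE": "XD03", "TERMINAL": "WS-0117", "TIMESTAMP": "2019-03-04T08:16:10"},
    {"META_GUID": "M3", "USER": "ASMITH", "TCODE": "VA03", "TERMINAL": "WS-0220", "TIMESTAMP": "2019-03-04T09:02:00"},
]
HEADERS = [
    {"HDR_GUID": "H1", "META_GUID": "M1", "PROGRAM": "SAPMV45A", "DYNPRO": "4001", "ACTION": "DISPLAY"},
    {"HDR_GUID": "H2", "META_GUID": "M2", "PROGRAM": "SAPMF02D", "DYNPRO": "0111", "ACTION": "DISPLAY"},
    {"HDR_GUID": "H3", "META_GUID": "M3", "PROGRAM": "SAPMV45A", "DYNPRO": "4001", "ACTION": "DISPLAY"},
]
POSITIONS = [
    {"POS_GUID": "P1", "HDR_GUID": "H1", "FIELD": "KUNNR", "VALUE": "0000100123", "CHANGED": False},
    {"POS_GUID": "P2", "HDR_GUID": "H1", "FIELD": "NETWR", "VALUE": "12500.00", "CHANGED": False},
    {"POS_GUID": "P3", "HDR_GUID": "H2", "FIELD": "KUNNR", "VALUE": "0000100123", "CHANGED": False},
    {"POS_GUID": "P4", "HDR_GUID": "H2", "FIELD": "BANKN", "VALUE": "DE89370400440532013000", "CHANGED": False},
    {"POS_GUID": "P5", "HDR_GUID": "H2", "FIELD": "STCD1", "VALUE": "DE123456789", "CHANGED": True},
    {"POS_GUID": "P6", "HDR_GUID": "H3", "FIELD": "NETWR", "VALUE": "980.00", "CHANGED": False},
    {"POS_GUID": "P7", "HDR_GUID": "H9", "FIELD": "NETWR", "VALUE": "1.00", "CHANGED": False},  # header not in this delta
]
SENSITIVE_FIELDS = {"BANKN", "STCD1"}  # assumption: fields holding critical business data


def flatten_events(metadata, headers, positions):
    """Return (events, orphans): one event per position joined to its header and
    metadata; orphans are positions whose header/metadata is missing (assumed
    possible across transfer deltas) and should be retried, not dropped."""
    meta_by_guid = {m["META_GUID"]: m for m in metadata}
    hdr_by_guid = {h["HDR_GUID"]: h for h in headers}
    events, orphans = [], []
    for pos in positions:
        hdr = hdr_by_guid.get(pos["HDR_GUID"])
        meta = meta_by_guid.get(hdr["META_GUID"]) if hdr else None
        if meta is None:
            orphans.append(pos)
            continue
        events.append({
            "timestamp": meta["TIMESTAMP"], "user": meta["USER"], "terminal": meta["TERMINAL"],
            "tcode": meta["TCODE"], "program": hdr["PROGRAM"], "dynpro": hdr["DYNPRO"],
            "action": hdr["ACTION"], "field": pos["FIELD"], "value": pos["VALUE"],
            "changed": pos["CHANGED"], "guids": (meta["META_GUID"], hdr["HDR_GUID"], pos["POS_GUID"]),
        })
    return events, orphans


def cef_escape(text, extension=False):
    """CEF escaping: backslash and pipe in the header; backslash, '=' and newline in extensions."""
    text = str(text).replace("\\", "\\\\")
    if extension:
        return text.replace("=", "\\=").replace("\n", "\\n")
    return text.replace("|", "\\|")


def to_cef(event):
    """Render one event as a CEF line (vendor/product/signature strings are assumptions).
    The field VALUE is deliberately not forwarded: copying screen contents into the
    SIEM would spread the very data you are trying to protect."""
    sig = "uil-field-changed" if event["changed"] else "uil-field-viewed"
    header = "|".join(cef_escape(p) for p in
                      ("CEF:0", "SAP", "UI Logging", "1.0", sig, event["action"], "5" if event["changed"] else "3"))
    ext = {"rt": event["timestamp"], "suser": event["user"], "shost": event["terminal"],
           "cs1Label": "tcode", "cs1": event["tcode"], "cs2Label": "program", "cs2": event["program"],
           "cs3Label": "dynpro", "cs3": event["dynpro"], "cs4Label": "field", "cs4": event["field"],
           "cs5Label": "guids", "cs5": "/".join(event["guids"])}
    return header + "|" + " ".join(f"{k}={cef_escape(v, True)}" for k, v in ext.items())


def sensitive_access_alerts(events, threshold=2, window=timedelta(minutes=10)):
    """Correlation rule: a user who views or changes at least `threshold` distinct
    sensitive fields within `window`. Returns [(user, fields, first_ts, last_ts)]."""
    hits = defaultdict(list)
    for ev in events:
        if ev["field"] in SENSITIVE_FIELDS:
            hits[ev["user"]].append((datetime.fromisoformat(ev["timestamp"]), ev["field"]))
    alerts = []
    for user, accesses in hits.items():
        accesses.sort()
        for i, (start, _) in enumerate(accesses):
            inside = [(t, f) for t, f in accesses[i:] if t - start <= window]
            fields = sorted({f for _, f in inside})
            if len(fields) >= threshold:
                alerts.append((user, fields, start, inside[-1][0]))
                break  # one alert per user per delta; tune for production
    return alerts


if __name__ == "__main__":
    evs, orphans = flatten_events(METADATA, HEADERS, POSITIONS)
    for ev in evs:
        print(to_cef(ev))
    print("orphans to retry:", [o["POS_GUID"] for o in orphans])
    for user, fields, start, end in sensitive_access_alerts(evs):
        print(f"ALERT: {user} accessed {fields} between {start} and {end}")
```

Two design points carry over to a real transfer handler regardless of the payload format: keep the three GUIDs on every forwarded event so the SIEM can reconstruct the metadata/header/position hierarchy, and decide deliberately which columns leave the SAP system, since the logged field values themselves are often exactly the data the correlation rules are meant to protect.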
Of course, your solution must comply with the data protection and privacy regulations that apply in your country or region.
More information about the features and functions of logging of SAP GUI for Windows is available in the UI Data Security (UI Masking and UI Logging) presentation here: https://www.sap.com/documents/2015/06/0a0d918e-5b7c-0010-82c7-eda71af511fa.html