The NIST framework for security lists 5 steps for a comprehensive security strategy. One of these steps is “detect”. In order to detect you will need to watch, or to monitor to use a more frequently used term. Threat detection using Security Information and Event Management (SIEM) systems, has quickly become one of the most common use cases in cybersecurity strategies throughout. However, most SIEM solutions focus on the infrastructure and are blind for threats to the application. Which seems odd, since often it is only by correlating application logs with infrastructure logs that actual attacks are detected.
The security audit log for SAP solutions (SAL) has been a big help in performing these correlation analyses. And while in our cloud environment, this analysis is performed by our SAP detection and response team, there are instances when customers need to access this information as well. Which is why a few years ago, we opened up the SAL of SAP S/4HANA Cloud to be analyzed directly from a Fiori app. With SAP S/4HANA Cloud 2108 we take this feature one step beyond and make the API we are using accessible to our customers directly.
Now, due to the success of SIEM, there are many solutions with different formats. Even though some of the leaders in the field use a format which due to its success is “understood” by a lot of competing solutions as well, we decided to be consistent with some of the other APIs that SAP is offering. Which is why the SAL API is a REST API and will respond in JSON format. This has the added benefit that you can use the SAL API in another context than just for integrating it with your SIEM solution.
Now for the more interesting part: how can you actually use the new SAL API. What I personally like about REST APIs is their (comparatively) ease of use. This is no different with the SAL API. One word of caution first: the Security Audit Log as such – and therefore valid for the API, too – will only show you events. For correlations, you will have to rely on a SIEM system or another analytic solution. Which doesn’t mean that with the “pure” API you will also see some interesting results.
For example: say you want to see all successful logins to your system. That might be a very big number, so in this first try we’ll limit it to 1000 entries.
Note for easier reading (if you can say that in a URL), the URL has been decoded.
The event type in this case is “AU1”, and you can use “top=1000” to limit the number of entries. Another useful hint: in order to see the latest entries first, append $orderby=log_tstmp%20desc to the query (Yes, we know what you are thinking. We’re with you).
Let’s make this a bit more difficult and see entries from the month of June only (well, from May 30th to June 30th, to be precise):
Or simply chose different events, like successful logins (AU1) as well as failed logins (AU2):
There is more, of course. You will find a complete documentation of the new API here:
https://help.sap.com/viewer/e8c6621864654025997c9daea001a778/latest/en-US/ca24a8adb8c9440a9e7246fb61...
And, of course, you also have the option to use the Fiori App “Display Security Audit Log” if you want to retrieve the information from our examples above – in this case using the respective filters. Here’s how this looks (in order to not be too repetitive, we’ll just have a look at the last example:
Let’s just talk about those events here for a second. If we are honest, “AU1” and “AU2” or all the other events do not really speak for themselves, do they? Well, besides looking it up in the documentation, here’s a pro tipp which, conincidentally, is also available since SAP S/4HANA Cloud 2108: the Static System Audit. It’s visible for the external auditor role, but it will show you everything you need to know – for example, whether the Security Audit Log is actually running. Mind you, it’s always running in the cloud, but external auditors need the proof, that’s why we are showing it. And since we wanted to include some helpful information, too, we put the description of those events which you can view in the security audit log there as well:
For the sake of completeness, here’s the view for the System Environment tab in this screen:
With this manual tools and the API our SAP S/4HANA Cloud customers now have the option for a comprehensive threat detection which can be perfectly integrated into their hybrid environments. Furthermore, this also enables custom security dashboards which are not limited to customers on premise systems, but also includes their SAP S/4HANA Cloud systems.
The security audit log for SAP solutions (SAL) has been a big help in performing these correlation analyses. And while in our cloud environment, this analysis is performed by our SAP detection and response team, there are instances when customers need to access this information as well. Which is why a few years ago, we opened up the SAL of SAP S/4HANA Cloud to be analyzed directly from a Fiori app. With SAP S/4HANA Cloud 2108 we take this feature one step beyond and make the API we are using accessible to our customers directly.
Now, due to the success of SIEM, there are many solutions with different formats. Even though some of the leaders in the field use a format which due to its success is “understood” by a lot of competing solutions as well, we decided to be consistent with some of the other APIs that SAP is offering. Which is why the SAL API is a REST API and will respond in JSON format. This has the added benefit that you can use the SAL API in another context than just for integrating it with your SIEM solution.
How to use it
Now for the more interesting part: how can you actually use the new SAL API. What I personally like about REST APIs is their (comparatively) ease of use. This is no different with the SAL API. One word of caution first: the Security Audit Log as such – and therefore valid for the API, too – will only show you events. For correlations, you will have to rely on a SIEM system or another analytic solution. Which doesn’t mean that with the “pure” API you will also see some interesting results.
For example: say you want to see all successful logins to your system. That might be a very big number, so in this first try we’ll limit it to 1000 entries.
Note for easier reading (if you can say that in a URL), the URL has been decoded.
/sap/opu/odata4/sap/rsau_log_api/srvd_a2x/sap/rsau_log_api/0001/SecurityAuditLog?$filter=eventID eq 'AU1'&$orderby=log_tstmp descThe event type in this case is “AU1”, and you can use “top=1000” to limit the number of entries. Another useful hint: in order to see the latest entries first, append $orderby=log_tstmp%20desc to the query (Yes, we know what you are thinking. We’re with you).
Let’s make this a bit more difficult and see entries from the month of June only (well, from May 30th to June 30th, to be precise):
/sap/opu/odata4/sap/rsau_log_api/srvd_a2x/sap/rsau_log_api/0001/SecurityAuditLog?$filter=(log_tstmp ge 2021-05-30T10:25:09Z and log_tstmp le 2021-06-30T10:25:09Z)&$orderby=log_tstmp desc&$count=true
Or simply chose different events, like successful logins (AU1) as well as failed logins (AU2):
/sap/opu/odata4/sap/rsau_log_api/srvd_a2x/sap/rsau_log_api/0001/SecurityAuditLog?$filter=log_tstmp gt 2021-05-30T10:06:49Z and (eventID eq 'AU1' or eventID eq 'AU2')&$orderby=log_tstmp desc&$count=true
There is more, of course. You will find a complete documentation of the new API here:
https://help.sap.com/viewer/e8c6621864654025997c9daea001a778/latest/en-US/ca24a8adb8c9440a9e7246fb61...
And, of course, you also have the option to use the Fiori App “Display Security Audit Log” if you want to retrieve the information from our examples above – in this case using the respective filters. Here’s how this looks (in order to not be too repetitive, we’ll just have a look at the last example:
Display of the Security Audit Log
Let’s just talk about those events here for a second. If we are honest, “AU1” and “AU2” or all the other events do not really speak for themselves, do they? Well, besides looking it up in the documentation, here’s a pro tipp which, conincidentally, is also available since SAP S/4HANA Cloud 2108: the Static System Audit. It’s visible for the external auditor role, but it will show you everything you need to know – for example, whether the Security Audit Log is actually running. Mind you, it’s always running in the cloud, but external auditors need the proof, that’s why we are showing it. And since we wanted to include some helpful information, too, we put the description of those events which you can view in the security audit log there as well:
Description of Security Audit Log Events
For the sake of completeness, here’s the view for the System Environment tab in this screen:
System Environment in Display Static System Audit
With this manual tools and the API our SAP S/4HANA Cloud customers now have the option for a comprehensive threat detection which can be perfectly integrated into their hybrid environments. Furthermore, this also enables custom security dashboards which are not limited to customers on premise systems, but also includes their SAP S/4HANA Cloud systems.
- SAP Managed Tags:
2 Comments
