How to Detect SAP Threats in Real-Time with LogSentinel SIEM?

LogSentinel Real-Time Alerting for SAP Enterprise Threat Detection

When it comes to the security of SAP systems, SIEM products often fail to meet companies’ expectations as they couldn’t fully interpret the SAP logs. LogSentinel Next-Gen SIEM solves this problem, eliminating the blind spots, as well as all SAP threats, and successfully parsing every log file in a human-readable format. LogSentinel SIEM helps companies to identify and prevent cyberattacks by gathering and analyzing log files from both SAP and non-SAP applications, correlating actions in real-time, and alerting for anomalies.

With LogSentinel SIEM, you are able to protect your SAP systems from insider and outsider cyberattacks, leveraging real-time threat detection. LogSentinel SIEM easily integrates your SAP systems with your SIEM software for compliance and security monitoring purposes. With LogSentinel SIEM, your security team will be capable of monitoring business-critical events in real-time and be able to detect and respond to SAP-related threats in real-time.



How to Quickly Set Up and Monitor LogSentinel SIEM’s Threat Detection for SAP Threats

LogSentinel SIEM for SAP

Supported connectors

The LogSentinel Collector is а component that gets installed on-premise to listen to a configured set of log sources. It can be installed on Linux and Windows and supports the types of sources such as Log files that can be collected and sent, line by line, to the LogSentinel SIEM service. These are typical application logs and logs by systems like SAP.

LogSentinel SIEM supports various collector types, including sapReadAccessLog, which is reading SAP’s RAL (Read access log).

The file connector can parse files in multiple formats (Common log format, delimited, JSON, XML, MySQL audit log, etc.) and retrieve them from multiple sources (Local, SSH, FTP, SMB). The SAP security audit log and SAP read access log are available in the format options of the file connector. This helps your security team be able to receive the SAP security logs in a human-readable format.

How to integrate SAP logs with LogSentinel SIEM

Once you connect your SAP with LogSeninel SIEM, you will be able to parse your logs in a human-readable, unified format. This way, you will be also able to cross-check events across different systems and track down sophisticated events involving more than one application.


SAP Threat Hunting how to collect logs

Go to Sources and Integrations->Data Sources, and select to update SAP’s settings.

You will be allowed to make additional data extractions settings in order to be able to read the actor ID, role, display name, etc. In the “Visualization” tab, you can apply a custom JavaScript code to all details before displaying them. 

In the “Integrity” tab, you will be able to customize the data integrity options or allow/disallow Merkle trees and hash generation.

In addition, you are able to add a  list of whitelisted IP addresses, in order to ensure no one is tampering with data from outside the organization.

You can even select threat intel sources to disable for this data source (SAP).

Real-Time Alerts suitable for SAP anomaly threat detection

LogSentinel SIEM helps security teams detect security threats by leveraging correlation rules, statistical rules, and ML-based anomaly detection.

All the alerts for detected anomalies based on the rules set up are displayed in the “Alerts” section. There, you can select the “SAP” data source to review the alerts fired for SAP only.

You can filter by rule name, alert type, or tags. You can also select a date range for your threat hunting purposes.

Real-time alert triaging

When you review all the threats displayed, you can Triage every each of them to track down in detail what exactly happened.

How to Triage SAP Security Threats

Once you click on the “Triage” button, a new dialogue box is displayed. There, you will review the logs in detail, and have the option to confirm the alert, execute a response, or dismiss it in case it’s a false positive.

You can click on every single log displayed and review the activities of the selected actor in the SAP system for this period of time. This will help you better understand the motives behind this action.

Triage security threats

Detailed Threat Review

If you click to review the actor’s consecutive actions, you will be able to review the security threat in detail and understand it better. Figure out what’s happening with a single glance: easily check action types, data sources, timestamps, and action details.

Detailed Threat Review of SAP

Correlation Rules for Detecting SAP Security Threats

Our SIEM offers a rich library of rules templates for the most common threat case scenarios.  To execute the ones relevant to your organization, you need to go to Alerts -> Correlation Rules. Then select the rule you would like to fire and click on “Create from selected templates”. You will be asked for which applications you would like to fire it, so you can select SAP only, or other applications as well.

Correlation Rules SAP

Why Does Tracking SAP Activity Outside of Working Hours Matter?

Insider threats would always happen outside of working hours. In fact, the recent success of the Kaseya Ransomware attack was based on something similar. And if your company has the capabilities to detect anomalies outside of working hours, you will be able to eliminate the blind spot of a big portion of the most common security threats.

The working hours’ setup is easy and can be made separately for each application. To set up SAP’s working hours, go to Alerts -> Working hours, and select SAP Working Hours. You can also add holidays, such as 25th of December when it would be uncommon for your staff to log in.

Outside of Working Hours


Are you interested to see how LogSentinel SIEM can secure your SAP in real-time? Request a free DEMO today:


Like this article? Share it with your network!