Best Practice 7.4 – Implement logging and reporting for user access and authorization changes and events - SAP Lens

User access and authorization events in your SAP systems should be logged, analyzed, and audited regularly. Consolidate and correlate security events from your SAP applications and database with other components of your architecture. This can allow for end-to-end tracing in the event of a critical security problem or breach. Automate analysis of events in a central Security Information and Event Management (SIEM) system. This can allow your operations team to understand if any unexpected or suspicious activity occurs outside of the bounds of normal system controls. They can then remediate as needed.

Suggestion 7.4.1 – Log AWS Identity and Access Management (IAM) events

Consider keeping a historical log of AWS IAM events so that it can be used to detect or audit user and authorization changes within your AWS accounts. AWS CloudTrail records IAM API calls and console sign-in events; enable it in every account and Region that hosts your SAP workload, and protect the log store from the same principals it records. Determine your log retention period and the types of events to log based on your organization's security policies.

Enable your operations team to answer audit questions at the infrastructure level for your SAP system:

  • When and by whom was the new AWS console/CLI user created?

  • When and by whom was the AWS IAM role modified?

  • When did the AWS user last successfully sign in?

  • Is there a suspicious number of failed sign-in attempts to the AWS account?
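As an added example (not AWS's own code), the following Python script answers those four questions from CloudTrail records. The records are constructed to follow CloudTrail's JSON shape and are embedded so the script runs offline; in practice you would read the files CloudTrail delivers to S3 or query them from CloudWatch Logs or Athena. The set of role-changing API names is a starting point, and the account ID, user and role names are placeholders.

```python
"""Answer the IAM audit questions above from CloudTrail records (added example)."""
import json
from collections import Counter

# Constructed sample in CloudTrail's "Records" JSON shape; not real account data.
# Account ID, user names, role names and ARNs are placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-01T08:02:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "sap-admin"},
     "requestParameters": {"userName": "deploy-bot"}},
    {"eventTime": "2024-03-01T08:05:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/OpsRole/alice"},
     "requestParameters": {"roleName": "SapBackupRole",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-03-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "responseElements": {"ConsoleLogin": "Success"}},
] + [
    # Six failed console sign-ins for the same user within a few minutes.
    {"eventTime": f"2024-03-01T09:1{i}:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "sap-admin"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"}
    for i in range(6)
]})

# IAM API names that change what a role can do or who may assume it (a starting set, assumption).
ROLE_MUTATORS = {"UpdateRole", "UpdateAssumeRolePolicy", "AttachRolePolicy", "DetachRolePolicy",
                 "PutRolePolicy", "DeleteRolePolicy", "DeleteRole", "PutRolePermissionsBoundary"}


def load_records(trail_json):
    return json.loads(trail_json)["Records"]


def actor(rec):
    """Who acted: the IAM user name, or the session name of an assumed role."""
    ident = rec.get("userIdentity", {})
    if ident.get("type") == "IAMUser":
        return ident.get("userName", "?")
    # For AssumedRole the ARN ends in .../<role>/<session name>; the session
    # name is usually the human or job that assumed the role.
    return ident.get("arn", ident.get("type", "?")).rsplit("/", 1)[-1]


def user_created(records, user_name):
    """(eventTime, actor) of the CreateUser call that created user_name, or None."""
    for r in records:
        if r["eventName"] == "CreateUser" and r.get("requestParameters", {}).get("userName") == user_name:
            return r["eventTime"], actor(r)
    return None


def role_modified(records, role_name):
    """Every change to role_name as [(eventTime, actor, eventName)], oldest first."""
    hits = [(r["eventTime"], actor(r), r["eventName"]) for r in records
            if r["eventName"] in ROLE_MUTATORS
            and r.get("requestParameters", {}).get("roleName") == role_name]
    return sorted(hits)


def last_successful_signin(records, user_name):
    """eventTime of the newest successful console sign-in, or None.
    CloudTrail's ISO-8601 'Z' timestamps sort correctly as strings."""
    return max((r["eventTime"] for r in records
                if r["eventName"] == "ConsoleLogin" and actor(r) == user_name
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"), default=None)


def failed_signins(records, threshold=5):
    """{user: failures} for users with more than threshold failed console sign-ins."""
    fails = Counter(actor(r) for r in records
                    if r["eventName"] == "ConsoleLogin"
                    and r.get("responseElements", {}).get("ConsoleLogin") == "Failure")
    return {u: n for u, n in fails.items() if n > threshold}


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    print("deploy-bot created:", user_created(recs, "deploy-bot"))
    print("SapBackupRole changes:", role_modified(recs, "SapBackupRole"))
    print("deploy-bot last sign-in:", last_successful_signin(recs, "deploy-bot"))
    print("brute-force candidates:", failed_signins(recs))
```

Failed console sign-ins appear as ConsoleLogin events whose responseElements.ConsoleLogin is Failure. Calls made through an assumed role carry the role session name rather than a user name, so tying a session name to a person requires your SSO or role-assumption policy; the trail alone does not establish it.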

For further information, consider the following:

Suggestion 7.4.2 – Log user and authorization changes in your operating system

Consider keeping a historical log of operating system (OS) user and authorization events so that it can be used for detection or audit. On Linux this means the authentication log (for example, /var/log/secure or the systemd journal) and, for a kernel-generated record of changes to /etc/passwd, /etc/shadow and the sudoers configuration, the Linux audit framework (auditd). Determine your log retention period and the types of events to log based on your organization's security policies.

Enable your operations team to answer audit questions at the operating system level for your SAP system such as:

  • When and by whom was the new superuser OS account created?

  • When and by whom were the OS account's permissions modified?

  • When did the OS user last successfully sign in?

  • Is there a suspicious number of failed sign-in attempts for the OS account?

  • When did your OS user last use elevated permissions?
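Added example, not part of the SAP Lens: a Python detection over Linux authentication log lines that answers the five questions above. The lines are constructed in the syslog format that shadow-utils, sudo and sshd write (RHEL's /var/log/secure); the host name, user names, addresses and the set of admin groups are assumptions.

```python
"""Answer the OS-level audit questions above from Linux auth log lines (added example)."""
import re
from collections import Counter

# Constructed lines in the syslog format RHEL writes to /var/log/secure.
# Host, users and addresses are placeholders.
SAMPLE_LINES = [
    "Mar  1 08:09:55 saphost sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -o -u 0 -g 0 svc_backup",
    "Mar  1 08:09:55 saphost useradd[2211]: new user: name=svc_backup, UID=0, GID=0, home=/home/svc_backup, shell=/bin/bash, from=/dev/pts/0",
    "Mar  1 08:12:30 saphost sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/usermod -aG wheel bob",
    "Mar  1 08:12:30 saphost usermod[2240]: add 'bob' to group 'wheel'",
    "Mar  1 08:12:30 saphost usermod[2240]: add 'bob' to shadow group 'wheel'",
    "Mar  1 08:30:01 saphost sshd[2301]: Accepted publickey for bob from 10.0.1.5 port 51234 ssh2: RSA SHA256:c2FtcGxl",
    "Mar  1 08:31:10 saphost sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su - hdbadm",
    "Mar  1 09:00:01 saphost sshd[2402]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2",
] + [f"Mar  1 09:0{i}:30 saphost sshd[24{i}0]: Failed password for hdbadm from 198.51.100.7 port 4000{i} ssh2"
     for i in range(1, 7)]  # six failures against the HANA OS user from one address

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([\w.-]+)(?:\[\d+\])?: (.*)$")
SUDO_RE = re.compile(r"^(\S+) : TTY=\S+ ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.*)$")
NEW_USER_RE = re.compile(r"new user: name=([^,]+), UID=(\d+)")
GROUP_ADD_RE = re.compile(r"add '([^']+)' to group '([^']+)'")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
FAILED_RE = re.compile(r"Failed \S+ for (?:invalid user )?(\S+) from (\S+)")
ADMIN_GROUPS = {"wheel", "sudo", "root"}  # groups that confer root-equivalent access (assumption)


def parse(lines):
    """Split each syslog line into timestamp, host, program and message."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, host, prog, msg = m.groups()
            out.append({"ts": ts, "host": host, "prog": prog, "msg": msg.strip()})
    return out


def _sudo_actor(events, idx, needle):
    """useradd/usermod lines do not say who ran them; walk back from idx to the
    sudo entry whose command mentions the affected account and return its user."""
    for e in reversed(events[:idx]):
        if e["prog"] == "sudo":
            m = SUDO_RE.match(e["msg"])
            if m and needle in m.group(3):
                return m.group(1)
    return None


def privilege_changes(lines):
    """UID-0 account creations and additions to admin groups, each with the sudo actor."""
    events, findings = parse(lines), []
    for i, e in enumerate(events):
        m = NEW_USER_RE.search(e["msg"]) if e["prog"] == "useradd" else None
        if m and m.group(2) == "0":
            findings.append({"kind": "uid0_account", "ts": e["ts"], "account": m.group(1),
                             "by": _sudo_actor(events, i, m.group(1))})
        m = GROUP_ADD_RE.search(e["msg"]) if e["prog"] == "usermod" else None
        if m and m.group(2) in ADMIN_GROUPS:
            findings.append({"kind": "admin_group", "ts": e["ts"], "account": m.group(1),
                             "group": m.group(2), "by": _sudo_actor(events, i, m.group(1))})
    return findings


def last_signin(lines, user):
    """Timestamp of the user's most recent accepted SSH login, or None."""
    hits = [e["ts"] for e in parse(lines) if e["prog"] == "sshd"
            and (m := ACCEPTED_RE.search(e["msg"])) and m.group(1) == user]
    return hits[-1] if hits else None


def last_sudo(lines, user):
    """(ts, target user, command) of the user's most recent sudo, or None."""
    hits = [(e["ts"], m.group(2), m.group(3)) for e in parse(lines) if e["prog"] == "sudo"
            and (m := SUDO_RE.match(e["msg"])) and m.group(1) == user]
    return hits[-1] if hits else None


def failed_signins(lines, threshold=5):
    """{(user, source ip): failures} above threshold; guesses at non-existent users count too."""
    fails = Counter(m.groups() for e in parse(lines) if e["prog"] == "sshd"
                    and (m := FAILED_RE.search(e["msg"])))
    return {k: n for k, n in fails.items() if n > threshold}


if __name__ == "__main__":
    for f in privilege_changes(SAMPLE_LINES):
        print("finding:", f)
    print("bob last login:", last_signin(SAMPLE_LINES, "bob"))
    print("bob last sudo:", last_sudo(SAMPLE_LINES, "bob"))
    print("brute-force candidates:", failed_signins(SAMPLE_LINES))
```

Two caveats a practitioner should keep in mind: classic syslog lines carry no year and can be written by any local process, so ship them off the host promptly and prefer auditd watches on /etc/passwd, /etc/shadow and /etc/sudoers (kernel-generated, with full timestamps) as the authoritative record of account and permission changes; and the "by whom" attribution here depends on the sudo entry immediately preceding the change, which is lost if an administrator runs a root shell instead of individual sudo commands.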

For further information on auditing at the operating system consider:

Suggestion 7.4.3 – Log SAP application and database user and authorization events

Consider keeping a historical log of SAP user and authorization events so that it can be used for detection or audit. Consider both the application stack (for example, ABAP authorizations, recorded by the Security Audit Log) and your database (for example, the SAP HANA audit trail). Make sure both are enabled with filters or audit policies that actually cover the events below, and write the trail to a destination that the administrators being audited cannot edit. Determine your log retention period and the types of events to log based on your organization's security policies.

Enable your operations team to answer audit questions at the SAP application and database level for events such as:

  • When and by whom was the new SAP or database account created?

  • When and by whom were the SAP or database account's permissions modified?

  • When did the SAP or database user last successfully sign in?

  • Is there a suspicious number of failed sign-in attempts for the account?

  • What sensitive transaction codes or tools did the account last use?
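Added example, not from SAP or AWS: Python that answers the questions above from two constructed record sets, ABAP Security Audit Log entries (as read with SM20 or RSAU_READ_LOG, reduced to the fields used here) and SAP HANA audit trail rows (a subset of the columns of the AUDIT_LOG view). The message IDs, column names and the list of sensitive transaction codes are my reading of the standard definitions and should be checked against your release; the users and timestamps are placeholders.

```python
"""Answer the SAP application and database audit questions above (added example)."""
import re
from collections import Counter

# Transaction codes worth alerting on (a starting set, assumption): user and role
# administration, table browsing, report execution, OS command and RFC destination setup.
SENSITIVE_TCODES = {"SU01", "SU10", "PFCG", "SE16", "SE16N", "SE38", "SA38",
                    "SM49", "SM69", "SM59", "RZ10", "SCC4"}

# Constructed ABAP Security Audit Log entries, reduced to
# (timestamp, message ID, acting user, terminal, transaction, detail).
# Message IDs as in the standard SAL definitions: AU1 logon successful, AU2 logon failed,
# AU3 transaction started, AU7 user created, AUB authorizations for user changed.
# `detail` carries the affected user (AU7/AUB) or the failure reason (AU2).
SAL = [
    ("2024-03-01 10:02:11", "AU7", "SAPADMIN", "WS-ADM01", "SU01", "ZBACKUP"),
    ("2024-03-01 10:03:40", "AUB", "SAPADMIN", "WS-ADM01", "PFCG", "ZBACKUP"),
    ("2024-03-01 10:10:05", "AU1", "ZBACKUP", "WS-DEV07", "", ""),
    ("2024-03-01 10:11:00", "AU3", "ZBACKUP", "WS-DEV07", "SE16", ""),
    ("2024-03-01 10:12:30", "AU3", "ZBACKUP", "WS-DEV07", "VA01", ""),
] + [("2024-03-01 11:%02d:00" % m, "AU2", "DDIC", "WS-DEV07", "", "wrong password")
     for m in range(6)]  # six failed logons to DDIC in six minutes

# Constructed SAP HANA audit trail rows, a subset of the AUDIT_LOG columns:
# (timestamp, event action, event status, executing user, statement).
HANA = [
    ("2024-03-01 10:05:00", "CREATE USER", "SUCCESSFUL", "SYSTEM", "CREATE USER ZBACKUP PASSWORD ***"),
    ("2024-03-01 10:05:30", "GRANT ROLE", "SUCCESSFUL", "SYSTEM", "GRANT MONITORING TO ZBACKUP"),
    ("2024-03-01 10:20:00", "CONNECT", "SUCCESSFUL", "ZBACKUP", ""),
    ("2024-03-01 10:21:00", "CONNECT", "UNSUCCESSFUL", "ZBACKUP", ""),
]

CREATE_RE = re.compile(r"^CREATE USER (\S+)", re.I)
GRANT_RE = re.compile(r"^GRANT .+? TO (\S+)", re.I)


def account_created(sal, hana, user):
    """[(layer, timestamp, by whom)] for the creation of `user`, oldest first."""
    hits = [("ABAP", ts, who) for ts, mid, who, _, _, detail in sal if mid == "AU7" and detail == user]
    hits += [("HANA", ts, who) for ts, act, st, who, stmt in hana
             if act == "CREATE USER" and st == "SUCCESSFUL"
             and (m := CREATE_RE.match(stmt)) and m.group(1).upper() == user]
    return sorted(hits, key=lambda h: h[1])


def permissions_modified(sal, hana, user):
    """[(layer, timestamp, by whom, how)] for authorization or grant changes to `user`."""
    hits = [("ABAP", ts, who, tcode) for ts, mid, who, _, tcode, detail in sal
            if mid == "AUB" and detail == user]
    hits += [("HANA", ts, who, stmt) for ts, act, st, who, stmt in hana
             if act.startswith("GRANT") and st == "SUCCESSFUL"
             and (m := GRANT_RE.match(stmt)) and m.group(1).upper() == user]
    return sorted(hits, key=lambda h: h[1])


def last_signin(sal, hana, user):
    """Most recent successful logon per layer; None where the user never logged on."""
    abap = max((ts for ts, mid, who, *_ in sal if mid == "AU1" and who == user), default=None)
    db = max((ts for ts, act, st, who, _ in hana
              if act == "CONNECT" and st == "SUCCESSFUL" and who == user), default=None)
    return {"ABAP": abap, "HANA": db}


def failed_signins(sal, hana, threshold=5):
    """{(layer, user): failures} for accounts with more than threshold failed logons."""
    fails = Counter()
    for ts, mid, who, *_ in sal:
        if mid == "AU2":
            fails[("ABAP", who)] += 1
    for ts, act, st, who, _ in hana:
        if act == "CONNECT" and st == "UNSUCCESSFUL":
            fails[("HANA", who)] += 1
    return {k: n for k, n in fails.items() if n > threshold}


def sensitive_tcodes_used(sal, user):
    """[(timestamp, tcode)] for every sensitive transaction the user started."""
    return [(ts, tcode) for ts, mid, who, _, tcode, _ in sal
            if mid == "AU3" and who == user and tcode in SENSITIVE_TCODES]


if __name__ == "__main__":
    print("ZBACKUP created:", account_created(SAL, HANA, "ZBACKUP"))
    print("ZBACKUP permissions:", permissions_modified(SAL, HANA, "ZBACKUP"))
    print("ZBACKUP last logon:", last_signin(SAL, HANA, "ZBACKUP"))
    print("brute-force candidates:", failed_signins(SAL, HANA))
    print("ZBACKUP sensitive tcodes:", sensitive_tcodes_used(SAL, "ZBACKUP"))
```

Both logs contain only what they were configured to capture. The Security Audit Log needs an active profile whose filters include logon, user master and transaction-start events for the relevant clients and users, and the HANA trail needs audit policies covering CONNECT, user creation and alteration, and GRANT and REVOKE actions, written to a target such as syslog rather than a database table the audited administrators can alter.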

For further information consider the following:

Suggestion 7.4.4 – Consolidate user and authorization events in a Security Information and Event Management (SIEM) system for analysis

Consider sending all user and authorization events from across your SAP workload components into a central SIEM tool so that they can be correlated and analyzed. Use tools such as SAP Enterprise Threat Detection or third-party add-ons, or ship the SAP audit logs directly from your application and database servers to an ingestion and analysis tool.

Establish baseline behaviors for your workload and monitor for abnormalities to improve detection of security incidents.

Consider AWS Marketplace SIEM solutions to monitor your workload in real-time, identify security issues, and expedite root-cause analysis and remediation.
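Added example (mine, not from any SIEM product): Python showing two things the consolidation above enables that no single source can, a learned per-account baseline for failed logons, and an end-to-end trace linking an AWS console sign-in, an OS privilege escalation and an SAP user creation by the same person. The events are constructed already in a common schema; the identity map that ties account names across layers to one person is assumed here and in practice comes from your directory or identity provider.

```python
"""Baseline failed logons and trace a person's actions across AWS, OS and SAP
events normalized into one schema (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# The same person has a different account name at each layer; correlation needs
# this mapping. Assumed here; normally sourced from the identity provider or HR feed.
IDENTITY_MAP = {("aws", "alice"): "alice", ("os", "alice"): "alice", ("sap", "SAPADMIN"): "alice"}


def person(e):
    """Canonical person behind an event, or 'source:actor' when unmapped."""
    return IDENTITY_MAP.get((e["source"], e["actor"]), f"{e['source']}:{e['actor']}")


def ev(source, ts, actor, action, outcome="success", target=""):
    """One event in the common schema every source is normalized into."""
    return {"source": source, "ts": datetime.fromisoformat(ts), "actor": actor,
            "action": action, "outcome": outcome, "target": target}


# Constructed events: a one-hour chain by one person, plus DDIC logon failures
# (one per night during training, then a burst of twelve on the detection day).
EVENTS = [
    ev("aws", "2024-03-01T08:00:00", "alice", "ConsoleLogin"),
    ev("os", "2024-03-01T08:30:00", "alice", "sudo", target="/usr/bin/su - hdbadm"),
    ev("sap", "2024-03-01T08:45:00", "SAPADMIN", "user_created", target="ZBACKUP"),
    ev("sap", "2024-03-01T09:00:00", "ZBACKUP", "logon"),
]
EVENTS += [ev("sap", f"2024-02-{d:02d}T03:00:00", "DDIC", "logon", "failure") for d in range(23, 30)]
EVENTS += [ev("sap", f"2024-03-01T11:{m:02d}:00", "DDIC", "logon", "failure") for m in range(12)]
TRAIN_START, TRAIN_END = datetime(2024, 2, 23), datetime(2024, 3, 1)


def failed_login_baseline(events, train_start, train_end, floor=5, sigmas=3):
    """Per (source, actor): daily failed-logon counts over the training window,
    turned into a threshold of mean + sigmas*stdev, never below `floor`."""
    per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["outcome"] == "failure" and train_start <= e["ts"] < train_end:
            per_day[(e["source"], e["actor"])][e["ts"].date()] += 1
    days = [(train_start + timedelta(days=i)).date() for i in range((train_end - train_start).days)]
    thresholds = {}
    for key, counts in per_day.items():
        series = [counts.get(d, 0) for d in days]  # zero-filled so quiet days count
        thresholds[key] = max(floor, mean(series) + sigmas * pstdev(series))
    return thresholds


def anomalous_failed_logins(events, thresholds, detect_start, floor=5):
    """{(source, actor, day): count} where failures exceed that actor's threshold;
    actors never seen in training fall back to `floor`."""
    counts = defaultdict(int)
    for e in events:
        if e["outcome"] == "failure" and e["ts"] >= detect_start:
            counts[(e["source"], e["actor"], e["ts"].date())] += 1
    return {k: n for k, n in counts.items() if n > thresholds.get(k[:2], floor)}


def trace_user_creations(events, window=timedelta(hours=1)):
    """End-to-end trace: for each SAP user creation, the same person's most recent
    AWS console sign-in and OS privilege escalation within `window` before it."""
    by_person = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_person[person(e)].append(e)
    chains = []
    for who, evs in by_person.items():
        for c in evs:
            if c["source"] != "sap" or c["action"] != "user_created":
                continue
            earlier = [e for e in evs if c["ts"] - window <= e["ts"] < c["ts"]]
            aws = [e for e in earlier if e["source"] == "aws"
                   and e["action"] == "ConsoleLogin" and e["outcome"] == "success"]
            sudo = [e for e in earlier if e["source"] == "os" and e["action"] == "sudo"]
            chains.append({"person": who, "created": c["target"], "at": c["ts"],
                           "aws_signin": aws[-1]["ts"] if aws else None,
                           "os_sudo": sudo[-1]["target"] if sudo else None})
    return chains


if __name__ == "__main__":
    th = failed_login_baseline(EVENTS, TRAIN_START, TRAIN_END)
    print("thresholds:", th)
    print("anomalies:", anomalous_failed_logins(EVENTS, th, TRAIN_END))
    for chain in trace_user_creations(EVENTS):
        print("chain:", chain)
```

The baseline floors the threshold so that a quiet training window does not turn a single failure into an alert, and accounts absent from training fall back to that floor rather than alerting on their first failure. The trace is only as good as the identity map: without it, alice in IAM, alice on the host and SAPADMIN in the application look like three unrelated actors, which is exactly the gap an attacker moving between layers relies on.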

For further information, consider the following resources: