SAP

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

SAP Security Audit Logs

✅

✅

sap_security_audit_logs

CEF

S3

S/4HANA Security Audit Logs

✅

✅

sap_s4hana_security_audit_logs

NDJSON

API


Overview

SAP is a global leader in enterprise software, known for its solutions that help businesses manage various operations such as finance, logistics, human resources, and supply chain management.

The company's flagship product, SAP S/4HANA, is an integrated enterprise resource planning (ERP) system that uses in-memory computing to process large volumes of data quickly. SAP's software is widely used across industries to improve efficiency, gain insights, and drive digital transformation.

Supported data types

SAP Security Audit Logs

Table name: sap_security_audit_logs

The security audit log is a tool designed for auditors who need to take a detailed look at what occurs in the SAP system. By activating the audit log, you keep a record of those activities you consider relevant for auditing. You can then access this information for evaluation in the form of an audit analysis report.

The main objective of the audit log is to record the following:

  • Security-related changes to the SAP system environment (for example, changes to user master records).

  • Information that provides a higher level of transparency (for example, successful and unsuccessful logon attempts).

  • Information that enables the reconstruction of a series of events (for example, successful or unsuccessful transaction starts).

Send data to Hunters

Hunters supports the ingestion of SAP Security Audit logs via an intermediary AWS S3 bucket.

To connect SAP Security Audit logs:

  1. Export your logs from SAP to an AWS S3 bucket.

  2. Once the export is complete and the logs are being collected in S3, follow the steps in this section.

Expected format

Logs are expected in CEF format.

MAI 21 02:20:27 example-server_AAS_04 CEF:1|Security|SAL|1.0|1|SAL|1|XMILOGMID=AAA SLGDATTIM=2024052102072200 MANDT=001 SYSID=AAS SLGINSTANCE=example-server_AAS_04 SLGTC= SLGREPNA=AAASSY1 SLGLTRM2=example-server.ads-aaaa SLGUSER=JaneDoh MESSAGE=Example message about accessing /example/path with activity 03 MSGV1=/SAAAPO/ASAS1 MSGV2=03 MSGV3= MSGV4=
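A pre-upload check for the CEF line above, added here as an example and not part of the Hunters or SAP documentation: it splits off the seven-field CEF header and reads one extension key, coping with values that contain spaces (MESSAGE) or are empty (SLGTC, MSGV3). `sal_cef_get` and `SAL_SAMPLE` are hypothetical names, and the sample is the line shown above.

```shell
# Added example, not Hunters or SAP code. sal_cef_get is a hypothetical helper.
# Usage: sal_cef_get SLGUSER < exported.log
# Prints KEY's value for every line; exits 1 if a line is not CEF or lacks KEY.
# CEF backslash escapes (\| and \=) are not handled in this sketch of the check.
sal_cef_get() {
  awk -v want="$1" '
  BEGIN { bad = 0 }
  function complain(msg) { printf "line %d: %s\n", NR, msg > "/dev/stderr"; bad = 1 }
  {
    p = index($0, "CEF:")            # skip the syslog prefix in front of the record
    n = split(substr($0, p), hdr, "|")
    if (p == 0 || n < 8) { complain("not a CEF record"); next }
    ext = " " hdr[8]                 # header is 7 fields, the extension is the 8th
    for (i = 9; i <= n; i++) ext = ext "|" hdr[i]   # later pipes are extension data
    found = 0
    while (match(ext, / [A-Za-z0-9_]+=/)) {
      key = substr(ext, RSTART + 1, RLENGTH - 2)
      ext = substr(ext, RSTART + RLENGTH)
      # A value runs up to the next " KEY=" token, so it may hold spaces or be empty.
      val = match(ext, / [A-Za-z0-9_]+=/) ? substr(ext, 1, RSTART - 1) : ext
      if (key == want) { print val; found = 1; break }
    }
    if (!found) complain("key " want " missing")
  }
  END { exit bad }
  '
}

# Sample record copied from the page.
SAL_SAMPLE='MAI 21 02:20:27 example-server_AAS_04 CEF:1|Security|SAL|1.0|1|SAL|1|XMILOGMID=AAA SLGDATTIM=2024052102072200 MANDT=001 SYSID=AAS SLGINSTANCE=example-server_AAS_04 SLGTC= SLGREPNA=AAASSY1 SLGLTRM2=example-server.ads-aaaa SLGUSER=JaneDoh MESSAGE=Example message about accessing /example/path with activity 03 MSGV1=/SAAAPO/ASAS1 MSGV2=03 MSGV3= MSGV4='
```
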

S/4HANA Security Audit Logs

Table name: sap_s4hana_security_audit_logs

SAP S/4HANA Security Audit Logs are essential tools for tracking and monitoring system activities within the SAP environment, ensuring compliance and enhancing security. They capture detailed records of critical actions, such as user logins, changes to system configurations, and access to sensitive data, allowing administrators to detect suspicious activities or unauthorized access. These logs support audit readiness and help safeguard the integrity of business processes by providing real-time insights into potential security breaches or policy violations.

Send data to Hunters

Hunters supports the ingestion of SAP S/4HANA Security Audit logs via API connection.

💡Before you begin

Make sure you’ve created a Service Binding, under Service and Subscriptions in your SAP BTP Cockpit. Learn more here.

Step 1: Obtain the required information from SAP

After obtaining the .pfx file and credentials from the server, you need to extract the private key and certificate for use in SAP S/4HANA. Ensure you have the openssl package installed before proceeding.

Step 1: Extracting the Private Key

📘Note

In the commands below, enclose <password> in single quotes (' ').

Example:

.....-nodes -passin pass:'1234'

openssl pkcs12 -in <pfx_file_path> -nocerts -out <local_key_path> -nodes -passin pass:'<password>'

  • Replace <pfx_file_path> with the path to your PFX file.

  • Replace <local_key_path> with the desired path for the private key file.

  • Replace <password> with the password for the PFX file.

Step 2: Extracting the Certificate

To extract the certificate from the PFX file, run the following command:

openssl pkcs12 -in <pfx_file_path> -nokeys -out <local_cert_path> -passin pass:'<password>'

  • Replace <pfx_file_path> with the path to your PFX file.

  • Replace <local_cert_path> with the desired path for the certificate file.

  • Replace <password> with the password for the PFX file.

Step 3: Using the Extracted Files

  • Copy all the content of the private key file and paste it in the SAP S/4HANA CLIENT PRIVATE KEY field.

  • Copy all the content of the certificate file and paste it in the SAP S/4HANA CLIENT CERTIFICATE field.
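The extraction steps above combined into one function, as an added example that is not part of the Hunters or SAP documentation. It keeps the page's pkcs12 flags but reads the password from an environment variable (`-passin env:`) rather than the command line, creates the files readable by the owner only because `-nodes` writes the key unencrypted, and checks that the key matches the certificate and that the certificate has not expired. `extract_pfx` and `PFX_PASS` are hypothetical names.

```shell
# Added example, not Hunters or SAP code. extract_pfx and PFX_PASS are hypothetical.
# Usage (bash): read -rs PFX_PASS && extract_pfx <pfx_file_path> <local_key_path> <local_cert_path>
extract_pfx() (
  pfx=$1; key=$2; cert=$3
  [ -r "$pfx" ] || { echo "cannot read PFX file: $pfx" >&2; exit 2; }
  [ -n "${PFX_PASS+set}" ] || { echo "set PFX_PASS to the PFX password" >&2; exit 2; }
  export PFX_PASS        # openssl reads it via -passin env:, so it is never in argv
  umask 077              # -nodes writes the key unencrypted: create files as 0600
  rm -f "$key" "$cert"   # stale files would keep their old, possibly wider, modes

  fail() { echo "$1" >&2; rm -f "$key" "$cert"; exit 1; }

  # Same flags as the two extraction steps above; only the password source differs.
  openssl pkcs12 -in "$pfx" -nocerts -out "$key" -nodes -passin env:PFX_PASS \
    || fail "private key extraction failed"
  openssl pkcs12 -in "$pfx" -nokeys -out "$cert" -passin env:PFX_PASS \
    || fail "certificate extraction failed"

  # The key must belong to the first certificate in the output file.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || fail "unreadable private key"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || fail "unreadable certificate"
  [ "$key_pub" = "$cert_pub" ] || fail "private key does not match certificate"

  # Reject a client certificate that has already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || fail "certificate has expired"
  echo "ok: $key and $cert written; delete both once pasted into the platform"
)
```
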

Step 2: Complete the process on the Hunters platform

Complete the process on the Hunters platform, following this guide.

Expected format

Logs are expected in JSON format.

{
"eventID": "AU1",
"log_tstmp": "2021-05-08T10:26:22.740611Z",
"slgmand": "100",
"sid": "ABC",
"counter": 0,
"terminal_name": "",
"user_fullname": "Example Administrator",
"slgtc": "S000",
"slgrepna": "RSBTCRTE",
"rsau_text": "Logon successful (type=B, method=A)",
"UserDescription": "Example Administrator"
},
{
"eventID": "AU1",
"log_tstmp": "2021-05-08T10:28:22.924215Z",
"slgmand": "100",
"sid": "ABC",
"counter": 0,
"terminal_name": "",
"user_fullname": "Example Administrator",
"slgtc": "S000",
"slgrepna": "RSBTCRTE",
"rsau_text": "Logon successful (type=B, method=A)",
"UserDescription": "Example Administrator"
},