Security Alerting with SAP Focused Run
SAP Focused Run provides real-time application monitoring, alerting and analytics for large-scale SAP landscapes and hosting providers. It leverages SAP HANA to support centralized monitoring for up to thousands of systems in high-volume environments. Focused Run is intended to complement Solution Manager in SAP landscapes by substituting configuration, integration, system, and user monitoring scenarios from SolMan. Solution Manager is required for all other scenarios including change management, patch management, custom code management, business process monitoring, service management, and test management.
This article explores the alerting capabilities of SAP Focused Run using the workgroups Advanced System Management and Advanced Event & Alert Management.
Similar to SAP Solution Manager, Focused Run includes preconfigured monitoring templates and data providers for SAP platforms and solutions including ABAP, HANA, and Java. It also includes database and host templates for monitoring SAP infrastructure. The standard metrics and alerts within the SAP-delivered templates include content for monitoring the availability and performance of SAP applications, components, agents, interfaces and infrastructure.
The Cybersecurity Extension for SAP extends the coverage of SAP Focused Run to include security monitoring. The SAP-certified addon provides more than 500 metrics and alerts for detecting indicators of compromise in SAP logs. This includes ABAP logs such as the Security Audit Log, Gateway Server Log, HTTP Log, System Log, Transaction Log, Read Access Log, and Change Documents. It also includes support for the Audit Log in HANA platforms. The current version of the Cybersecurity Extension for SAP supports ABAP and HANA platforms. Future releases are expected to support Java systems and operating system logs in Linux hosts.
Alerts can be accessed using Alert Management in the Advanced Event & Alert Management workgroup.
Focused Run supports the grouping of systems into Customer IDs. This can be used to segment results for business units. Alert Management will summarize the results for the Customer IDs selected during the initial selection screen.
You can select the list view to display the current alerts.
You can open and view the details of alerts in the list. The example below is an alert triggered in a managed system for changes performed for the roles assigned to the standard SAP* user.
The Metrics tab includes information related to underlying event including the event timestamp, source IP, target IP, and user information. This information can be automatically integrated with Security Information Event Management (SIEM) systems. Notifications can be also sent for alerts through email or SMS using the Send Notification option in the Actions menu.
Alert Reporting in Alert Management provides a dashboard for monitoring alerts by date, category and systems.
Alerts can be also managed using System Monitoring in the Advanced System Management workgroup.
System Monitoring includes an Alert Ticker in the right pane that displays the latest alerts in real time.
The application also includes a hierarchal view for displaying alerts by managed object type including systems, application servers, instances, databases and hosts.
