Security Forensics with SAP Solution Manager

Security Forensics in SAP Solution Manager supports centralized log monitoring for SAP landscapes. The Fiori application from Layer Seven Security enables users to analyze incidents across multiple logs and systems directly from Solution Manager, helping organizations to detect and respond to security breaches. It also protects against anti-forensics.  Since event logs are replicated to a central log, attackers can not remove all traces of their actions to avoid detection.

Security Forensics is accessed from the Fiori launchpad for SAP Solution Manager.

The application currently supports the Security Audit Log, Gateway Server log, HTTP log, Transaction log, Read Access Log, System Log, User Change logs, and the HANA Audit log. Support for the Java Security Log and SAProuter log is scheduled for Q3 2020.

Advanced Search supports complex queries based on system, log source, date, time, user, source terminal/ IP address, and event ID.

Log Source:

Source terminal/ IP address:

Date/Time:

The query below filters log events to isolate actions performed by the SAP* user. The query results reveal that the SAP* user was locked due to failed logon attempts in system AS2 at 10:30:00 on 23.03.2020.

The results can be exported to a csv file to support offline analysis and collaboration. Event details can also be appended directly to an email by selecting the Notify option from the drilldown.

Personalized alarms for events can be configured using the Save As Tile option for filter selections.

Alarms are displayed as custom tiles in the launchpad. Below we have added an alarm for log events related to the SAP* user in production systems. The tile will automatically update to display the number of matching records. Users can click on the alarm to view the details of the events.

Security Forensics is available for SAP Solution Manager 7.2 SP07 or higher. The application is available for both HANA and conventional database platforms.  For the latter, customizing options are provided to activate log monitoring for only specific managed systems and adjust the log retention period.

Leave a Reply

Your email address will not be published.