{"id":324,"date":"2023-07-05T22:42:01","date_gmt":"2023-07-05T19:42:01","guid":{"rendered":"https:\/\/techltx.com\/de\/?p=324"},"modified":"2023-07-09T23:35:26","modified_gmt":"2023-07-09T20:35:26","slug":"sap-security-audit-log-sm20-data-leak","status":"publish","type":"post","link":"https:\/\/techltx.com\/en\/sap\/sap-security-audit-log-sm20-data-leak\/2023\/07\/","title":{"rendered":"SAP Security Audit Log SM20 data leak detection"},"content":{"rendered":"\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:66.66%\">\n<p>Dear readers,<\/p>\n<p>In the ever-evolving world of information technology, the need for secure and comprehensive monitoring mechanisms is increasing. Central to this are security logs that record critical system information. One such tool is the SAP Security Audit Log, an audit log specifically designed to capture security-relevant system information in SAP AS ABAP systems. 
It documents events such as changes to user master records or unsuccessful login attempts, thereby providing an excellent basis for security analyses and compliance checks.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:33.33%\">\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/techltx.com\/wp-content\/uploads\/2023\/06\/sap-security-patchday.png\"><img loading=\"lazy\" decoding=\"async\" width=\"491\" height=\"155\" src=\"https:\/\/techltx.com\/wp-content\/uploads\/2023\/06\/sap-security-patchday.png\" alt=\"SAP Security SM20 Audit Log Logo\" class=\"wp-image-248\" srcset=\"https:\/\/techltx.com\/wp-content\/uploads\/2023\/06\/sap-security-patchday.png 491w, https:\/\/techltx.com\/wp-content\/uploads\/2023\/06\/sap-security-patchday-300x95.png 300w\" sizes=\"auto, (max-width: 491px) 100vw, 491px\" \/><\/a><\/figure>\n<\/div>\n<\/div>\n\n\n<p>The SAP Security Audit Log, accessible through transaction SM20, allows auditors to gain detailed insights into operations within the AS ABAP system. Once this log is activated, a record of specifically defined activities is created. The types of information that can be logged include successful and unsuccessful dialog and RFC login attempts, RFC calls to function modules, changes to user master records, successful and unsuccessful transaction starts, and changes to the audit configuration. SM20 aids in security monitoring and can be used to detect potential security breaches that might indicate a data leak. 
However, SM20 is not a dedicated data leak detection tool in the way that SAP ETD (Enterprise Threat Detection) is, for example.<\/p>\n<p>Here&#8217;s an overview of the information that can be logged:<\/p>\n<ul>\n<li>Successful and unsuccessful dialog login attempts<\/li>\n<li>Successful and unsuccessful RFC login attempts<\/li>\n<li>RFC calls to function modules<\/li>\n<li>Changes to user master records<\/li>\n<li>Successful and unsuccessful transaction starts<\/li>\n<li>Changes to the audit configuration<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-columns alignwide is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:32%\">\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"837\" height=\"947\" src=\"https:\/\/techltx.com\/wp-content\/uploads\/2023\/07\/SAP-SM20-Security-Audit-Log-evaluate.jpg\" alt=\"SM20 Evaluate Security Audit Log\" class=\"wp-image-326\" srcset=\"https:\/\/techltx.com\/wp-content\/uploads\/2023\/07\/SAP-SM20-Security-Audit-Log-evaluate.jpg 837w, https:\/\/techltx.com\/wp-content\/uploads\/2023\/07\/SAP-SM20-Security-Audit-Log-evaluate-265x300.jpg 265w, https:\/\/techltx.com\/wp-content\/uploads\/2023\/07\/SAP-SM20-Security-Audit-Log-evaluate-768x869.jpg 768w\" sizes=\"auto, (max-width: 837px) 100vw, 837px\" \/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:68%\">\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/techltx.com\/wp-content\/uploads\/2023\/07\/SAP-SM20-Security-Audit-data-leak-download.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/techltx.com\/wp-content\/uploads\/2023\/07\/SAP-SM20-Security-Audit-data-leak-download-1024x399.jpg\" alt=\"Evaluation of the SM20 Security Audit Log: data leak\" class=\"wp-image-327\" width=\"768\" height=\"299\" 
srcset=\"https:\/\/techltx.com\/wp-content\/uploads\/2023\/07\/SAP-SM20-Security-Audit-data-leak-download-1024x399.jpg 1024w, https:\/\/techltx.com\/wp-content\/uploads\/2023\/07\/SAP-SM20-Security-Audit-data-leak-download-300x117.jpg 300w, https:\/\/techltx.com\/wp-content\/uploads\/2023\/07\/SAP-SM20-Security-Audit-data-leak-download-768x299.jpg 768w, https:\/\/techltx.com\/wp-content\/uploads\/2023\/07\/SAP-SM20-Security-Audit-data-leak-download-1536x599.jpg 1536w, https:\/\/techltx.com\/wp-content\/uploads\/2023\/07\/SAP-SM20-Security-Audit-data-leak-download.jpg 1790w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/a><\/figure>\n<\/div>\n<\/div>\n\n\n<p>The SAP Security Audit Log maintains audit files on specific application servers, and you define the file locations and sizes manually via profile parameters. Automatic archiving is not supported, but the files can be archived manually at any time. Activity logging filters are set up with transaction SM19, log files are read with SM20, and old log files are cleaned up with SM18. SAP NetWeaver Application Server for ABAP also offers additional logging features that record activities by transaction and user, accessible through SAP Workload: Business Transaction Analysis (transaction STAD).<\/p>\n<p>The SAP Security Audit Log (SM20) is an effective tool for security monitoring and auditing. With its ability to record security-relevant activities and provide them for later evaluation, it offers companies a robust solution for identifying and mitigating potential security risks. It thus plays a crucial role in meeting IT security policies and compliance requirements, while simultaneously strengthening trust in the company&#8217;s security infrastructure. 
However, it has certain limitations that prevent it from fully meeting all the requirements of a Security Information and Event Management (SIEM) system:<\/p>\n<p style=\"padding-left: 40px;\"><strong>1) Complexity of correlation rules:<\/strong> SIEM solutions are known for their ability to create complex correlation rules across various systems and platforms to detect anomalies and security breaches. While the SAP Security Audit Log can record various security-relevant events, it lacks the advanced correlation and analysis capabilities typical of SIEM systems.<\/p>\n<p style=\"padding-left: 40px;\"><strong>2) Real-time monitoring and alerting:<\/strong> SIEM systems often have the ability to monitor events in real time and send notifications when specific conditions are met. In contrast, the SAP Security Audit Log stores events but does not offer real-time monitoring or automatic alerting.<\/p>\n<p style=\"padding-left: 40px;\"><strong>3) Automated responses:<\/strong> Many SIEM systems can be configured to automatically respond to certain events, such as blocking an IP address or isolating a network segment. The SAP Security Audit Log does not offer such automatic response capabilities.<\/p>\n<p style=\"padding-left: 40px;\"><strong>4) Centralized view:<\/strong> SIEM systems provide a centralized view of all systems and applications within an organization. In contrast, the SAP Security Audit Log is limited to the SAP system and does not provide a comprehensive view of all other systems and platforms.<\/p>\n<p style=\"padding-left: 40px;\"><strong>5) Long-term storage and compliance reporting:<\/strong> SIEM solutions typically offer functions for long-term storage of event data and generating compliance reports. 
While the SAP Security Audit Log allows for long-term data storage, it does not support automatic archiving of log files and also does not offer specialized functions for compliance reporting.<\/p>\n<p><strong>These limitations do not mean that the SAP Security Audit Log is useless<\/strong> &#8211; it is a valuable tool for security monitoring within SAP systems. However, it should be seen as part of a more comprehensive SIEM strategy that includes other tools and platforms. <a href=\"https:\/\/techltx.com\/sap\/sap-etd-enterprise-threat-detection\/\">We refer here to SAP&#8217;s own SAP Enterprise Threat Detection (ETD) SIEM tool.<\/a><\/p>\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/techltx.com\/wp-content\/uploads\/2023\/07\/SAP-SM19-Security-Audit-Log-display-current-configuration.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/techltx.com\/wp-content\/uploads\/2023\/07\/SAP-SM19-Security-Audit-Log-display-current-configuration-1024x598.jpg\" alt=\"SAP Security Audit Log Configuration SM19\" class=\"wp-image-328\" width=\"768\" height=\"449\" srcset=\"https:\/\/techltx.com\/wp-content\/uploads\/2023\/07\/SAP-SM19-Security-Audit-Log-display-current-configuration-1024x598.jpg 1024w, https:\/\/techltx.com\/wp-content\/uploads\/2023\/07\/SAP-SM19-Security-Audit-Log-display-current-configuration-300x175.jpg 300w, https:\/\/techltx.com\/wp-content\/uploads\/2023\/07\/SAP-SM19-Security-Audit-Log-display-current-configuration-768x449.jpg 768w, https:\/\/techltx.com\/wp-content\/uploads\/2023\/07\/SAP-SM19-Security-Audit-Log-display-current-configuration.jpg 1190w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/a><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>The SAP Security Audit Log (transaction SM20) can record specific security-related activities and provides detailed insights into the NetWeaver Application Server ABAP. 
This article shows how it works and configuration options so that data leaks can be detected using logging. In addition, the article shows the limits of SM20 and explains what more you can expect from a SIEM tool like SAP ETD Enterprise Threat Detection.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_uag_custom_page_level_css":"","site-sidebar-layout":"right-sidebar","site-content-layout":"boxed-container","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5],"tags":[39,40,7],"class_list":["post-324","post","type-post","status-publish","format-standard","hentry","category-sap","tag-securityauditlog","tag-sm20","tag-sap"],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false},"uagb_author_info":{"display_name":"BALTX","author_link":"https:\/\/techltx.com\/en\/author\/baltx-com\/"},"uagb_comment_info":0,"uagb_excerpt":"The SAP Security Audit Log (transaction SM20) can record specific security-related activities and provides detailed insights into the NetWeaver Application Server ABAP. This article shows how it works and configuration options so that data leaks can be detected using logging. 
In addition, the article shows the limits of SM20 and explains what more you can&hellip;","_links":{"self":[{"href":"https:\/\/techltx.com\/en\/wp-json\/wp\/v2\/posts\/324","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techltx.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techltx.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techltx.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/techltx.com\/en\/wp-json\/wp\/v2\/comments?post=324"}],"version-history":[{"count":10,"href":"https:\/\/techltx.com\/en\/wp-json\/wp\/v2\/posts\/324\/revisions"}],"predecessor-version":[{"id":425,"href":"https:\/\/techltx.com\/en\/wp-json\/wp\/v2\/posts\/324\/revisions\/425"}],"wp:attachment":[{"href":"https:\/\/techltx.com\/en\/wp-json\/wp\/v2\/media?parent=324"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techltx.com\/en\/wp-json\/wp\/v2\/categories?post=324"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techltx.com\/en\/wp-json\/wp\/v2\/tags?post=324"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}