Commit 6289d0b

Adding security value
1 parent f2ad0fd commit 6289d0b

2 files changed

+10
-10
lines changed

articles/sentinel/sap/sap-solution-security-content.md

Lines changed: 1 addition & 1 deletion
@@ -174,7 +174,7 @@ These watchlists provide the configuration for the Microsoft Sentinel solution f
174174
| <a name="tables"></a>**SAP - Sensitive Tables** | Sensitive tables, where access should be governed. <br><br>- **Table**: ABAP Dictionary Table, such as `USR02` or `PA008` <br>- **Description**: A meaningful table description. |
175175
| <a name="roles"></a>**SAP - Sensitive Roles** | Sensitive roles, where assignment should be governed. <br><br>- **Role**: SAP authorization role, such as `SAP_BC_BASIS_ADMIN` <br>- **Description**: A meaningful role description. |
176176
| <a name="transactions"></a>**SAP - Sensitive Transactions** | Sensitive transactions where execution should be governed. <br><br>- **TransactionCode**: SAP transaction code, such as `RZ11` <br>- **Description**: A meaningful code description. |
177-
| <a name="systems"></a>**SAP - Systems** | Parameters to watch for [suspicious configuration changes](#monitoring-the-configuration-of-static-sap-security-parameters). This watchlist is prefilled with recommended values, and you can extend the watchlist to include more parameters. If you don't want to receive alerts for a parameter, set `'EnableAlerts' == 'false'`.<br><br>- **ParameterName**: The name of the parameter.<br>- **Comment**: The SAP standard parameter description.<br>- **EnableAlerts**: Defines whether to enable alerts for this parameter. Values are `true` and `false`.<br>- **Option**: Defines whether the value is greater equal, less equal, or equal. Values are `GE`, `LE`, `EQ`.<br>- **ProductionSeverity**: The incident severity for production systems.<br>- **ProductionValues**: Permitted values for production systems.<br>- **NonProdSeverity**: The incident severity for non-production systems.<br>- **NonProdValues**: Permitted values for non-production systems. |
177+
| <a name="systems"></a>**SAP - Systems** | Parameters to watch for [suspicious configuration changes](#monitoring-the-configuration-of-static-sap-security-parameters). This watchlist is prefilled with recommended values (according to SAP best practice), and you can extend the watchlist to include more parameters. If you don't want to receive alerts for a parameter, set `'EnableAlerts' == 'false'`.<br><br>- **ParameterName**: The name of the parameter.<br>- **Comment**: The SAP standard parameter description.<br>- **EnableAlerts**: Defines whether to enable alerts for this parameter. Values are `true` and `false`.<br>- **Option**: Defines whether the value is greater equal, less equal, or equal. Values are `GE`, `LE`, `EQ`.<br>- **ProductionSeverity**: The incident severity for production systems.<br>- **ProductionValues**: Permitted values for production systems.<br>- **NonProdSeverity**: The incident severity for non-production systems.<br>- **NonProdValues**: Permitted values for non-production systems. |
178178
| <a name="systemparameters"></a>**SAPSystemParameters** | Describes the landscape of SAP systems according to role and usage.<br><br>- **SystemID**: the SAP system ID (SYSID) <br>- **SystemRole**: the SAP system role, one of the following values: `Sandbox`, `Development`, `Quality Assurance`, `Training`, `Production` <br>- **SystemUsage**: The SAP system usage, one of the following values: `ERP`, `BW`, `Solman`, `Gateway`, `Enterprise Portal` |
179179
| <a name="users"></a>**SAP - Excluded Users** | System users that are logged in and need to be ignored, such as for the Multiple logons by user alert. <br><br>- **User**: SAP User <br>- **Description**: A meaningful user description |
180180
| <a name="networks"></a>**SAP - Excluded Networks** | Maintain internal, excluded networks for ignoring web dispatchers, terminal servers, and so on. <br><br>- **Network**: Network IP address or range, such as `111.68.128.0/17` <br>- **Description**: A meaningful network description |
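
Review bot: The added parenthetical "(according to SAP best practice)" in the **SAP - Systems** row names no source, so someone tuning `ProductionValues` or `NonProdValues` has no way to check which baseline the prefilled values were taken from. Link the specific SAP guidance the values come from, or point to the parameter list in `sap-suspicious-configuration-security-parameters.md`, which this same commit updates. While this row is being edited, `'EnableAlerts' == 'false'` reads as a comparison rather than a setting; "set **EnableAlerts** to `false`" would match the field description that follows it.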

articles/sentinel/sap/sap-suspicious-configuration-security-parameters.md

Lines changed: 9 additions & 9 deletions
@@ -35,15 +35,15 @@ This list includes the static SAP security parameters that the Microsoft Sentine
3535
|login/no_automatic_user_sapstar |Controls the automatic login of the SAP* user. |High, because this parameter helps prevent unauthorized access to the SAP system via the default SAP* account. |
3636
|rsau/max_diskspace/local |Defines the maximum amount of disk space that can be used for local storage of audit logs. This security parameter helps to prevent the filling up of disk space and ensures that audit logs are available for investigation. |Setting an appropriate value for this parameter helps prevent the local audit logs from consuming too much disk space, which could lead to system performance issues or even denial of service attacks. On the other hand, setting a value that's too low may result in the loss of audit log data, which may be required for compliance and auditing. |
3737
|snc/extid_login_diag |Enables or disables the logging of external ID in Secure Network Communication (SNC) logon errors. This security parameter can help identify attempts of unauthorized access to the system. |Enabling this parameter can be helpful for troubleshooting SNC-related issues, because it provides additional diagnostic information. However, the parameter may also expose sensitive information about the external security products used by the system, which could be a potential security risk if that information falls into the wrong hands. |
38-
|login/password_change_waittime |Defines the number of days a user must wait before changing their password again. This security parameter helps enforce password policies and ensure that users change their passwords periodically. | |
39-
|snc/accept_insecure_cpic |Determines whether or not the system accepts insecure SNC connections using the CPIC protocol. This security parameter controls the level of security for SNC connections. | |
40-
|snc/accept_insecure_r3int_rfc |Determines whether or not the system accepts insecure SNC connections for R/3 and RFC protocols. This security parameter controls the level of security for SNC connections. | |
41-
|snc/accept_insecure_rfc |Determines whether or not the system accepts insecure SNC connections using RFC protocols. This security parameter controls the level of security for SNC connections. | |
42-
|snc/data_protection/max |Defines the maximum level of data protection for SNC connections. This security parameter controls the level of encryption used for SNC connections. | |
43-
|rspo/auth/pagelimit |Defines the maximum number of spool requests that a user can display or delete at once. This security parameter helps to prevent denial-of-service attacks on the spool system. | |
44-
|snc/accept_insecure_gui |Determines whether or not the system accepts insecure SNC connections using the GUI. This security parameter controls the level of security for SNC connections. | |
45-
|login/accept_sso2_ticket |Enables or disables the acceptance of SSO2 tickets for logon. This security parameter controls the level of security for logon to the system. | |
46-
|login/multi_login_users |Defines whether or not multiple logon sessions are allowed for the same user. This security parameter controls the level of security for user sessions and helps prevent unauthorized access. | |
38+
|login/password_change_waittime |Defines the number of days a user must wait before changing their password again. This security parameter helps enforce password policies and ensure that users change their passwords periodically. |Setting an appropriate value for this parameter can help ensure that users change their passwords regularly enough to maintain the security of the SAP system. At the same time, setting the wait time too short can be counterproductive because users may be more likely to reuse passwords or choose weak passwords that are easier to remember. |
39+
|snc/accept_insecure_cpic |Determines whether or not the system accepts insecure SNC connections using the CPIC protocol. This security parameter controls the level of security for SNC connections. |Enabling this parameter can increase the risk of data interception or manipulation, because it accepts SNC-protected connections that don't meet the minimum security standards. Therefore, the recommended security value for this parameter is to set it to `0`, which means that only SNC connections that meet the minimum security requirements are accepted. |
40+
|snc/accept_insecure_r3int_rfc |Determines whether or not the system accepts insecure SNC connections for R/3 and RFC protocols. This security parameter controls the level of security for SNC connections. |Enabling this parameter can increase the risk of data interception or manipulation, because it accepts SNC-protected connections that don't meet the minimum security standards. Therefore, the recommended security value for this parameter is to set it to `0`, which means that only SNC connections that meet the minimum security requirements are accepted. |
41+
|snc/accept_insecure_rfc |Determines whether or not the system accepts insecure SNC connections using RFC protocols. This security parameter controls the level of security for SNC connections. |Enabling this parameter can increase the risk of data interception or manipulation, because it accepts SNC-protected connections that don't meet the minimum security standards. Therefore, the recommended security value for this parameter is to set it to `0`, which means that only SNC connections that meet the minimum security requirements are accepted. |
42+
|snc/data_protection/max |Defines the maximum level of data protection for SNC connections. This security parameter controls the level of encryption used for SNC connections. |Setting a high value for this parameter can increase the level of data protection and reduce the risk of data interception or manipulation. The recommended security value for this parameter depends on the organization's specific security requirements and risk management strategy. |
43+
|rspo/auth/pagelimit |Defines the maximum number of spool requests that a user can display or delete at once. This security parameter helps to prevent denial-of-service attacks on the spool system. |This parameter doesn't directly affect the security of the SAP system, but can help to prevent unauthorized access to sensitive authorization data. By limiting the number of entries displayed per page, it can reduce the risk of unauthorized individuals viewing sensitive authorization information. |
44+
|snc/accept_insecure_gui |Determines whether or not the system accepts insecure SNC connections using the GUI. This security parameter controls the level of security for SNC connections. |Setting the value of this parameter to `0` is recommended to ensure that SNC connections made through the SAP GUI are secure, and to reduce the risk of unauthorized access or interception of sensitive data. Allowing insecure SNC connections may increase the risk of unauthorized access to sensitive information or data interception, and should only be done when there is a specific need and the risks have been properly assessed. |
45+
|login/accept_sso2_ticket |Enables or disables the acceptance of SSO2 tickets for logon. This security parameter controls the level of security for logon to the system. |Enabling SSO2 can provide a more streamlined and convenient user experience, but also introduces additional security risks. If an attacker gains access to a valid SSO2 ticket, they may be able to impersonate a legitimate user and gain unauthorized access to sensitive data or perform malicious actions. |
46+
|login/multi_login_users |Defines whether or not multiple logon sessions are allowed for the same user. This security parameter controls the level of security for user sessions and helps prevent unauthorized access. |Enabling this parameter can help prevent unauthorized access to SAP systems by limiting the number of concurrent logins for a single user. When this parameter is set to `0`, only one login session is allowed per user, and additional login attempts are rejected. This can help prevent unauthorized access to SAP systems in case a user's login credentials are compromised or shared with others. |
4747
|login/password_expiration_time |Specifies the maximum time interval in days for which a password is valid. When this time elapses, the user is prompted to change their password. |Setting this parameter to a lower value can improve security by ensuring that passwords are changed frequently. |
4848
|login/password_max_idle_initial |Specifies the maximum time interval in minutes for which a user can remain logged on without performing any activity. After this time elapses, the user is automatically logged off. |Setting a lower value for this parameter can improve security by ensuring that idle sessions aren't left open for extended periods of time. |
4949
|login/password_history_size |Specifies the number of previous passwords that a user isn't allowed to reuse. |This parameter prevents users from repeatedly using the same passwords, which can improve security. |
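
Review bot: The new security-value cell for `rspo/auth/pagelimit` contradicts the description cell next to it: the description says the parameter limits how many spool requests a user can display or delete and "helps to prevent denial-of-service attacks on the spool system", while the added text talks about "sensitive authorization data", "entries displayed per page", and says the parameter "doesn't directly affect the security of the SAP system". Reconcile the two cells so an analyst triaging an alert on this parameter knows what a change actually means. Two other added cells have the same kind of mismatch: for `login/password_change_waittime` the description defines a minimum wait between password changes, but the new text credits it with making users "change their passwords regularly enough"; for `login/multi_login_users` the text says "Enabling this parameter" and then describes the value `0`, so state explicitly which value is the restrictive one. The `snc/data_protection/max` cell gives no recommended value, unlike the `snc/accept_insecure_*` rows, which all recommend `0`; if the watchlist ships a prefilled value for it, name that value here.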
