articles/sentinel/sap/sap-audit-log-workbook.md
10 additions & 10 deletions
@@ -21,7 +21,7 @@ You can use the workbook either for ongoing monitoring of your SAP systems, or t
21
21
22
22
1. Select **View template** to use the workbook as is, or select **Save** to create an editable copy of the workbook. When the copy is created, select **View saved workbook**.
23
23
24
-
:::image type="content" source="media/sap-audit-log-workbook/workbook-overview.png" alt-text="Screenshot of the SAP Audit workbook top view." lightbox="media/sap-audit-log-workbook/workbook-overview.png":::
24
+
:::image type="content" source="media/sap-audit-log-workbook/workbook-overview.png" alt-text="Screenshot of the top of the SAP Audit workbook." lightbox="media/sap-audit-log-workbook/workbook-overview.png":::
25
25
26
26
> [!IMPORTANT]
27
27
>
@@ -57,29 +57,29 @@ Shows different types of data regarding user sign-ins.
57
57
58
58
|Area |Description |Options |
59
59
|---------|---------|
60
-
|**Unique user logons per system**|Shows the number of unique sign ins for each SAP system, and a graph with the signin trends over the selected time for each system. For example: the 012 system has 1.4-K unique logon attempts in the last 14 days, and in these 14 days the graph shows a relatively rising sign-in trend. |
60
+
|**Unique user logons per system**|Shows the number of unique sign ins for each SAP system, and a graph with the sign-in trends over the selected time for each system. For example: the 012 system has 1.4-K unique logon attempts in the last 14 days, and in these 14 days the graph shows a relatively rising sign-in trend. |
61
61
|**Logon types trend**|Shows a trend of the number of sign ins according to type, for example, login via dialog. |You can hover over the graph to show the number of logons for different dates. |
62
62
|**Logon failures Vs. success by unique users - trend**|Shows a trend of successful and failed sign ins in the selected period. |You can hover over the graph to show the amount of successful and failed sign ins for different dates. |
63
63
64
64
### Logon failures - anomaly detection
65
65
66
66
The areas under **Anomaly detection - filtering out noisy failed login attempts** show login failure data for SAP systems and users. To see only data flagged by [anomaly detection](configure-audit-log-rules.md#anomaly-detection), select **Anomalous only** next to **Failed logons** on the right.
67
67
68
-
:::image type="content" source="media/sap-audit-log-workbook/logon-failures.png" alt-text="Screenshot of the sections in the Logon failures area of the SAP Audit workbook that can be filtered by anomaly detection." lightbox="media/sap-audit-log-workbook/logon-failures.png":::
68
+
:::image type="content" source="media/sap-audit-log-workbook/logon-failures.png" alt-text="Screenshot of the sections in the Logon failures area of the SAP Audit workbook that you can filter by anomalous data." lightbox="media/sap-audit-log-workbook/logon-failures.png":::
69
69
70
70
|Area |Description |Specific data |Options/notes |
71
71
|---------|---------|---------|---------|
72
72
|**Logon failure rate** > **Logon failure anomalies** > **Unique User failed logons per SAP system**| Shows the number of unique failed sign ins for each SAP system. |||
73
-
|**SAP and Active Directory are better together** | The **Anomalous login failures** table shows a combination of Microsoft Sentinel and Azure Active Directory data. The list is organized by risk, where users that indicate the most risk are at the top of the list, and the users with less security risk are at the bottom. |For each user, shows:<br>• A timeline of failed sign-in attempts<br>• A timeline showing at which point an anomalous failed attempt occurred<br>• The type of anomaly<br>• The user's email address<br>• The Azure Active directory risk indicator<br>• The number of incidents and alerts in Microsoft Sentinel |• When you select a row, you can see a list of alerts and incidents for that user under **Incidents/alerts overview for user**. Below this list, you can also see of Azure Active Directory risk events under **Azure audit and signin risks for user**.<br>• If your Azure Active Directory data is in a different Log Analytics workspace, make sure you select the relevant subscriptions and workspaces at the top of the workbook, under **Azure audit and activities**. |
73
+
|**SAP and Active Directory are better together** | The **Anomalous login failures** table shows a combination of Microsoft Sentinel and Azure Active Directory data. The workbook displays the users according to risk: Users that indicate the most risk are at the top of the list, and the users with less security risk are at the bottom. |For each user, shows:<br>• A timeline of failed sign-in attempts<br>• A timeline showing at which point an anomalous failed attempt occurred<br>• The type of anomaly<br>• The user's email address<br>• The Azure Active directory risk indicator<br>• The number of incidents and alerts in Microsoft Sentinel |• When you select a row, you can see a list of alerts and incidents for that user under **Incidents/alerts overview for user**. Below this list, you can also see of Azure Active Directory risk events under **Azure audit and signin risks for user**.<br>• If your Azure Active Directory data is in a different Log Analytics workspace, make sure you select the relevant subscriptions and workspaces at the top of the workbook, under **Azure audit and activities**. |
74
74
|**Logon failure rate per system**|Visually represents the selected SAP systems. |• For each system, shows the number of failures in the selected period<br>• Systems are grouped by type.<br>• The color of the system indicates the number of failed attempts: Green indicates a few suspicious logon attempts, where red indicates more suspicious logon attempts. |You can select a system to see a list of failed sign ins with details about the failures. |
75
75
76
76
In this screenshot, you can see the data shown when the first line is selected in the **Anomalous login failures** table. The specific alerts and incident URLs are shown in the **Incidents/alerts overview for user** table.
77
77
78
78
:::image type="content" source="media/sap-audit-log-workbook/anomalous-logon-failures-table.png" alt-text="Screenshot of data shown when a line is selected in the Anomalous login failures table." lightbox="media/sap-audit-log-workbook/anomalous-logon-failures-table.png":::
79
79
80
-
In this screenshot, the **Azure audit and signin risks for user** table shows data for the signin risk related to this user.
80
+
In this screenshot, the **Azure audit and signin risks for user** table shows data for the sign-in risk related to this user.
81
81
82
-
:::image type="content" source="media/sap-audit-log-workbook/azure-audit-signin-risks.png" alt-text="Screenshot of audit and signin risk data shown when a line is selected in the Anomalous login failures table." lightbox="media/sap-audit-log-workbook/azure-audit-signin-risks.png":::
82
+
:::image type="content" source="media/sap-audit-log-workbook/azure-audit-signin-risks.png" alt-text="Screenshot of audit and sign-in risk data shown when a line is selected in the Anomalous login failures table." lightbox="media/sap-audit-log-workbook/azure-audit-signin-risks.png":::
83
83
84
84
In this screenshot, you can see the **Login failure rate per system** area, where the **84e** system under the **Test** group is selected. The **Failed logons for system** area on the right shows failure events for this system.
85
85
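Review bot: the rewritten **SAP and Active Directory are better together** row still carries the stray "of" in "you can also see of Azure Active Directory risk events" (it should read "you can also see Azure Active Directory risk events"); drop it while this cell is being touched. In the same hunk, the **Unique user logons per system** row now hyphenates "sign-in trends" but leaves "unique sign ins" unhyphenated, and the unchanged **Logon types trend** and **Logon failures Vs. success** rows still read "sign ins" and "Vs."; since this change is a terminology pass, make those consistent too. Two smaller points: the first table's separator row `|---------|---------|` has two columns under the three-column header `|Area |Description |Options |`, so a third `|---------|` is needed for the **Options** column to render, and the closing paragraph calls the area **Login failure rate per system** while the table row names it **Logon failure rate per system**; confirm which label the workbook uses and align.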
@@ -93,8 +93,8 @@ The **Logon failures trends** area shows the trends and number of failed sign-in
93
93
94
94
|Area |Description |
95
95
|---------|---------|
96
-
|**Login failure by cause**| Shows a trend of the number of sign-in failures according to cause, for example: incorrect sign-in data. |
97
-
|**Login failure by type**| Shows a trend of the number of sign-in failures according to type, for example: the sign-in triggered a background job, or the signin was via HTTP. |
96
+
|**Login failure by cause**| Shows a trend of the number of sign-in failures according to the cause of failure, for example: incorrect sign-in data. |
97
+
|**Login failure by type**| Shows a trend of the number of sign-in failures according to type, for example: the sign-in triggered a background job, or the sign-in was via HTTP. |
98
98
|**Login failure by method**| Shows a trend of the number of sign-in failures according to method, for example: SNC or a sign-in ticket. |
99
99
100
100
## Audit log alerts report tab
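Review bot: the three area names in this hunk use **Login failure by ...** while the surrounding section heading and the table above it use "Logon failures"; if these are the workbook's own UI labels, keep them, otherwise align them with "Logon" to match the rest of the article. The hyphenation of "sign-in" is now consistent across the three rows.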
@@ -106,10 +106,10 @@ This tab shows severity and audit trends for each SAP system and user. All areas
106
106
|Area |Description |Specific data |Options/notes |
107
107
|---------|---------|---------|---------|
108
108
|**Alert severity trends per System ID**|Shows a list of systems, with a graph of medium and high severity event trends per system. For example, the 012 system had many high severity events over the entire period, and a few medium severity events with a spike that shows more medium severity events in the middle of the period. |||
109
-
|**Audit trend per user**|Shows a combination of Microsoft Sentinel and Azure Active Directory data. The list is organized by risk, where users that indicate the most risk are at the top of the list, and the users with less security risk are at the bottom. |For each user, shows:<br>• A timeline of high and medium severity events<br>• The user's email address<br>• The Azure Active directory risk indicator<br>• The number of incidents and alerts in Microsoft Sentinel |When you select a row, you can see a list of alerts and incidents for that user under **Incidents/alerts overview for user**. Below this list, you can also see of Azure Active Directory risk events under **Azure audit and signin risks for user**. |
109
+
|**Audit trend per user**|Shows a combination of Microsoft Sentinel and Azure Active Directory data. The workbook displays the users according to risk: Users that indicate the most risk are at the top of the list, and users with less security risk are at the bottom. |For each user, shows:<br>• A timeline of high and medium severity events<br>• The user's email address<br>• The Azure Active directory risk indicator<br>• The number of incidents and alerts in Microsoft Sentinel |When you select a row, you can see a list of alerts and incidents for that user under **Incidents/alerts overview for user**. Below this list, you can also see of Azure Active Directory risk events under **Azure audit and signin risks for user**. |
110
110
|**Risk score per system**| Visually represents each system in a cell shape. |• Shows the risk score for each system.<br>• Systems are grouped by type.<br>• The color of the system indicates the risk: Green indicates a system with a lower risk score, where red indicates a higher risk score. |You can select a system to see a list of SAP events per system. |
111
111
|**Events by MITRE ATT&CK® tactics**|Shows a list of SAP events grouped by MITRE ATT&CK® tactics, like Initial Access or Defense Evasion. ||You can hover over the graph to show the number of sign-ins for different dates. |
112
-
|**Events by category**|Shows a list of SAP event trends grouped by category, like RFC Start or Logon. ||You can hover over the graph to show the signin number for different dates. |
112
+
|**Events by category**|Shows a list of SAP event trends grouped by category, like RFC Start or Logon. ||You can hover over the graph to show the sign-in number for different dates. |
113
113
|**Events by authorization group**|Shows a list of SAP event trends grouped by the SAP authorization group, like USER or SUPER. ||You can hover over the graph to show the number of sign-ins for different dates. |
114
114
|**Events by user type**|Shows a list of SAP event trends grouped by the SAP user type, like Dialog or system. ||You can hover over the graph to show the number of sign-ins for different dates. |
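Review bot: the rewritten **Audit trend per user** row keeps the stray "of" in "you can also see of Azure Active Directory risk events"; remove it while this cell is being edited. In the **Events by category** row the new text reads "show the sign-in number for different dates" while the neighbouring rows read "the number of sign-ins"; use one phrasing. More substantively, all four **Events by ...** rows describe SAP events grouped by tactic, category, authorization group or user type, yet their hover note says "the number of sign-ins"; check whether the graph shows event counts and, if so, change the note to "the number of events".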
articles/sentinel/sap/sap-solution-security-content.md
3 additions & 3 deletions
@@ -19,7 +19,7 @@ Available security content includes built-in workbooks and analytics rules. You
19
19
20
20
## Built-in workbooks
21
21
22
-
Use the following built-in workbooks to visualize and monitor data ingested via the SAP data connector. After deploying the SAP solution, SAP workbooks are found in the **My workbooks** tab.
22
+
Use the following built-in workbooks to visualize and monitor data ingested via the SAP data connector. After you deploy the SAP solution, you can find SAP workbooks in the **My workbooks** tab.
23
23
24
24
| Workbook name | Description | Logs |
25
25
| --------- | --------- | --------- |
@@ -64,8 +64,8 @@ The following tables list the built-in [analytics rules](deploy-sap-security-con
64
64
| --------- | --------- | --------- | --------- |
65
65
|**SAP - Login from unexpected network**| Identifies a sign-in from an unexpected network. <br><br>Maintain networks in the [SAP - Networks](#networks) watchlist. | Sign in to the backend system from an IP address that is not assigned to one of the networks. <br><br>**Data sources**: SAPcon - Audit Log | Initial Access |
|**SAP - Dialog logon attempt from a privileged user**| Identifies dialog sign-in attempts, with the **AUM** type, by privileged users in a SAP system. For more information, see the [SAPUsersGetPrivileged](sap-solution-log-reference.md#sapusersgetprivileged). | Attempt to sign in from the same IP to several systems or clients within the scheduled time interval<br><br>**Data sources**: SAPcon - Audit Log | Impact, Lateral Movement |
68
-
|**SAP - Brute force attacks**| Identifies brute force attacks on the SAP system using RFC logons | Attempt to login from the same IP to several systems/clients within the scheduled time interval using RFC<br><br>**Data sources**: SAPcon - Audit Log | Credential Access |
67
+
|**SAP - Dialog logon attempt from a privileged user**| Identifies dialog sign-in attempts, with the **AUM** type, by privileged users in an SAP system. For more information, see the [SAPUsersGetPrivileged](sap-solution-log-reference.md#sapusersgetprivileged). | Attempt to sign in from the same IP to several systems or clients within the scheduled time interval<br><br>**Data sources**: SAPcon - Audit Log | Impact, Lateral Movement |
68
+
|**SAP - Brute force attacks**| Identifies brute force attacks on the SAP system using RFC logons | Attempt to log in from the same IP to several systems/clients within the scheduled time interval using RFC<br><br>**Data sources**: SAPcon - Audit Log | Credential Access |
69
69
|**SAP - Multiple Logons from the same IP**| Identifies the sign-in of several users from same IP address within a scheduled time interval. <br><br>**Sub-use case**: [Persistency](#built-in-sap-analytics-rules-for-persistency)| Sign in using several users through the same IP address. <br><br>**Data sources**: SAPcon - Audit Log | Initial Access |
70
70
|**SAP - Multiple Logons by User**| Identifies sign-ins of the same user from several terminals within scheduled time interval. <br><br>Available only via the Audit SAL method, for SAP versions 7.5 and higher. | Sign in using the same user, using different IP addresses. <br><br>**Data sources**: SAPcon - Audit Log | PreAttack, Credential Access, Initial Access, Collection <br><br>**Sub-use case**: [Persistency](#built-in-sap-analytics-rules-for-persistency)|
71
71
|**SAP - Informational - Lifecycle - SAP Notes were implemented in system**| Identifies SAP Note implementation in the system. | Implement an SAP Note using SNOTE/TCI. <br><br>**Data sources**: SAPcon - Change Requests | - |
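Review bot: in the rewritten **SAP - Dialog logon attempt from a privileged user** row, the trigger column still reads "Attempt to sign in from the same IP to several systems or clients within the scheduled time interval", which is the brute-force trigger repeated in the row below rather than a dialog logon by a privileged user; confirm the intended simulation step and reword it. In the same row, "see the [SAPUsersGetPrivileged](sap-solution-log-reference.md#sapusersgetprivileged)." is a sentence fragment; say what the link points to (for example, the function or reference section, whichever it is). Also, the **SAP - Brute force attacks** description "Identifies brute force attacks on the SAP system using RFC logons" lacks the terminating period the other rows have.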