
How to avoid huge and fluctuating SAP-SIEM data cost

28 March 2023

By using Protect4S Threat Detection  

For real-time SAP threat detection, it is quite common to monitor SAP systems from a Security Operations Center (SOC) using a central SIEM solution. Traditionally, however, these SIEM solutions are not ‘SAP-aware’ and should be fed with SAP security-relevant data to get the most out of them and to help secure the organization as a whole.


Without a specialized SAP threat detection solution, there is only one option left: sending all SAP security events to the SIEM, which leads to very high and unpredictable data costs. Extracting the relevant threats from that enormous amount of unfiltered events is a hell of a job for SIEM vendors.

What are SIEM solutions? 

There are many definitions, but in our view the one from Microsoft explains it straightforwardly:

Security Information and Event Management (SIEM) is a solution that helps organizations detect, analyze, and respond to security threats before they harm business operations.  

SIEM combines both security information management (SIM) and security event management (SEM) into one security management system. SIEM technology collects event log data from a range of sources, identifies activity that deviates from the norm with real-time analysis, and takes appropriate action. 

In short, SIEM gives organizations visibility into activity within their network so they can respond swiftly to potential cyberattacks and meet compliance requirements. 

Combined with SAP-specific information fed from a Threat Detection solution, SIEM solutions offer great visibility into activity in the SAP landscape, providing superb means of swift response and integration with Incident Management and other solutions, for more complete SAP protection.

What do they cost? 

Nowadays, many SIEM solutions charge customers based on the amount of data fed to them. The more data sent, the higher the monthly charges.  

This might lead to high costs, especially in the SAP world where many different SAP logs and data sources exist and they quickly generate enormous amounts of events. When sending all SAP security events from all these data sources unfiltered to SIEM solutions, they easily generate many gigabytes of daily data.  


What alternatives exist to minimize the data stream towards SIEM solutions? 

There are several ways to restrict the number of events sent to SIEM solutions. To start with, you can tune the source by not having SAP systems generate the events in the first place. This will limit the number of events being generated and hence limit the number of events sent to SIEM solutions.  

However, this is not a good approach: in the case of an attack, or in other cases where forensic research is needed, you might not have the full picture of what happened in your SAP systems, leading to less overall security.


A more pragmatic approach, which we apply in our own Protect4S SAP Threat Detection solution, is to send only qualified threats (based on rules and logic) to SIEM solutions, with the events that led to the threat alert attached. This ensures that action can be taken on the SIEM side based on the reported threats, while drastically reducing the amount of data sent to SIEM (>90%), leading to serious cost reductions.

An example of such a threat ending up in this case in Microsoft Sentinel SIEM can look like this: 

[Image: threat alert as shown in Microsoft Sentinel]

Where the triggering event(s) with its details is also attached to the threat: 

[Image: triggering event details attached to the threat]
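The forwarding approach described above, sketched as an added example (not Protect4S code or its rule set): one hypothetical rule qualifies a threat from constructed events, attaches the triggering events, and compares the bytes forwarded against sending every event unfiltered. The event fields, the rule and its thresholds are assumptions, and the resulting ratio depends entirely on the constructed event mix.

```python
import json
from collections import defaultdict

def sample_events():
    """Constructed sample events (not real SAP log output); field names are assumptions."""
    events = [{"ts": t, "sid": "PRD", "user": f"USER{t % 40:02d}", "kind": "TRANSACTION_START",
               "detail": "VA01", "terminal": "10.0.0.5"} for t in range(0, 2000, 10)]
    # Five failed logons for one account within half a minute, then a success.
    events += [{"ts": 900 + i * 5, "sid": "PRD", "user": "SVC_BATCH", "kind": "LOGON_FAILED",
                "detail": "wrong password", "terminal": "10.0.9.77"} for i in range(5)]
    events.append({"ts": 930, "sid": "PRD", "user": "SVC_BATCH", "kind": "LOGON_OK",
                   "detail": "dialog logon", "terminal": "10.0.9.77"})
    return sorted(events, key=lambda e: e["ts"])

def qualify(events, threshold=5, window=60):
    """Hypothetical rule: at least `threshold` failed logons for one user within
    `window` seconds, followed by a successful logon for that user."""
    failed = defaultdict(list)
    threats = []
    for ev in events:
        if ev["kind"] == "LOGON_FAILED":
            failed[ev["user"]].append(ev)
        elif ev["kind"] == "LOGON_OK":
            recent = [f for f in failed[ev["user"]] if ev["ts"] - f["ts"] <= window]
            if len(recent) >= threshold:
                # Forward the threat with the events that triggered it attached,
                # so the SOC can act without the full raw log stream.
                threats.append({"rule": "failed_logons_then_success", "sid": ev["sid"],
                                "user": ev["user"], "events": recent + [ev]})
            failed[ev["user"]].clear()
    return threats

def wire_bytes(records):
    """Size of the records as JSON, a stand-in for billed SIEM ingestion volume."""
    return sum(len(json.dumps(r).encode()) for r in records)

def reduction(events, threats):
    """Fraction of ingestion volume saved by forwarding only qualified threats."""
    return 1 - wire_bytes(threats) / wire_bytes(events)

if __name__ == "__main__":
    evs = sample_events()
    thr = qualify(evs)
    print(f"{len(evs)} events, {len(thr)} threat(s) forwarded, "
          f"{reduction(evs, thr):.1%} less data sent")
```

The full event stream still needs to be retained at the source for forensics, as the article notes; only the forwarding to SIEM is filtered.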


Threat detection capabilities for SAP landscapes are being introduced into the SAP ecosystem at a steady pace. Integration with SIEM solutions is a logical and important next step, but it is important to be aware of the possible (high) cost increase when all events are sent unfiltered to these SIEM solutions.

The Protect4S Threat Detection solution takes a more pragmatic approach and only sends qualified Threats to SIEM with the underlying triggering events from the data sources involved. This leads to a drastic cost reduction. 

Interested in learning more? We are happy to tell you more about our SAP Vulnerability Management and Threat Detection capabilities. For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!