An easy way to process SAP threats without a SIEM solution

Introduction
Usually, a typical SAP threat detection scenario runs through a SIEM solution in a Security Operation Center (SOC). But what if you, as an SAP customer or SAP managed service provider, do not (yet) have a SIEM option? Or maybe because you want the SAP threat detection process to run directly through the SAP support team instead of indirectly through a SOC. For that reason, the Protect4S product development team has added a so-called email output option to our SAP Threat Detection solution. This new functionality ensures that the detected SAP cybersecurity threats can be further processed via email.
Flexibility in threat analysis to suit different customer needs
Protect4S SAP Threat Detection offers real-time analysis of events in SAP systems to identify security threats. It does so by reading security related information from so-called ‘data sources’ like the SAP RFC gateway and the Security Audit log. And by analyzing this information to determine if these events (or combination of events) are a sign of suspicious behavior. If this is the case, a so-called ‘threat’ is generated, that can be used by the customer to take immediate action or to start further investigation. See our previous blogs here and here for examples of threat detection use-cases.
“Not all organizations have a SIEM solution and are looking for an alternative to easily analyze and process SAP threats”
One way to analyze SAP threats, is to simply logon to the Protect4S application and check whether any new threats have been generated. The application gives detailed information about all threats that are generated including the underlying events that are the basis for these threats. The obvious downside of this method is that it requires manual action from the user which makes this labor intensive and not always suitable for quick follow-up.
Another way is the usage of a SIEM solution that normally does allow a quick follow-up of threats. Moreover, all sort of additional actions, rules, correlation etc. can be defined in a typical SIEM solution for incoming events. This makes a SIEM solution the ideal match for real-time threat detection. Therefore, we support integration with SIEM solutions like Microsoft Sentinel and IBM QRadar, and are enhancing this with other solutions as well. However, not all organizations have a SIEM solution (fully) implemented and are looking for an alternative way to receive and analyze threats.
“Threats by email as a pragmatic solution to receive and analyze threats”
As an additional alternative, our SAP threat detection solution is now also able to forward threats by email.
A straightforward, but pragmatic solution that does not require any other solutions like SIEM and can easily be implemented. While still enabling near real-time detection for follow-up of threats. It can also be used alongside a SIEM solution, so that threats are received by both the SIEM solution and email recipients. See below for an example.
Example of threat forwarding by email
Let’s use an example of a threat situation to demonstrate how we have implemented this feature. We will use the example of one of the built-in use cases, that detects usage of critical transactions in an SAP ABAP system. A typical example of a transaction that should normally be used with due care, is transaction SE16 which allows direct access to tables in the SAP system. Proper setup of authorizations should restrict access to this transaction for most – if not all –users but by activating this use case, it can still be identified when the transaction is used.
- Prerequisites
First, some preliminary steps need be made. In the Protect4S SAP Threat Detection application, a simple configuration of sender and receiver addresses must be done:

As shown, multiple receivers can configured, separated by a semicolon (“;”).
Further, the underlying SMTP configuration needs to be setup. To keep the example clear, this is not further detailed here. See the following link for how this is done on an SAP ABAP based system.
2. Start of transaction SE16 in a monitored system by Protect4S SAP Threat Detection
Here, we simply logon to a system that is monitored by a threat detection system and start transaction SE16 in an attempt to start direct access to tables. Note that no table is accessed yet, only the transaction is started.

3. This action is logged as an ‘event’ by the monitored system and identified by the threat detection application as a ‘threat’. The threat can be viewed in detail in the threat application itself, as shown below:

4. Following the email configuration, the threat is also sent by email to the defined recipients. It contains all relevant fields of the threat in the email body, a separate attachment of the threat in JSON format and also a link to directly access the threat in the threat detection application. See below example (not all fields shown):

Conclusion
Apart from the existing options to display and analyse threats of Protect4S SAP Threat Detection, we are happy to also have added the email feature. This ensures that SAP customers and SAP managed service providers can choose between an ‘indirect’ SIEM/SOC scenario or a direct scenario where the detected SAP threats are dealt with directly by the SAP support team.
Feel free to contact us about the capabilities of our solutions Vulnerability Management and Threat Detection.
For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!