Detect and investigate threats in SAP logs

Google Security Operations (SecOps) provides a suite of tools and predefined YARA-L rules specifically designed to help you detect, investigate, and respond to threats within your SAP environment. After you have successfully ingested your SAP logs, you can use these capabilities to enhance your security posture.

The following sections describe the high-level workflow for detecting and responding to threats.

Import YARA-L rules for SAP from GitHub

Google maintains a collection of YARA-L rules for SAP in a public GitHub repository. These rules are designed to identify common SAP-specific attack vectors, such as unauthorized configuration changes, sensitive transaction execution, and privilege escalation.

To import YARA-L rules, do the following:

  1. Access the Google SecOps Detection Rules repository on GitHub.
  2. Navigate to the rules directory to find SAP-related rule files.
  3. To implement a rule, copy the YARA-L content from the YAML file in GitHub.
  4. In the Google SecOps menu, go to Detection > Rules and Detections > Rules Editor.
  5. Select the plus (+) icon to create a new rule, paste the YARA-L content, and select Save as new.

For more information on managing rules, see Manage rules using the Rules Editor.

Activate and configure YARA-L rules

To begin monitoring your SAP logs, you must configure their operational state. Google SecOps disables new YARA-L rules by default. For more information, see Run a rule on live data.

Configure the following operational states for your rules:

  • Detecting: Use this state to generate detections. We recommend that you enable this state immediately for all relevant SAP rules.
  • Alerting: Use this state to promote detections to formal alerts. Alerts are the primary objects used by the SOAR (Security Orchestration, Automation, and Response) engine to build cases.
  • Risk scoring: You can assign a risk score to each rule. When a rule triggers, the associated entities accumulate this score, allowing analysts to prioritize investigations based on high-risk users or assets. For details on configuring entity risk scores in your rules, see Specify entity risk score in rules.

Customize YARA-L rules and data tables

Some YARA-L rules for SAP require customization to account for your specific environment, such as identifying production systems or authorized administrator accounts.

Use the Rules Editor

You can use the Rules Editor to manually fine-tune rule logic, such as adding specific SAP transaction codes or excluding authorized users from detection findings. Common edits include:

  • Filter events by transaction codes: Add or remove specific SAP transaction codes (TCODEs) to narrow the rule's scope.
  • Exclude authorized activity: Add logic to ignore events generated by specific service accounts, administrative users, or maintenance windows.
  • Adjust correlation windows: Modify the match or duration values in multi-event rules to change the timeframe for related security events.

Example customization: The following YARA-L snippet shows how to modify a rule to exclude activity from a specific maintenance user:

$event.principal.user.userid != "MAINTENANCE_USER"

To exclude a group of authorized administrators defined in a data table named SAP_ADMIN_USERS:

not $event.principal.user.userid in %SAP_ADMIN_USERS

For more information, see Manage rules using the Rules Editor.

Use data tables

Data tables are lookup files used by YARA-L rules to include or exclude specific values. For example, a YARA-L rule monitoring for sensitive transaction execution may reference a data table named SAP_ADMIN_USERS to exclude authorized administrative activity.

Common SAP-specific data tables include:

  • SAP_ADMIN_USERS: SAP usernames for administrators who perform authorized maintenance.
  • production_systems: SAP System IDs (SIDs), such as DS4, to identify production environments.
  • sensitive_abap_programs: A list of ABAP programs or reports that require heightened monitoring.
  • sensitive_roles and sensitive_tables: Critical SAP components that trigger alerts when accessed.

Some YARA-L rules don't function correctly, and cannot be saved, until the data tables they reference exist and are populated. For more information about the tables a rule requires, see the documentation or the comments within the rule file in GitHub.

To create and manage these tables, in the Google SecOps menu, select Investigation > Data Tables. To learn how to manage and query supplementary data, see Use data tables.
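The following rule brings together the customizations described in the Rules Editor and data tables sections above. It is an added example and not one of the rules from the GitHub repository; the UDM field mappings for the transaction code and the system ID are assumptions (check your SAP parser), and the data table references use the form shown in this page's snippets, so verify it against your table definitions.

```yara-l
rule sap_sensitive_tcode_by_unexpected_user {

  meta:
    author = "added example"
    description = "Sensitive SAP transaction code run by a user who is not an authorized administrator"
    severity = "MEDIUM"

  events:
    // Assumption: the SAP parser maps the executed transaction code (TCODE)
    // to target.resource.name and the SAP system ID to target.hostname.
    $event.target.application = "SAP"
    $event.target.resource.name = $tcode
    $event.target.hostname = $sid
    $event.principal.user.userid = $user

    // Filter events by transaction codes: narrow the rule to a short TCODE list.
    re.regex($tcode, `^(SE16|SE38|SU01)$`)

    // Exclude authorized activity, as on this page: a named maintenance account
    // and every user listed in the SAP_ADMIN_USERS data table.
    $user != "MAINTENANCE_USER"
    not $user in %SAP_ADMIN_USERS

    // Scope the rule to production systems (DS4 is the page's sample SID).
    $sid in %production_systems

  match:
    // Correlation window: group all matching events per user over one hour.
    $user over 1h

  outcome:
    // Entity risk score added to the user each time the rule triggers.
    $risk_score = max(60)
    $tcodes_seen = array_distinct($tcode)
    $systems_seen = array_distinct($sid)
    $event_count = count_distinct($event.metadata.id)

  condition:
    $event
}
```

Because the rule references two data tables, it cannot be saved until SAP_ADMIN_USERS and production_systems exist and are populated.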

In Google SecOps, an alert is a notification that a specific YARA-L rule has been triggered by your SAP logs. A case represents one or multiple related alerts that are grouped together for investigation by a security analyst.

Access cases

To begin an investigation, navigate to the Cases page in the Google SecOps menu.

  1. In the Google SecOps menu, select Response > Cases.
  2. Select a case from the list to open the case overview. You can filter the list by Priority or Status, or use the search box to find SAP-specific alerts, for example by searching for SAP.

When you open a case, the interface provides several views to conduct your investigation:

  • Case Overview: View the Gemini summary, case description, and a list of all associated alerts.
  • Case Wall: A chronological log of case activities where you can add comments, attach files, and track SOAR playbook actions.
  • Alert View: Provides a detailed look at the specific Unified Data Model (UDM) events and the Rule Name that triggered the alert. This view is customizable, letting you highlight the most relevant SAP fields.

Use automated analysis with Gemini

Google SecOps includes built-in AI integration with Gemini to accelerate your triage process. When a case is created, Gemini automatically generates a summary that includes:

  • An overview of the threat.
  • Initial investigation steps.
  • Suggested next steps for remediation.

This AI-driven analysis provides instant context, even for analysts who are not familiar with SAP-specific technical logs. For more information, see Using the Gemini case summary widget.

Search and filter SAP logs

Google SecOps provides powerful search capabilities to hunt for specific threats or anomalies across your SAP logs.

  • UDM Search: Conduct searches across parsed and normalized SAP data using the UDM Search interface.
  • Raw Log Search: Search your raw, unparsed logs using strings or regular expressions, for example, raw = "user_name". To learn how to search across unparsed log data, see Use raw log search.
  • Aggregations: Use the Aggregations feature to identify trends and outliers within large datasets.

Automate with playbooks

SOAR playbooks automate response actions and enrich alerts with additional context, significantly reducing the manual effort for analysts.

  • Custom triggers: To target SAP alerts specifically, configure playbook triggers. You can use regular expressions in the trigger conditions. For example, match alert names that start with SAP_ using $alert.name.
  • Enrichment and remediation: Playbooks can automatically pull additional data from your SAP environment or trigger remediation actions, such as using actions in playbooks.

To learn more about response capabilities, see Google SecOps SOAR overview.
