This document is a reference for how Google SecOps for SAP log sources map to Unified Data Model (UDM) log types in Google SecOps.
How mapping works
Google SecOps for SAP uses SAP-specific standard parsers within Google SecOps to automatically transform raw SAP logs into the UDM format.
Field mapping reference
This section provides an overview of the SAP log sources that are mapped to the UDM. For detailed field-level mapping information, see the reference documentation for each log source.
SAP HANA Audit
The SAP_HANA_AUDIT parser captures security-relevant events within the SAP HANA database, such as system configuration changes, user authorization modifications, and access to sensitive data.
Ingestion label: SAP_HANA_AUDIT
For more information, see SAP HANA Audit UDM mapping.
SAP Change Document
The SAP_CHANGE_DOCUMENT parser tracks changes made to business objects in SAP systems, including creations, modifications, and deletions of data.
Ingestion label: SAP_CHANGE_DOCUMENT
For more information, see SAP Change Document UDM mapping.
SAP Web Dispatcher
The SAP_WEBDISP parser logs HTTP and HTTPS traffic passing through the SAP Web Dispatcher, providing visibility into external access to SAP web services and applications.
Ingestion label: SAP_WEBDISP
For more information, see SAP Web Dispatcher UDM mapping.
SAP Security Audit
The SAP_SECURITY_AUDIT parser records security-critical events at the SAP application level, such as user logins, failed logon attempts, transaction executions, and report starts.
Ingestion label: SAP_SECURITY_AUDIT
For more information, see SAP Security Audit UDM mapping.
SAP Gateway
The SAP_GATEWAY parser monitors communication between SAP systems and external applications through the SAP Gateway, logging connection attempts and security-related errors.
Ingestion label: SAP_GATEWAY
For more information, see SAP Gateway UDM mapping.
SAP ICM
The SAP_ICM parser records details of web-based communication (HTTP, HTTPS, SMTP) between the SAP Application Server and the internet.
Ingestion label: SAP_ICM
For more information, see SAP ICM UDM mapping.
Use UDM in searches
To filter SAP events when searching in Google SecOps, use the log_type filter to narrow your results:
log_type = "SAP_SECURITY_AUDIT" and principal.user.userid = "ADMIN_USER"
Get support
For issues related to Google SecOps for SAP, contact Google SecOps support. Our team provides assistance or guides you to the right resource to help ensure a timely resolution.
For issues involving SAP systems or the LogServ service, contact SAP support. For issues related to other third-party products, such as Bindplane, contact the appropriate third-party vendor for assistance.
Get technical answers and peer support in the Google SecOps Community.