I hope this post finds you well. Today, I'd like to discuss how to extract custom SAP table modification logs in SIEM using LogPoint.
For those unfamiliar with the concept, SIEM (Security Information and Event Management) is a technology that combines security information management (SIM) and security event management (SEM) to provide real-time analysis of security alerts generated by network hardware and applications.
LogPoint is an industry-leading SIEM solution that enables users to collect and analyze log data from various sources, including SAP systems.
When it comes to SAP systems, LogPoint can be used to extract modification logs for standard tables. However, for custom tables, some additional configuration is required to ensure that the logs are collected and analyzed properly.
Here are the steps you can follow to extract custom SAP table modification logs in LogPoint:
Step 1: Enable Change Document Object
First, you need to enable the change document object for your custom table. You can do this by using the transaction code SCDO. Once you have enabled the change document object, SAP [https://www.lenovo.com/ca/en/servers-storage/solutions/sap] will start creating logs whenever a change is made to your custom table.
Step 2: Define Change Document Object for Logging
Next, you need to define the change document object for logging. You can do this by using the transaction code SCU3. In the Object Attributes tab, select "Change Documents" and then choose the "Create/Change" option to define the change document object.
Step 3: Define Logical System Name
Now, you need to define the logical system name for your SAP system. You can do this by using the transaction code SALE. In the "Logical Systems" option, select "Define Logical System" and then create a new logical system name.
Step 4: Configure the RFC Destination
Next, you need to configure the RFC destination. You can do this by using the transaction code SM59. In the "RFC Destinations" option, create a new RFC destination for your SAP system.
Step 5: Configure the Data Source in LogPoint
Finally, you need to configure the data source in LogPoint. To do this, go to the "Sources" tab in LogPoint and select "SAP" as the source type. Then, configure the data source by entering the RFC destination details and selecting the custom table for which you want to extract the modification logs.
In conclusion, extracting custom SAP table modification logs in SIEM using LogPoint requires some additional configuration steps. By following the steps outlined above, you can ensure that the logs are collected and analyzed properly, enabling you to detect and respond to potential security threats in your SAP system.
I hope you found this post helpful. If you have any questions or suggestions, please feel free to share them in the comments section below.
Thanks a lot for sharing
@yashusharma, very insightful indeed :)