Print this page
SAP Intrusion Detection, connect SAP to Splunk SAP Intrusion Detection, connect SAP to Splunk
Friday, 15 June 2018 11:43

SAP® Cybersecurity monitoring made easy Featured

Learn how to secure your SAP landscape without jeopardizing resource capacity, stressing budgets and running lengthy projects.

In the average security conscience corporation, there is a team of cybersecurity analysts monitoring the IT landscape around the clock to protect against malicious attacks, theft of intellectual property and other security incidents. But, what about the company’s SAP systems that support critical business processes and store some of the most sensitive data? Our years of experience working with some top global players teaches us that cybersecurity teams tend to neglect, sometimes ignore these systems. Reasons are multi-dimensional and range from a missing understanding of SAP specifics to the lack of appropriate solutions in the market. We set out to change this when we created SecurityBridge!

Best of Breed

SecurityBridge was initially designed to “bridge the gap” between SAP® and IT Security. It is a lightweight SAP add-on that can be installed on any SAP ABAP based system to detect malicious attacks, authorization misuse, compliance deviations, fraud and much more! Accomplished by correlating all relevant SAP data sources in real-time security event are raised at the time suspicious activity is executed, and all with no additional hardware required.

An easy to use web interface represents configuration and alerts across your entire SAP landscape.

SecurityBridge sends intelligible SAP events, directly to existing Security Information Event Management (SIEM) systems using the standardized Common Events Format (CEF), also known as Syslog. Translation of technical SAP messages into a self-explanatory event enriched with the needed security context is a key feature of SecurityBridge and builds the foundation the risk evaluation by a non-SAP native.

Organizations not running a SIEM monitor their SAP systems with SecurityBridge, which also includes out-of-the-box monitoring and dashboards. With no additional effort, you can tap into the capabilities provided by industry leading security suites.

Splunk Enterprise Security,
real-time security needs real-time answers is now announcing a free Splunk App for SecurityBridge. Splunk Enterprise Security is a market leading SIEM solution, which streamlines all aspects of security operations and is suitable for organizations of all sizes and expertise.

The SecurityBridge Splunk App will make your cybersecurity analysts effective on day one with pre-built dashboards and criticality groupings.

Intelligence versus dump adapters

Why not collect all available SAP log sources (Security Audit Log is by far not enough!) directly into your SIEM using an adapter?

Size: only store the data you really need

Collecting all logs for a large SAP landscape would be in the gigabytes per day range, and much of this data does not have a useful security context.

Separate the signal from the noise

To efficiently monitor your systems without completely duplicating storage requirements, you need tool driven intelligence, that can separate the signal from the noise using SAP specific knowledge for the correlation and alerting. With SecurityBridge, security relevant information, in context of suspicious actions, is combined in a human readable format.


Complexity: rely on the experts to avoid mistakes

Correlating large amounts of log data is a complex task and takes a team of experts with years of experience to do right. Only few companies have the required combination of SAP and cybersecurity expertise to develop hundreds of detection scenarios. This task gains complexity, since most log sources only contain a subset of information to detect and alert on cybersecurity events. This does not take into account that there are new exploits released all the time and the detection logic must be continuously updated to stay ahead of the latest cyber threats.

Here is a classic example of what we see with customers that attempt to collect and analyze SAP logs before they start using SecurityBridge. In the screenshot below, you will see what is detected in the Security Audit Log (SAL) when a rogue developer or attacker steals passwords using a code injection technique:

That’s right. Not a single log entry gets recorded in the Security Audit Log!

On the other hand, when using correct correlation and a full understanding of attacker techniques, a SecurityBridge customer would receive the following alert notifying about the intrusion:

When using SecurityBridge, customers not only benefit from decades of SAP and cyber security experience with the out-of-the-box detection, but also receive updates that result from new developments in other customers’ environments. This ensures that commonly used attack patterns are recognized and will become visible as they are executed.

Workload: save months of work from internal staff

When deciding to embark on the journey to create correlation of all relevant SAP log sources yourself, in an attempt to alert on all suspicious activity across your SAP landscape, it will take months (or years) to develop and tune to a fully operational state. Even if you were successful at implementation, you would still need a dedicated team to ensure that all correlation rules will be regularly tested and that new rules are routinely created for emerging cyber threats. The cost to benefit ratio is just not there to make this a worthwhile undertaking.

With SecurityBridge, it takes only days to implement full monitoring across your SAP landscape without taxing your already overburdened internal staff.

Alternatives to SecurityBridge

SecurityBridge covers a wide scope, including compliance monitoring which is customizable to individual hardening standards, insider threat detection, cyber-attack detection, access monitoring for regulations such as PCI or GDPR, and identity theft detection. Alternative solutions focus on one, or only a few of these use cases. The result is that the customer is left with a false sense of security or requires multiple tools to reach a full set of security controls.

We are so confident in our product that we offer customers a one-month free trial of SecurityBridge to see how easy it is to setup and the immediate value provided. Request your test drive at


The SB splunk application is available as a free download via Splunkbase.

SB Splunkbase

Additional Info

  • Language:: English
Ivan Mans

Ivan Mans

Passionate about SAP.

Email This email address is being protected from spambots. You need JavaScript enabled to view it.

Related items