SAP HANA
About
SAP HANA (High-performance ANalytic Appliance) is a multi-model database that keeps its data in main memory rather than on disk. The column-oriented in-memory design allows advanced analytics to run alongside high-speed transactions in a single system, which lets companies process large volumes of data with near-zero latency, query it instantly, and become truly data-driven. By storing data in column-based tables in main memory and bringing online analytical processing (OLAP) and online transactional processing (OLTP) together, SAP HANA is unique and significantly faster than other database management systems (DBMS) on the market today. SAP HANA offers advanced search, analytics, and data integration capabilities for all types of data, structured and unstructured. It also functions as an application server and helps companies build insight-driven applications based on real-time data, in-memory computing, and machine learning technology. These capabilities are available both in the cloud and on-premises.
Product Details
Vendor URL: SAP HANA | In-Memory Database
Product Type: Database Management
Product Tier: Tier III
Integration Method: Syslog
Integration URL: 2624117 - How-To: Configure HANA audit log in SYSLOG | SAP
Log Guide: Data and Log Volumes - SAP Help Portal; Additional Link for SYSLOG values
Parser Details
Log Format: CEF + KV Data/CSV Data
Expected Normalization Rate: Near 100%
Data Label: SAP_HANA
UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| HANA | metadata.product_name |
| SAP | metadata.vendor_name |
| Audit_Action | metadata.product_event_type |
| Session_User | principal.user.userid |
| Client_Name | principal.hostname |
| Client_Name | principal.asset.hostname |
| Client_IP_Address | principal.ip |
| Client_IP_Address | principal.asset.ip |
| Application_Name | principal.application |
| Client_Process_ID | principal.process.pid |
| Executed_Statement | principal.process.command_line |
| Service_Name | target.application |
| Hostname | target.hostname |
| Hostname | target.asset.hostname |
| Target_Object | target.resource.name |
| Database_Name | target.resource.parent |
| DATABASE | target.resource.type |
| SID | target.asset.product_object_id |
| Target_Principal | target.user.userid |
| Action Status_cs1 | target.asset.attribute.labels |
| Comment_cs2 | target.asset.attribute.labels |
| Component,Section,Parameter_cs3 | target.asset.attribute.labels |
| HANA DB event ID_cs4 | target.asset.attribute.labels |
| HANA DB_cs5 | target.asset.attribute.labels |
| Grantable,Privilege,Role_cs6 | target.asset.attribute.labels |
| PIPE_SAPHANA_TCP_CDC_c6a4 | target.asset.attribute.labels |
| Audit_Action | security_result.action_details |
| Audit_Action-Action_Status | security_result.description |
| Action_Status | security_result.summary |
| Audit_Level | security_result.severity_details |
| Policy_Name | security_result.rule_name |
Product Event Types

| type,subtype | severity | UDM Event Classification | alerting enabled |
|---|---|---|---|
| Default | | FILE_DELETION | |
| | | GENERIC_EVENT | |
| | | GROUP_CREATION | |
| | | GROUP_DELETION | |
| | | GROUP_MODIFICATION | |
| | | PROCESS_PRIVILEGE_ESCALATION | |
| | | RESOURCE_CREATION | |
| | | RESOURCE_DELETION | |
| | | RESOURCE_PERMISSIONS_CHANGE | |
| | | RESOURCE_WRITTEN | |
| | | SERVICE_MODIFICATION | |
| | | SERVICE_STOP | |
| | | SETTING_CREATION | |
| | | SETTING_MODIFICATION | |
| | | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| | | USER_CHANGE_PERMISSIONS | |
| | | USER_CREATION | |
| | | USER_DELETION | |
| | | USER_RESOURCE_CREATION | |
| | | USER_RESOURCE_DELETION | |
| | | USER_RESOURCE_UPDATE_CONTENT | |
| | | USER_RESOURCE_UPDATE_PERMISSIONS | |
| | | USER_UNCATEGORIZED | |
Log Sample
CEF:0|SAP|HANA Syslog Audit Trail|SPS 11|HEC Audit – Table Drop|DROP TABLE|WARNING|rt=1667101770.555 dproc=EXAMPLEREDACTED5623860_123_9_1_12345 dhost=SERVER1 deviceExternalId=REDACTED deviceFacility=02 dpt=30240 devicePayloadId=ABC123 src=10.1.2.3 shost=SERVERNAME sproc=USERNAME sourceTranslatedPort=52036 cs4=298579 cs1=SUCCESSFUL act=DROP TABLE externalId=411137 deviceProcessName=server cs1Label=Action Status cs2Label=Comment cs3Label=Component,Section,Parameter cs3= cs4Label=HANA DB event ID duser=USERNAME suser=USERNAME cs5Label=HANA DB cs6Label=Grantable,Privilege,Role cs5=HDB_TENANTDB dvcpid=298579 c6a4Label=PIPE_SAPHANA_TCP_AMS rawEvent=2022-10-30T03:49:27.979859+00:00 SERVERNAME HDB_TENANTDB[298579]: 2022-10-30T03:49:27.974401Z;server;SERVER1;REDACTED;02;30240;ABC123;10.1.2.3;SERVERNAME;12345;52036;HEC Audit – Table Drop;WARNING;DROP TABLE;USERNAME;EXAMPLE;REDACTED5623860_123_9_1_12345;;;;;SUCCESSFUL;;;;;;;DROP TABLE "EXAMPLE"."REDACTED5623860_123_9_1_12345";411137;USERNAME;;;;;USERNAME;;USERNAME;;;;;;;;;;;;;; cryptoSignature=68f9897737813068REDACTEDbc0b8dbe4509b end=2022-10-30 03:49:27 +00:00
Sample Parsing
metadata.event_type = "RESOURCE_DELETION"
metadata.vendor_name = "HANA"
metadata.product_name = "SAP"
metadata.product_event_type = "DROP TABLE"
principal.hostname = "SERVERNAME"
principal.user.userid = "USERNAME"
principal.process.pid = "12345"
principal.process.command_line = "DROP TABLE EXAMPLE.REDACTED5623860_123_9_1_12345"
principal.ip = "10.1.2.3"
principal.asset.hostname = "SERVERNAME"
principal.asset.ip = "10.1.2.3"
target.hostname = "SERVER1"
target.application = "server"
target.resource.type = "DATABASE"
target.resource.name = "REDACTED5623860_123_9_1_12345"
target.resource.parent = "ABC123"
target.asset.product_object_id = "REDACTED"
target.asset.hostname = "SERVER1"
target.asset.attribute.labels.key = "Action Status"
target.asset.attribute.labels.value = "SUCCESSFUL"
target.asset.attribute.labels.key = "HANA DB event ID"
target.asset.attribute.labels.value = "298579"
target.asset.attribute.labels.key = "HANA DB"
target.asset.attribute.labels.value = "HDB_TENANTDB"
security_result.rule_name = "HEC Audit – Table Drop"
security_result.summary = "SUCCESSFUL"
security_result.description = "DROP TABLE SUCCESSFUL"
security_result.severity_details = "WARNING"
security_result.action_details = "DROP TABLE"
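How the CEF header, the space-separated key=value extensions and the csN/csNLabel pairs of the log sample above reach the UDM fields in the mapping table, as an added Python example (not the vendor's parser and not the SIEM's parser code). It assumes the constant vendor/product values and the header-to-field mapping shown in the table; the sample line is a constructed, abridged copy of the page's sample, and the rawEvent CSV and cryptoSignature extensions are left out.

```python
import re
# Constructed sample, abridged from the page's log sample; hosts, users and IDs are placeholders.
SAMPLE = ('CEF:0|SAP|HANA Syslog Audit Trail|SPS 11|HEC Audit – Table Drop|DROP TABLE|WARNING|'
          'rt=1667101770.555 dhost=SERVER1 src=10.1.2.3 shost=SERVERNAME suser=USERNAME cs1=SUCCESSFUL '
          'act=DROP TABLE cs1Label=Action Status cs3Label=Component,Section,Parameter cs3= '
          'cs4Label=HANA DB event ID cs4=298579 cs5Label=HANA DB cs5=HDB_TENANTDB dvcpid=298579')

EXT_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_]+)=')  # an extension key is a token directly followed by '='

def parse_cef(line):
    """Split a CEF record into its seven pipe-delimited header fields and the extension key=value dict."""
    parts = line.split('|', 7)
    if len(parts) != 8 or not parts[0].startswith('CEF:'):
        raise ValueError('not a CEF record')
    header = dict(zip(['version', 'vendor', 'product', 'product_version', 'signature_id', 'name', 'severity'], parts[:7]))
    ext, body = {}, parts[7]
    keys = list(EXT_KEY.finditer(body))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)  # value runs up to the next key
        ext[m.group(1)] = body[m.end():end].strip()                    # so 'act=DROP TABLE' survives intact
    return header, ext

def resolve_custom_labels(ext):
    """Pair each csNLabel with its csN value; an empty value such as 'cs3=' produces no label."""
    labels = {}
    for key, label in ext.items():
        if key.endswith('Label'):
            value = ext.get(key[:-len('Label')], '')
            if value:
                labels[label] = value
    return labels

def to_udm(line):
    """Apply the page's field mapping: constants for vendor/product, header and extension fields otherwise."""
    header, ext = parse_cef(line)
    labels = resolve_custom_labels(ext)
    status = labels.get('Action Status', '')  # cs1 carries Action_Status
    return {
        'metadata.vendor_name': 'SAP',        # constants, as in the mapping table
        'metadata.product_name': 'HANA',
        'metadata.product_event_type': ext.get('act'),
        'principal.hostname': ext.get('shost'),
        'principal.ip': ext.get('src'),
        'principal.user.userid': ext.get('suser'),
        'security_result.rule_name': header['signature_id'],      # Policy_Name
        'security_result.severity_details': header['severity'],   # Audit_Level
        'security_result.summary': status,
        'security_result.description': f"{ext.get('act', '')} {status}".strip(),
        'target.asset.attribute.labels': [{'key': k, 'value': v} for k, v in labels.items()],
    }
```

Run `to_udm(SAMPLE)` to see the label list and description that the Sample Parsing section shows; a line that does not start with `CEF:` or lacks the seven header fields is rejected rather than half-parsed.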
Parser Alerting
This product currently does not have any Parser-based Alerting