
SAP HANA

About

SAP HANA (High-performance ANalytic Appliance) is a multi-model database that stores data in main memory instead of keeping it on disk. The column-oriented in-memory database design allows you to run advanced analytics alongside high-speed transactions in a single system. Why is this important? Because it lets companies process massive amounts of data with near-zero latency, query data in an instant, and become truly data-driven. By storing data in column-based tables in main memory and bringing online analytical processing (OLAP) and online transactional processing (OLTP) together, SAP HANA is unique, and significantly faster than other database management systems (DBMS) on the market today. SAP HANA offers advanced search, analytics, and data integration capabilities for all types of data, structured and unstructured. It also functions as an application server and helps companies build smart, insight-driven applications based on real-time data, in-memory computing, and machine learning technology. These capabilities are available both in the cloud and on premises.

Product Details

Vendor URL: SAP HANA | In-Memory Database

Product Type: Database Management

Product Tier: Tier III

Integration Method: Syslog

Integration URL: 2624117 - How-To: Configure HANA audit log in SYSLOG | SAP

Log Guide: Data and Log Volumes - SAP Help Portal; additional link for SYSLOG values

Parser Details

Log Format: CEF + KV Data/CSV Data

Expected Normalization Rate: Near 100%

Data Label: SAP_HANA

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                        UDM Field
HANA                                  metadata.product_name
SAP                                   metadata.vendor_name
Audit_Action                          metadata.product_event_type
Session_User                          principal.user.userid
Client_Name                           principal.hostname
Client_Name                           principal.asset.hostname
Client_IP_Address                     principal.ip
Client_IP_Address                     principal.asset.ip
Application_Name                      principal.application
Client_Process_ID                     principal.process.pid
Executed_Statement                    principal.process.command_line
Service_Name                          target.application
Hostname                              target.hostname
Hostname                              target.asset.hostname
Target_Object                         target.resource.name
Database_Name                         target.resource.parent
DATABASE                              target.resource.type
SID                                   target.asset.product_object_id
Target_Principal                      target.user.userid
Action Status (cs1)                   target.asset.attribute.labels
Comment (cs2)                         target.asset.attribute.labels
Component,Section,Parameter (cs3)     target.asset.attribute.labels
HANA DB event ID (cs4)                target.asset.attribute.labels
HANA DB (cs5)                         target.asset.attribute.labels
Grantable,Privilege,Role (cs6)        target.asset.attribute.labels
PIPE_SAPHANA_TCP_CDC (c6a4)           target.asset.attribute.labels
Audit_Action                          security_result.action_details
Audit_Action-Action_Status            security_result.description
Action_Status                         security_result.summary
Audit_Level                           security_result.severity_details
Policy_Name                           security_result.rule_name

Product Event Types

type,subtype    severity    UDM Event Classification           alerting enabled
Default                     FILE_DELETION
                            GENERIC_EVENT
                            GROUP_CREATION
                            GROUP_DELETION
                            GROUP_MODIFICATION
                            PROCESS_PRIVILEGE_ESCALATION
                            RESOURCE_CREATION
                            RESOURCE_DELETION
                            RESOURCE_PERMISSIONS_CHANGE
                            RESOURCE_WRITTEN
                            SERVICE_MODIFICATION
                            SERVICE_STOP
                            SETTING_CREATION
                            SETTING_MODIFICATION
                            SYSTEM_AUDIT_LOG_UNCATEGORIZED
                            USER_CHANGE_PERMISSIONS
                            USER_CREATION
                            USER_DELETION
                            USER_RESOURCE_CREATION
                            USER_RESOURCE_DELETION
                            USER_RESOURCE_UPDATE_CONTENT
                            USER_RESOURCE_UPDATE_PERMISSIONS
                            USER_UNCATEGORIZED

Log Sample

CEF:0|SAP|HANA Syslog Audit Trail|SPS 11|HEC Audit – Table Drop|DROP TABLE|WARNING|rt=1667101770.555 dproc=EXAMPLEREDACTED5623860_123_9_1_12345 dhost=SERVER1 deviceExternalId=REDACTED deviceFacility=02 dpt=30240 devicePayloadId=ABC123 src=10.1.2.3 shost=SERVERNAME sproc=USERNAME sourceTranslatedPort=52036 cs4=298579 cs1=SUCCESSFUL act=DROP TABLE externalId=411137 deviceProcessName=server cs1Label=Action Status cs2Label=Comment cs3Label=Component,Section,Parameter cs3= cs4Label=HANA DB event ID duser=USERNAME suser=USERNAME cs5Label=HANA DB cs6Label=Grantable,Privilege,Role cs5=HDB_TENANTDB dvcpid=298579 c6a4Label=PIPE_SAPHANA_TCP_AMS rawEvent=2022-10-30T03:49:27.979859+00:00 SERVERNAME HDB_TENANTDB[298579]: 2022-10-30T03:49:27.974401Z;server;SERVER1;REDACTED;02;30240;ABC123;10.1.2.3;SERVERNAME;12345;52036;HEC Audit – Table Drop;WARNING;DROP TABLE;USERNAME;EXAMPLE;REDACTED5623860_123_9_1_12345;;;;;SUCCESSFUL;;;;;;;DROP TABLE "EXAMPLE"."REDACTED5623860_123_9_1_12345";411137;USERNAME;;;;;USERNAME;;USERNAME;;;;;;;;;;;;;; cryptoSignature=68f9897737813068REDACTEDbc0b8dbe4509b end=2022-10-30 03:49:27 +00:00

Sample Parsing

metadata.event_type = "RESOURCE_DELETION"
metadata.vendor_name = "HANA"
metadata.product_name = "SAP"
metadata.product_event_type = "DROP TABLE"
principal.hostname = "SERVERNAME"
principal.user.userid = "USERNAME"
principal.process.pid = "12345"
principal.process.command_line = "DROP TABLE EXAMPLE.REDACTED5623860_123_9_1_12345"
principal.ip = "10.1.2.3"
principal.asset.hostname = "SERVERNAME"
principal.asset.ip = "10.1.2.3"
target.hostname = "SERVER1"
target.application = "server"
target.resource.type = "DATABASE"
target.resource.name = "REDACTED5623860_123_9_1_12345"
target.resource.parent = "ABC123"
target.asset.product_object_id = "REDACTED"
target.asset.hostname = "SERVER1"
target.asset.attribute.labels.key = "Action Status"
target.asset.attribute.labels.value = "SUCCESSFUL"
target.asset.attribute.labels.key = "HANA DB event ID"
target.asset.attribute.labels.value = "298579"
target.asset.attribute.labels.key = "HANA DB"
target.asset.attribute.labels.value = "HDB_TENANTDB"
security_result.rule_name = "HEC Audit – Table Drop"
security_result.summary = "SUCCESSFUL"
security_result.description = "DROP TABLE SUCCESSFUL"
security_result.severity_details = "WARNING"
security_result.action_details = "DROP TABLE"

Parser Alerting

This product currently does not have any parser-based alerting.

Rules

Coming Soon