In this exercise you will learn about a security recommendation that helps protect your accounts by making use of the audit log. The SAP Audit Log service is a platform service that stores all the audit logs written on your behalf by the other platform services you use. It allows you to retrieve the audit logs for your subaccount via the audit log retrieval API or to view them with the SAP Audit Log Viewer service. The default retention time is 90 days, after which the audit log data is deleted. Because of that, we recommend downloading the audit logs on a regular basis and saving them, ideally in an existing central audit log system or a Security Information and Event Management (SIEM) system of your choice. This can be done via the audit log retrieval API or through the SAP Audit Log Viewer service.
- SAP BTP Security Recommendations
- BTP-AUD-0001
In this exercise you will subscribe to the SAP Audit Log Viewer service.
- Open the SAP BTP Cockpit and navigate to your trial subaccount by clicking on the tile.
- Go to Service Marketplace.
- Enter audit in the search field. Click on the tile for the SAP Audit Log Viewer service.
- Now subscribe to it. This is done with the Create-button in the upper right corner. (The separate SAP Audit Log Management service is what you would use later to configure the retention period and to retrieve the log files for your SIEM system via the retrieval API; it is not needed in this exercise.)
- A window pops up. Click on the Create-button.
- Click on the button View Subscription to navigate to the subscription details.
- Under Instances and Subscriptions, you can now see the new application SAP Audit Log Viewer service and the Go to Application button.
In this exercise you will configure the SAP Audit Log Viewer service to see audit relevant log entries.
- Open the SAP BTP Cockpit.
- Go to the trial subaccount by clicking on the tile.
- Choose the menu item Security --> Role Collections and click on the Create-button to create a new role collection.
- In the pop-up window enter the role collection name Audit Log Viewer. In the description enter View the audit relevant logs in the audit log viewer. Click on the Create-button.
- Now you can see the Audit Log Viewer role collection together with the other role collections. Click on ">" on the right side of the newly created role collection to open the details.
- In the extended window you can assign roles and users to the role collection. Start by assigning the two roles named Auditlog_Auditor that belong to the SAP Audit Log Viewer service. To do so click on the Edit-button.
- Open the selection dialog for roles in the Roles section.
- Mark the two roles called Auditlog_Auditor and click the Add-button.
- Go to the Users section and enter the email address of your SAP Cloud Identity Services user. Enter it in the ID field and select the entry from the list. Ensure that you pick the user from your custom identity provider, not the default identity provider.
- Click the Save button to save your changes.
- The result will be that the user with the assigned authorizations can use the SAP Audit Log Viewer service. You need to be logged into the cockpit with this user to be able to see the viewer in the next step.
Exercise 3.3 Check the audit logs and download audit log entries via the SAP Audit Log Viewer service
You can download the audit logs via the audit log retrieval API to import them into your Security Information and Event Management (SIEM) system, or you can download them via the viewer user interface to store them as a backup on your file system. In this exercise you will download them via the user interface.
- Open the SAP BTP Cockpit.
- Navigate to Services --> Instances and Subscriptions. Under Subscriptions you will see the SAP Audit Log Viewer service. Next to the entry there is a link to the user interface (Go to Application). Click on it.
- A logon page will appear. Select your trial SAP Cloud Identity Services tenant.
- A pop-up will ask for Email and Password. Enter the email address and the password of your SAP Cloud Identity Services user.
- Because Multi-Factor Authentication (MFA) with a time-based one-time password (TOTP) was enabled for applications on BTP in the first exercise, the Two-Factor Authentication window will pop up. Generate the passcode on your mobile device and enter it. After the time-based passcode has been accepted, the SAP Audit Log Viewer application will open.
- In the newly opened Audit Log Viewer UI you can accept the default timeframe or select a specific one to see the latest audit log entries. On the right side there is a button to retrieve the logs for the selected timeframe.
- Now you can see the log entries for the audit relevant changes that have been performed recently.
- The retention period of the logs in the Cloud Foundry environment is 90 days. Therefore, it is recommended to back up the audit log files or to import them into a SIEM system via the audit log retrieval API. You can download the files from the user interface. To do so, click on the download button in the middle of the toolbar.
- In the pop-up window, select a place on your laptop to save the viewLogs.json file. Click on Save.
You now know how to download the audit relevant log files for backup.
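The retrieval-API path recommended at the start of this exercise and again above (a regular pull into a central audit log system or SIEM before the 90-day retention expires) as an added Python example; this is not code from the exercise or from SAP. It assumes the Cloud Foundry retrieval API shape documented by SAP: a service key of the SAP Audit Log Management service with a `uaa` block (`url`, `clientid`, `clientsecret`) and a service `url`, an OAuth client-credentials token, the endpoint `/auditlog/v2/auditlogrecords?time_from=...&time_to=...`, a `Paging: handle=...` response header when more pages follow, and records carrying `message_uuid`, `time`, `tenant`, `category`, `user` and `message`. The HTTP call is injected so the example runs offline; `NOW`, the service key values and the sample records are constructed.

```python
"""Pull SAP BTP audit log records through the Audit Log Retrieval API and
emit NDJSON for a SIEM.  Added example: endpoint, parameter names, Paging
header and record layout are assumptions, not taken from the exercise page."""
import base64
import json
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)    # default retention stated on the page
DAY = timedelta(days=1)
NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed "current time"
TIME_FMT = "%Y-%m-%dT%H:%M:%S"    # assumed format of time_from / time_to
RECORDS_PATH = "/auditlog/v2/auditlogrecords"               # assumed endpoint
FIELDS = ("time", "tenant", "category", "user", "message_uuid", "message")


def token_request(service_key):
    """OAuth client-credentials request built from the assumed 'uaa' block of
    an SAP Audit Log Management service key."""
    uaa = service_key["uaa"]
    basic = base64.b64encode(f"{uaa['clientid']}:{uaa['clientsecret']}".encode()).decode()
    return {"url": uaa["url"] + "/oauth/token",
            "headers": {"Authorization": "Basic " + basic},
            "data": {"grant_type": "client_credentials"}}


def plan_window(last_checkpoint, now):
    """Return (time_from, time_to, gap).  gap is True when the last successful
    pull is older than the retention period: records between the checkpoint
    and now - RETENTION have already been deleted and cannot be recovered."""
    oldest_available = now - RETENTION
    return max(last_checkpoint, oldest_available), now, last_checkpoint < oldest_available


def fetch_records(http_get, base_url, token, time_from, time_to):
    """Collect all records in the window, following the assumed
    'Paging: handle=<opaque>' header.  http_get(url, headers) must return
    (status, response_headers, body_text)."""
    headers = {"Authorization": "Bearer " + token}
    url = (f"{base_url}{RECORDS_PATH}?time_from={time_from.strftime(TIME_FMT)}"
           f"&time_to={time_to.strftime(TIME_FMT)}")
    records = []
    while url:
        status, resp_headers, body = http_get(url, headers)
        if status != 200:
            raise RuntimeError(f"audit log retrieval failed: HTTP {status}")
        records.extend(json.loads(body))
        paging = resp_headers.get("Paging")   # assumed: "handle=..." when more pages follow
        url = f"{base_url}{RECORDS_PATH}?{paging}" if paging else None
    return records


def to_ndjson(records):
    """One JSON object per line for SIEM ingestion, de-duplicated on the
    record id so an overlap between pulls or pages is not double-counted."""
    seen, lines = set(), []
    for rec in records:
        if rec["message_uuid"] in seen:
            continue
        seen.add(rec["message_uuid"])
        lines.append(json.dumps({k: rec.get(k) for k in FIELDS}, sort_keys=True))
    return "\n".join(lines)


# --- constructed sample data standing in for the real HTTPS calls ----------
def _rec(uid, when, category, user, msg):
    return {"message_uuid": uid, "time": when, "tenant": "trial-tenant",
            "category": category, "user": user, "message": msg}


PAGE_1 = [_rec("m-1", "2024-05-31T10:00:00.000", "audit.security-events",
               "alice@example.com", "User logged in with MFA"),
          _rec("m-2", "2024-05-31T10:05:00.000", "audit.configuration",
               "admin@example.com", "Role collection Audit Log Viewer created")]
PAGE_2 = [PAGE_1[1],   # overlap between pages: must be de-duplicated
          _rec("m-3", "2024-05-31T10:07:00.000", "audit.configuration",
               "admin@example.com", "Role Auditlog_Auditor assigned")]


def fake_http_get(url, headers):
    """Constructed stand-in for the network call; serves two pages."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, {}, "[]"
    if "handle=" in url:
        return 200, {}, json.dumps(PAGE_2)
    return 200, {"Paging": "handle=opaque-page-2"}, json.dumps(PAGE_1)


def run_example():
    """Full offline run: plan the window, pull both pages, emit NDJSON."""
    key = {"uaa": {"url": "https://trial.authentication.example",
                   "clientid": "sb-demo", "clientsecret": "demo-secret"},
           "url": "https://auditlog-management.example"}        # constructed
    time_from, time_to, gap = plan_window(NOW - 100 * DAY, NOW)  # last pull 100 days ago
    recs = fetch_records(fake_http_get, key["url"], "demo-token", time_from, time_to)
    return {"token_url": token_request(key)["url"], "records": len(recs),
            "gap": gap, "ndjson": to_ndjson(recs)}


if __name__ == "__main__":
    print(run_example()["ndjson"])
```

In production, replace `fake_http_get` with a thin wrapper around `urllib.request` (or `requests`), exchange the token request for a real bearer token, and persist the checkpoint only after the NDJSON has been written to the SIEM. When `plan_window` reports a gap, the records between the old checkpoint and the start of the retention window are already gone; scheduling the pull well inside the 90 days is what the recommendation above is meant to ensure.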
In this exercise you have configured the SAP Audit Log Viewer service to see the audit relevant log entries. In addition, you have seen how to export the audit log before the retention period ends.
Continue to - Exercise 4 - Managing administrative authorizations in SAP Cloud Identity Services