How to Master Security Logging and Alerting for SAP BTP

Effective security for the SAP Business Technology Platform (BTP) requires robust logging and alerting. The primary methods involve using the central Audit Log, which can be integrated with external systems via the pull-based Audit Log Retrieval API, or using the push-based SAP Alert Notification Service for real-time event notifications. Both can be unified with SIEM tools for comprehensive landscape monitoring.

The SAP Business Technology Platform (BTP) is a Platform-as-a-Service (PaaS) that enables organizations to extend their SAP solutions without modifying the core systems. This promotes a modular architecture, simplifies upgrades, and lowers maintenance costs. Security for BTP operates on a shared responsibility model: SAP manages the platform’s infrastructure, while customers are responsible for application-level security, including user access, configurations, and data. To meet these responsibilities, customers must leverage BTP’s native logging and alerting capabilities. The two primary services for this are the SAP BTP Audit Log and the SAP Alert Notification Service. The Audit Log provides a comprehensive record of all security-relevant events, while the Alert Notification Service offers a framework for sending real-time alerts to various external channels. Integrating these event sources into a central Security Information and Event Management (SIEM) system is crucial for achieving end-to-end visibility across both cloud and on-premise SAP landscapes.

Key Takeaways

  • Shared Responsibility: In SAP BTP, SAP secures the platform, but you are responsible for securing your custom applications, data, and user access.
  • Central Audit Log: The BTP Audit Log is the main source for security events, recording data access, configuration changes, and user actions with a default 90-day retention period.
  • Two Integration Methods: You can pull logs via the Audit Log Retrieval API or receive real-time push notifications using the SAP Alert Notification Service.
  • Real-Time Alerts: The SAP Alert Notification Service provides native integrations with tools like ServiceNow, Slack, and Microsoft Teams for immediate event notification.
  • SIEM Integration is Key: To achieve unified monitoring, BTP events should be integrated with a SIEM. Tools like the Cybersecurity Extension for SAP can centralize BTP alerts with those from your entire SAP landscape.

What is SAP BTP?

SAP BTP is a cloud platform designed to decouple customer-specific customizations from the standard SAP core solutions. By providing a separate environment for building and deploying extensions, integrations, and applications, BTP allows organizations to maintain a "clean core". This approach offers greater flexibility, easier scalability, and lower maintenance costs, which matters especially to RISE with SAP customers, who receive BTP consumption credits as part of their contract. The platform provides a broad set of services for development, automation, integration, and AI, including low-code tools like SAP Build Apps and professional development environments like the Business Application Studio.

What is the Shared Responsibility Model for SAP BTP Security?

SAP BTP operates on a shared responsibility model where security is a collaborative effort between SAP and the customer. SAP is responsible for the security of the cloud, which includes the physical infrastructure and the core platform services. The customer is responsible for security in the cloud. This includes managing application-level security, user authentication and authorizations, custom application maintenance, and the configuration of global and sub-account settings. Sub-accounts act as sandboxed environments to separate projects, with user and role management handled at this level.

How Does Security Logging Work in SAP BTP?

Security-related events from BTP services and applications are recorded in a central Audit Log. Events fall into four categories: data access, data modification, security events (such as logons and permission changes), and configuration changes. Each record carries details such as the event ID, timestamp, user, and the service or application that raised it. The default retention period is 90 days, so any record that has not been exported to an external store within that window is gone; extending retention, or writing audit events from your own custom-built applications, requires a subscription to the premium edition of the Audit Log service. The logs can be viewed inside BTP with the Audit Log Viewer, but it returns at most 500 records per query, which makes it suitable for targeted checks rather than comprehensive analysis or investigation.

How Can You Integrate BTP Logs with External Systems?

There are two primary methods for integrating BTP security events with external monitoring systems like a SIEM: the Audit Log Retrieval API and the SAP Alert Notification Service.

The Audit Log Management service exposes the Audit Log Retrieval API. This is a pull-based mechanism: the external system first obtains an OAuth 2.0 bearer token using the client credentials in the service instance's service key, then issues HTTP GET requests for a given time window. Calls are subject to regional rate limits, typically 4 to 8 requests per second, so a collector has to page through results and throttle itself rather than fire requests in a tight loop. This method is effective for scheduled, batch retrieval of the complete historical log, provided the schedule stays well inside the retention period.
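As an added example (not code from the article or from SAP), here is a pull-based collector in Python that exercises the points above: it throttles to stay under the regional rate limit, follows the paging handle across pages, retries on HTTP 429 and normalizes the four audit categories into flat SIEM events. The endpoint path, query parameters, `Paging` header and record field names are assumptions to verify against your service key and SAP's current documentation; the HTTP transport is injected, so the constructed fake at the bottom lets the module run offline.

```python
"""Pull-based collection from the SAP BTP Audit Log Retrieval API (added example, not
SAP's code).  The HTTP transport is injected, so this runs offline against the constructed
fake at the bottom; use requests/httpx in production.  ASSUMPTIONS to verify against your
service key and SAP's documentation: the /auditlog/v2/auditlogrecords path, the
time_from/time_to/handle query parameters, the `Paging` header and the record field names.
"""
import json
import time
from dataclasses import dataclass
from typing import Callable, Iterator

AUDIT_PATH = "/auditlog/v2/auditlogrecords"  # assumption, see module docstring

# The four audit categories the article names, mapped to a SIEM severity of our choosing.
SIEM_SEVERITY = {"audit.security-events": "high", "audit.configuration": "medium",
                 "audit.data-modification": "medium", "audit.data-access": "low"}


@dataclass
class HttpResponse:
    status: int
    headers: dict
    body: str


HttpGet = Callable[[str, dict, dict], HttpResponse]  # (url, query params, headers)


def pull_audit_records(http_get: HttpGet, base_url: str, bearer_token: str,
                       time_from: str, time_to: str, max_rps: float = 4.0,
                       max_retries: int = 5) -> Iterator[dict]:
    """Yield every raw record in [time_from, time_to], following the paging handle.
    Throttles to `max_rps` (stay under the regional limit) and retries HTTP 429 after
    Retry-After.  `bearer_token` is the OAuth 2.0 client-credentials token obtained
    with the clientid/clientsecret from the service key (that exchange is not shown)."""
    headers = {"Authorization": f"Bearer {bearer_token}"}
    params = {"time_from": time_from, "time_to": time_to}
    min_interval, last_call = 1.0 / max_rps, None
    while True:
        retries = 0
        while True:  # one page request, with throttling and 429 retry
            if last_call is not None:
                time.sleep(max(0.0, min_interval - (time.monotonic() - last_call)))
            last_call = time.monotonic()
            resp = http_get(base_url + AUDIT_PATH, params, headers)
            if resp.status != 429 or retries >= max_retries:
                break
            retries += 1
            time.sleep(float(resp.headers.get("Retry-After", "1")))
        if resp.status != 200:
            raise RuntimeError(f"audit log retrieval failed: HTTP {resp.status}")
        yield from json.loads(resp.body)
        handle = resp.headers.get("Paging")
        if not handle:
            return
        # Assumption: the handle alone identifies the next page of the same query.
        params = {"handle": handle.removeprefix("handle=")}


def normalize(record: dict) -> dict:
    """Flatten one raw record into the shape a SIEM ingests (field names assumed)."""
    category = record.get("category", "unknown")
    return {"event_id": record.get("uuid"), "timestamp": record.get("time"),
            "category": category, "severity": SIEM_SEVERITY.get(category, "low"),
            "user": record.get("user"), "tenant": record.get("tenant"),
            "message": record.get("message"), "source": "sap-btp-auditlog"}


def collect(http_get: HttpGet, base_url: str, bearer_token: str,
            time_from: str, time_to: str) -> list[dict]:
    """Pull and normalize one time window: the unit a scheduled collector runs."""
    return [normalize(r) for r in
            pull_audit_records(http_get, base_url, bearer_token, time_from, time_to)]


# --- constructed offline transport: made-up records, one 429, then two pages ---
PAGE_ONE = [
    {"uuid": "1", "time": "2024-05-01T10:00:00Z", "category": "audit.security-events",
     "user": "alice@example.com", "tenant": "t1", "message": "Logon failed"},
    {"uuid": "2", "time": "2024-05-01T10:01:00Z", "category": "audit.configuration",
     "user": "admin@example.com", "tenant": "t1", "message": "Role collection assigned"},
]
PAGE_TWO = [{"uuid": "3", "time": "2024-05-01T10:02:00Z", "category": "audit.data-access",
             "user": "bob@example.com", "tenant": "t1", "message": "Personal data read"}]


def make_fake_transport():
    """Return (http_get, calls): first call is throttled with 429, then two pages."""
    calls: list[dict] = []

    def http_get(url: str, params: dict, headers: dict) -> HttpResponse:
        calls.append(dict(params))
        if len(calls) == 1:
            return HttpResponse(429, {"Retry-After": "0"}, "")
        if "handle" not in params:
            return HttpResponse(200, {"Paging": "handle=page2"}, json.dumps(PAGE_ONE))
        return HttpResponse(200, {}, json.dumps(PAGE_TWO))

    return http_get, calls
```

Running `collect()` against the fake transport yields three normalized events from three requests (one throttled, two pages). In production the same `collect()` runs on a schedule with a real transport and a token from the client-credentials grant; keep the window overlap small and persist the last `time_to` so a failed run can be replayed without losing records inside the 90-day window.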

The SAP Alert Notification Service is the push-based alternative. It sends real-time notifications for specific events raised by BTP applications and services, and its key advantages are the broad range of native integrations and support for automated actions. It is an event channel rather than a complete record: it carries only the events that BTP services and your own applications publish to it, so it complements the Audit Log instead of replacing it.

Audit Log Retrieval API vs. SAP Alert Notification Service

The choice between the two services depends on your monitoring requirements. The Alert Notification Service is generally preferred for real-time threat detection and automated response, while the API is the better fit for compliance-driven collection of the complete log. The two are not mutually exclusive: a common setup pushes high-priority events through the Alert Notification Service while the API feeds the full record into the SIEM.

Feature comparison (Audit Log Retrieval API vs. SAP Alert Notification Service):

  • Method: API is pull (HTTP GET request); Alert Notification Service is push (real-time notifications).
  • Timeliness: API is batched / near real-time; Alert Notification Service is real-time.
  • Integrations: API requires a custom integration; Alert Notification Service has native integrations (ServiceNow, Slack, Teams, Email).
  • Cloud feeds: API not supported; Alert Notification Service supported (AWS, Azure, GCP).
  • Automated response: API not supported; Alert Notification Service supported (via SAP Automation Pilot).

How Can You Achieve End-to-End SAP Landscape Monitoring?

Neither the Audit Log API nor the Alert Notification Service provides a complete, out-of-the-box solution for integrating BTP events into an enterprise security program. A specialized connector is needed to bridge the gap between BTP and SIEM platforms like Splunk, Microsoft Sentinel, or QRadar.

The Cybersecurity Extension for SAP supports both the Audit Log Retrieval API and the SAP Alert Notification Service to monitor BTP security events. It unifies alerts from BTP with security events from other SAP applications, databases, and operating systems. This provides a single, correlated stream of enriched data for your SIEM, enabling end-to-end monitoring of your entire SAP landscape, whether on-premise or in the cloud.

Frequently Asked Questions (FAQ)

Q: What is the default retention period for the SAP BTP Audit Log?
A: The default retention period for events in the Audit Log is 90 days. A subscription to the premium edition of the Audit Log service is necessary to change this retention period.

Q: Can I connect the BTP Audit Log to my SIEM?
A: Yes, you can connect the BTP Audit Log to a SIEM using either the pull-based Audit Log Retrieval API or the push-based SAP Alert Notification Service. A connector solution like the Cybersecurity Extension for SAP is often used to streamline this integration with platforms like Splunk, Sentinel, or QRadar.

Q: What is the difference between a BTP global account and a sub-account?
A: A global account is the top-level organizational unit in BTP. Sub-accounts are created within a global account and function as sandboxed environments to separate different development projects, scenarios, or landscapes (e.g., dev, test, prod). Entitlements are assigned to sub-accounts from the global account, while users and role collections are managed within each sub-account.
