UDM mapping for SAP logs

This document provides a reference for how log sources in Google SecOps for SAP are mapped to Unified Data Model (UDM) log types in Google SecOps.

How mapping works

Google SecOps for SAP uses SAP-specific standard parsers within Google SecOps to automatically transform raw SAP logs into the UDM format.

Field mapping reference

This section provides an overview of the SAP log sources that are mapped to the UDM. For detailed field-level mapping information, see the reference documentation for each log source.

SAP HANA Audit

The SAP_HANA_AUDIT parser captures security-relevant events within the SAP HANA database, such as system configuration changes, user authorization modifications, and access to sensitive data.

Ingestion label: SAP_HANA_AUDIT

For more information, see SAP HANA Audit UDM mapping.

SAP Change Document

The SAP_CHANGE_DOCUMENT parser tracks changes made to business objects in SAP systems, including creations, modifications, and deletions of data.

Ingestion label: SAP_CHANGE_DOCUMENT

For more information, see SAP Change Document UDM mapping.

SAP Web Dispatcher

The SAP_WEBDISP parser logs HTTP and HTTPS traffic passing through the SAP Web Dispatcher, providing visibility into external access to SAP web services and applications.

Ingestion label: SAP_WEBDISP

For more information, see SAP Web Dispatcher UDM mapping.

SAP Security Audit

The SAP_SECURITY_AUDIT parser records security-critical events at the SAP application level, such as user logins, failed logon attempts, transaction executions, and report starts.

Ingestion label: SAP_SECURITY_AUDIT

For more information, see SAP Security Audit UDM mapping.

SAP Gateway

The SAP_GATEWAY parser monitors communication between SAP systems and external applications through the SAP Gateway, logging connection attempts and security-related errors.

Ingestion label: SAP_GATEWAY

For more information, see SAP Gateway UDM mapping.

SAP ICM

The SAP_ICM parser records details of web-based communication (HTTP, HTTPS, SMTP) between the SAP Application Server and the internet.

Ingestion label: SAP_ICM

For more information, see SAP ICM UDM mapping.

Use UDM in searches

To filter SAP events when searching in Google SecOps, use the log_type filter to narrow your results:

  log_type = "SAP_SECURITY_AUDIT" and principal.user.userid = "ADMIN_USER"

Get support

For issues related to Google SecOps for SAP, contact Google SecOps support. Our team provides assistance or guides you to the right resource to help ensure a timely resolution.

For issues involving SAP systems or the LogServ service, contact SAP support. For issues related to other third-party products, such as Bindplane, contact the appropriate third-party vendor for assistance.

Get technical answers and peer support in the Google SecOps Community.
