SAP ERP

Enterprise Resource Planning (ERP)

SAP ERP - Comprehensive enterprise resource planning solution for managing business processes across finance, HR, supply chain, and more.

Detection Rules for SAP ERP
These detection rules cover the main risk areas of SAP ERP as the platform that runs business processes across finance, HR, supply chain, and more: user access and authentication, privilege changes, data export, and the integrity of financial, payroll, procurement and inventory data.

Provider: SAP ERP

Detection Rule | MITRE Tactic | MITRE Technique | Criticality
Unauthorized User Access | Initial Access | T1078: Valid Accounts | High
    Investigation Actions (APIs): Check login history for unusual times or locations.
    Incident Creation Criteria: Create an incident if a login occurs outside approved times or from a flagged location.
Suspicious Privilege Escalation | Privilege Escalation | T1098: Account Manipulation | Critical
    Investigation Actions (APIs): Verify user role changes and access levels in the user access logs.
    Incident Creation Criteria: Incident if unapproved admin privileges are granted.
Data Exfiltration from Financial Records | Exfiltration | T1048: Exfiltration Over Alternative Protocol | High
    Investigation Actions (APIs): Use data transfer logs and audit history to trace data flows from sensitive financial tables.
    Incident Creation Criteria: Incident if large or repeated unauthorized data downloads are detected.
Malicious Payroll Adjustments | Impact | T1565.001: Stored Data Manipulation | High
    Investigation Actions (APIs): Review change logs for unauthorized payroll entries and modifications.
    Incident Creation Criteria: Incident if payroll adjustments involve significant sums or unapproved users.
Unauthorized Vendor Creation | Impact | T1565.001: Stored Data Manipulation | Medium
    Investigation Actions (APIs): Analyze user action logs for vendor addition and assignment.
    Incident Creation Criteria: Incident if a vendor is created by a user without financial permissions.
Repeated Failed Login Attempts | Credential Access | T1110: Brute Force | High
    Investigation Actions (APIs): Investigate the IPs and users involved in the failed login attempts.
    Incident Creation Criteria: Incident if multiple failed logins occur within a short timeframe.
Unauthorized Data Access in HR Records | Collection | T1213: Data from Information Repositories | High
    Investigation Actions (APIs): Track access logs for unauthorized access to sensitive HR data.
    Incident Creation Criteria: Incident if HR data is accessed by users outside of the HR team.
Large-Scale Data Export Requests | Exfiltration | T1030: Data Transfer Size Limits | High
    Investigation Actions (APIs): Monitor data export requests to detect unusually large data movements.
    Incident Creation Criteria: Incident if data export volume exceeds normal limits.
Manipulation of Inventory Data | Impact | T1565.001: Stored Data Manipulation | Medium
    Investigation Actions (APIs): Review inventory update logs and compare them against expected changes.
    Incident Creation Criteria: Incident if inventory data is altered without proper authorization.
Network Access from Suspicious IP | Initial Access | T1078: Valid Accounts | High
    Investigation Actions (APIs): Use GeoIP and IP reputation services to assess the legitimacy of the source IP.
    Incident Creation Criteria: Incident if the IP is flagged as malicious or located in a restricted region.
System Configuration Changes | Defense Evasion | T1562: Impair Defenses | Medium
    Investigation Actions (APIs): Check configuration change logs for unauthorized system alterations.
    Incident Creation Criteria: Incident if configurations are altered by non-admin users.
Suspicious Changes to Financial Settings | Impact | T1565.001: Stored Data Manipulation | High
    Investigation Actions (APIs): Review financial settings change logs for anomalies in values and users.
    Incident Creation Criteria: Incident if financial settings are modified without approval.
Unexpected System Process Spawning | Execution | T1059: Command and Scripting Interpreter | High
    Investigation Actions (APIs): Monitor system process creation for unusual scripts or executables.
    Incident Creation Criteria: Incident if unusual scripts are spawned by low-privilege accounts.
Bulk User Account Lockouts | Credential Access | T1110.001: Password Guessing | Medium
    Investigation Actions (APIs): Investigate the causes of the account lockouts to identify a potential brute-force attack.
    Incident Creation Criteria: Incident if multiple accounts are locked out within a short period.
Abnormal Export of Client Data | Collection | T1213: Data from Information Repositories | High
    Investigation Actions (APIs): Monitor exports involving sensitive client data and validate them against business context.
    Incident Creation Criteria: Incident if sensitive client data is repeatedly exported by unauthorized accounts.

Note on the ATT&CK mappings: ATT&CK describes host- and network-level behaviour, so business-layer events (vendor creation, payroll or inventory edits, financial-setting changes) have no exact technique and are mapped to T1565.001 (Stored Data Manipulation) as the closest fit. Treat the tactic and technique columns as a triage aid, not as ground truth.
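The logon-side rules above (Unauthorized User Access, Suspicious Privilege Escalation, Repeated Failed Login Attempts and Bulk User Account Lockouts) all reduce to two patterns: a sliding-window count over one event type, and a per-event check against an allow-list. The following is an added example that implements both patterns over constructed events; it is editorial illustration code, not part of this page or of any SAP product. The event schema (ts, event, user, ip, country, actor, role), the user and role names, the approved-hours window, the placeholder country code "XX" and all thresholds are assumptions. In a real deployment the events would come from the SAP Security Audit Log through whichever integration the table above refers to.

```python
"""Toy rule engine for the logon-side SAP ERP detection rules, run over constructed events."""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# --- Constructed sample events (not real SAP log output). -----------------------------
# Field names (ts, event, user, ip, country, actor, role) are assumptions for this example.
T0 = datetime(2024, 3, 4, 2, 15)          # Monday 02:15 local time, outside approved hours


def ev(minutes_after_t0, **fields):
    return {"ts": T0 + timedelta(minutes=minutes_after_t0), **fields}


EVENTS = [
    # Six failed logons against JDOE in five minutes, then the account locks.
    *[ev(i, event="LOGON_FAIL", user="JDOE", ip="203.0.113.7", country="XX") for i in range(6)],
    ev(6, event="USER_LOCKED", user="JDOE", ip="203.0.113.7", country="XX"),
    # A password spray from the same source locks two more accounts shortly after.
    ev(7, event="USER_LOCKED", user="ASMITH", ip="203.0.113.7", country="XX"),
    ev(8, event="USER_LOCKED", user="BLEE", ip="203.0.113.7", country="XX"),
    # Successful logon at 02:25 from a flagged country, then a normal 09:00 office logon.
    ev(10, event="LOGON_OK", user="MWONG", ip="203.0.113.7", country="XX"),
    ev(405, event="LOGON_OK", user="MWONG", ip="10.0.0.5", country="DE"),
    # Role grants: SECADMIN is an approved administrator, HELPDESK1 is not.
    ev(410, event="ROLE_ASSIGNED", user="KPATEL", actor="SECADMIN", role="Z_BASIS_ADMIN"),
    ev(412, event="ROLE_ASSIGNED", user="KPATEL", actor="HELPDESK1", role="Z_BASIS_ADMIN"),
]

APPROVED_HOURS = (time(6, 0), time(20, 0))   # assumption: business-hours window
FLAGGED_COUNTRIES = {"XX"}                    # assumption: placeholder country code
ADMIN_ROLES = {"Z_BASIS_ADMIN"}               # assumption: roles that count as admin privileges
APPROVED_ROLE_ADMINS = {"SECADMIN"}           # assumption: users allowed to grant those roles


def window_count(events, key, predicate, window, threshold, distinct=None):
    """Generic sliding-window counter.

    Groups matching events by `key`, keeps only those inside the trailing `window`,
    and reports the first moment each group reaches `threshold` events (or
    `threshold` distinct values of the `distinct` field, when one is given).
    """
    buckets = defaultdict(deque)
    fired, hits = set(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        if not predicate(e):
            continue
        k = key(e)
        q = buckets[k]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:      # drop events older than the window
            q.popleft()
        count = len({x[distinct] for x in q}) if distinct else len(q)
        if count >= threshold and k not in fired:
            fired.add(k)
            hits.append({"key": k, "count": count, "at": e["ts"]})
    return hits


def rule_repeated_failed_logins(events, window=timedelta(minutes=5), threshold=5):
    """Repeated Failed Login Attempts: N failures for one user inside the window."""
    return window_count(events, key=lambda e: e["user"],
                        predicate=lambda e: e["event"] == "LOGON_FAIL",
                        window=window, threshold=threshold)


def rule_bulk_lockouts(events, window=timedelta(minutes=10), threshold=3):
    """Bulk User Account Lockouts: N distinct users locked inside the window, system-wide."""
    return window_count(events, key=lambda e: "system",
                        predicate=lambda e: e["event"] == "USER_LOCKED",
                        window=window, threshold=threshold, distinct="user")


def rule_unusual_logon(events, approved=APPROVED_HOURS, flagged=FLAGGED_COUNTRIES):
    """Unauthorized User Access: successful logon outside approved hours or from a flagged location."""
    incidents = []
    for e in events:
        if e["event"] != "LOGON_OK":
            continue
        reasons = []
        if not approved[0] <= e["ts"].time() < approved[1]:
            reasons.append("outside approved hours")
        if e.get("country") in flagged:
            reasons.append("flagged location")
        if reasons:
            incidents.append({"user": e["user"], "ip": e["ip"], "at": e["ts"], "reasons": reasons})
    return incidents


def rule_unapproved_admin_grant(events, admin_roles=ADMIN_ROLES, approvers=APPROVED_ROLE_ADMINS):
    """Suspicious Privilege Escalation: an admin role assigned by someone not on the approver list."""
    return [e for e in events
            if e["event"] == "ROLE_ASSIGNED" and e["role"] in admin_roles and e["actor"] not in approvers]


def run_all(events=EVENTS):
    return {
        "repeated_failed_logins": rule_repeated_failed_logins(events),
        "bulk_lockouts": rule_bulk_lockouts(events),
        "unusual_logon": rule_unusual_logon(events),
        "unapproved_admin_grant": rule_unapproved_admin_grant(events),
    }


if __name__ == "__main__":
    for name, incidents in run_all().items():
        print(f"{name}: {len(incidents)} incident(s)")
        for inc in incidents:
            print("   ", inc)
```

Two design points carry over to a production rule. The window counter records a group only once (`fired`), so a sustained attack raises one incident rather than one per event past the threshold; and the lockout rule counts distinct users inside a single system-wide bucket, because the symptom of a password spray is many accounts locked by one source, not many lockouts of one account.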

APIs and Their Scopes

The API and scope names below are generic labels for the log source each rule needs rather than documented SAP endpoint names; map each one to the concrete source in your landscape (on an on-premise system, typically the Security Audit Log and change documents) before wiring up a rule.

Detection Rule | Required API | Scopes Required | Usage
Unauthorized User Access | SAP Identity Authentication API | Read: User Events | Retrieve logs of user login events to detect unauthorized or unusual access patterns.
Suspicious Privilege Escalation | SAP User Management API | Read: User Role Changes | Monitor user privilege modifications to detect unauthorized role escalations.
Data Exfiltration from Financial Records | SAP Audit Logging API | Read: Financial Data Access Logs | Track export and data access events within financial modules to detect large or unusual data movements.
Malicious Payroll Adjustments | SAP Payroll API | Read: Financial Data Access Logs | Review payroll modification events for suspicious changes.
Unauthorized Vendor Creation | SAP Procurement API | Read: Vendor Creation Logs | Track vendor creation logs for actions performed by unauthorized users.
Suspicious Purchase Order Modifications | SAP Purchase Order API | Read: Order Modification Logs | Monitor purchase order changes to detect unauthorized modifications.
Repeated Failed Login Attempts | SAP Identity Authentication API | Read: Failed Login Events | Retrieve records of failed login attempts to identify potential brute-force or credential-stuffing attacks.
Unauthorized Data Access in HR Records | SAP HR Management API | Read: HR Data Access | Monitor access logs for HR data to detect unauthorized access.
Large-Scale Data Export Requests | SAP Data Export API | Read: Export Request Logs | Review large or repeated data export requests for potential data exfiltration.
Network Access from Suspicious IP | SAP Network Access API | Read: Access Location Data | Retrieve the IP addresses used in logins and activity to verify location and legitimacy.
System Configuration Changes | SAP System Configuration API | Read: Configuration Changes | Track system configuration changes to detect unauthorized alterations.
Suspicious Changes to Financial Settings | SAP Financial Settings API | Read: Settings Change Logs | Review changes to financial settings for unauthorized modifications.
Unexpected System Process Spawning | SAP System Process Monitoring API | Read: Process Spawn Events | Track unusual processes initiated within the SAP ERP environment.
Bulk User Account Lockouts | SAP Identity Management API | Read: Account Lockout Events | Review events related to multiple user account lockouts to identify potential brute-force attacks.
Abnormal Export of Client Data | SAP Data Export API | Read: Sensitive Data Export | Monitor exports of sensitive client data to detect unusual or unauthorized access patterns.
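The three export rules (Data Exfiltration from Financial Records, Large-Scale Data Export Requests, Abnormal Export of Client Data) need something the logon rules do not: a per-user baseline, because "exceeds normal limits" only means something relative to what that user normally exports. The following added example (editorial illustration, not code from this page or from SAP) builds a robust baseline from each user's earlier daily totals and, separately, flags repeated exports from a sensitive table by a user whose group is not allowed to touch it. The record shape (day, user, table, rows), the users, groups and volumes are constructed; BSEG (FI document line items), PA0008 (HR basic pay) and VBAK (sales document headers) are real SAP table names used here only as stand-ins for "sensitive financial tables" and "HR data".

```python
"""Export-volume baseline and sensitive-table checks for the SAP ERP export rules,
run over constructed export log records."""
import statistics
from collections import defaultdict
from datetime import date, timedelta

# --- Constructed sample data (not real SAP output). --------------------------------
# Record shape: (day, user, table, rows_exported). BSEG, PA0008 and VBAK are real SAP
# table names used only as stand-ins; users, groups and volumes are invented.
DAY0 = date(2024, 3, 1)
EVAL_DAY = DAY0 + timedelta(days=14)
EXPORTS = []
for d in range(14):                                   # two weeks of routine baseline activity
    EXPORTS.append((DAY0 + timedelta(days=d), "ANALYST1", "VBAK", 1000 + 20 * (d % 5)))
    EXPORTS.append((DAY0 + timedelta(days=d), "CLERK2", "BSEG", 500 + 10 * (d % 3)))
EXPORTS += [
    (EVAL_DAY, "ANALYST1", "BSEG", 100_000),          # BI analyst pulls 250k FI rows in three exports
    (EVAL_DAY, "ANALYST1", "BSEG", 100_000),
    (EVAL_DAY, "ANALYST1", "BSEG", 50_000),
    (EVAL_DAY, "CLERK2", "BSEG", 600),                # FI clerk, slightly above the usual volume
    (EVAL_DAY, "HRUSER", "PA0008", 300),              # HR user exporting HR data: authorized
    (EVAL_DAY, "INTERN", "PA0008", 40),               # one unauthorized HR export: review, not incident
]
USER_GROUPS = {"ANALYST1": "BI", "CLERK2": "FI_TEAM", "HRUSER": "HR_TEAM", "INTERN": "BI"}
SENSITIVE_TABLES = {"BSEG": {"FI_TEAM"}, "PA0008": {"HR_TEAM"}}   # table -> groups allowed to export it


def daily_totals(exports):
    """Rows exported per user per day, summed across all tables."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, _table, rows in exports:
        totals[user][day] += rows
    return totals


def rule_export_volume(exports, eval_day, k=3.0, min_history=7, min_ratio=2.0):
    """Large-Scale Data Export Requests: a user's daily volume exceeds their own baseline.

    The baseline is median + k * scaled MAD of the user's earlier daily totals, which a few
    past spikes cannot drag upward. `min_ratio` stops tight baselines from firing on trivial
    increases, and users with fewer than `min_history` days of history are skipped.
    """
    incidents = []
    for user, per_day in daily_totals(exports).items():
        history = [rows for day, rows in per_day.items() if day < eval_day]
        today = per_day.get(eval_day, 0)
        if len(history) < min_history or today == 0:
            continue
        med = statistics.median(history)
        mad = statistics.median(abs(x - med) for x in history)
        threshold = med + k * 1.4826 * mad            # 1.4826 scales MAD to a std-dev estimate
        if today > threshold and today > min_ratio * med:
            incidents.append({"user": user, "rows": today, "median": med,
                              "threshold": round(threshold, 1)})
    return incidents


def rule_sensitive_table_exports(exports, eval_day, user_groups, sensitive, repeat=2):
    """Data Exfiltration from Financial Records / Abnormal Export of Client Data: repeated
    exports from a sensitive table by a user whose group is not allowed to export it."""
    counts = defaultdict(int)
    for day, user, table, _rows in exports:
        if day != eval_day or table not in sensitive:
            continue
        if user_groups.get(user) not in sensitive[table]:
            counts[(user, table)] += 1
    return [{"user": u, "table": t, "exports": n}
            for (u, t), n in counts.items() if n >= repeat]


if __name__ == "__main__":
    print("volume:", rule_export_volume(EXPORTS, EVAL_DAY))
    print("sensitive:", rule_sensitive_table_exports(EXPORTS, EVAL_DAY, USER_GROUPS, SENSITIVE_TABLES))
```

The `min_ratio` guard matters more than it looks: CLERK2's baseline is so tight (median 510 rows, MAD 10) that a purely statistical threshold sits at about 554 rows, and the clerk's 600-row day would raise an incident without it. A volume rule with no minimum effect size produces exactly the kind of noise that gets the rule switched off.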

Reports and Widgets for CISO

User Access and Authentication
    Widgets: Failed Login Attempts (line graph); Successful vs. Failed Logins (pie chart); Geo-Location Login Map (world map)
    Description: Tracks login activity to detect unauthorized access attempts and geographic anomalies in login behavior.

Privilege Escalation Monitoring
    Widgets: Recent Role Changes (list view with user and role details); Top Privilege Escalations (bar chart by role type); Anomalous Role Changes (indicator)
    Description: Identifies and highlights unusual role changes, helping detect unauthorized privilege escalations.

Data Exfiltration Activity
    Widgets: Export Volume by Module (stacked bar chart); Top Data Accessed (table); Unusual Data Access Events (alert indicators)
    Description: Monitors data export activity for potential data exfiltration incidents, especially in sensitive modules.

Payroll and Financial Integrity
    Widgets: Payroll Modification Events (timeline); Transaction Volume by User (heatmap); Unusual Financial Transactions (alert indicators)
    Description: Tracks payroll and financial changes, alerting on potential fraud or unauthorized modifications.

Vendor Management and Procurement
    Widgets: New Vendors Created (list view with user details); Top Supplier Adjustments (bar chart); Unusual Procurement Activity (alert indicators)
    Description: Monitors procurement activity, flagging unusual vendor creation or adjustments to detect fraud.

System Configuration and Integrity
    Widgets: Configuration Change Log (log view with timestamps); System Alerts (alert panel); Unauthorized Configuration Changes (indicator)
    Description: Tracks changes in system configurations to identify unauthorized modifications to critical settings.

Inventory Management Integrity
    Widgets: Inventory Changes (table with item details); Top Inventory Modifiers (bar chart); Suspicious Inventory Adjustments (alert indicators)
    Description: Monitors inventory changes for potential tampering or unauthorized adjustments.

Network Activity
    Widgets: Access by IP Location (map); Network Access Attempts (line graph); Suspicious IP Login Events (alert indicators)
    Description: Analyzes network access to detect login attempts from suspicious IP addresses or regions.

Incident Response Overview
    Widgets: Incident Status by Type (pie chart); Average Time to Resolution (gauge); Open Security Incidents (list with priority levels)
    Description: Provides an overview of incident management, helping CISOs track ongoing investigations and resolution times.