SAP Audit Event Type Codes for Data Updates

Learn how SAP audit event type codes for updates enhance accountability, data integrity, confidentiality, availability, and compliance.
Defencemore Team

Systems Applications and Products (SAP) offer centralized data management that improves operational efficiency, productivity, and user experience. SAP software is generally used for enterprise resource planning (ERP) purposes and is gaining more importance with its cloud-based solutions and integration of AI and ML technologies. SAP is the world's 35th most valuable company, with a market capitalization of €262.15 billion, according to the Companiesmarketcap report of November 2024. Similarly, 99 of the 100 biggest global companies are using SAP systems, according to the 2024 SAP Industry Overview and Insights, published by Houlihan Lokey.

SAP systems enable administrators to monitor and record all logs in the environment. SAP audit logs ensure sensitive data's confidentiality, integrity, and availability. SAP audit event types account for specific events and help auditors monitor activities, detect potential threats, and take necessary measures.

Effective SAP audit management is crucial for maintaining business continuity and creating a robust work environment. Therefore, this blog will focus on SAP audit event type codes for data updates.

What are SAP audit event type codes?

SAP audit events record and document all actions within the SAP environment. Auditors utilize these logs to monitor for deviant behaviors, fix vulnerabilities, and ensure adherence to relevant standards and regulations. Audit events are vital to promote accountability and transparency in all operational and business processes.

SAP audit event type codes categorize and explain specific actions in the security logs. Each event type code is a three-character identifier that corresponds to a particular event in the SAP system. Below are three examples of audit event type codes and their descriptions:

  • AU1: Successful login attempts
  • AU2: Unsuccessful login attempts
  • AU3: Password changes

Here are the 5 main categories of SAP audit events:

Security Audit Events

Security audit events provide better visibility, reduce the attack surface, and harden systems within the SAP environment. SAP audit logs enable auditors to proactively monitor, analyze, and respond to cyber threats.

Authentication and Authorization Events

Data access logs help admins detect cyber threats and ensure the confidentiality of digital assets by monitoring authentication and authorization activities. Auditors can track authenticated and authorized users who can access data and prevent lateral movement or privilege escalation.

Data Updates

Data modifications are essential in the SAP environment. Auditors can monitor suspicious alterations in sensitive information, including personal information, group policies, workflows, or user permissions.

Configuration Updates

Auditors can identify any modifications in the configuration settings, which generally require administrative permissions. Attempts to turn off security systems or to add or delete users are possible examples of risky configuration modifications.

Integration Events

A modern SAP environment requires integrating various tools and environments. Therefore, integration or collaboration events, such as inbound or outbound API calls and data import-export processes, help detect anomalies or irregularities within audit events.

What is the importance of data updates in SAP audits?

Data updates in SAP audits are critical for 5 main reasons: accountability, data integrity, confidentiality, availability, and compliance.

Accountability

Accountability refers to tracing all activities and holding users responsible for their actions. It ensures that all modifications are logged properly. Transparent operations build trust with customers. Admins can see who made an alteration and the timestamp of each updated event.

Data Integrity

SAP audits provide data integrity by ensuring all actions are monitored and maintaining the reliability, consistency, and accuracy of digital assets. Audits in data updates can identify both malicious and unintentional errors. Therefore, auditors can detect anomalies, prevent further activities, and recover to a secure state quickly by monitoring for data modifications.

Confidentiality

Data updates in SAP security audits ensure confidentiality by monitoring and preventing unauthorized access. Admins utilize data updates to identify system vulnerabilities, perform system hardening, and detect unusual behaviors to protect personally identifiable information, customer data, trade secrets, and intellectual property. Keeping private data safe from threats also helps build trust.

Availability

Regular audits of data changes ensure business continuity. They provide data availability when needed by detecting vulnerabilities, outages, or other unexpected situations. Admins can also benefit from data updates to create redundancy, maintain the uptime of the SAP environment, and enable quick recovery in alignment with disaster recovery plans.

Compliance

Regular internal or external audits effectively prepare organizations. Some regulations, such as Sarbanes-Oxley or GDPR, mandate logging data updates for sensitive information. Complying with SAP audit regulations and frameworks helps detect weak points in the system, maintain the organization's reputation, and avoid possible penalties.

What Types of Data Updates Are Tracked by SAP Audit Event Codes?

SAP audit event codes track 4 main types of data updates: master data, account, structural, and data transfer updates.

Master Data Updates

Master data updates are any updates to the organizational data within the SAP environment. For instance, vendor, client, or database updates are data modifications of this kind.

Account Updates

Audit logs record when users or perpetrators create, delete, or modify accounts, so auditors can track any modifications in user permissions. For example, when a new account is created, the log shows a user management update.

Structural Updates

Auditors can track any change in the configurations. Any update in the settings will result in an audit event. Configurational updates define the modifications made to the company's operation.

Data Transfer Updates

Admins can track transactional activities for updates. Finance, marketing, and sales operations are some types of transactional efforts. For instance, a purchase order update creates a transactional event.

SAP Audit Event Type Code for Data Updates

SAP audit event type codes can log and monitor all modifications to master data, account data, transactional data, or system configuration settings. Audit logs for data updates enable administrators to perform root cause analysis, prevent both malicious and accidental activities, and quickly recover the system to a secure state. Auditors can proactively recognize vulnerabilities, fix issues, and strengthen security measures.

Audit event codes provide accountability and transparency in SAP systems, which also builds trust between parties. Data update logs can determine who made the modification and when, allowing administrators to detect and prevent unauthorized modifications.

Moreover, auditors must adhere to relevant laws and standards to maintain the organization's reputation and avoid potential penalties. Admins should follow ethical and legal practices in the retention and processing of sensitive data to confirm that data is appropriately handled and protected.

Professionals can effectively manage SAP audit logs to oversee resources, ensure compliance, and mitigate errors or problems.

Here are the 7 best practices for SAP audit event type codes for data updates:

  1. Properly configure logs and apply filters that are aligned with organizational policies to focus on relevant data.
  2. Identify the audit event type you want to focus on, such as configuration updates, user management, or data modifications.
  3. Keep focus restricted to the area you are working on to avoid unnecessary storage overhead and prevent getting lost in excessive information.
  4. Apply system hardening in the SAP environment to ensure only authorized users can manage security logs.
  5. Utilize appropriate tools and methods to analyze audit event logs effectively.
  6. Apply regular updates and continuously test the system's configurations and settings.
  7. Ensure data retention policies comply with regulatory and organizational requirements.
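
As an added illustration of practices 2 and 3 (this is not code from Defencemore or SAP), the following Python example narrows an audit log extract to account-update events and flags two patterns worth reviewing. The codes AU7, AU8, AUB and AUD are assumed here as the standard Security Audit Log message IDs for user created, user deleted, authorizations changed and user master record changed; the CSV column layout and the sample rows are constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Account-update event codes (standard Security Audit Log message IDs,
# not listed on this page; verify against your system's event definitions).
ACCOUNT_EVENTS = {
    "AU7": "user created",
    "AU8": "user deleted",
    "AUB": "authorizations changed",
    "AUD": "user master record changed",
}

# Constructed sample. The column layout is an assumption, not an SAP export format.
SAMPLE_LOG = """\
time,client,user,event,target
2024-12-01T09:00:12,100,JSMITH,AU1,
2024-12-01T09:04:40,100,JSMITH,AU7,TMP_SVC
2024-12-01T09:05:02,100,JSMITH,AUB,TMP_SVC
2024-12-01T09:06:30,100,TMP_SVC,AU1,
2024-12-01T09:41:18,100,JSMITH,AU8,TMP_SVC
2024-12-01T10:15:00,100,ADMIN01,AUD,KLEE
2024-12-01T11:20:00,100,MBROWN,AUB,MBROWN
"""

def account_updates(text):
    """Keep only account-update rows, with parsed timestamps, in time order."""
    rows = [r for r in csv.DictReader(io.StringIO(text)) if r["event"] in ACCOUNT_EVENTS]
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    return sorted(rows, key=lambda r: r["time"])

def findings(rows, window=timedelta(hours=1)):
    """Flag users changing their own authorizations and short-lived accounts."""
    out, created = [], {}
    for r in rows:
        key = (r["client"], r["target"])
        if r["event"] == "AUB" and r["user"] == r["target"]:
            out.append(("self-authorization-change", r["target"], r["user"]))
        elif r["event"] == "AU7":
            created[key] = r["time"]
        elif r["event"] == "AU8" and key in created:
            if r["time"] - created.pop(key) <= window:
                out.append(("short-lived-account", r["target"], r["user"]))
    return out

if __name__ == "__main__":
    for finding in findings(account_updates(SAMPLE_LOG)):
        print(finding)
```

Restricting the input to the four account-update codes before analysis keeps logon noise (AU1, AU2) out of the result, which is the point of keeping the focus narrow.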

What Tools or Methods are Available for Analyzing SAP Audit Event Logs?

SAP audit event logs can be used to monitor, analyze, and troubleshoot system activities using various tools and methods.

Here are some of the most important approaches:

  • SAP SM18: This code accounts for administrative activities within SAP systems. It records security-related events and enables forensic research. This transaction also involves deleting log files.
  • SAP SM19: The main function of the SM19 transaction is for configuration purposes. Administrators can set filters or modify settings using the static or dynamic configuration options.
  • SAP SM20: Admins can use security audits to read and analyze security logs. This transaction code is used for the local analysis of system audit logs.
  • SAP SM21: This code monitors health metrics and system performances. It focuses on system logs rather than security audit logs.

Additionally, the SAP BASIS 7.50 update introduced some new codes. Although these replace the older transactions, both sets will work together in the transition process:

  • RSAU_ADMIN: It is used for administrative purposes and is a newer version of SM18.
  • RSAU_CONFIG: It is used for system configurations and is a newer version of SM19.
  • RSAU_READ_LOG: It is used for reading activities and detailed analysis and is a newer version of SM20.

In conclusion, SAP audit event type codes for data updates are important for 5 main reasons: accountability, integrity, confidentiality, availability, and compliance. Organizations can build a robust and visible SAP environment by monitoring and managing audit events.

In this context, Defencemore offers the One Click Audit for SAP, a comprehensive product that improves the security and compliance of SAP environments.

Contact us to learn more and schedule a free demo of our product that detects security vulnerabilities in SAP systems. Ensure your systems are not only functional but also secure.

Dec 27, 2024
