v14.

7 Database Activity Monitoring User Guide

v14.7 Database Activity Monitoring User

Guide

v14.7 Database Activity Monitoring User Guide 1

 Contents

Contents
Defining SAP Transactions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Configuring SAP Transactions for use in SecureSphere. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Configure Data Enrichment Policy for SAP Transaction Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Configure an Audit Policy for Auditing SAP Transactions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Viewing SAP Transactions in Audit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

v14.7 Database Activity Monitoring User Guide

 v14.7 Database Activity Monitoring User Guide

Defining SAP Transactions

Imperva SecureSphere includes a list of sensitive SAP transactions, defined in SecureSphere as elements of a
privileged operations group.

SecureSphere administrators cannot make changes to this list, but they can add SAP transactions to the User Defined
Privileged Operations Group and include these transactions in auditing and reporting.

v14.7 Database Activity Monitoring User Guide 3

 v14.7 Database Activity Monitoring User Guide

Configuring SAP Transactions for use in SecureSphere

Because SecureSphere uses the privileged operations mechanism to identify SAP transactions, you must create a data
enrichment policy to extract the SAP transactions from the SQL which is then recognized by SecureSphere as a
privileged operation.

Note: This solution applies to SAP ECC 6.0.

The following table lists the main tasks that need to be conducted to configure SAP Transactions for use in
SecureSphere:

  Action Description For more information, see

Configuring Data Enrichment Define a Data Enrichment policy to Configure Data Enrichment Policy
1
Policies extract SAP Literals from SQL for SAP Transaction Detection

Define an audit policy that will

Configure an Audit Policy for
2 Define an Audit Policy only audit the transactions defined
Auditing SAP Transactions
using the data enrichment policy

Configure an audit view to display

3 View audited transactions SAP transactions and save it as a Viewing SAP Transactions in Audit
report for future reference.

v14.7 Database Activity Monitoring User Guide 4

 v14.7 Database Activity Monitoring User Guide

Configure Data Enrichment Policy for SAP Transaction Detection

To configure a Data Enrichment Policy for SAP SQL Transactions:

1. In the Main workspace, select Policies > Data Enrichment.

2. In the Create New Policy window, click New, type a Name, and from Type select DB Service Enrichment, then
click Create.
3. On the Rules tab, create a new User Defined Field, under Target Field Name type SAP-T-Code, select the From
Event SQL extraction method, then click Save. The field becomes expandable.
4. Expand the item you just added, under Extract Literal #, type 3, and in the From Query field, type:

select "devclass" from "tadir" where "pgmid" = ? and "object" = ? and

"obj_name" = ?

5. Expand the Additional Conditions option, in the when Literal # field, type 2. In the second field after is, type
TRAN.
6. In the Apply to tab, select the database service on which the SAP application is running, for example Oracle.
7. Click Save.

Once you have completed configuring the data enrichment policy to extract the required fields, you need to
configure an Audit policy to audit this traffic as described in Configure an Audit Policy for Auditing SAP
Transactions.

v14.7 Database Activity Monitoring User Guide 5

 v14.7 Database Activity Monitoring User Guide

Configure an Audit Policy for Auditing SAP Transactions

Once you have created a data enrichment policy to extract the literals needed to audit SAP transactions, you need to
configure an audit policy.

To configure an Audit Policy to view SAP SQL extraction:

1. In the Main workspace, select Policies > Audit.

2. In the Create New Policy window, click New, type an intuitive Name such as SAP SQL Transactions, from Type
select Database, then click Create.
3. On the Match Criteria tab, add the Destinations Table criteria by clicking its Green Arrow .
4. Expand the criteria and add the table tadir, to the selected pane.
5. On the Match Criteria tab, add the Enrichment Data criteria by clicking its Green Arrow .
6. Expand the criteria,
◦ Under User Defined Field type SAP-T-Code
◦ In the Operation field select Exclude All, and under User Defined, click new then type TXX. This tells the
audit policy to filter only events with enrichment data on the SAP-T-Code field.
7. On the Settings tab, under User Defined 1, select SAP-T-Code.
8. In the Apply to tab, apply the policy to the appropriate SAP database server and save it.

v14.7 Database Activity Monitoring User Guide 6

 v14.7 Database Activity Monitoring User Guide

Viewing SAP Transactions in Audit

Once you have configured a data enrichment policy to extract SAP data and an audit policy to audit this data, you can
view SAP transactions in the audit window.

To view SAP transactions in the audit window:

1. In the Main workspace, select Audit > DB Audit Data.

2. In the Views pane, select the Data view.
3. In the upper right-hand corner of the main audit window, under Select Field, choose User Defined 1.

4. Select a row in the resulting data, then click Retrieve Event Data.
5. To save this view for easy access, click Save as Report .

v14.7 Database Activity Monitoring User Guide 7