Check HANA Cloud Database Audit Log Entries


Description

Auditing allows you to monitor and record selected actions performed in the SAP HANA Cloud database. It can help you achieve better security in the following ways:

  • Uncover security vulnerabilities
  • Show attempts to breach security

This example command runs an SQL query against the AUDIT_LOG system view to find audit log entries that might be considered suspicious. If at least one such entry is found, the execution fails with an error message.

ℹ️ SQL query should be modified to fit the user's needs and to better detect audit log entries which should be treated as suspicious.

Requirements

To use this example you'll need the following:

  • SAP HANA Cloud database
  • Enabled HANA Cloud auditing as described here
  • Database user with the AUDIT ADMIN, AUDIT OPERATOR, or AUDIT READ system privilege
  • JDBC URL of the following format: jdbc:sap://<endpoint>:<port>
  • Allowed connections from Automation Pilot to your HANA Cloud database. Use this procedure to add the NAT IPs of the relevant Automation Pilot region.

Check out the following resources for more information:

How to use

Import the content of examples catalog in your Automation Pilot tenant. Navigate to the CheckHanaCloudAuditLogs command and trigger it.

You'll need to provide values for the following input keys:

  • connectionUrl - JDBC connection URL for the database
  • user - Name of a database user
  • password - Password for the specified database user

ℹ️ If you applied SAP's recommended audit policy settings, you can use the following SQL statements to simulate some suspicious activity:

-- Create temporary test role
CREATE ROLE TEST_ROLE;

-- Simulate suspicious activity with first user
CREATE USER TEST_USER_1 PASSWORD Abcd1234;
GRANT TEST_ROLE TO TEST_USER_1;
VALIDATE USER TEST_USER_1 PASSWORD Abcd1234;
DROP USER TEST_USER_1;

-- Simulate suspicious activity with second user
CREATE USER TEST_USER_2 PASSWORD Abcd1234;
GRANT TEST_ROLE TO TEST_USER_2;
VALIDATE USER TEST_USER_2 PASSWORD Abcd1234;
DROP USER TEST_USER_2;

-- Drop temporary test role
DROP ROLE TEST_ROLE;
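
One way to tailor the detection query to activity like the simulation above, as an added example that is not the SQL shipped with the CheckHanaCloudAuditLogs command: it summarizes the last 24 hours of AUDIT_LOG per acting database user and returns only users whose activity matches one of three patterns. The time window, the threshold of 5 failed events and the selected EVENT_ACTION values are assumptions to adjust to your own audit policies.

```sql
-- Added example: per-user summary of suspicious audit activity.
-- Assumptions (not from the original command): 24-hour window,
-- failed-event threshold of 5, and the three patterns in HAVING.
SELECT
    USER_NAME,
    COUNT(*)                                                        AS EVENTS,
    SUM(CASE WHEN EVENT_ACTION = 'CREATE USER' THEN 1 ELSE 0 END)   AS USERS_CREATED,
    SUM(CASE WHEN EVENT_ACTION = 'DROP USER'   THEN 1 ELSE 0 END)   AS USERS_DROPPED,
    SUM(CASE WHEN EVENT_ACTION = 'GRANT ROLE'  THEN 1 ELSE 0 END)   AS ROLE_GRANTS,
    SUM(CASE WHEN EVENT_STATUS = 'UNSUCCESSFUL' THEN 1 ELSE 0 END)  AS FAILED_EVENTS,
    COUNT(DISTINCT CLIENT_IP)                                       AS CLIENT_IPS,
    MIN("TIMESTAMP")                                                AS FIRST_SEEN,
    MAX("TIMESTAMP")                                                AS LAST_SEEN
FROM AUDIT_LOG
WHERE "TIMESTAMP" >= ADD_DAYS(CURRENT_TIMESTAMP, -1)
GROUP BY USER_NAME
HAVING
    -- Pattern 1: the same user both created and dropped accounts in the
    -- window (short-lived accounts, as in the TEST_USER_1/2 simulation).
    (    SUM(CASE WHEN EVENT_ACTION = 'CREATE USER' THEN 1 ELSE 0 END) > 0
     AND SUM(CASE WHEN EVENT_ACTION = 'DROP USER'   THEN 1 ELSE 0 END) > 0)
    -- Pattern 2: repeated failed audited actions (failed logons,
    -- rejected grants and similar).
    OR SUM(CASE WHEN EVENT_STATUS = 'UNSUCCESSFUL' THEN 1 ELSE 0 END) >= 5
    -- Pattern 3: any event recorded by a policy with a high audit level.
    OR SUM(CASE WHEN EVENT_LEVEL IN ('EMERGENCY', 'ALERT', 'CRITICAL')
                THEN 1 ELSE 0 END) > 0
ORDER BY LAST_SEEN DESC;
```

Which events appear in AUDIT_LOG at all depends on the audit policies that are enabled, so a pattern only fires for actions those policies record.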

This command is most useful when executed every day. Automation Pilot allows executions to be triggered automatically at regular intervals: hourly, daily, weekly, monthly or yearly. You can find more details in the documentation.

Another important aspect is alerting. You should receive a notification (an email, Slack message, Jira ticket or other) whenever the CheckHanaCloudAuditLogs command finds suspicious audit log entries. This can be achieved with the help of SAP Alert Notification. More information can be found here.