Task 03: Set up anomaly-based audit log and monitor alerts
Description
The SAPAuditLogConfigRecommend() function in Microsoft Sentinel provides system-specific recommendations for configuring anomaly-based audit log monitor alerts. Here you’ll use the SAPAuditLogConfigRecommend function to generate recommendations for configuring anomaly-based alerts. These recommendations help identify unusual behavior in SAP audit logs and guide the setup of watchlists for fine-tuning alert rules.
Success criteria
- The SAPAuditLogConfigRecommend function is executed.
- Output is reviewed for recommended event types and thresholds.
- Watchlists are identified for future configuration.
Learning resources
Key tasks
- In the Workbooks menu, under General, select Logs.
- Under the New Query 1 vertical menu, switch to the Functions {fx} tab.
- Search for or locate the function named: SAPAuditLogConfigRecommend
- Select the SAPAuditLogConfigRecommend function from the list to run it.
- Review the output. The function returns a table with recommendations for:
  - Event types to monitor
  - Suggested severity levels
  - Tags to apply
  - Users or roles to exclude
  - Frequency thresholds per event type and system role
- Use the output to populate watchlists.
- Select the dropdown arrow on the second result - Expected daily incident count is 0.
Based on the output, in a real-life environment you can update the following watchlists:
- SAP_Dynamic_Audit_Log_Monitor_Configuration
- SAP_User_Config
- SAP_Systems
These watchlists help fine-tune the anomaly detection rule by defining what’s considered normal or acceptable behavior.
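As an added example (not part of the original lab), the query below shows what the thresholds kept in these watchlists do once the anomaly rule applies them: it counts audit log events per day, event type and system role, and returns the days on which a count exceeds the threshold for that role. The audit log rows, the system roles and the thresholds are constructed inline and the column names are assumed, so the query runs in the Logs blade without the SAP connector; in a real workspace the two lookup tables would come from _GetWatchlist('SAP_Systems') and _GetWatchlist('SAP_Dynamic_Audit_Log_Monitor_Configuration').

```kusto
// Constructed sample of SAP audit log events (column names assumed; the real
// SAPAuditLog table carries many more columns). AU2 is the SAP audit log
// message ID for a failed logon, AU3 for a transaction start.
let SampleAuditLog = datatable(TimeGenerated: datetime, SystemID: string, MessageID: string, User: string)
[
    datetime(2024-05-01 08:05), "PRD", "AU2", "ALICE",
    datetime(2024-05-01 08:06), "PRD", "AU2", "ALICE",
    datetime(2024-05-01 08:07), "PRD", "AU2", "ALICE",
    datetime(2024-05-01 09:00), "PRD", "AU3", "ALICE",
    datetime(2024-05-01 10:00), "DEV", "AU2", "BOB",
    datetime(2024-05-02 08:00), "PRD", "AU2", "ALICE",
    datetime(2024-05-02 11:00), "DEV", "AU3", "BOB",
    datetime(2024-05-02 11:05), "DEV", "AU3", "BOB"
];
// System roles, standing in for the SAP_Systems watchlist (constructed rows,
// assumed column names and role values).
let SystemRoles = datatable(SystemID: string, SystemRole: string)
[
    "PRD", "Production",
    "DEV", "NonProd"
];
// Per-event-type thresholds, standing in for the
// SAP_Dynamic_Audit_Log_Monitor_Configuration watchlist (constructed values,
// assumed column names). A lower threshold on production makes the same
// event count an anomaly there but normal on a development system.
let Thresholds = datatable(MessageID: string, ProductionThreshold: int, NonProdThreshold: int)
[
    "AU2", 2, 5,
    "AU3", 50, 500
];
SampleAuditLog
// Attach the role of the system that produced each event.
| join kind=inner SystemRoles on SystemID
// Daily frequency per event type and system role: the quantity the thresholds describe.
| summarize EventCount = count() by MessageID, SystemRole, Day = bin(TimeGenerated, 1d)
// Pick the threshold that applies to this system's role.
| join kind=inner Thresholds on MessageID
| extend Threshold = iff(SystemRole == "Production", ProductionThreshold, NonProdThreshold)
// Keep only the days where observed frequency exceeds what the watchlist calls normal.
| where EventCount > Threshold
| project Day, SystemRole, MessageID, EventCount, Threshold
| order by Day asc
```

Raising ProductionThreshold for AU2 to 3 in the Thresholds table removes the remaining row, which is the kind of tuning the function's recommendations are meant to guide.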