(DI-2311) Collector for RFC Security

The technical name of the Collector for RFC Security is /DVD/MON_SEC_CL_COL_RFC.

The purpose of this data collector is to monitor and ensure the security of Remote Function Call (RFC) connections in the SAP system. It collects information about RFC users, incoming RFC calls, and failed RFC calls to detect anomalies and potential security threats. The collector identifies suspicious activities, unauthorized access, and potential vulnerabilities, thereby helping to enhance the overall security posture of the system.

Default KPIs delivered with this collector

The following KPIs are delivered with this collector:

KPI name

Description

Unit

Detail table

KPI name

Description

Unit

Detail table

SEC_RFC_DIA_USR

Number of RFC connections with dialog users

Count

Yes

SEC_RFC_OUT_FAIL

Number of outbound failed RFC calls

Count

Yes

SEC_RFC_IN_FAIL

Number of inbounds failed RFC calls

Count

Yes

SEC_RFC_ANOMAL

Number of anomalies in RFC calls

Count

Yes

Detail tables

The collector provides a detail table for RFC connections with dialog users. The technical name of the detail table is /DVD/MON_SEC_S_RFC_DIA_DET.

This detail table provides records of RFC connections made by dialog users in the SAP system. It contains the following fields:

Technical name

Description

Technical name

Description

BNAME

User Name

MANDT

Client

RFCDEST

Logical Destination (Specified in Function Call)

The collector provides also a detail table for errors and anomalies in RFC calls. The technical name of the detail table is /DVD/MON_SEC_S_RFC_FAIL_DET.

A detail table is used to report records related to both failed RFC calls and anomalies in RFC communications. It contains information on instances where unexpected or suspicious behavior occurs in the context of RFC connections, helping to monitor and identify potential security threats.

It contains the following fields:

Technical name

Description

Technical name

Description

TIMESTAMP

When the records are saved into the detail table

SID

System ID

EVENT

RFC event description

EVENT_TIMESTAMP

RFC event timestamp

RFC_DIRECTION

RFC direction

TCODE

Transaction Code

USER_NAME

RFC user name

The anomalies logged in the detail table include scenarios:

  • Unusual terminal activity: An anomaly is logged when an RFC user logs in from a different terminal than usual.

  • Long unused RFC users: Anomaly records are generated for RFC users who have not been used for more than 30 days and then access the system again.

  • Long unused RFC connection: Anomaly records are generated for RFC connections that have not been used for more than 30 days and then were accessed again.

  • Failed inbound RFC calls: Anomalies are logged for failed incoming asynchronous RFC calls.

  • Failed outbound RFC calls: Anomalies are logged for failed outgoing asynchronous RFC calls.

  • RFC anomalies from SM19 logs: Anomaly records are generated based on information extracted from transaction SM19 logs. Not available by default. Anomalies detected by SM19 include:

    • RFC/CPIC logon failed.

    • Failed sync. RFC call.

    • Failed web service call.

    • Generic table access by RFC.

To set up a collection of RFC anomalies from SM19 logs, you must follow the steps below to enable logging this type of security logging:

  1. Go to the transaction SM19.

  2. Click on Filter 1 and mark the checkbox to set the filer to active mode.

  3. Select RFC/CPIC logon and RFC call from Audit classes.

  4. Select Only Critical from Events.

There is no performance impact, not in time nor space, if you log unsuccessful (=critical) events as these events happen rarely. However, if you would enable logging for all kinds of audit classes and event types it could have a significant effect on space and performance.

  1. Click the Save button.

  2. Click on DynamicConfiguration in the menu.

  3. Activate audit (Ctrl + F3), the status of server recording should change.

For more information about the SM19/SM20 security audit log you can also check https://blogs.sap.com/2014/12/11/analysis-and-recommended-settings-of-the-security-audit-log-sm19-sm20/