Install the Microsoft Sentinel solution for SAP applications
The Microsoft Sentinel solution for SAP applications includes the SAP data connector, which collects logs from your SAP systems and sends them to your Log Analytics workspace enabled for Microsoft Sentinel, and out-of-the-box security content, which helps you gain insight into your organization's SAP environment and detect and respond to security threats. Installing your solution is a required step before you can configure your data connector agent container.
Content in this article is relevant for your security team.
Prerequisites
To deploy the Microsoft Sentinel solution for SAP applications from the content hub, you need:
- A Log Analytics workspace enabled for Microsoft Sentinel.
- Read and write permissions to the workspace. For more information, see Roles and permissions in Microsoft Sentinel.
Make sure that you also review the prerequisites for deploying Microsoft Sentinel solution for SAP applications, especially Azure prerequisites.
Install the solution from the content hub
Installing the Microsoft Sentinel solution for SAP applications makes the Microsoft Sentinel for SAP data connector available for you in as a Microsoft Sentinel data connector. The solution also deploys security content, such as the SAP - System Applications and Products workbook and SAP-related analytics rules.
In the Microsoft Sentinel Content hub, search for the SAP applications solution and install it on your Log Analytics workspace enabled for Microsoft Sentinel.
On the Microsoft Sentinel solution for SAP applications page, select Create to define deployment settings. For example:
On the Basics tab, under Project details, select the Subscription and Resource group where you want to install the solution.
Under Instance details, select the Log Analytics workspace enabled for Microsoft Sentinel where you want to install the solution.
If you're working with the Microsoft Sentinel solution for SAP applications in multiple workspaces, select Some of the data is on a different workspace, and then define your target workspace, your SOC workspace, and SAP workspace. For example:
For example:
Select Review + create or Next to browse through the solution components. When you're ready, select Create
The deployment process can take a few minutes. After the deployment is finished, you can view the deployed content in Microsoft Sentinel.
Tip
If you want the SAP and SOC data to be kept on the same workspace with no additional access controls, do not select Some of the data is on a different workspace. In such cases, for more information, see SAP and SOC data maintained in the same workspace.
For more information, see Discover and manage Microsoft Sentinel out-of-the-box content.
View deployed content
When the deployment is finished, display your new content by browsing again to the Microsoft Sentinel for SAP applications solution from the Content hub. Alternatively:
For the built-in SAP workbooks, in Microsoft Sentinel, go to Threat Management > Workbooks > Templates.
For a series of SAP-related analytics rules, go to Configuration > Analytics Rule templates.
Your data connector doesn't appear as connected until you configure your data connector agent container to complete the connection.
Next step
Related content
For more information, see Microsoft Sentinel solution for SAP applications: security content reference.