SecurityBridge Threat Detection for SAP connector for Microsoft Sentinel
SecurityBridge is the first and only holistic, natively integrated security platform, addressing all aspects needed to protect organizations running SAP from internal and external threats against their core business applications. The SecurityBridge platform is an SAP-certified add-on, used by organizations around the globe, and addresses the clients’ need for advanced cybersecurity, real-time monitoring, compliance, code security, and patching to protect against internal and external threats.This Microsoft Sentinel Solution allows you to integrate SecurityBridge Threat Detection events from all your on-premise and cloud based SAP instances into your security monitoring.Use this Microsoft Sentinel Solution to receive normalized and speaking security events, pre-built dashboards and out-of-the-box templates for your SAP security monitoring.
Connector attributes
| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | SecurityBridgeLogs_CL |
| Data collection rules support | Not currently supported |
| Supported by | Christoph Nagy |
Query samples
Top 10 Event Names
SecurityBridgeLogs_CL
| extend Name = tostring(split(RawData, '
|')[5])
| summarize count() by Name
| top 10 by count_
Vendor installation instructions
Note
This data connector depends on a parser based on a Kusto Function to work as expected. Follow these steps to create the Kusto Functions alias, SecurityBridgeLogs
Note
This data connector has been developed using SecurityBridge Application Platform 7.4.0.
- Install and onboard the agent for Linux or Windows
This solution requires logs collection via an Microsoft Sentinel agent installation
The Sentinel agent is supported on the following Operating Systems:
Windows Servers
SUSE Linux Enterprise Server
Redhat Linux Enterprise Server
Oracle Linux Enterprise Server
If you have the SAP solution installed on HPUX / AIX then you will need to deploy a log collector on one of the Linux options listed above and forward your logs to that collector
Configure the logs to be collected
Configure the custom log directory to be collected
- Select the link above to open your workspace advanced settings
- Click +Add custom
- Click Browse to upload a sample of a SecurityBridge SAP log file (e.g. AED_20211129164544.cef). Then, click Next >
- Select New Line as the record delimiter then click Next >
- Select Windows or Linux and enter the path to SecurityBridge logs based on your configuration. Example:
- '/usr/sap/tmp/sb_events/*.cef'
NOTE: You can add as many paths as you want in the configuration.
After entering the path, click the '+' symbol to apply, then click Next >
Add SecurityBridgeLogs as the custom log Name and click Done
Check logs in Microsoft Sentinel
Open Log Analytics to check if the logs are received using the SecurityBridgeLogs_CL Custom log table.
NOTE: It may take up to 30 minutes before new logs will appear in SecurityBridgeLogs_CL table.
Next steps
For more information, go to the related solution in the Azure Marketplace.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for