Microsoft Sentinel solution for SAP applications: Deployment overview
Applies to:
Microsoft Sentinel in the Azure portal, Microsoft Sentinel in the Microsoft Defender portal
Use the Microsoft Sentinel solution for SAP applications to monitor your SAP systems with Microsoft Sentinel, detecting sophisticated threats throughout the business logic and application layers of your SAP applications.
This article introduces you to the Microsoft Sentinel solution for SAP applications deployment.
Important
Noted features are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Solution components
The Microsoft Sentinel solution for SAP applications includes a data connector, which collects logs from your SAP systems and sends them to your Microsoft Sentinel workspace, and out-of-the-box security content, which helps you gain insight into your organization's SAP environment and detect and respond to security threats.
Data connector
The Microsoft Sentinel solution for SAP applications supports both a containerized data connector agent and an agentless data connector. Both connectors collect application logs for all your onboarded SAP SIDs from across the entire SAP system landscape, and then send those logs to your Log Analytics workspace in Microsoft Sentinel.
For example, the following image shows a multi-SID SAP landscape with a split between production and nonproduction systems, including the SAP Business Technology Platform. All the systems in this image are onboarded to Microsoft Sentinel for the SAP solution.
The agent connects to your SAP system to pull logs and other data from it, then sends those logs to your Microsoft Sentinel workspace. To do this, the agent has to authenticate to your SAP system, using a user and role created specifically for this purpose.
Microsoft Sentinel supports a few options for storing your agent configuration information, including the configuration for your SAP authentication secrets. Which option you choose might depend on where you deploy your VM and which SAP authentication mechanism you use. Supported options are as follows, listed in order of preference:
An Azure Key Vault accessed through an Azure system-assigned managed identity
An Azure Key Vault accessed through a Microsoft Entra ID registered-application service principal
A plaintext configuration file
You can also authenticate using SAP's Secure Network Communication (SNC) and X.509 certificates. While using SNC provides a higher level of authentication security, it might not be practical for all scenarios.
The Microsoft Sentinel agentless data connector for SAP uses the SAP Cloud Connector and SAP Integration Suite to connect to your SAP system and pull logs from it, as shown in the following image:
By using the SAP Cloud Connector, the agentless solution benefits from existing setups and established integration processes. This means you don't have to tackle network challenges again, as the people running your SAP Cloud Connector have already gone through that process.
The Agentless solution is compatible with SAP S/4HANA Cloud, Private Edition RISE with SAP, SAP S/4HANA on-premises, and SAP ERP Central Component (ECC), ensuring continued functionality of existing security content, including detections, workbooks, and playbooks.
In limited preview, the agentless solution starts by supporting the SAP audit log, which typically covers the majority of SAP threat scenarios.
Important
Microsoft Sentinel's Agentless solution is in limited preview as a prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here. Access to the Agentless solution also requires registration and is only available to approved customers and partners during the preview period. For more information, see Microsoft Sentinel for SAP goes agentless.
Security content
The Microsoft Sentinel solutions for SAP applications include the following types of security content to help you gain insight into your organization's SAP environment and detect and respond to security threats:
Analytics rules and watchlists for threat detection.
Functions for easy data access.
Workbooks to create interactive data visualization.
Watchlists for customization of the built-in solution parameters.
Playbooks that you can use to automate responses to threats.
Deploying the Microsoft Sentinel solutions for SAP applications involves several steps and requires collaboration across multiple teams, differing depending on whether you're using a data connector agent or the agentless solution. The steps for the data connector agent are described first, followed by the steps for the agentless solution.
Deploying the Microsoft Sentinel solutions for SAP applications involves several steps and requires collaboration across multiple teams, including the security, infrastructure, and SAP BASIS teams. The following image shows the steps in deploying the Microsoft Sentinel solutions for SAP applications, with relevant teams indicated:
We recommend that you involve all relevant teams when planning your deployment to ensure that effort is allocated and the deployment can move smoothly.
Configure your SAP system for the Microsoft Sentinel solution, including configuring SAP authorizations, configuring SAP auditing, and more. We recommend that these steps be done by your SAP BASIS team, and our documentation includes references to SAP documentation.
Connect your SAP system by deploying a containerized data connector agent. This step requires coordination between your security, infrastructure, and SAP BASIS teams.
If you're using the data connector agent and need to stop Microsoft Sentinel from collecting your SAP data, stop log ingestion and disable the connector. Then remove the extra user role and any optional CRs installed on your SAP system.
Deploying the Microsoft Sentinel solutions for SAP applications involves several steps and requires collaboration across your security and SAP BASIS teams. The following image shows the steps in deploying the Microsoft Sentinel solutions for SAP applications, with relevant teams indicated:
We recommend that you involve both teams when planning your deployment to ensure that effort is allocated and the deployment can move smoothly.
Configure your SAP system for the Microsoft Sentinel solution, including configuring SAP authorizations, configuring SAP auditing, and more. We recommend that these steps be done by your SAP BASIS team, and our documentation includes references to SAP documentation.
Connect your SAP system using an agentless data connector with the SAP Cloud Connector. This step is handled by your security team on the Azure portal, using information provided by your SAP BASIS team.