Deploy and configure the container hosting the SAP data connector agent

This article shows you how to deploy the container that hosts the SAP data connector agent. You do this to ingest SAP data into Microsoft Sentinel, as part of the Microsoft Sentinel Solution for SAP.

Deployment milestones

Deployment of the Microsoft Sentinel Solution for SAP is divided into the following sections:

  1. Deployment overview

  2. Deployment prerequisites

  3. Prepare SAP environment

  4. Deploy data connector agent (You are here)

  5. Deploy SAP security content

  6. Configure Microsoft Sentinel Solution for SAP

  7. Optional deployment steps

Data connector agent deployment overview

For the Microsoft Sentinel Solution for SAP to operate correctly, you must first get your SAP data into Microsoft Sentinel. To accomplish this, you need to deploy the solution's SAP data connector agent.

The data connector agent runs as a container on a Linux virtual machine (VM). This VM can be hosted either in Azure, in a third-party cloud, or on-premises. We recommend that you install and configure this container using a kickstart script; however, you can choose to deploy the container manually.

The agent connects to your SAP system to pull logs and other data from it, then sends those logs to your Microsoft Sentinel workspace. To do this, the agent has to authenticate to your SAP system - that's why you created a user and a role for the agent in your SAP system in the previous step.

Your SAP authentication infrastructure, and where you deploy your VM, will determine how and where your agent configuration information, including your SAP authentication secrets, is stored. These are the options, in descending order of preference:

  • An Azure Key Vault, accessed through an Azure system-assigned managed identity
  • An Azure Key Vault, accessed through an Azure AD registered-application service principal
  • A plaintext configuration file

If your SAP authentication infrastructure is based on SNC, using X.509 certificates, your only option is to use a configuration file. Select the Configuration file tab below for the instructions to deploy your agent container.

If you're not using SNC, then your SAP configuration and authentication secrets can and should be stored in an Azure Key Vault. How you access your key vault depends on where your VM is deployed:

Deploy the data connector agent container

  1. Transfer the SAP NetWeaver SDK to the machine on which you want to install the agent.

  2. Run the following command to create a VM in Azure (substitute actual names for the <placeholders>):

    az vm create --resource-group <resource group name> --name <VM Name> --image Canonical:0001-com-ubuntu-server-focal:20_04-lts-gen2:latest --admin-username <azureuser> --public-ip-address "" --size Standard_D2as_v5 --generate-ssh-keys --assign-identity --role <role name> --scope <subscription Id>
    
    

    For more information, see Quickstart: Create a Linux virtual machine with the Azure CLI.

    Important

    After the VM is created, be sure to apply any security requirements and hardening procedures applicable in your organization.

    The command above will create the VM resource, producing output that looks like this:

    {
      "fqdns": "",
      "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/resourcegroupname/providers/Microsoft.Compute/virtualMachines/vmname",
      "identity": {
        "systemAssignedIdentity": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
        "userAssignedIdentities": {}
      },
      "location": "westeurope",
      "macAddress": "00-11-22-33-44-55",
      "powerState": "VM running",
      "privateIpAddress": "192.168.136.5",
      "publicIpAddress": "",
      "resourceGroup": "resourcegroupname",
      "zones": ""
    }
    
  3. Copy the systemAssignedIdentity GUID, as it will be used in the coming steps.

  4. Run the following commands to create a key vault (substitute actual names for the <placeholders>). If you'll be using an existing key vault, ignore this step:

    az keyvault create \
      --name <KeyVaultName> \
      --resource-group <KeyVaultResourceGroupName>
    
  5. Copy the name of the (newly created or existing) key vault and the name of its resource group. You'll need these when you run the deployment script in the coming steps.

  6. Run the following command to assign a key vault access policy to the VM's system-assigned identity that you copied above (substitute actual names for the <placeholders>):

    az keyvault set-policy -n <KeyVaultName> -g <KeyVaultResourceGroupName> --object-id <VM system-assigned identity> --secret-permissions get list set
    

    This policy will allow the VM to list, read, and write secrets from/to the key vault.

  7. Sign in to the newly created machine with a user with sudo privileges.

  8. Download and run the deployment kickstart script. For public cloud, the command is:

    wget -O sapcon-sentinel-kickstart.sh https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/sapcon-sentinel-kickstart.sh && bash ./sapcon-sentinel-kickstart.sh
    

    For Azure China 21Vianet, the command is:

    wget -O sapcon-sentinel-kickstart.sh https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/sapcon-sentinel-kickstart.sh && bash ./sapcon-sentinel-kickstart.sh --cloud mooncake
    

    For Azure Government - US, the command is:

    wget -O sapcon-sentinel-kickstart.sh https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/sapcon-sentinel-kickstart.sh && bash ./sapcon-sentinel-kickstart.sh --cloud fairfax
    

    The script updates the OS components, installs the Azure CLI, Docker, and other required utilities (jq, netcat, curl), and prompts you for configuration parameter values. You can supply additional parameters to the script to minimize the number of prompts or to customize the container deployment. For more information on available command line options, see Kickstart script reference.

  9. Follow the on-screen instructions to enter your SAP and key vault details and complete the deployment. When the deployment is complete, a confirmation message is displayed:

    The process has been successfully completed, thank you!
    

    Note the Docker container name in the script output. You'll use it in the next step.

  10. Run the following command to configure the Docker container to start automatically.

    docker update --restart unless-stopped <container-name>
    

    To view a list of the available containers, use the command: docker ps -a.
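The commands in step 8 download the kickstart script from the repository's master branch and execute it in one go, so the VM runs whatever that branch contains at that moment. As an added example (not part of the original article or of the Azure-Sentinel repository), the wrapper below separates download, verification against a SHA-256 digest you recorded after reviewing the script, and execution. The function names, the `PINNED_SHA256` placeholder and the `public` cloud label are assumptions.

```shell
#!/bin/sh
# Added example: fetch the kickstart script, check it against a pinned digest, then run it.
KICKSTART_URL="https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/sapcon-sentinel-kickstart.sh"
# Placeholder: the SHA-256 you recorded after reviewing a downloaded copy of the script.
PINNED_SHA256="<sha256-of-reviewed-script>"

# Succeeds only if the file exists and its SHA-256 equals the expected hex digest.
verify_sha256() {
    file=$1; expected=$2
    [ -f "$file" ] || return 2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Map a cloud label to the kickstart arguments shown in step 8.
# "public" is this example's own label for the default (no --cloud argument).
kickstart_args() {
    case "$1" in
        public)   echo "" ;;
        mooncake) echo "--cloud mooncake" ;;   # Azure China 21Vianet
        fairfax)  echo "--cloud fairfax" ;;    # Azure Government - US
        *)        return 1 ;;
    esac
}

# Download to disk, verify against the pin, and only then execute.
run_pinned_kickstart() {
    cloud=${1:-public}
    args=$(kickstart_args "$cloud") || { echo "unknown cloud: $cloud" >&2; return 1; }
    wget -q -O sapcon-sentinel-kickstart.sh "$KICKSTART_URL" || return 1
    if ! verify_sha256 sapcon-sentinel-kickstart.sh "$PINNED_SHA256"; then
        echo "kickstart script differs from the reviewed copy; not running" >&2
        return 1
    fi
    # $args is intentionally unquoted so "--cloud <name>" splits into two words.
    bash ./sapcon-sentinel-kickstart.sh $args
}

# Runs only when a cloud label is passed, e.g.: sh pinned-kickstart.sh public
if [ "$#" -gt 0 ]; then
    run_pinned_kickstart "$1"
fi
```

When the upstream script changes, the digest check fails and the script is left on disk for review; update the pin only after reading the new version.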

Next steps

Once the connector is deployed, proceed to deploy Microsoft Sentinel Solution for SAP content: