Deploy and configure the container hosting the SAP data connector agent (via UI)

This article shows you how to deploy the container that hosts the SAP data connector agent. You do this to ingest SAP data into Microsoft Sentinel, as part of the Microsoft Sentinel solution for SAP® applications.

This article shows you how to deploy the container and create SAP systems via the UI. Also see this video that shows the agent deployment process via the UI.

Alternatively, you can deploy the data connector agent using other methods: Managed identity, a registered application, a configuration file, or directly on the VM.

Important

Deploying the container and creating SAP systems via the UI is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Deployment milestones

Deployment of the Microsoft Sentinel solution for SAP® applications is divided into the following sections:

  1. Deployment overview

  2. Deployment prerequisites

  3. Work with the solution across multiple workspaces (PREVIEW)

  4. Prepare SAP environment

  5. Configure auditing

  6. Deploy the Microsoft Sentinel solution for SAP® applications from the content hub

  7. Deploy data connector agent (You are here)

  8. Configure Microsoft Sentinel solution for SAP® applications

  9. Optional deployment steps

Data connector agent deployment overview

For the Microsoft Sentinel solution for SAP® applications to operate correctly, you must first get your SAP data into Microsoft Sentinel. To accomplish this, you need to deploy the solution's SAP data connector agent.

The data connector agent runs as a container on a Linux virtual machine (VM). This VM can be hosted either in Azure, in a third-party cloud, or on-premises. We recommend that you install and configure this container using a kickstart script; however, you can choose to deploy the container manually.

The agent connects to your SAP system to pull logs and other data from it, then sends those logs to your Microsoft Sentinel workspace. To do this, the agent has to authenticate to your SAP system - that's why you created a user and a role for the agent in your SAP system in the previous step.

Your SAP authentication mechanism, and where you deploy your VM, will determine how and where your agent configuration information, including your SAP authentication secrets, is stored. These are the options, in descending order of preference:

  • An Azure Key Vault, accessed through an Azure system-assigned managed identity
  • An Azure Key Vault, accessed through an Azure AD registered-application service principal
  • A plaintext configuration file

If your SAP authentication is done using SNC and X.509 certificates, your only option is to use a configuration file. See the configuration file method, listed under the alternative deployment methods above, for the instructions to deploy your agent container that way.

If you're not using SNC, then your SAP configuration and authentication secrets can and should be stored in an Azure Key Vault. How you access your key vault depends on where your VM is deployed: a VM hosted in Azure can authenticate to the key vault with its system-assigned managed identity, while a VM hosted in a third-party cloud or on-premises has no managed identity and must authenticate as a registered application. The prerequisites for both options follow.

Deploy the data connector agent container via the UI

In this section, you deploy the data connector agent. After you deploy the agent, you configure the agent to connect to an SAP system.

Prerequisites

Managed identity

  1. Transfer the SAP NetWeaver SDK to the machine on which you want to install the agent.

  2. Run the following command to create a VM in Azure with a system-assigned managed identity (substitute actual names for the <placeholders>). The --assign-identity flag creates the identity; --role and --scope additionally assign an Azure role to it, so use the narrowest role and scope your organization requires. The agent itself needs only the key vault access you grant in step 6, so you can omit --role and --scope if the VM needs no Azure role:

    az vm create --resource-group <resource group name> --name <VM Name> --image Canonical:0001-com-ubuntu-server-focal:20_04-lts-gen2:latest --admin-username <azureuser> --public-ip-address "" --size  Standard_D2as_v5 --generate-ssh-keys --assign-identity --role <role name> --scope <subscription Id>
    
    

    For more information, see Quickstart: Create a Linux virtual machine with the Azure CLI.

    Important

    After the VM is created, be sure to apply any security requirements and hardening procedures applicable in your organization.

    The command above will create the VM resource, producing output that looks like this:

    {
      "fqdns": "",
      "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/resourcegroupname/providers/Microsoft.Compute/virtualMachines/vmname",
      "identity": {
        "systemAssignedIdentity": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
        "userAssignedIdentities": {}
      },
      "location": "westeurope",
      "macAddress": "00-11-22-33-44-55",
      "powerState": "VM running",
      "privateIpAddress": "192.168.136.5",
      "publicIpAddress": "",
      "resourceGroup": "resourcegroupname",
      "zones": ""
    }
    
  3. Copy the systemAssignedIdentity GUID, as it will be used in the coming steps.

  4. Run the following commands to create a key vault (substitute actual names for the <placeholders>). If you'll be using an existing key vault, ignore this step:

    az keyvault create \
      --name <KeyVaultName> \
      --resource-group <KeyVaultResourceGroupName>
    
  5. Copy the name of the (newly created or existing) key vault and the name of its resource group. You'll need these when you run the deployment script in the coming steps.

  6. Run the following command to assign a key vault access policy to the VM's system-assigned identity that you copied above (substitute actual names for the <placeholders>):

    az keyvault set-policy -n <KeyVaultName> -g <KeyVaultResourceGroupName> --object-id <VM system-assigned identity> --secret-permissions get list set
    

    This policy allows the VM's identity to list, read, and write secrets in the key vault, and nothing more (no delete or purge). Note that az keyvault set-policy applies only to vaults that use the access-policy permission model; if your vault uses Azure RBAC for authorization, assign the Key Vault Secrets Officer role to the VM's identity at the vault scope instead.

Registered application

  1. Transfer the SAP NetWeaver SDK to the machine on which you want to install the agent.

  2. Run the following command to create and register an application:

    az ad sp create-for-rbac
    

    The command above will create the application, producing output that looks like this:

    {
      "appId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
      "displayName": "azure-cli-2022-01-28-17-59-06",
      "password": "ssssssssssssssssssssssssssssssssss",
      "tenant": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
    }
    
  3. Copy the appId, tenant, and password from the output. You'll need these for assigning the key vault access policy and running the deployment script in the coming steps. The password is the application's client secret and is displayed only this once; keep it in a secret store rather than in shell history or a script. Older versions of the Azure CLI also granted the new application the Contributor role on the current subscription by default; the agent needs no Azure role, so review the application's role assignments and remove any you didn't intend.

  4. Run the following commands to create a key vault (substitute actual names for the <placeholders>). If you'll be using an existing key vault, ignore this step:

    az keyvault create \
      --name <KeyVaultName> \
      --resource-group <KeyVaultResourceGroupName>
    
  5. Copy the name of the (newly created or existing) key vault and the name of its resource group. You'll need these for assigning the key vault access policy and running the deployment script in the coming steps.

  6. Run the following command to assign a key vault access policy to the registered application ID that you copied above (substitute actual names or values for the <placeholders>):

    az keyvault set-policy -n <KeyVaultName> -g <KeyVaultResourceGroupName> --spn <appId> --secret-permissions get list set
    

    For example:

    az keyvault set-policy -n sentinelkeyvault -g sentinelresourcegroup --spn aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa --secret-permissions get list set
    

    This policy allows the registered application to list, read, and write secrets in the key vault, and nothing more (no delete or purge). Note that az keyvault set-policy applies only to vaults that use the access-policy permission model; if your vault uses Azure RBAC for authorization, assign the Key Vault Secrets Officer role to the application's service principal at the vault scope instead.
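The two prerequisite procedures above (managed identity and registered application), combined into one script as an added example; this is not code from the page or from the Sentinel solution. It reads the page's placeholders from environment variables (KV_NAME, KV_RG, VM_RG, VM_NAME, APP_NAME, and optionally ROLE_NAME and SCOPE; all names chosen here) and adds two checks the page leaves to you: that the CLI actually returned a GUID for the identity, and that the access policy read back from the vault grants exactly get, list and set. The az commands are the ones the page uses, plus az keyvault show, az ad sp show and az role assignment list for the checks.

```shell
#!/bin/sh
# Added example (not from the page or the Sentinel solution): the "Managed identity"
# and "Registered application" prerequisites as one script. Configuration is read
# from environment variables; ROLE_NAME and SCOPE are optional and map to the
# page's --role/--scope placeholders.
#   KV_NAME=.. KV_RG=.. VM_RG=.. VM_NAME=.. ./sap-agent-prereqs.sh managed-identity
#   KV_NAME=.. KV_RG=.. APP_NAME=..         ./sap-agent-prereqs.sh registered-app
set -eu

# ---- helpers that need no Azure access --------------------------------------

# True if $1 is a GUID, the shape of an object ID, application ID or tenant ID.
is_guid() {
  printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# True if the secret permissions in "$*" (space- or newline-separated, as
# `az ... -o tsv` prints them) are exactly get, list and set. Anything more,
# such as delete or purge, exceeds what the agent needs.
perms_are_least_privilege() {
  sorted=$(printf '%s\n' "$*" | tr -s ' \t' '\n\n' | tr '[:upper:]' '[:lower:]' \
           | sed '/^$/d' | sort -u | tr '\n' ' ')
  [ "$sorted" = "get list set " ]
}

# ---- Azure steps ------------------------------------------------------------

ensure_keyvault() {   # create the vault only if it does not already exist
  : "${KV_NAME:?}" "${KV_RG:?}"
  az keyvault show -n "$KV_NAME" -g "$KV_RG" >/dev/null 2>&1 \
    || az keyvault create -n "$KV_NAME" -g "$KV_RG" >/dev/null
}

# $1 $2 = set-policy selector and value (--object-id <id> or --spn <appId>);
# $3 = object ID of the principal, used to read the policy back and check it.
# set-policy needs the vault's access-policy permission model; if the vault uses
# Azure RBAC instead, assign the "Key Vault Secrets Officer" role to the principal.
grant_secret_access() {
  az keyvault set-policy -n "$KV_NAME" -g "$KV_RG" "$1" "$2" \
    --secret-permissions get list set >/dev/null
  granted=$(az keyvault show -n "$KV_NAME" -g "$KV_RG" \
    --query "properties.accessPolicies[?objectId=='$3'].permissions.secrets[]" -o tsv)
  perms_are_least_privilege "$granted" \
    || { echo "unexpected secret permissions for $3: $granted" >&2; return 1; }
}

prereq_managed_identity() {
  : "${VM_RG:?}" "${VM_NAME:?}"
  set -- --assign-identity                   # no Azure role unless ROLE_NAME is set
  if [ -n "${ROLE_NAME:-}" ]; then set -- "$@" --role "$ROLE_NAME" --scope "${SCOPE:?}"; fi
  vm_identity=$(az vm create -g "$VM_RG" -n "$VM_NAME" \
    --image Canonical:0001-com-ubuntu-server-focal:20_04-lts-gen2:latest \
    --admin-username "${ADMIN_USER:-azureuser}" --public-ip-address "" \
    --size Standard_D2as_v5 --generate-ssh-keys "$@" \
    --query identity.systemAssignedIdentity -o tsv)
  is_guid "$vm_identity" || { echo "VM has no system-assigned identity" >&2; return 1; }
  ensure_keyvault
  grant_secret_access --object-id "$vm_identity" "$vm_identity"
  echo "VM identity $vm_identity can get/list/set secrets in $KV_NAME"
}

prereq_registered_app() {
  : "${APP_NAME:?}"
  # The client secret is printed exactly once; keep it in a variable, never in a log.
  sp_out=$(az ad sp create-for-rbac --name "$APP_NAME" \
             --query '[appId,tenant,password]' -o tsv | tr '\t' '\n')
  app_id=$(printf '%s\n' "$sp_out" | sed -n 1p)
  tenant_id=$(printf '%s\n' "$sp_out" | sed -n 2p)
  client_secret=$(printf '%s\n' "$sp_out" | sed -n 3p)
  is_guid "$app_id" || { echo "no appId returned" >&2; return 1; }
  # Older CLI versions also granted Contributor at subscription scope. The agent needs
  # no Azure RBAC role, only the vault policy: review and remove anything listed here.
  az role assignment list --assignee "$app_id" --all -o table
  ensure_keyvault
  sp_object_id=$(az ad sp show --id "$app_id" --query id -o tsv)  # 'objectId' on older CLIs
  grant_secret_access --spn "$app_id" "$sp_object_id"
  echo "appId=$app_id tenant=$tenant_id; client secret is held in \$client_secret only"
}

case "${1:-}" in
  managed-identity) prereq_managed_identity ;;
  registered-app)   prereq_registered_app ;;
  *) echo "usage: $0 managed-identity|registered-app" ;;
esac
```

The two helper functions at the top have no Azure dependency, so the script can be exercised without a subscription; running it with managed-identity or registered-app performs the real steps and stops at the first check that fails.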

Deploy the data connector agent

  1. From the Microsoft Sentinel portal, select Data connectors.

  2. In the search bar, type Microsoft Sentinel for SAP.

  3. Select the Microsoft Sentinel for SAP connector and select Open connector.

    You create an agent and SAP system under the Configuration > Add an API based collector agent area.

    Screenshot of the Configuration > Add an API based collector agent area of the SAP data connector page.

  4. Deploy the agent. To add a system, you must add an agent first.

    1. Create a new agent
    2. Connect the agent to a new SAP system

Create a new agent

  1. In the Configuration area, select Add new agent (Preview).

    Screenshot of the Create a collector agent area.

  2. Under Create a collector agent on the right, define the agent details:

    • Type the agent name. The agent name can include these characters:
      • a-z
      • A-Z
      • 0-9
      • _
      • .
      • -
    • Select the subscription and key vault.
    • Under NWRFC SDK zip file path on the agent VM, type the path on the VM to the SAP NetWeaver Remote Function Call (RFC) Software Development Kit (SDK) archive (.zip file). For example, /src/test/NWRFC.zip.
    • To ingest NetWeaver/ABAP logs over a secure connection using Secure Network Communications (SNC), select Enable SNC connection support. If you select this option, under SAP Cryptographic Library path on the agent VM, provide the path that contains the sapgenpse binary and libsapcrypto.so library.

    Note

    Make sure that you select Enable SNC connection support at this stage if you want to use an SNC connection. You can't go back and enable an SNC connection after you finish deploying the agent.

    Learn more about deploying the connector over a SNC connection.

    • To deploy the container and create SAP systems via managed identity, leave the default option, Managed Identity, selected. To deploy the container and create SAP systems via a registered application, select Application Identity. You set up the managed identity or registered application (application identity) in the prerequisites.
  3. Select Create and review the recommendations before you complete the deployment:

    Screenshot of the final stage of the agent deployment.

  4. Under Just one step before we finish, select Copy next to Agent command.

  5. In your target VM (the VM where you plan to install the agent), open a terminal and run the command you copied in the previous step.

    The relevant agent information is deployed into Azure Key Vault, and the new agent is visible in the table under Add an API based collector agent.

    At this stage, the agent's Health status is "Incomplete installation. Please follow the instructions." If the agent is added successfully, the status changes to Agent healthy. This update can take up to 10 minutes.

    Screenshot of the health statuses Configuration > Add an API based collector agent area of the SAP data connector page.

    The table displays the agent name and health status for agents you deploy via the UI only.

    If you need to copy your command again, select View to the right of the Health column and copy the command next to Agent command on the bottom right.

Connect to a new SAP system

  1. In the Configuration area, select Add new system (Preview).

    Screenshot of the Add new system area.

  2. Under Select an agent, select the agent you created in the previous step.

  3. Under System identifier, select the server type and provide the server details.

  4. Select Next: Authentication.

  5. For basic authentication, provide the user and password. If you selected an SNC connection when you set up the agent, select SNC and provide the certificate details.

  6. Select Next: Logs.

  7. Select which logs you want to pull from SAP, and select Next: Review and create.

  8. Review the settings you defined. Select Previous to modify any settings, or select Deploy to deploy the system.

    The system configuration you defined is deployed into Azure Key Vault. You can now see the system details in the table under Configure an SAP system and assign it to a collector agent. This table displays the associated agent name, SAP System ID (SID), and health status for systems that you added via the UI or via other methods.

    At this stage, the system's Health status is Pending. If the agent is updated successfully, it pulls the configuration from Azure Key Vault, and the status changes to System healthy. This update can take up to 10 minutes.

    Learn more about how to monitor your SAP system health.
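While waiting the up to 10 minutes the page mentions for an agent to leave "Incomplete installation" or a system to leave Pending, the following added script (not from the page or the Sentinel solution) is a reasonable way to find out whether the deployment actually completed. It assumes docker is the container runtime on the agent VM and that the agent container's name begins with sapcon (the page does not state the container name), and it takes the key vault name and resource group from KV_NAME and KV_RG (variable names chosen here). The docker and az commands are standard ones; the sample docker ps output used for the offline self-check is constructed.

```shell
#!/bin/sh
# Added example (not from the page or the Sentinel solution): checks to run after the
# agent command has been executed on the VM and the SAP system added in the portal.
# Assumptions: the agent container's name starts with "sapcon" (the page does not
# state the name), docker is the container runtime, and KV_NAME/KV_RG name the key
# vault selected when creating the agent.
#   ./sap-agent-verify.sh vm                 (on the agent VM)
#   KV_NAME=.. KV_RG=.. ./sap-agent-verify.sh azure
set -eu

# $1 = output of: docker ps -a --format '{{.Names}}\t{{.Status}}'
# Succeeds only if at least one sapcon* container exists and every one is "Up".
# A container that exited (for example because the copied agent command failed
# part-way) is reported on stderr.
sapcon_containers_healthy() {
  found=0; bad=0
  while IFS="$(printf '\t')" read -r name status; do
    case "$name" in sapcon*) ;; *) continue ;; esac
    found=1
    case "$status" in Up*) ;; *) echo "$name is not running: $status" >&2; bad=1 ;; esac
  done <<EOF
$1
EOF
  [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

verify_on_vm() {
  sapcon_containers_healthy "$(docker ps -a --format '{{.Names}}\t{{.Status}}')"
  # Tail each agent container's log; repeated RFC or connection errors here are the
  # usual reason a system stays Pending in the portal.
  for c in $(docker ps -a --format '{{.Names}}' | grep '^sapcon'); do
    echo "== $c"; docker logs --tail 50 "$c"
  done
}

verify_in_azure() {
  : "${KV_NAME:?}" "${KV_RG:?}"
  # The portal writes the agent and system configuration into the vault as secrets,
  # so an empty vault means the deployment never completed.
  n=$(az keyvault secret list --vault-name "$KV_NAME" --query 'length(@)' -o tsv)
  [ "$n" -gt 0 ] || { echo "no secrets in $KV_NAME" >&2; return 1; }
  # The agent identity should still hold only get/list/set on secrets.
  az keyvault show -n "$KV_NAME" -g "$KV_RG" \
    --query 'properties.accessPolicies[].{objectId:objectId,secrets:permissions.secrets}' -o json
}

case "${1:-}" in
  vm)    verify_on_vm ;;
  azure) verify_in_azure ;;
  *)     # no argument: offline self-check on constructed (not real) docker ps output
         sample=$(printf 'sapcon-agent1\tUp 3 minutes\nsapcon-agent2\tExited (137) 10 seconds ago\n')
         if sapcon_containers_healthy "$sample" 2>/dev/null; then echo "self-check: all up"
         else echo "self-check: stopped container detected (expected for the sample)"; fi ;;
esac
```

Run the vm check on the agent VM with the same user that ran the agent command, and the azure check from any machine logged in with az; a healthy agent shows an Up container and a non-empty secret list, and the access policy printed at the end should still list only get, list and set for the identity you granted in the prerequisites.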

Next steps

Once the connector is deployed, proceed to deploy Microsoft Sentinel solution for SAP® applications content.