Deploy the Microsoft Sentinel solution for SAP applications from the content hub

Article
02/29/2024

This article shows you how to deploy the Microsoft Sentinel solution for SAP applications security content from the content hub to your Microsoft Sentinel workspace. This content makes up the remaining parts of the Microsoft Sentinel solution for SAP.

Prerequisites

To deploy the Microsoft Sentinel solution for SAP applications from the content hub, you need:

A Microsoft Sentinel instance.
A defined Microsoft Sentinel workspace, and read and write permissions to the workspace.
A Microsoft Sentinel for SAP data connector set up.

Check deployment milestones

Track your SAP solution deployment journey through this series of articles:

Deployment overview
Deployment prerequisites
Work with the solution in multiple workspaces (preview)
Prepare your SAP environment
Configure auditing
Deploy the data connector agent
Deploy the Microsoft Sentinel solution for SAP applications from the content hub (You are here)
Configure the Microsoft Sentinel solution for SAP applications
Optional deployment steps:

Deploy the security content from the content hub

Deploy the SAP security content from the Microsoft Sentinel Content hub and Watchlists areas.

Deploying the Microsoft Sentinel solution for SAP applications causes the Microsoft Sentinel for SAP data connector to be displayed in the Microsoft Sentinel Data connectors area. The solution also deploys the SAP - System Applications and Products workbook and SAP-related analytics rules.

To deploy SAP solution security content:

In Microsoft Sentinel, on the left pane, select Content hub (Preview).

The Content hub (Preview) page displays a filtered, searchable list of solutions.
To open the SAP solution page, select Microsoft Sentinel solution for SAP applications.
To start the solution deployment wizard, select Create, and then enter the details of the Azure subscription and resource group.
For the Deployment target workspace, select the Log Analytics workspace (the one that Microsoft Sentinel uses) where you want to deploy the solution.
If you want to work with the Microsoft Sentinel solution for SAP applications in multiple workspaces (preview), select Some of the data is on a different workspace, and then do the following steps:
1. Under Configure the workspace where the SOC data resides in, select the SOC subscription and workspace.
2. Under Configure the workspace where the SAP data resides in, select the SAP subscription and workspace.
For example:

Note

If you want the SAP and SOC data to be kept on the same workspace with no additional access controls, do not select Some of the data is on a different workspace. If you want the SOC and SAP data to be kept on the same workspace, but to apply additional access controls, review this scenario.
Select Next to cycle through the Data Connectors, Analytics, and Workbooks tabs, where you can learn about the components that are deployed with this solution.

For more information, see Microsoft Sentinel solution for SAP applications: security content reference.
On the Review + create tab pane, wait for the Validation Passed message, and then select Create to deploy the solution.

Tip

You can also select Download a template for a link to deploy the solution as code.
When deployment is finished, to display the newly deployed content:
- For the built-in SAP workbooks, go to Threat Management > Workbooks > My workbooks.
- For a series of SAP-related analytics rules, go to Configuration > Analytics.
In Microsoft Sentinel, go to the Microsoft Sentinel for SAP data connector to confirm the connection:

SAP ABAP logs are displayed on the Microsoft Sentinel Logs page, under Custom logs:

For more information, see Microsoft Sentinel solution for SAP applications solution logs reference.