Deploy SAP security content in Microsoft Sentinel

This article shows you how to deploy Microsoft Sentinel security content into your Microsoft Sentinel workspace. This content makes up the remaining parts of the Microsoft Sentinel Solution for SAP.

Deployment milestones

Track your SAP solution deployment journey through this series of articles:

1. Deployment overview

2. Deployment prerequisites

3. Prepare SAP environment

4. Deploy data connector agent

5. Deploy SAP security content (You are here)

6. Configure Microsoft Sentinel Solution for SAP

7. Optional deployment steps

   • Configure auditing
   • Configure data connector to use SNC
   • Select SAP ingestion profiles

Deploy SAP security content

Deploy the SAP security content from the Microsoft Sentinel Content hub and Watchlists areas.

Deploying the Microsoft Sentinel Solution for SAP causes the Microsoft Sentinel for SAP data connector to be displayed in the Microsoft Sentinel Data connectors area. The solution also deploys the SAP - System Applications and Products workbook and SAP-related analytics rules.

To deploy SAP solution security content, do the following:

1. In Microsoft Sentinel, on the left pane, select Content hub (Preview).

   The Content hub (Preview) page displays a filtered, searchable list of solutions.

2. To open the SAP solution page, select Microsoft Sentinel Solution for SAP.

   

3. To launch the solution deployment wizard, select Create, and then enter the details of the Azure subscription, resource group, and Log Analytics workspace (the one used by Microsoft Sentinel) where you want to deploy the solution.

4. Select Next to cycle through the Data Connectors, Analytics, and Workbooks tabs, where you can learn about the components that will be deployed with this solution.

   For more information, see Microsoft Sentinel Solution for SAP: security content reference.

5. On the Review + create tab pane, wait for the Validation Passed message, then select Create to deploy the solution.

   Tip

   You can also select Download a template for a link to deploy the solution as code.

6. After the deployment is completed, a confirmation message appears at the upper right.

   To display the newly deployed content, go to:

   • Threat Management > Workbooks > My workbooks, to find the built-in SAP workbooks.
   • Configuration > Analytics to find a series of SAP-related analytics rules.

7. In Microsoft Sentinel, go to the Microsoft Sentinel for SAP data connector to confirm the connection:

   

   SAP ABAP logs are displayed on the Microsoft Sentinel Logs page, under Custom logs:

   

   For more information, see Microsoft Sentinel Solution for SAP solution logs reference.

Next steps

Learn more about the Microsoft Sentinel Solution for SAP:

• Deploy Microsoft Sentinel Solution for SAP
• Prerequisites for deploying Microsoft Sentinel Solution for SAP
• Deploy SAP Change Requests (CRs) and configure authorization
• Deploy and configure the container hosting the SAP data connector agent
• Deploy SAP security content
• Deploy the Microsoft Sentinel for SAP data connector with SNC
• Enable and configure SAP auditing
• Collect SAP HANA audit logs

Troubleshooting:

• Troubleshoot your Microsoft Sentinel Solution for SAP deployment
• Configure SAP Transport Management System

Reference files:

• Microsoft Sentinel Solution for SAP solution data reference
• Microsoft Sentinel Solution for SAP: security content reference
• Update script reference
• Systemconfig.ini file reference

For more information, see Microsoft Sentinel solutions.