Prerequisites for deploying Microsoft Sentinel solution for SAP® applications

This article lists the prerequisites required for deployment of the Microsoft Sentinel solution for SAP® applications.

Deployment milestones

Track your SAP solution deployment journey through this series of articles:

  1. Deployment overview

  2. Deployment prerequisites (You are here)

  3. Prepare SAP environment

  4. Deploy data connector agent

  5. Deploy SAP security content

  6. Configure Microsoft Sentinel solution for SAP® applications

  7. Optional deployment steps

Table of prerequisites

To successfully deploy the Microsoft Sentinel solution for SAP® applications, you must meet the following prerequisites:

Azure prerequisites

Prerequisite | Description
Access to Microsoft Sentinel | Make a note of your Microsoft Sentinel workspace ID and primary key.
You can find these details in Microsoft Sentinel: from the navigation menu, select Settings > Workspace settings > Agents management. Copy the Workspace ID and Primary key and save them for use during the deployment process.
[Optional] Permissions to create Azure resources | At a minimum, you must have the necessary permissions to deploy solutions from the Microsoft Sentinel content hub. For more information, see the Microsoft Sentinel content hub catalog.
[Optional] Permissions to create an Azure key vault or access an existing one | The recommended deployment scenario is to use Azure Key Vault to store the secrets required to connect to your SAP system. For more information, see the Azure Key Vault documentation.

System prerequisites

Prerequisite | Description
System architecture | The data connector component of the SAP solution is deployed as a Docker container, and each SAP client requires its own container instance.
The container host can be either a physical machine or a virtual machine, and can be located either on-premises or in any cloud.
The VM hosting the container does not have to be located in the same Azure subscription as your Microsoft Sentinel workspace, or even in the same Azure AD tenant.
Virtual machine sizing recommendations | Minimum specification, such as for a lab environment:
Standard_B2s VM, with:
- 2 cores
- 4 GB RAM

Standard connector (default):
Standard_D2as_v5 VM or
Standard_D2_v5 VM, with:
- 2 cores
- 8 GB RAM

Multiple connectors:
Standard_D4as_v5 or
Standard_D4_v5 VM, with:
- 4 cores
- 16 GB RAM
Administrative privileges | Administrative privileges (root) are required on the container host machine.
Supported Linux versions | The SAP data connector agent has been tested with the following Linux distributions:
- Ubuntu 18.04 or higher
- SLES version 15 or higher
- RHEL version 7.7 or higher

If you have a different operating system, you may need to deploy and configure the container manually instead of using the kickstart script.
Network connectivity | Ensure that the container host has access to:
- Microsoft Sentinel
- Azure Key Vault (in a deployment scenario where Azure Key Vault is used to store secrets)
- SAP system via the following TCP ports: 32xx, 5xx13, 33xx, 48xx (when SNC is used), where xx is the SAP instance number.
Software utilities | The SAP data connector deployment script installs the following required software on the container host VM (depending on the Linux distribution used, the list may vary slightly):
- Unzip
- NetCat
- Docker
- jq
- curl
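
The Network connectivity row above can be verified from the container host before deployment. The following script is an added example, not part of the original article or of the kickstart script; the function names and the snc argument are assumptions, and nc is the NetCat utility from the list above.

```shell
#!/usr/bin/env bash
# Added example: SAP connectivity pre-flight for the container host.
# Function names and the "snc" argument are illustrative only.

# Print the TCP ports for a two-digit SAP instance number (xx):
# 32xx, 5xx13, 33xx, plus 48xx only when SNC is used.
sap_ports() {
    case "$1" in
        [0-9][0-9]) ;;
        *) echo "instance number must be two digits, such as 00" >&2
           return 64 ;;
    esac
    if [ "${2:-}" = "snc" ]; then
        echo "32$1 5${1}13 33$1 48$1"
    else
        echo "32$1 5${1}13 33$1"
    fi
}

# Succeed if a TCP connection to host ($1), port ($2) opens within 3 seconds.
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Probe every required port on the SAP host.
# Return value: number of unreachable ports (64 on a bad instance number).
check_sap_host() {
    local host ports port failed
    host=$1
    failed=0
    ports=$(sap_ports "$2" "${3:-}") || return 64
    for port in $ports; do
        if port_open "$host" "$port"; then
            echo "reachable    $host:$port"
        else
            echo "UNREACHABLE  $host:$port"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run when called as: ./sap_preflight.sh <sap-host> <instance-number> [snc]
if [ "$#" -ge 2 ]; then
    check_sap_host "$@"
fi
```

A non-zero exit status means at least one required port is blocked between the container host and the SAP system.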

SAP prerequisites

Prerequisite | Description
Supported SAP versions | The SAP data connector agent supports SAP NetWeaver systems and was tested on SAP_BASIS versions 731 and above.

Certain steps in this tutorial provide alternative instructions if you're working on the older SAP_BASIS version 740.
Required software | SAP NetWeaver RFC SDK 7.50 (Download here)
Make sure that you also have an SAP user account in order to access the SAP software download page.
SAP system details | Make a note of the following SAP system details for use in this tutorial:
- SAP system IP address and FQDN hostname
- SAP system number, such as 00
- SAP System ID, from the SAP NetWeaver system (for example, NPL)
- SAP client ID, such as 001
SAP NetWeaver instance access | The SAP data connector agent uses one of the following mechanisms to authenticate to the SAP system:
- SAP ABAP user/password
- A user with an X.509 certificate (This option requires additional configuration steps)

SAP environment validation steps


Step-by-step instructions for deploying a CR and assigning the required role are available in the Deploying SAP CRs and configuring authorization guide. Determine which CRs need to be deployed, retrieve the relevant CRs from the links in the tables below, and proceed to the step-by-step guide.

Create and configure a role (required)

To allow the SAP data connector to connect to your SAP system, you must create a role. Create the role by deploying CR NPLK900271 or by loading the role authorizations from the MSFTSEN_SENTINEL_CONNECTOR_ROLE_V0.0.27.SAP file.


Alternatively, you can create a role that has minimal permissions by deploying change request NPLK900268, or loading the role authorizations from the MSFTSEN_SENTINEL_AGENT_BASIC_ROLE_V0.0.1.SAP file. This change request or authorizations file creates the /MSFTSEN/SENTINEL_AGENT_BASIC role. This role has the minimal required permissions for the data connector to operate. Note that if you choose to deploy this role, you might need to update it frequently.

Experienced SAP administrators may choose to create the role manually and assign it the appropriate permissions. In such a case, it is not necessary to deploy the CR NPLK900271, but you must instead create a role using the recommendations outlined in Expert: Deploy SAP CRs and deploy required ABAP authorizations.

SAP BASIS versions | Sample CR
Any version | NPLK900271: K900271.NPL, R900271.NPL

Retrieve additional information from SAP (optional)

You can deploy additional CRs from the Microsoft Sentinel GitHub repository to enable the SAP data connector to retrieve certain information from your SAP system.

  • SAP BASIS 7.5 SP12 and above: Client IP Address information from security audit log
  • ANY SAP BASIS version: DB Table logs, Spool Output log

SAP BASIS versions | Recommended CR | Notes
750 and later | NPLK900202: K900202.NPL, R900202.NPL | Deploy the relevant SAP note.
740 | NPLK900201: K900201.NPL, R900201.NPL |

Deploy SAP note (optional)

If you choose to retrieve additional information with the NPLK900202 optional CR, ensure that the following SAP note is deployed in your SAP system, according to its version:

SAP BASIS versions | Notes
750 SP04 to SP12, 751 SP00 to SP06, 752 SP00 to SP02 | 2641084 - Standardized read access to data of Security Audit Log*

Next steps

After verifying that all the prerequisites have been met, proceed to the next step to deploy the required CRs to your SAP system and configure authorization.