Microsoft Sentinel incident response playbooks for SAP

This article describes how to take advantage of Microsoft Sentinel's security orchestration, automation, and response (SOAR) capabilities in conjunction with SAP. The article introduces purpose-built playbooks included in the Microsoft Sentinel solution for SAP® applications. You can use these playbooks to respond automatically to suspicious user activity in SAP systems, automating remedial actions in SAP RISE, SAP ERP, SAP Business Technology Platform (BTP) as well as in Azure Active Directory.

The Microsoft Sentinel SAP solution empowers your organization to secure its SAP environment. For a complete, detailed overview of the Sentinel SAP solution, see the following articles:

With the addition of these playbooks to the solution, you can not only monitor and analyze security events in real-time, you can also automate SAP incident response workflows to improve the efficiency and effectiveness of security operations.

The Microsoft Sentinel solution for SAP® applications includes the following playbooks:

  • SAP Incident Response - Lock user from Teams - Basic
  • SAP Incident Response - Lock user from Teams - Advanced
  • SAP Incident Response - Reenable audit logging once deactivated

Use cases

You're tasked with defending your organization's SAP environment. You've implemented Microsoft Sentinel solution for SAP® applications. You've enabled the solution's analytics rule "SAP - Execution of a Sensitive Transaction Code," and you've possibly customized the solution's "Sensitive Transactions" watchlist to include particular transaction codes you wish to screen for. An incident warns you of suspicious activity in one of the SAP systems. A user is trying to execute one of these highly sensitive transactions. You must investigate and respond to this incident.

During the triage phase, you decide to take action against this user, kicking it out of your SAP ERP or BTP systems or even from Azure AD.

Lock out a user from a single system

As an example of how to bring orchestration and automation to this process, let's build an automation rule to invoke the Lock user from Teams - Basic playbook whenever a sensitive transaction execution by an unauthorized user is detected. This playbook uses Teams' adaptive cards feature to request approval before unilaterally blocking the user.

For more information on configuring this playbook, see this SAP blog post.

Lock out a user from multiple systems

The Lock user from Teams - Advanced playbook accomplishes the same objective, but is designed for more complex scenarios, allowing a single playbook to be used for multiple SAP systems, each with its own SAP SID. The playbook seamlessly manages the connections to all of these systems, and their credentials, using the optional dynamic parameter InterfaceAttributes in the SAP - Systems watchlist (included with the Microsoft Sentinel solution for SAP® applications) and Azure Key Vault. The playbook also allows you to communicate to the parties in the approval process using Outlook actionable messages in addition to—and synchronized with—Teams, using the TeamsChannelID and DestinationEmail parameters in the SAP_Dynamic_Audit_Log_Monitor_Configuration watchlist.

For more information on configuring this playbook, and in particular on how to use dynamic parameters in watchlists to manage connections to all your SAP systems, see this SAP blog post.

Prevent deactivation of audit logging

With your mission being to ensure that security coverage of your SAP environment remains comprehensive and uninterrupted, you might be concerned about the SAP audit log—one of the sources of your security information—being deactivated. You want to build an automation rule based on the SAP - Deactivation of Security Audit Log analytics rule, that will invoke the Reenable audit logging once deactivated playbook to make sure that doesn't happen. This playbook also uses Teams, but only to inform security personnel after the fact, since, given the severity of the offense and the urgency of its mitigation, immediate action can be taken with no approval required. Since this playbook also uses Azure Key Vault to manage credentials, the playbook's configuration is similar to that of the previous one. For more information on this playbook and its configuration, see this SAP blog post.

Standard vs. Consumption playbooks

Microsoft Sentinel lets you create instances of these playbooks directly from templates if you're using playbooks based on Azure Logic Apps' Consumption plan. If you have specific requirements for virtual networking (VNET) injection support, you must either use Azure API management as described here in conjunction with your Consumption logic app, or use Standard-plan logic apps.

See the full explanation of the different types of playbooks. Also, see this SAP blog post, in the table under the heading "Creating line of sight to your SAP system for the SOAP request," for the ramifications of choosing each type of logic app.

The process for deploying Standard logic apps generally is more complex than it is for Consumption logic apps, but we've made available a series of shortcuts which allows you to deploy them quickly from the Microsoft Sentinel GitHub repository. Follow the procedure outlined there to deploy the playbooks.

Currently available Standard playbooks in GitHub:

Keep tabs on the SAP playbooks folder in the GitHub repository for more playbooks as they become available. There's also a short introductory video (external link) there to help you get started.

Next steps

In this article, you learned about the playbooks available in the Microsoft Sentinel solution for SAP® applications.