Microsoft Sentinel solution for SAP applications: Deployment overview
Use the Microsoft Sentinel solution for SAP applications to monitor your SAP systems with Microsoft Sentinel, detecting sophisticated threats throughout the business logic and application layers of your SAP applications.
This article introduces you to the Microsoft Sentinel solution for SAP applications deployment.
Solution components
The Microsoft Sentinel solution for SAP applications includes a data connector, which collects logs from your SAP systems and sends them to your Microsoft Sentinel workspace, and out-of-the-box security content, which helps you gain insight into your organization's SAP environment and detect and respond to security threats.
Data connector
The Microsoft Sentinel for SAP data connector is an agent installed as a container on a Linux virtual machine, physical server, or Kubernetes cluster. The agent collects application logs for all of your onboarded SAP SIDs from across the entire SAP system landscape, and then sends those logs to your Log Analytics workspace in Microsoft Sentinel.
For example, the following image shows a multi-SID SAP landscape with a split between production and nonproduction systems, including the SAP Business Technology Platform. All the systems in this image are onboarded to Microsoft Sentinel for the SAP solution.
The agent connects to your SAP system to pull logs and other data from it, then sends those logs to your Microsoft Sentinel workspace. To do this, the agent has to authenticate to your SAP system, using a user and role created specifically for this purpose.
Microsoft Sentinel supports a few options for storing your agent configuration information, including the configuration for your SAP authentication secrets. The decision of which option might depend on where you deploy your VM and which SAP authentication mechanism you use. Supported options are as follows, listed in order of preference:
- An Azure Key Vault accessed through an Azure system-assigned managed identity
- An Azure Key Vault accessed through a Microsoft Entra ID registered-application service principal
- A plaintext configuration file
You can also authenticate using SAP's Secure Network Communication (SNC) and X.509 certificates. While using SNC provides a higher level of authentication security, it might not be practical for all scenarios.
Security content
The Microsoft Sentinel solution for SAP applications includes the following types of security content to help you gain insight into your organization's SAP environment and detect and respond to security threats:
- Analytics rules and watchlists for threat detection.
- Functions for easy data access.
- Workbooks to create interactive data visualization.
- Watchlists for customization of the built-in solution parameters.
- Playbooks that you can use to automate responses to threats.
For more information, see Microsoft Sentinel solution for SAP applications: security content reference.
Deployment flow and personas
Deploying the Microsoft Sentinel solution for SAP applications involves several steps and requires collaboration across multiple teams, including the security, infrastructure, and SAP BASIS teams. The following image shows the steps in deploying the Microsoft Sentinel solution for SAP applications, with relevant teams indicated:
We recommend that you involve all relevant teams when planning your deployment to ensure that effort is allocated and the deployment can move smoothly.
Deployment steps include:
Review the prerequisites for deploying Microsoft Sentinel solution for SAP applications. Some prerequisites require coordination with your infrastructure or SAP BASIS teams.
The following steps can happen in parallel as they involve separate teams, and aren't dependent on each other:
Deploy the Microsoft Sentinel solution for SAP applications from the content hub. This step is handled by the security team on the Azure portal.
Configure your SAP system for the Microsoft Sentinel solution, including configuring SAP authorizations, configuring SAP auditing, and more. We recommend that these steps be done by your SAP BASIS team, and our documentation includes references to SAP documentation.
Connect your SAP system by deploying your data connector agent container. This step requires coordination between your security, infrastructure, and SAP BASIS teams.
Enable SAP detections and threat protection. This step is handled by the security team on the Azure portal.
Extra options include:
SAP data connector agent configuration file
The deployment procedure generates a systemconfig.json file that contains the configuration details for the SAP data connector agent. The file is located in the /sapcon-app/sapcon/config/system directory on your VM. You can use this file to update the configuration of your SAP data connector agent.
Earlier versions of the deployment script, released before June 2023, generated a systemconfig.ini file instead. For more information, see:
Stop SAP data collection
If you need to stop Microsoft Sentinel from collecting your SAP data, stop log ingestion and disable the connector. Then remove the extra user role and any optional CRs installed on your SAP system.
For more information, see Stop SAP data collection.
Related content
For more information, see:
- About Microsoft Sentinel content and solutions.
- Monitor the health and role of your SAP systems
- Update Microsoft Sentinel's SAP data connector agent
Next step
Begin the deployment of the Microsoft Sentinel solution for SAP applications by reviewing the prerequisites: