Редагувати

Поділитися через


Deployment prerequisites for the Microsoft Sentinel solution for SAP applications

This article lists the prerequisites required for deployment of the Microsoft Sentinel solution for SAP applications. Reviewing and ensuring that you have or understand all the prerequisites is the first step in deploying the Microsoft Sentinel solution for SAP applications.

Diagram of the steps included in deploying the Microsoft Sentinel solution for SAP applications, with the prerequisites step highlighted.

Content in this article is relevant for your security, infrastructure, and SAP BASIS teams.

Azure prerequisites

Typically, Azure prerequisites are managed by your security teams.

Prerequisite Description Required/optional
Access to Microsoft Sentinel Make a note of your *workspace ID and primary key for your Log Analytics workspace enabled for Microsoft Sentinel.
You can find these details in Microsoft Sentinel: from the navigation menu, select Settings > Workspace settings > Agents management. Copy the Workspace ID and Primary key and paste them aside for use during the deployment process.
Required
Permissions to create Azure resources At a minimum, you must have the necessary permissions to deploy solutions from the Microsoft Sentinel content hub. For more information, see Prerequisites for deploying Microsoft Sentinel solutions. Required
Permissions to create an Azure key vault or access an existing one Use Azure Key Vault to store secrets required to connect to your SAP system. For more information, see Assign key vault access permissions. Required if you plan to store the SAP system credentials in Azure Key Vault.

Optional if you plan to store them in a configuration file. For more information, see Create a virtual machine and configure access to your credentials.
Permissions to assign a privileged role to the SAP data connector agent Deploying the SAP data connector agent requires that you grant your agent's VM identity with specific permissions to the Microsoft Sentinel workspace, using the Microsoft Sentinel Business Applications Agent Operator role. To grant this role, you need Owner permissions on the resource group where your Microsoft Sentinel workspace resides.

For more information, see Connect your SAP system by deploying your data connector agent container.
Required.
If you don't have Owner permissions on the resource group, the relevant step can also be performed by another user who does have the relevant permissions, separately after the agent is fully deployed.

System prerequisites

Typically, system prerequisites are managed by your infrastructure teams. The following system prerequisites are required for deploying the SAP data connector agent container:

Prerequisite Description
System architecture The data connector component of the SAP solution is deployed as a Docker container.
The container host can be either a physical machine or a virtual machine, can be located either on-premises or in any cloud.
The VM hosting the container does not have to be located in the same Azure subscription as your Microsoft Sentinel workspace, or even in the same Microsoft Entra tenant.
Supported Linux versions The SAP data connector agent is tested with the following Linux distributions:
- Ubuntu 18.04 or higher
- SLES version 15 or higher
- RHEL version 7.7 or higher

If you have a different operating system, you might need to deploy and configure the container manually.

For more information, see Deploy the Microsoft Sentinel for SAP data connector agent container with expert options or open a support ticket.
Virtual machine sizing recommendations Minimum specification, such as for a lab environment:
Standard_B2s VM, with:
- Two cores
- 4-GB RAM

Standard connector (default):
Standard_D2as_v5 VM or
Standard_D2_v5 VM, with:
- Two cores
- 8-GB RAM

Multiple connectors:
Standard_D4as_v5 or
Standard_D4_v5 VM, with:
- Four cores
- 16-GB RAM
Administrative privileges Administrative privileges (root) are required on the container host machine.
Network connectivity Ensure that the container host has access to:
- Microsoft Sentinel
- Azure key vault (in deployment scenario where Azure key vault is used to store secrets
- SAP system via the following TCP ports: 32xx, 5xx13, 33xx, 48xx (when SNC is used), where xx is the SAP instance number.
Software utilities The SAP data connector deployment script installs the following required software on the container host VM (depending on the Linux distribution used, the list might vary slightly):
- Unzip
- NetCat
- Docker
- jq
- curl
Managed identity or service principal The latest version of the SAP data connector agent requires a managed identity or service principal to authenticate to Microsoft Sentinel.

Legacy agents are supported for updates to the latest version, and then must use a managed identity or service principal to continue updating to subsequent versions.

SAP prerequisites

We recommend that your SAP BASIS team verify and ensure SAP system prerequisites. We strongly recommend that any management of your SAP system is carried out by an experienced SAP system administrator.

Prerequisite Description
Supported SAP versions The SAP data connector agent support SAP NetWeaver systems and was tested on SAP_BASIS versions 731 and above.

Certain steps in this tutorial provide alternative instructions if you're working on the older SAP_BASIS version 740.
Required software SAP NetWeaver RFC SDK 7.50 (Download here)
Make sure that you also have an SAP user account in order to access the SAP software download page.
SAP system details Make a note of the following SAP system details:
- SAP system IP address and FQDN hostname
- SAP system number, such as 00
- SAP System ID, from the SAP NetWeaver system (for example, NPL)
- SAP client ID, such as 001
SAP NetWeaver instance access The SAP data connector agent uses one of the following mechanisms to authenticate to the SAP system:
- SAP ABAP user/password
- A user with an X.509 certificate. This option requires extra configuration steps. For more information, see Configure your system to use SNC for secure connections.
SAP role requirements To allow the SAP data connector to connect to your SAP system, you must create an SAP system role. We recommend creating the required system role by deploying the SAP NPLK900271 change request (CR). For more information, see Configure the Microsoft Sentinel role.
Recommended CRs for extra support Deploy recommended CRs on your SAP system to retrieve extra details, such as client IP address and extra logs. For more information, see Configure support for extra data retrieval (recommended).

Plan your ingestion

We recommend that you test your systems to determine the number of logs that each of your SAP systems sends to Microsoft Sentinel. Microsoft Sentinel billing depends on log ingestion size, which in turn depends on factors such as system usage, modules deployed, number of users, running use cases, network traffic, and log types.

For more information, see:

Next step