Configure your SAP system for the Microsoft Sentinel solution
This article describes how to prepare your SAP environment for connecting to the SAP data connector. Preparation differs, depending on whether you're using the containerized data connector agent. Select the option at the top of the page that matches your environment.
This article is part of the second step in deploying the Microsoft Sentinel solution for SAP applications.
The procedures in this article are typically performed by your SAP BASIS team.
This article is part of the second step in deploying the Microsoft Sentinel solution for SAP applications. While steps that are performed in Microsoft Sentinel require that the solution be installed first, other preparations in the SAP environment can happen in parallel.
Many of the procedures in this article are typically performed by your SAP BASIS team. Some steps include your security team too.
Important
Microsoft Sentinel's agentless data connector for SAP is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Prerequisites
- Before you start, make sure to review the prerequisites for deploying the Microsoft Sentinel solution for SAP applications.
- If you're working with the agentless data connector, some steps are performed in Microsoft Sentinel and require that the solution be installed first.
Configure the Microsoft Sentinel role
To allow the SAP data connector to connect to your SAP system, you must create an SAP system role specifically for this purpose.
To include both log retrieval and attack disruption response actions, we recommend creating this role by loading role authorizations from the /MSFTSEN/SENTINEL_RESPONDER file.
To include log retrieval only, we recommend creating this role by deploying the NPLK900271 SAP change request (CR): K900271.NPL | R900271.NPL
Deploy the CRs on your SAP system as needed just as you'd deploy other CRs. We strongly recommend that deploying SAP CRs is done by an experienced SAP system administrator. For more information, see the SAP documentation.
Alternately, load the role authorizations from the MSFTSEN_SENTINEL_CONNECTOR file, which includes all the basic permissions for the data connector to operate.
Experienced SAP administrators might choose to create the role manually and assign it the appropriate permissions. In such cases, create a role manually with the relevant authorizations required for the logs you want to ingest. For more information, see Required ABAP authorizations. Examples in our documentation use the /MSFTSEN/SENTINEL_RESPONDER name.
When configuring the role, we recommend that you:
- Generate an active role profile for Microsoft Sentinel by running the PFCG transaction.
- Use
/MSFTSEN/SENTINEL_RESPONDERas the role name.
Create a role using the MSFTSEN_SENTINEL_READER template, which includes all the basic permissions for the data connector to operate.
For more information, see the SAP documentation on creating roles.
Create a user
The Microsoft Sentinel solution for SAP applications requires a user account to connect to your SAP system. When creating your user:
- Make sure to create a system user.
- Assign the /MSFTSEN/SENTINEL_RESPONDER role to the user, which you'd created in the previous step.
- Make sure to create a system user.
- Assign the MSFTSEN_SENTINEL_READER role to the user, which you'd created in the previous step.
For more information, see the SAP documentation.
Configure SAP auditing
Some installations of SAP systems might not have audit logging enabled by default. For best results in evaluating the performance and efficacy of the Microsoft Sentinel solution for SAP applications, enable auditing of your SAP system and configure the audit parameters. If you want to ingest SAP HANA DB logs, make sure to also enable auditing for SAP HANA DB.
We recommend that you configure auditing for all messages from the audit log, instead of only specific logs. Ingestion cost differences are generally minimal and the data is useful for Microsoft Sentinel detections and in post-compromise investigations and hunting.
For full monitoring coverage with the agentless data connector, we recommend that you enable monitoring on all client IDs of your monitored SAP systems, including clients 000 and 066.
For more information, see the SAP community and Collect SAP HANA audit logs in Microsoft Sentinel.
Configure your system to use SNC for secure connections
By default, the SAP data connector agent connects to an SAP server using a remote function call (RFC) connection and a username and password for authentication.
However, you might need to make the connection on an encrypted channel or use client certificates for authentication. In these cases, use Smart Network Communications (SNC) from SAP to secure your data connections, as described in this section.
In a production environment, we strongly recommend that your consult with SAP administrators to create a deployment plan for configuring SNC. For more information, see the SAP documentation.
When configuring SNC:
- If the client certificate was issued by an enterprise certification authority, transfer the issuing CA and root CA certificates to the system where you plan to create the data connector agent.
- If you're using the data connector agent, make sure to also enter the relevant values and use the relevant procedures when configuring the SAP data connector agent container. If you're using the agentless data connector, the SNC configuration is done in the SAP Cloud Connector.
For more information about SNC, see Getting started with SAP SNC for RFC integrations - SAP blog.
Configure support for extra data retrieval (recommended)
While this step is optional, we recommend that you enable the SAP data connector to retrieve the following content information from your SAP system:
- DB Table and Spool Output logs
- Client IP address information from the security audit logs
Deploy the relevant CRs from the Microsoft Sentinel GitHub repository, according to your SAP version:
SAP BASIS versions Recommended CR 750 and higher NPLK900202: K900202.NPL, R900202.NPL
When deploying this CR any of the following SAP versions, also deploy 2641084 - Standardized read access to data of Security Audit Log:
- 750 SP04 to SP12
- 751 SP00 to SP06
- 752 SP00 to SP02740 NPLK900201: K900201.NPL, R900201.NPL Deploy the CRs on your SAP system as needed just as you'd deploy other CRs. We strongly recommend that deploying SAP CRs is done by an experienced SAP system administrator. For more information, see the SAP documentation.
For more information, see the SAP Community and the SAP documentation.
To support SAP BASIS versions 7.31-7.5 SP12 in sending client IP address information to Microsoft Sentinel, activate logging for SAP table USR41. For more information, see the SAP documentation.
Verify that the PAHI table is updated at regular intervals
The SAP PAHI table includes data on the history of the SAP system, the database, and SAP parameters. In some cases, the Microsoft Sentinel solution for SAP applications can't monitor the SAP PAHI table at regular intervals, due to missing or faulty configuration. It's important to update the PAHI table and to monitor it frequently, so that the Microsoft Sentinel solution for SAP applications can alert on suspicious actions that might happen at any time throughout the day. For more information, see:
If the PAHI table is updated regularly, the SAP_COLLECTOR_FOR_PERFMONITOR job is scheduled and runs hourly. If the SAP_COLLECTOR_FOR_PERFMONITOR job doesn't exist, make sure to configure it as needed.
For more information, see Database Collector in Background Processing and Configuring the Data Collector.
Configure SAP BTP settings
In your SAP BTP subaccount, add entitlements for the following services:
- SAP Integration Suite
- SAP Process Integration Runtime
- Cloud Foundry Runtime
Create an instance of Cloud Foundry Runtime, and then also create a Cloud Foundry space.
Create an instance of SAP Integration Suite.
Assign the SAP BTP Integration_Provisioner role to your SAP BTP subaccount user account.
In the SAP Integration Suite, add the cloud integration capability.
Assign the following process integration roles to your user account:
- PI_Administrator
- PI_Integration_Developer
- PI_Business_Expert
These roles are available only after you activate the cloud integration capability.
Create an instance of the SAP Process Integration Runtime in your subaccount.
Create a service key for the SAP Process Integration Runtime and save the JSON contents to a secure location. You must activate the cloud integration capability before creating a service key for SAP Process Integration Runtime.
For more information, see the SAP documentation.
Perform initial connector configuration
This procedure starts in Microsoft Sentinel and requires that the solution be installed before you start.
In Microsoft Sentinel, go to the Configuration > Data connectors page and locate the Microsoft Sentinel for SAP - agent-less (Preview) data connector.
In the Configuration area, expand and follow the instructions in the Initial connector configuration - Run the steps below once: area. These steps will require a mixture of your Security and SAP BASIS teams.
If, after you deploy the Azure resources step 1, the values in the steps 2 and 3 aren't automatically populated, close and re-expand step 1 to refresh the values in steps 2 and 3.
Included in the package is Prerequisite checker iflow. We recommend running this iflow before continuing to the next step to ensure that your SAP system meets the system prerequisites.
To run the tool:
Open the integration package, navigate to the artifacts tab, and select the Prerequisite checker iflow > Configure.
Set the target RFC destination to the SAP system you want to check.
Deploy the iflow as you would otherwise for your SAP systems. For example, use the following sample PowerShell script, modifying the sample placeholder values for your environment:
$cpiEndpoint = "https://my-cpi-uri.it-cpi012-rt.cfapps.eu01-010.hana.ondemand.com" # CPI endpoint URL $credentialsUrl = "https://my-uaa-uri.authentication.eu01.hana.ondemand.com/oauth/token" # SAP authorization server URL $serviceKey = 'sb-12324cd-a1b2-5678-a1b2-1234cd5678ef!g9123|it-rt-my-cpi!h45678' # Process Integration Runtime Service client ID $serviceSecret = '< client secret >' # Your Process Integration Runtime service secret (make sure to use single quotes) $credentials = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$serviceKey`:$serviceSecret")) $headers = @{ "Authorization" = "Basic $credentials" "Content-Type" = "application/json" } $authResponse = Invoke-WebRequest -Uri $credentialsUrl"?grant_type=client_credentials" ` -Method Post ` -Headers $headers $token = ($authResponse.Content | ConvertFrom-Json).access_token $path = "/http/checkSAP" $param = "?startTimeUTC=$((Get-Date).AddMinutes(-1).ToString("yyyy-MM-ddTHH:mm:ss"))&endTimeUTC=$((Get-Date).ToString("yyyy-MM-ddTHH:mm:ss"))" $headers = @{ "Authorization" = "Bearer $token" "Content-Type" = "application/json" } $response = Invoke-WebRequest -Uri "$cpiEndpoint$path$param" -Method Get -Headers $headers Write-Host $response.RawContent
Make sure that the prerequisites checker runs successfully before connecting to Microsoft Sentinel.
Scroll further down in the Configuration area, and expand and follow the instructions in the Add monitored SAP Systems - Run the steps below for each monitored SAP system: area for each SAP system you want to monitor.
When you get to step 2. Connect SAP System to Microsoft Sentinel / SOC Engineer, continue with Connect your SAP system to Microsoft Sentinel.
Configure SAP Cloud Connector settings
Install the SAP Cloud Connector. For more information, see the SAP documentation.
Sign in at the cloud connector interface, and add the subaccount using the relevant credentials. For more information, see the SAP documentation.
In your cloud connector subaccount, add a new system mapping to the backend system to map the ABAP system to the RFC protocol.
Define load balancing options and enter your backend ABAP server details. In this step, copy the name of the virtual host to a secure location to use later in the deployment process.
Add new resources to the system mapping for each of the following function names:
RSAU_API_GET_LOG_DATA, to fetch SAP security audit log data
BAPI_USER_GET_DETAIL, to retrieve SAP user details
RFC_READ_TABLE, to read data from required tables
SIAG_ROLE_GET_AUTH, to retrieve security role authorizations
Add a new destination in SAP BTP that points the virtual host you'd created earlier. Use the following details to populate the new destination:
Name: Enter the name you want to use for the Microsoft Sentinel connection
Type
RFCProxy Type:
On-PremiseUser: Enter the ABAP user account you created earlier for Microsoft Sentinel
Authorization Type:
CONFIGURED USERAdditional properties:
jco.client.ashost = <virtual host name>jco.client.client = <client e.g. 001>jco.client.sysnr = <system number = 00>jco.client.lang = EN
Location: Only required when you connect multiple Cloud Connectors to the same BTP subaccount. For more information, see the SAP Documentation.