Microsoft Sentinel solution for SAP applications: Deployment overview
Use the Microsoft Sentinel solution for SAP applications to monitor your SAP systems with Microsoft Sentinel, detecting sophisticated threats throughout the business logic and application layers of your SAP applications.
This article introduces you to the Microsoft Sentinel solution for SAP applications deployment.
Important
Noted features are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Solution components
The Microsoft Sentinel solution for SAP applications includes a data connector, which collects logs from your SAP systems and sends them to your Microsoft Sentinel workspace, and out-of-the-box security content, which helps you gain insight into your organization's SAP environment and detect and respond to security threats.
Data connector
The Microsoft Sentinel solution for SAP applications supports both an agentless data connector and a containerized data connector agent. Both options collect application logs for all your onboarded SAP SIDs from across the entire SAP system landscape, and then send those logs to your Log Analytics workspace in Microsoft Sentinel.
The Microsoft Sentinel agentless data connector for SAP uses the SAP Cloud Connector and SAP Integration Suite to connect to your SAP system and pull logs from it.
By using the SAP Cloud Connector, the agentless data connector takes advantage of existing setups and established integration processes. This means you don't have to solve network challenges again, because the people running your SAP Cloud Connector have already gone through that process.
The agentless data connector is compatible with SAP S/4HANA Cloud, Private Edition RISE with SAP, SAP S/4HANA on-premises, and SAP ERP Central Component (ECC), ensuring continued functionality of existing security content, including detections, workbooks, and playbooks.
The agentless data connector ingests critical security logs such as the security audit log, change docs logs, and user master data, including user roles and authorizations.
Security content
The Microsoft Sentinel solutions for SAP applications include the following types of security content to help you gain insight into your organization's SAP environment and detect and respond to security threats:
- Analytics rules and watchlists for threat detection.
- Functions for easy data access.
- Workbooks to create interactive data visualization.
- Watchlists for customization of the built-in solution parameters.
- Playbooks that you can use to automate responses to threats.
For more information, see Microsoft Sentinel solution for SAP applications: security content reference.
Deployment flow and personas
Deploying the Microsoft Sentinel solutions for SAP applications involves several steps and requires collaboration across multiple teams, differing depending on whether you're using the agentless data connector or a data connector agent. With the agentless data connector, deployment requires collaboration across your security and SAP BASIS teams; the steps listed below indicate the relevant team for each.
We recommend that you involve both teams when planning your deployment to ensure that effort is allocated and the deployment can move smoothly.
Deployment steps include:
1. Review the prerequisites for deploying the SAP agentless data connector.
2. Deploy the SAP applications solution from the content hub. This step is handled by the security team on the Azure portal.
3. Configure your SAP system for the Microsoft Sentinel solution, including configuring SAP authorizations, configuring SAP auditing, and more. We recommend that these steps be done by your SAP BASIS team, and our documentation includes references to SAP documentation. Some of the procedures in this step can be done by the SAP BASIS team before installing the solution.
4. Connect your SAP system using an agentless data connector with the SAP Cloud Connector. This step is handled by your security team on the Azure portal, using information provided by your SAP BASIS team.
5. Enable SAP detections and threat protection. This step is handled by the security team on the Azure portal.
Related content
For more information, see:
- About Microsoft Sentinel content and solutions
- Monitor the health and role of your SAP systems
- Update Microsoft Sentinel's SAP data connector agent
Next step
Begin the deployment of the Microsoft Sentinel solution for SAP applications by reviewing the prerequisites: