Protect critical information within SAP systems against cyberattacks
Published Aug 02 2022 05:40 AM 3,026 Views

SAP systems and applications handle massive volumes of business-critical data that is hosted on cloud or on-premises infrastructure. The SAP ecosystem is complex and difficult for security operations (SecOps) teams to effectively monitor and protect against growing threats.  A breach of the SAP system could result in data loss, disruption to business processes, loss of revenue and major reputation damage.


Microsoft Sentinel solution for SAP allows you to monitor, detect, and respond to suspicious activities within the SAP ecosystem, protecting your sensitive data against sophisticated cyberattacks. With Microsoft Sentinel solution for SAP you can:

  • Monitor all SAP system layers - gain visibility across business logic, application, database, and operating system layers with built-in investigation and threat detection tools
  • Detect and automatically respond to threats - discover suspicious activity including privilege escalation, unauthorized changes, sensitive transactions, and suspicious data downloads with out-of-the-box detection capabilities
  • Customize based on your needs - build your own threat detection solutions to monitor specific business risks to extend built-in security content

Deployment details

To ingest SAP logs into Microsoft Sentinel, an SAP data connector agent (deployed on a VM or a Kubernetes/AKS cluster) connects to an SAP ABAP server using remote-function-calls (RFC) connection and a user's username and password for authentication. The connection between the agent and SAP is over an encrypted channel when required using Secure Network Connection (SNC), and client certificates for authentication.



Figure1: Deployment of the SAP data connector agent


Once the data is ingested into Microsoft Sentinel a set of comprehensive out-of-the-box capabilities leverages the valuable data to detect threats within SAP systems. You can also ingest infrastructure logs into Microsoft Sentinel from first- and third-party sources (virtual machines, firewalls, AAD and more) within the SAP environment using standard agents. These flexible deployment options allow to traverse difficult firewall configurations and connect to NetWeaver capable SAP systems in Azure, and other clouds including SAP’s own managed services in the cloud. This spans the entire SAP ecosystem from the infrastructure, up to the application level allowing you to detect, cross-correlate, triage and respond to threats efficiently.

New offer details

We are proud to announce that the Microsoft Sentinel solution for SAP will be generally available with a six-month free promotion starting in August 2022. Billing will start on February 1, 2023, as an add-on charge in addition to the existing Microsoft Sentinel consumption-billing model. Please see offer details and Microsoft Sentinel pricing for more information.


The generally available solution includes innovation to deliver differentiated capabilities to protect the SAP environment.


SAP Data Connector: The data connector provides the ability to fetch SAP data constantly using NetWeaver integration (RFC calls) and can support any SAP NetWeaver system. The data connector collects dozens of log files that includes the SAP security audit logs, ChangeDocuments, users' authorizations, spool logs, application logs, ChangeRequest logs, and more for monitoring business and application risks.


The data layer within the solution includes built-in functions to simplify accessing the SAP data, as an example we could use the SAPUsersGetPrivileged function to retrieve a list of privileged users and incorporate this function in detections.




Figure 2: A list of privileged users from the SAP master data using built-in function


Rich Analytic rules: Analytic rules capable of detecting hundreds of different suspicious SAP events are provided along with watchlists that enable fine tuning of the rules without having to modify the KQL queries. The rule base gets constantly updated and covers use cases such as sensitive downloads, usage of break-glass users, defense evasion such as deletion of audit data, brute force attacks, persist attempts to create users or services within SAP, fine grained detection of direct data access attempts, and more. The analytic rules map SAP entities and tie them together with shared entities for cross correlation.



Figure 3: investigation graph with SAP related entities



chaitra_satish_1-1659333322358.pngFigure 4: Built-in analytic rule for detecting access to sensitive data


Scenario specific workbooks: Built-in workbooks help incident investigation by visualizing the SAP data. The workbooks are based on scenarios including initial access attempts to bypass SAP Security Mechanisms, data exfiltration and Suspicious Privileges Operations. Also included is a workbook to investigate the SAP security audit log.




Figure 5: SAP Security audit log browser workbook


Automated response using playbooks: Use Microsoft Sentinel playbooks and the built-in LogicApp connector to act upon security incidents with automated responses within the SAP system. For example:

1.       A break-glass user logs in 

2.       Microsoft Sentinel sends the SAP teams channel a notification and asks if that usage is expected 

3.       If the team answers NO that this login is not expected; the user is immediately blocked & logged off the system using the SAP LogicApp connector.




Figure 6:  Response flow with back-to-SAP BAPI calls, locking a user


See here to learn more on how to use Microsoft Sentinel SOAR capabilities with SAP.


SAP enriched entity insights: Microsoft Sentinel’s entity mapping capabilities along with it’s built-in entity insight feature can provide SOC engineers information about every host or user in the system - whether they use SAP, their recent actions, and more including signals coming from the SAP infrastructure layer (VMs, networks, etc.).






Figure 7: SAP Host entity insights


Additionally, DBTableData logs, SapControl interface data sources, built-in anomaly-based detection rules and several experimental detections released lately are still in preview and are expected to be generally available later on. Please note that all preview features appear with a preview tag in our documentation.


Learn More

Microsoft is committed to empowering our customers with security tools and platforms to enable critical protection for your organization and users. To learn more about Microsoft Sentinel solution for SAP please refer to:



















1 Comment
Version history
Last update:
‎Aug 01 2022 03:59 PM
Updated by: