Edit

Share via

Configure your SAP system for the Microsoft Sentinel solution

  • Article
  • Applies to:
    Microsoft Sentinel in the Azure portal, Microsoft Sentinel in the Microsoft Defender portal

This article describes how to prepare your SAP environment for connecting to the SAP data connector. Preparation differs, depending on whether you're using the containerized data connector agent. Select the option at the top of the page that matches your environment.

This article is part of the second step in deploying the Microsoft Sentinel solution for SAP applications.

Diagram of the deployment flow for the Microsoft Sentinel solution for SAP applications, with the preparing SAP step highlighted.

The procedures in this article are typically performed by your SAP BASIS team. If you're using the agentless solution, you might also need to involve your security team.

Important

Microsoft Sentinel's Agentless solution is in limited preview as a prereleased product, which may be substantially modified before it’s commercially released. Microsoft makes no warranties expressed or implied, with respect to the information provided here. Access to the Agentless solution also requires registration and is only available to approved customers and partners during the preview period. For more information, see Microsoft Sentinel for SAP goes agentless .

Prerequisites

Configure the Microsoft Sentinel role

To allow the SAP data connector to connect to your SAP system, you must create an SAP system role specifically for this purpose.

  • To include both log retrieval and attack disruption response actions, we recommend creating this role by loading role authorizations from the /MSFTSEN/SENTINEL_RESPONDER file.

  • To include log retrieval only, we recommend creating this role by deploying the NPLK900271 SAP change request (CR): K900271.NPL | R900271.NPL

    Deploy the CRs on your SAP system as needed just as you'd deploy other CRs. We strongly recommend that deploying SAP CRs is done by an experienced SAP system administrator. For more information, see the SAP documentation.

    Alternately, load the role authorizations from the MSFTSEN_SENTINEL_CONNECTOR file, which includes all the basic permissions for the data connector to operate.

    Experienced SAP administrators might choose to create the role manually and assign it the appropriate permissions. In such cases, create a role manually with the relevant authorizations required for the logs you want to ingest. For more information, see Required ABAP authorizations. Examples in our documentation use the /MSFTSEN/SENTINEL_RESPONDER name.

When configuring the role, we recommend that you:

  • Generate an active role profile for Microsoft Sentinel by running the PFCG transaction.
  • Use /MSFTSEN/SENTINEL_RESPONDER as the role name.

Create a role using the MSFTSEN_SENTINEL_READER template, which includes all the basic permissions for the data connector to operate.

For more information, see the SAP documentation on creating roles.

Create a user

The Microsoft Sentinel solution for SAP applications requires a user account to connect to your SAP system. When creating your user:

  • Make sure to create a system user.
  • Assign the /MSFTSEN/SENTINEL_RESPONDER role to the user, which you'd created in the previous step.
  • Make sure to create a system user.
  • Assign the MSFTSEN_SENTINEL_READER role to the user, which you'd created in the previous step.

For more information, see the SAP documentation.

Configure SAP auditing

Some installations of SAP systems might not have audit logging enabled by default. For best results in evaluating the performance and efficacy of the Microsoft Sentinel solution for SAP applications, enable auditing of your SAP system and configure the audit parameters. If you want to ingest SAP HANA DB logs, make sure to also enable auditing for SAP HANA DB.

We recommend that you configure auditing for all messages from the audit log, instead of only specific logs. Ingestion cost differences are generally minimal and the data is useful for Microsoft Sentinel detections and in post-compromise investigations and hunting.

For more information, see the SAP community and Collect SAP HANA audit logs in Microsoft Sentinel.

Configure your system to use SNC for secure connections

By default, the SAP data connector agent connects to an SAP server using a remote function call (RFC) connection and a username and password for authentication.

However, you might need to make the connection on an encrypted channel or use client certificates for authentication. In these cases, use Smart Network Communications (SNC) from SAP to secure your data connections, as described in this section.

In a production environment, we strongly recommend that your consult with SAP administrators to create a deployment plan for configuring SNC. For more information, see the SAP documentation.

When configuring SNC:

  • If the client certificate was issued by an enterprise certification authority, transfer the issuing CA and root CA certificates to the system where you plan to create the data connector agent.
  • If you're using the data connector agent, make sure to also enter the relevant values and use the relevant procedures when configuring the SAP data connector agent container. If you're using the agentless solution, the SNC configuration is done in the SAP Cloud Connector.

While this step is optional, we recommend that you enable the SAP data connector to retrieve the following content information from your SAP system:

  • DB Table and Spool Output logs
  • Client IP address information from the security audit logs

  1. Deploy the relevant CRs from the Microsoft Sentinel GitHub repository, according to your SAP version:

    SAP BASIS versions Recommended CR
    750 and higher NPLK900202: K900202.NPL, R900202.NPL

    When deploying this CR any of the following SAP versions, also deploy 2641084 - Standardized read access to data of Security Audit Log:
    - 750 SP04 to SP12
    - 751 SP00 to SP06
    - 752 SP00 to SP02
    740 NPLK900201: K900201.NPL, R900201.NPL

    Deploy the CRs on your SAP system as needed just as you'd deploy other CRs. We strongly recommend that deploying SAP CRs is done by an experienced SAP system administrator. For more information, see the SAP documentation.

    For more information, see the SAP Community and the SAP documentation.

  2. To support SAP BASIS versions 7.31-7.5 SP12 in sending client IP address information to Microsoft Sentinel, activate logging for SAP table USR41. For more information, see the SAP documentation.

Verify that the PAHI table is updated at regular intervals

The SAP PAHI table includes data on the history of the SAP system, the database, and SAP parameters. In some cases, the Microsoft Sentinel solution for SAP applications can't monitor the SAP PAHI table at regular intervals, due to missing or faulty configuration. It's important to update the PAHI table and to monitor it frequently, so that the Microsoft Sentinel solution for SAP applications can alert on suspicious actions that might happen at any time throughout the day. For more information, see:

If the PAHI table is updated regularly, the SAP_COLLECTOR_FOR_PERFMONITOR job is scheduled and runs hourly. If the SAP_COLLECTOR_FOR_PERFMONITOR job doesn't exist, make sure to configure it as needed.

For more information, see Database Collector in Background Processing and Configuring the Data Collector.

Configure SAP BTP settings

  1. In your SAP BTP subaccount, add entitlements for the following services:

    • SAP Integration Suite
    • SAP Process Integration Runtime
    • Cloud Foundry Runtime

  2. Create an instance of Cloud Foundry Runtime, and then also create a Cloud Foundry space.

  3. Create an instance of SAP Integration Suite.

  4. Assign the SAP BTP Integration_Provisioner role to your SAP BTP subaccount user account.

  5. In the SAP Integration Suite, add the cloud integration capability.

  6. Assign the following process integration roles to your user account:

    • PI_Administrator
    • PI_Integration_Developer
    • PI_Business_Expert

    These roles are available only after you activate the cloud integration capability.

  7. Create an instance of the SAP Process Integration Runtime in your subaccount.

  8. Create a service key for the SAP Process Integration Runtime and save the JSON contents to a secure location. You must activate the cloud integration capability before creating a service key for SAP Process Integration Runtime.

For more information, see the SAP documentation.

Configure SAP Cloud Connector settings

  1. Install the SAP Cloud Connector. For more information, see the SAP documentation.

  2. Sign in at the cloud connector interface, and add the subaccount using the relevant credentials. For more information, see the SAP documentation.

  3. In your cloud connector subaccount, add a new system mapping to the backend system to map the ABAP system to the RFC protocol.

  4. Define load balancing options and enter your backend ABAP server details. In this step, copy the name of the virtual host to a secure location to use later in the deployment process.

  5. Add new resources to the system mapping for each of the following function names:

    • RSAU_API_GET_LOG_DATA, to fetch SAP security audit log data

    • BAPI_USER_GET_DETAIL, to retrieve SAP user details

    • RFC_READ_TABLE, to read data from required tables

  6. Add a new destination in SAP BTP that points the virtual host you'd created earlier. Use the following details to populate the new destination:

    • Name: Enter the name you want to use for the Microsoft Sentinel connection

    • Type RFC

    • Proxy Type: On-Premise

    • User: Enter the ABAP user account you created earlier for Microsoft Sentinel

    • Authorization Type: CONFIGURED USER

    • Additional properties:

      • jco.client.ashost = <virtual host name>

      • jco.client.client = <client e.g. 001>

      • jco.client.sysnr = <system number = 00>

      • jco.client.lang = EN

    • Location: Only required when you connect multiple Cloud Connectors to the same BTP subaccount. For more information, see the SAP Documentation.

Configure SAP Integration Suite settings

Create a new OAuth2 client credential to store the connection details for the Microsoft Entra ID app registration that you'd created earlier.

When creating the credential, enter the following details:

  • Name: LogIngestionAPI

  • Token Service URL: https://login.microsoftonline.com/<your Microsoft Entra ID tenant ID>/oauth2/v2.0/token

  • Client ID: <your app registration client ID>

  • Client Authentication: Send as body parameter

  • Scope: https://monitor.azure.com//.default

  • Content Type: application/x-www-form-urlencoded

Import and deploy the Microsoft Sentinel solution for SAP package

  1. Download the Microsoft Sentinel solution for SAP package from https://aka.ms/SAPAgentlessPackage.

  2. Import the downloaded package to SAP Integration Suite.

  3. Open the Microsoft Sentinel solution for SAP package and browse to the artifacts.

  4. Select Send security logs to Microsoft - application layer artifact.

  5. Select Configure and then enter your DCR details:

    • LogsIngestionURL the Ingestion URL from the DCR's DCE, as saved earlier.
    • DCRImmutableId: The DCR's immutable ID, as saved earlier.

  6. Select Deploy to deploy the i-flow using SAP Cloud Integration as the runtime service.

Next step

Connect your SAP system to Microsoft Sentinel