Install a Microsoft Sentinel solution for SAP applications
The Microsoft Sentinel solutions for SAP applications include an SAP data connector, which collects logs from your SAP systems and sends them to your Microsoft Sentinel workspace, and out-of-the-box security content, which helps you gain insight into your organization's SAP environment and detect and respond to security threats. Installing your solution is a required step before you can configure your data connector agent container.
Microsoft Sentinel supports both a containerized data collector agent and an agentless solution. Select the deployment option at the top of the page that matches your environment.
Content in this article is relevant for your security team.
Important
Microsoft Sentinel's Agentless solution is in limited preview as a prereleased product, which may be substantially modified before it’s commercially released. Microsoft makes no warranties expressed or implied, with respect to the information provided here. Access to the Agentless solution also requires registration and is only available to approved customers and partners during the preview period. For more information, see Microsoft Sentinel for SAP goes agentless .
Prerequisites
To deploy a Microsoft Sentinel solution for SAP applications from the content hub, you need:
- A Log Analytics workspace enabled for Microsoft Sentinel.
- Read and write permissions to the workspace. For more information, see Roles and permissions in Microsoft Sentinel.
Make sure that you also review the prerequisites for deploying Microsoft Sentinel solution for SAP applications, especially Azure prerequisites.
Install the solution from the content hub
Installing the Microsoft Sentinel SAP applications solution makes the Microsoft Sentinel for SAP data connector available for you in as a Microsoft Sentinel data connector. The solution also deploys security content, such as the SAP -Audit Controls workbook and SAP-related analytics rules.
In the Microsoft Sentinel Content hub, search for SAP applications to install the solution with the containerized data connector agent on your Log Analytics workspace enabled for Microsoft Sentinel.
On the Microsoft Sentinel solution for SAP applications page, select Create to define deployment settings. For example:
On the Basics tab, under Project details, select the Subscription and Resource group where you want to install the solution.
Under Instance details, select the Log Analytics workspace enabled for Microsoft Sentinel where you want to install the solution.
If you're working with the Microsoft Sentinel solution for SAP applications in multiple workspaces, select Some of the data is on a different workspace, and then define your target workspace, your SOC workspace, and SAP workspace. For example:
For example:
Select Review + create or Next to browse through the solution components. When you're ready, select Create
The deployment process can take a few minutes. After the deployment is finished, you can view the deployed content in Microsoft Sentinel.
Tip
If you want the SAP and SOC data to be kept on the same workspace with no additional access controls, do not select Some of the data is on a different workspace. In such cases, for more information, see SAP and SOC data maintained in the same workspace.
Installing the Microsoft Sentinel SAP Agentless solution makes the agentless Microsoft Sentinel for SAP available for you in as a Microsoft Sentinel data connector. The solution also deploys security content, such as the SAP -Audit Controls workbook and SAP-related analytics rules, a data collection endpoint, and a data collection rule (DCR).
In the Microsoft Sentinel Content hub, search for SAP Agentless (Preview) to install the solution with the agentless data connector on your Log Analytics workspace enabled for Microsoft Sentinel.
On the Sentinel Solution for SAP (Agentless) (preview) page, select Create to define deployment settings.
On the Basics tab, under Project details, select the Subscription and Resource group where you want to install the solution.
Under Instance details, select the Log Analytics workspace enabled for Microsoft Sentinel where you want to install the solution.
Select Review + create or Next to browse through the solution components. When you're ready, select Create
The deployment process can take a few minutes. After the deployment is finished, you can view the deployed content in Microsoft Sentinel.
In the Microsoft Sentinel Configuration > Data connectors page, locate and select the SAP ABAP and S/4 via cloud connector (Preview) data connector.
On the SAP ABAP and S/4 via cloud connector (Preview) page, in the Configuration area, select Deploy push connector resources to deploy a data collection rule (DCR) and Microsoft Entra ID app registration to your subscription.
Once deployed, note the following values for later use:
- Immutable ID
- Logs Ingestion URL
- Tenant ID
- Entra Application ID
- Entra Application Secret
Important
Make sure to complete all SAP deployment steps in Configure your SAP system for the Microsoft Sentinel solution before selecting Add connection to create the connector. The SAP iflow must be fully configured and deployed before you can connect your SAP system to Microsoft Sentinel.
For more information, see Discover and manage Microsoft Sentinel out-of-the-box content.
View deployed content
When the deployment is finished, display your new content by browsing again to the Microsoft Sentinel for SAP applications solution from the Content hub. Alternatively:
For the built-in SAP workbooks, in Microsoft Sentinel, go to Threat Management > Workbooks > Templates.
For a series of SAP-related analytics rules, go to Configuration > Analytics Rule templates.
Your data connector doesn't appear as connected until you configure your data connector and complete the connection.
Next step
Related content
For more information, see Microsoft Sentinel solution for SAP applications: security content reference.