Enable SAP detections and threat protection
While deploying a Microsoft Sentinel data collector and solution for SAP provides you with the ability to monitor SAP systems for suspicious activities and identify threats, extra configuration steps are required to ensure the solution is optimized for your SAP deployment. This article provides best practices for getting started with the security content delivered with the Microsoft Sentinel solution for SAP applications, and is the last step in deploying the SAP integration.
Content in this article is relevant for your security team.
Important
Some components of the Microsoft Sentinel solution for SAP applications are currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Prerequisites
Before configuring the settings described in this article, you must have a Microsoft Sentinel SAP solution installed and a data connector configured.
For more information, see Deploy the Microsoft Sentinel solution for SAP applications from the content hub and Deploy Microsoft Sentinel solution for SAP applications.
Start enabling analytics rules
By default, all analytics rules in the Microsoft Sentinel solution for SAP applications are provided as alert rule templates. We recommend a staged approach, where you use the templates to create a few rules at a time, allowing time for fine-tuning each scenario.
We recommend starting with the following analytics rules, which are considered to be simpler to test:
- Change in Sensitive privileged user
- Sensitive privileged user logged in
- Sensitive privileged user makes a change in other user
- Sensitive Users Password Change and Login
- Client Configuration Change
- Function Module tested
For more information, see Built-in analytics rules and Threat detection in Microsoft Sentinel.
Configure watchlists
Configure your Microsoft Sentinel solution for SAP applications by providing customer-specific information in the following watchlists:
Watchlist name | Configuration details |
---|---|
SAP - Systems | The SAP - Systems watchlist defines the SAP systems that are present in the monitored environment. For every system, specify: - The SID - Whether it's a production system or a dev/test environment. Defining this in your watchlist doesn't affect billing, and only influences your analytics rule. For example, you might want to use a test system as a production system while testing. - A meaningful description Configured data is used by some analytics rules, which might react differently if relevant events appear in a development or a production system. |
SAP - Networks | The SAP - Networks watchlist outlines all networks used by the organization. It's primarily used to identify whether or not user sign-ins originate from within known segments of the network, or if a user's sign-in origin changes unexpectedly. There are many approaches for documenting network topology. You could define a broad range of addresses, like 172.16.0.0/16, and name it Corporate Network, which is good enough for tracking sign-ins from outside that range. However, a more segmented approach, allows you better visibility into potentially atypical activity. For example, you might define the following segments and geographical locations: - 192.168.10.0/23: Western Europe - 10.15.0.0/16: Australia In such cases, Microsoft Sentinel can differentiate a sign-in from 192.168.10.15 in the first segment from a sign-in from 10.15.2.1 in the second segment. Microsoft Sentinel alerts you if such behavior is identified as atypical. |
SAP - Sensitive Function Modules SAP - Sensitive Tables SAP - Sensitive ABAP Programs SAP - Sensitive Transactions |
Sensitive content watchlists identify sensitive actions or data that can be carried out or accessed by users. While several well-known operations, tables, and authorizations are preconfigured in the watchlists, we recommend that you consult with your SAP BASIS team to identify the operations, transactions, authorizations and tables are considered to be sensitive in your SAP environment, and update the lists as needed. |
SAP - Sensitive Profiles SAP - Sensitive Roles SAP - Privileged Users SAP - Critical Authorizations |
The Microsoft Sentinel solution for SAP applications uses user data gathered in user data watchlists from SAP systems to identify which users, profiles, and roles should be considered sensitive. While sample data is included in the watchlists by default, we recommend that you consult with your SAP BASIS team to identify the sensitive users, roles, and profiles in your organization and update the lists as needed. |
After the initial solution deployment, it might take some time until the watchlists are populated with data. If you open a watchlist for editing and find that it's empty, wait a few minutes and try again.
For more information, see Available watchlists.
Use a workbook to check compliance for your SAP security controls
The Microsoft Sentinel solution for SAP applications includes the SAP - Security Audit Controls workbook, which helps you check compliance for your SAP security controls. The workbook provides a comprehensive view of the security controls that are in place and the compliance status of each control.
For more information, see Check compliance for your SAP security controls with the SAP - Security Audit Controls workbook(Preview).
Next step
There's a lot more content to discover for SAP with Microsoft Sentinel, including functions, playbooks, workbooks, and more. This article highlights some useful starting points, and you should continue to implement other content to get the most out of your SAP security monitoring.
For more information, see:
- Microsoft Sentinel solution for SAP applications - functions reference
- Microsoft Sentinel solution for SAP applications: security content reference.
Related content
For more information, see: