Dear community,
Bringing SAP workloads under the protection of your SIEM of choice is a primary concern for many customers out there.
The window for defenders is small
“Critical SAP vulnerabilities being weaponized in less than 72 hours of a patch release and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours.” (SAP SE + Onapsis, Apr 6 2024)
A solution that is as close to turn-key as possible leads to better adoption of SAP security. Agents running in Docker containers, Kubernetes, or other self-hosted setups are not for everyone.
Microsoft Sentinel for SAP’s latest capability re-uses the SAP Cloud Connector to profit from already existing setups, established integration processes, and well-understood SAP components. Bazinga💥
The new integration path leverages SAP Integration Suite to connect Microsoft Sentinel with your SAP systems. The Cloud integration capability of SAP Integration Suite speaks all relevant protocols, has connectivity into all the places where your SAP systems might live, is strategic for most SAP customers, and is fully SAP RISE compatible by design.
Best of all: The already existing SAP security content (detections, workbooks, and playbooks) in Microsoft Sentinel continues to function the same way as it does for the Docker-based collector agent variant.
During the private preview we saw drastically reduced deployment times for SAP customers being less familiar with Docker, Kubernetes and Linux administration. Cherry on the cake: the network challenges don’t have to be tackled again. The people running your SAP Cloud Connector went through that process a long time ago. 🤘SAP Basis rocks🤘
Customers on SAP NetWeaver 750+ may simply add configuration to their existing SAP Cloud Connector. A small set of RFC function modules must be reachable from SAP Integration Suite; check the Sentinel documentation for the current list.
Depending on your SAP version, you might need to install SAP Note 3054326 to enable the remote call of the audit log API.
Next, open the Destination maintenance view of your subaccount on SAP Business Technology Platform and add an RFC destination matching the details of your SAP Cloud Connector configuration. Consult SAP's official documentation for more details.
Finish the exercise by providing a user on SAP with the authorizations required to call the mentioned remote function modules. A transport with a pre-configured role is provided here for your convenience.
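As an added example (not part of the original post or of the Sentinel solution), the following script sanity-checks an exported BTP destination before it is used for the Cloud Connector based connection described above. It assumes the Java-properties export format of the BTP Destinations view and the documented property names Type, ProxyType and jco.client.*; the sample export is constructed.

```python
"""Check an SAP BTP destination export for the Cloud Connector based Sentinel
for SAP connection (added example; assumes the documented property names)."""
import re

# Constructed sample export: an RFC destination routed through Cloud Connector.
SAMPLE_DESTINATION = """\
#Thu Jan 01 00:00:00 UTC 2024
Name=SENTINEL_SAP_RFC
Type=RFC
ProxyType=OnPremise
jco.client.ashost=sapvirtualhost
jco.client.sysnr=00
jco.client.client=100
jco.client.user=SENTINEL_SVC
jco.client.lang=EN
"""

REQUIRED_KEYS = ("Name", "Type", "ProxyType", "jco.client.client", "jco.client.user")


def parse_properties(text: str) -> dict:
    """Parse key=value lines of a properties export, skipping comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_destination(text: str) -> list:
    """Return a list of findings; an empty list means the export looks usable."""
    p = parse_properties(text)
    findings = [f"missing property {k}" for k in REQUIRED_KEYS if k not in p]
    if p.get("Type") != "RFC":
        findings.append("Type must be RFC to call the audit log function modules")
    # OnPremise routes the call through the Cloud Connector; Internet would bypass it.
    if p.get("ProxyType") != "OnPremise":
        findings.append("ProxyType must be OnPremise to use the SAP Cloud Connector")
    keys = set(p)
    direct = {"jco.client.ashost", "jco.client.sysnr"} <= keys
    balanced = {"jco.client.mshost", "jco.client.r3name", "jco.client.group"} <= keys
    if not (direct or balanced):
        findings.append("need ashost+sysnr (direct) or mshost+r3name+group (load balanced)")
    if not re.fullmatch(r"\d{3}", p.get("jco.client.client", "")):
        findings.append("jco.client.client must be a three-digit SAP client")
    return findings
```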
If you are on a release below SAP NetWeaver 750, reach out to us to discuss the details for older AS ABAP releases. Because the audit log API evolved over releases, a different configuration of the integration package is required.
The Microsoft Sentinel for SAP journey doesn't stop with official Microsoft offerings in SAP Integration Suite! We are expanding the proven community track to the agentless approach. Build on top of the platform to further enhance your SAP security operations tailored to your needs.
Partners, ISVs, and first and foremost customers are invited to share, contribute, and request additional artifacts.
Check out the Sentinel for SAP Community repository, where you'll find the first set of integration templates for you to build upon for additional security workflows.
The solution package features an SAP Integration Suite integration flow for SOAR use cases, so you can re-use the same integration approach that the agentless data connector uses. This means requesting SAP user blocks or SAP audit log reactivation can now be done without additional proxies such as the Microsoft On-premises Data Gateway, separate virtual network injection, or the like. Not too bad, huh?
I especially love seeing customers and partners contributing their expertise to make SAP environments more secure for everyone. This is what community is all about!
SAP Integration Suite and SAP Cloud Connector have been among the most used SAP cloud components for decades now and are, as they say, completely ready for prime time.
The new agentless offering of the Microsoft Sentinel for SAP solution is currently in preview but reuses fully mature capabilities and leverages existing security content. It will be expanded based on your feedback and requirements.
The integration marks your steppingstone to bring your SAP threat signals into the Unified Security Operations in the Microsoft Defender Portal – a combination of Defender XDR and Sentinel – that looks beyond SAP at your whole IT estate.
Microsoft Sentinel solution for SAP applications is certified for SAP S/4HANA Cloud, Private Edition RISE with SAP, and SAP S/4HANA on-premises. So, you are all good to go 😎
That’s a wrap 🌯. You learned today:
Get started from here.
#Kudos to the amazing Sentinel team!
Cheers
Martin