👉🏿back to blog series or to GitHub repos UPDATE: Consider the new out-of-the-box SAP disrupt capability⛔ instead of the LogicApps. UPDATE: Anyone using the Central User Administration (CUA) for global user access management consider using the function module SUSR_BAPI_USER_LOCK. Verify the lock behavior settings in the SAP transaction SCUM reflect your desired locking strategy (local on the child SID and client or global across all the SAP child systems) |
Dear community,
Are you ready to learn how to apply plug-and-play automation to block compromised SAP users based on suspicious activity on SAP RISE, SAP ERP, Business Technology Platform, and Azure AD?
This blog has you covered with all the steps required to start kicking 🤸🏾♂️ compromised users. As a byproduct to that rewarding experience your landscape becomes more secure. But we are here mostly for the kicking 🏌🏻.
To get into the right mood, read below lyrics inspired by a famous pop song. Can you guess which one?
I used to run scared from every cyber threat, But now I'm standing strong with SOAR and SAP, you bet! Microsoft Sentinel's got my back, every day and night, My ERP's on lock, my data's out of sight! With automation and response at lightning speed, I'm roaring with confidence; my business is guaranteed to succeed! 'Cause I am a champion, and you're gonna hear me SOAR Oh-oh-oh-oh-oh.
There you have it. Now you’re stuck with that educational jingle like I am. By the way, SOAR doesn’t have anything to do with fireworks rising into the night sky – just saying, for those of you who guessed the correct artist but wrong pop song. We will get back to that later, no worries. Back to business…
I am building upon the prior blog posts about SAP and SOAR by amit.lal6 and Naomi Christis that leveraged the same user blocking scenario but used a gateway component for on-premises connectivity, SAP RFC interface, and GitHub hosted sources for the automation.
and refers to acting on security signals. As you might know from the previous post: Sentinel functions both as a Security Information and Event Management (SIEM) tool and SOAR solution. So, it can monitor and analyze security events in real-time while automating incident response workflows to improve the efficiency and effectiveness of security operations.
Today’s post showcases the end-to-end scenario using a playbook that is being shipped by the SAP solution in Microsoft Sentinel right away.
Yes, you heard that right – configuration only! No development needed. |
A user attempted to execute a sensitive transaction within SAP, triggering a detection on Sentinel. Sentinel warns us about this suspicious behavior by triggering an incident which we need to investigate further!
🛈 Note: See this video for a small detour to gain a broader overview of multi-staged attacks with file download from SAP and investigation hints identifying hacker groups.
As part of the security signal triage process, you may choose to kick out 🤸🏾♂️ 💥 this problematic user from ERP, SAP Business Technology Platform, or even Azure AD – a little drastic you might say. Hence, there is the out-of-the-box option on the playbook template provided by Sentinel for a Microsoft Teams driven approval process. It is up to you to employ this extra step or act automatically and ask for forgiveness afterwards 😉
Fig.1 Sentinel card with SAP incident in Microsoft Teams offering user block scenarios
As you can see above our guinea pig user Nestor had the audacity 😤 to open SAP transaction SE80.
For this sample, I added transaction SE80 to the sensitive transactions watchlist “SAP - Execution of a Sensitive Transaction Code” on Sentinel. Therefore, opening SE80 raises now an alert each time “Nestor the brave” opens it. SE80 is not very sensitive though – at least outside of production. It is a means of easily triggering an incident.
See the list of analytic rules for additional scenarios on the Sentinel content hub. My personal favourite is “Deactivation of security audit log”. But I am saving that one for part 3 of the series. Back to our watchlist and SE80.
Fig.2 Screenshot from Sentinel watchlist containing entry for SE80
See below the step-by-step flow of the scenario as “coded” into the shipped Sentinel playbook.
Adapt scenario completely to your liking. Fancy Service Now or SAP Build |
In our case today, the playbook automation is centred around adaptive cards in Teams Channels (see step 5 below). Sentinel supplies the incident information and triggers the playbook in-time to act on the information provided. The provided playbook comes with a workflow orchestrating below actions.
Fig.3 SAP user block scenario overview orchestrated by Azure Logic App
Till today the RFC for BAPI_USER_LOCK (or SUSR_BAPI_USER_LOCK for SID global lock) is the most efficient way to programmatically lock a backend user.
However, for a uniform solution that would be applicable to C/4HANA, |
Checking the SAP API Hub… ⏳the common denominator for user actions like “block” is SOAP.
🛈Note: For Cloud-only scenarios beyond the user-blocking and where available the go-to interface would be OData.
To reach the SOAP service on your SAP systems anywhere, establish line-of-sight 👀.
I’d like to mention Azure Virtual Network (VNet) injection capabilities and reverse-connect gateways like the SAP Cloud Connector or the Microsoft On-Premises Data Gateway to make that happen. See Amit’s post for more details about the path via on-premises data gateway and RFC requests.
This post focusses on Azure PaaS components and APIs instead. This approach brings the added benefit of isolated and secure networking through Azure VNet integration, native Microsoft backbone usage and managed resources across the board.
See below a detailed flow with three different connectivity options (A,B,C): private VNet injected API Management and/or Azure Logic App (aka playbook) or SAP Integration Suite.
Fig.4 Illustration of workflow connectivity from Sentinel to SAP backend
Microsoft Sentinel supplies the SAP incidents to the workflow layer before being processed by the SOAP service (sequence depicted by the numbers 1-3).
Note that option C requires a Logic App to receive the Sentinel incident before passing it on via http action to an SAP iFlow on Integration Suite. You are chaining the two workflow engines so to speak.
Choose the deployment flavour based on your needs (A, B, or C):
Logic App (Consumption) A | Logic App (Standard) B | SAP Integration Suite C | |
Tenant model | multi | Single, isolated | multi |
Scalability | serverless | App Service Plan with Auto-scale or manual scale | Auto-scale |
Business process type | Single workflow | Mix of many stateful or stateless workflows per resource | Single workflow per resource (iFlow) |
Private Networking | Requires Azure API Management, or MSFT On-Premises Data Gateway, or SAP Integration Suite for private SAP access | Native VNet injection | SAP Private Link for Azure or SAP Cloud Connector required for private SAP access |
Public Workflow endpoint required | Yes | No, fully private possible | Yes |
Pricing | Pay-per-execution | App Service Plan SKU | CPEA, PAYG, Subscription |
XML transformations for the SOAP request and response are handled with built-in tasks on SAP Integration Suite, Logic Apps, or Azure API Management liquid templates.
See the specifics for the SOAP setup with BAPI_USER_LOCK RFC on my blog. It shows you around and gives guidance to retrieving the WSDL and where to find the SOAP access URL on SAP SOAMANAGER.
Below description for the serverless option of Logic Apps focuses on Azure API Management but you may also implement this with SAP BTP components like SAP Integration Suite, SAP Build Process Automation and SAP Bridge Framework to generate the cards for Microsoft Teams for more details.
SSL handshake and certificate trust is taken care of on the API Management layer. See configuration details here. Alternatively, disable trust chain verification for PoC type implementations (APIs -> Backends -> Validate Certificat Chain).
In case you don’t want to use an additional API component at all, skip over to the next section “Flavour B” for a Logic-App-only solution.
Ruling in favor of API Management? Have a look at this blog post - especially the lower section - showing in detail how to add this particular SOAP service to API Management before continuing here.
See the setup guide on our Sentinel GitHub repos or follow below steps for a custom approach.
🛈Note: You may change Azure Logic App type from Consumption to Standard using the Visual Studio Code extension. Compared to the playbook low code experience so far, that would be considered a pro code effort. See the Microsoft docs for details.
Fig.5 Screenshot of Logic App plan type selection and App Service plan selection
I recommend waiting to setup “Access restriction” till you have finished your initial integration test. As soon as the playbook is limited to communication with Sentinel, you can only debug the workflow from within the VNet. Meaning you require local network access through Jumpboxes, Azure Bastion service, or VPNs etc.
Fig.6 Screenshot of VNet integration and access restriction configuration
Once you progress to Access restriction pick the "AzureSentinel" service tag as target for the allow-list
Fig.7 Screenshot of adding Sentinel to the playbook allow list
🛈 Use the setup guide on our GitHub repos if you want to use Logic Apps (Standard) with VNet injection capability. These playbooks are not listed on the Sentinel template gallery as of today. |
Fig.8 Screenshot of SAP playbook create experience on Sentinel
Retrieve the info for the required parameters. They serve as fallback in case the raised alert automation with dynamic parameters isn’t configured by you yet. See the advanced playbook guidance for that.
A simple approach for the Microsoft Teams IDs involves extracting it from the sharable link URL from the target channel as shown below. Be aware they are URL encoded (I like DevToys for URL decoding but any decoder will do)! See this article for further options like the Microsoft Graph API to get the Teams IDs.
https://teams.microsoft.com/l/channel/19%3aa38680470d95481685c064f36a146e24%40thread.tacv2/General?groupId=c1eedb2a-3a35-4f0e-98e3-898c2d5e907c&tenantId= |
Fig.9 Screenshot of Teams IDs extraction from deep link
Your extracted values in JSON format should look something like this:
{"channelID":"19:a38680470d95481685c064f36a146e24@thread.tacv2","teamID":"c1eedb2a-3a35-4f0e-98e3-898c2d5e907c"}
The playbook ships with managed identity setup for Sentinel. Watch out for the role assignment of the managed identity of your Logic App (Settings -> Identity -> System assigned -> Azure Role Assignments). Verify suitable Sentinel Roles in case you get authorization errors on the Incident-Update steps of the workflow. Currently “Microsoft Sentinel Responder” on resource group level where Sentinel lives, does the trick.
Be aware of the token caching and lifetime intervals. For quick initial integration tests, I recommend using a named-user to avoid waiting for managed identity role changes becoming active.
Fig.10 Screenshot of Sentinel connector sign-in on the Azure Logic App
Speaking of easily getting started: If you like a simpler static approach for the Teams Connector, you may use the name-based browse experience on the playbook instead. I highly recommend the parameterized approach though for easier maintenance!
Fig.11 Screenshot of simpler Teams Channel configuration without sharable parameters
🛈Note: The advanced version of this playbook goes one step further with dynamic configurable Teams targets, secure credential store in Azure Key Vault, and SOAP service by audit class and SAP SID in Sentinel. That aspect has been skipped in the basic version of the playbook for a simpler start with this integration pattern.
Flavour B treats the SOAP request as raw http XML message, whereas flavour A using Azure API Management translates between JSON and XML simplifying the interaction on the playbook. See below resources to finalize the trust setup between the VNet injected Logic App and SAP for the SOAP service requests.Fig.12 Screenshot of configuration of flavour B with XML based SOAP request
🛈Note: Configure DNS for SAP hostname resolution and import root CA public keys for the POST request. Otherwise, SSL and certificate validation will not work. For initial testing with private IPs like in my screenshot below use the http endpoint instead. Verify soap node from SICF transaction and configure no-ssl when creating the SOAP binding via SOAMANAGER for that.
Easiest option to identify the minimal authorizations for any of your own |
Verify dynamic parameter “auth/auth_user_trace” is enabled via transaction RZ11.
See below trace for my advanced user-blocking setup. The SOAP enabled RFC called TH_DELETE_USER has been added to end active sessions after blocking of the SAP user through BAPI_USER_LOCK. After all locking is not enough if your audacious SAP user is still logged in 😉 See this part of this series for more details about the session kill.
Fig.13 Screenshot from SAP authorization trace for user lock
Ready to roll with an integration test ➰🎲 Assign the playbook to analytic rule like “SAP – Execution of a sensitive Transaction Code”. Find that section under Configuration -> Analytics -> Rule Templates. Edit the rule using the three dots … on the right and assign your playbook as automation target for detected executions of sensitive transactions.
Fig.14 Screenshot of playbook association with analytical sentinel rule
Go on… kick off your trigger. I will wait ⌛🐧
If you followed my sample, you may open transaction SE80, since it is maintained on the watchlist as outlined in fig. 2. You will need some patience, because the SAP log ingestion runs on a schedule every 2-3 mins. I know it is hard to wait. How about completing the song from the intro? 🎙️
Verify the playbook has been triggered, posted your Microsoft Teams message on your configured channel (see fig.1) and blocked your SAP user – after all LOCKME asked for it audaciously accessing SE80 😤.
Fig.15 Illustration of verification of the workflow run on the playbook showing the SAP user lock response
The same is true for flagging false positives!
This way Sentinel learns to identify benign incidents going forward and |
Fig.16 Screenshot of updated close reason on Sentinel fed with comment from Teams
Fig.17 Screenshot of successful lock reply message within the context of a Teams thread
Once the security folks acted upon the card presented in Teams, the card updates and the playbook responds with flow messages on the same thread. This workflow feedback gives conversation-aware insight to the SAP security person if the blocking request went successful or not.
That’s it for the configuration of blocking SAP ERP users 🎉
Above described process stays the same. You need to configure another API call to target the BTP service of your choice to disable the user. Options range from SAP Cloud Identity Services – Identity Authentication (IAS) to the SAP Authorization and Trust Management Service (XSUAA).
Below steps to block a user refer to the XSUAA acting on a single BTP subaccount. In case your BTP estate is fully configured to use IAS across the board, blocking the user there would be more impactful.
Learn more about how to create a service key and OAuth2 client credentials grant with BTP services here.
Learn more about the user authentication API for the XSUAA via the Cloud Foundry UAA docs here.
The If-match header and ETag handling shown below is required by the PATCH operation of the XSUAA API to update the user attribute called “active”.
Fig.18 Illustration of BTP API configuration on the playbook to disable a user
This one is even simpler because Azure AD has its own connector on the playbooks. A single step using the “Update user” action will do 😎 Be aware that this step requires extensive Azure AD admin rights, which are often hard to get.
Fig.19 Screenshot of Azure AD connector setup to disable a user
Fine-tuning the incident triage process and automation is key. |
Otherwise, you will be singing the other song you guessed wrongly at the beginning, drowning in myriads of incidents and adaptive cards flooding your Teams channel. That would sound something like this...
Sentinel – Oh Baby, you’re a firework! 🎉🎆
Based on recent customer conversations we released an additional playbook for SAP Audit-Log re-activation. A suitable detection would be the pre-configured analytic rule “SAP - Deactivation of Security Audit Log”. Speaking, isn’t it? See part 3 for details.
Anyone curious about malicious Sentinel collector agent tempering detection and avoiding false positives? You don’t want to get mad during SAP maintenance windows, do you? See part 4 for that.
Looking to you to request additional scenarios and share your own as Pull Requests on GitHub. Reach out to me for a detailed discussion.
Design your own adaptive card for Microsoft Teams and/or Actionable Message for M365 using the online designer. Get started from here.
Use the setup guide on our GitHub repos if you want to use Logic Apps (Standard) with VNet injection capability. These playbooks of this type are not listed on the Sentinel template gallery as of today.
That’s a wrap 🌯you saw today how to surface critical events from SAP RISE and non-RISE to your security team with immediate remediation actions. That brings down the time till a compromised user gets locked out of your environment substantially. Not too bad, huh?
To make that happen we looked at SAP SOAP interfaces exposed via private networking, API Management and SAP Integration Suite. Microsoft Sentinel leveraged Microsoft Teams to enable your security operations folks with pre-configured playbooks.
The basic playbook showcased in this post gets you started quickly, but only the advanced version of it gets you true coverage. Check it out on the 👉 second part of this blog series.
Find your way back to the intro of this blog series here.
Got an SAP threat at your hands that needs automatic remediation like you saw today? Overall, this integration pattern is applicable to any SAP API. Let me know in the comments or reach out directly.
#Kudos to Sebastian Ullrich, Ofer Inbar, and Naomi Christs for speeding me up big time in releasing these materials😊 Find Naomi's introduction into the topic on the TechCommunity.
Cheers
Martin
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
9 | |
3 | |
3 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
1 |