In this Article we will discuss about the Service “Azure Sentinel for SAP Solutions” delivered by Microsoft and how we can take benefit from this service.

Microsoft Sentinel is a scalable, cloud-native solution that provides:

• Security information and event management (SIEM)
• Security orchestration, automation, and response (SOAR)

Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise. With Microsoft Sentinel, you get a single solution for attack detection, threat visibility, proactive hunting, and threat response.

Microsoft Sentinel is your bird’s-eye view across the enterprise alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames.

Deployment and Configuration:

1. Prerequisites-

Step 1 – Deploy below mentioned TR in S/4 Hana system.

•  NPLK900271 – After importing this TR you will get role –/MSFTSEN/SENTINEL_CONNECTOR which needs to be assigned to Technical User in SU01 to allow the SAP data connector to connect to your SAP system.
• NPLK900202 – After importing this TR you will get role – /MSFTSEN/SENTINEL_AGENT_BASIC which needs to be assigned to Technical User in SU01 to allow the SAP data connector to connect to your SAP system. (This role has the minimal required permissions for the data connector to operate)
• Go to transaction STMS_IMPORT transaction and import the mentioned TR’s.
• 
• Go to transaction PFCG and generate the mentioned role.
• Create a Technical System User in SU01 (Say =”SENTINEL”)

 Step 2 – Configure Auditing

• Go to transaction RSAU_CONFIG
• In the Security Audit Log screen, select Parameter under Security Audit Log Configuration section in Configuration tree.
• If the Static security audit active checkbox is marked, system-level auditing is turned on. If it isn’t, select Display <-> Change and mark the Static security audit active checkbox.

• Select Save to save the changes. Auditing will be activated only after the server is rebooted.

• Right-click Static Configuration and select Create Profile and Specify a name for the profile in the Profile/Filter Number field.
• Mark the Filter for recording active checkbox, In the Client & User field, enter *.
• Under Event Selection, choose Classic event selection and select all the event types in the list and click on Save.
• You’ll see that the Static Configuration section displays the newly created profile. Right-click the profile and select Activate. In the confirmation window select Yes to activate the newly created profile.

2. Create a Workspace for Microsoft Sentinel -:

• Login to you azure account and search Microsoft Sentinel in search box and open it.

• Click on Create a new Workspace.

• Enter resource group, Name, Region and click on Review + Create.

3. Create Managed Identities –

• Search managed identities on azure portal and click on create.

• Enter resource group, Name, Region and click on Review + Create.

4. Create Key Vault – 

• Click on Create.

• Enter Resource group.

• Enter Key Vault name, region.

• Select Review + create. Now open the created key vault.

• Go to Access policies and create it.
• 
• Select all secret permission and click on Next. (For minimal permission Select = Get, List & Set)

• Select the VM name of the system.

• Now select managed Identity which you had created earlier for sentinel.

• Now select the User Name and then click on Review + create.

• Go to the VM where we have deployed the data collector agent and click on identity to assign the managed identity created above under user assigned.

5. Deploy the data connector agent: 

• Deploy the data connector agent on SUSE/Linux Virtual machine on below command –

wget -O sapcon-sentinel-ui-agent-kickstart.sh https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/sapcon-sentinel-ui-agent-kickstart.sh && bash ./sapcon-sentinel-ui-agent-kickstart.sh –guid 744a1768-9eb7-44bb-9d04-d4fe86d4e8d3 –keymode kvmi –kvaultname XYZSENTINELVAULT(Vault name)–sdk “/media/nwrfc750P_12-70002752.zip” –agent-name XYZCOLLECTORAGENT(Collector agent Name) –ui-agent –preview

• Start Collector agent –

• Navigate to Microsoft Sentinel and click on Data Connectors under Configuration.

• Click on Microsoft Sentinel for SAP.

• Click on Open Connector page.

• Click on Add new agent.

• Enter the above-mentioned details and Click on Create.

6. Configure an SAP system and assign it to a collector agent: –

• Once Data Connector Agent is deployed click on “Add new System” to add to your SAP System

• Click on Add new system and the details like FQDN, System ID, System Number, Client ID and click on Next: Authentication.

• Enter SAP Technical User credentials which you had created in above step.

• After adding the system, it will take 10-15 min for getting the data of SAP system using Collector agent.

• Open Microsoft sentinel and click on overview to get gets events/alerts in the page for default SAP Workbook templates like “ABAPAuditLog”, “ABAPJobLog”, “ABAPSpoolLog” etc.

• For ABAP Audit log just run the query and it’s fetched the data from System.

• For ABAP SpoolLog :-

Reference Link –

https://learn.microsoft.com/en-us/azure/sentinel/overview

Conclusion –

In this blog post, we have gone through integrating Microsoft Azure Sentinel for SAP Solutions for SAP S/4 HANA 2020 FPS02.

I have come to the end of this Blog Post. Hope this will be beneficial for you!!