Revolutionize your SAP Security with Microsoft Sentinel’s SOAR Capabilities

First and foremost, big kudos to Martin for crafting this amazing playbook and co-authoring this blogpost.
Be sure to check out his SAP-focused blog for more In-Depth Insights!

Furthermore, if you'd rather the playbook and explanation in action instead of going through this blog post, be sure to watch the accompanying YouTube video.

The purpose of this blog post is to demonstrate how the SOAR capabilities of Sentinel can be utilized in conjunction with SAP by leveraging Microsoft Sentinel Playbooks/Azure Logic Apps to automate remedial actions in SAP systems or SAP Business Technology Platform (BTP).

Before we dive into the details of the SOAR capabilities in the Sentinel SAP Solution, let's take a step back and take a very quick run through of the Sentinel SAP Solution.
The Microsoft Sentinel SAP solution empowers organizations to secure their SAP environments by providing threat monitoring capabilities. By seamlessly collecting and correlating both business and application logs from SAP systems, this solution enables proactive detection and response to potential threats. At its core, the solution features a specialized SAP data-connector that efficiently handles data ingestion, ensuring a smooth flow of information. In addition, an extensive selection of content, comprising analytic rules, watchlists, parsers, and workbooks, empowers security teams with the essential resources to assess and address potential risks.
In a nutshell: With the Microsoft Sentinel SAP solution, organizations can confidently fortify their SAP systems, proactively safeguarding critical assets and maintaining a vigilant security posture.

For a complete (and detailed) overview of what is included in the Sentinel SAP solution content, see Microsoft Docs for Microsoft Sentinel SAP solution

Now back to the SOAR capabilities! About a year ago, we published a blog post titled “How to use Microsoft Sentinel's SOAR capabilities with SAP“, which discussed utilizing playbooks to react to threats in your SAP systems.

The breakthrough which the blogpost talked about was the use of Sentinel's SOAR (Security Orchestration and Automated Response) capabilities on top of the Sentinel SAP Solution.
This means that we can not only monitor and analyze security events in real-time, we can also automate SAP incident response workflows to improve the efficiency and effectiveness of security operations.

In the previous blog post, we discussed blocking suspicious users using a gateway component, SAP RFC interface, and GitHub hosted sources.

In this post, we showcase the same end-to-end scenario using a playbook that is part of the OOB content of the SAP Sentinel Solution.

And rest assured, no development is needed – it's all about configuration! This approach significantly reduces the integration effort, making it a smooth and efficient process!

Overview & Use case 

Let me set the scene: you're the of your company's precious SAP systems, tasked with keeping them safe. Suddenly Sentinel warns you that someone is behaving suspiciously on one of the SAP systems. A user is trying to execute a highly sensitive transaction in your system. Thanks to your customization of the OOB “Sensitive Transactions” watchlist and enablement of the OOB rule “SAP – Execution of a Sensitive Transaction Code”, you're in the loop whenever the sensitive transaction SE80 is being executed. You get an instant warning, and now it's time to investigate the suspicious behavior.

Sensitive Transactions watchlist with an entry for SE80Sensitive Transactions watchlist with an entry for SE80

As part of the security signal triage process, it might be decided to take action against this problematic user and to (temporarily) kick-out them out from ERP, SAP Business Technology Platform or even . To accomplish this, you can use the automatic remediation steps outlined in the OOB playbook “SAP Incident handler- Block User from Teams or Email”.

Screenshot for the OOB SAP playbookScreenshot for the OOB SAP playbook

By leveraging an rule and the out-of-the-box playbook, you can effectively respond to potential threats and ensure the safety and security of your systems. Specifically, in this blog post, we will use the playbook to promptly react to the execution of the sensitive transaction SE80, employing to mitigate any risks that may arise.

Now, it's time to dive deeper into this OOB playbook! Let's examine it closely to better understand how it works and how it can be used in your environment.

Deep dive into the playbook

To start off, we'll break down the scenario into a flow.

Overview of the SAP user block scenarioOverview of the SAP user block scenario

The core of this playbook revolves around adaptive cards in Teams (see step 5 in the overview diagram), and relies on waiting for a response from engineers. As we covered earlier, Sentinel detects a suspicious transaction being executed (steps 1-4), and an automation rule is set up as a response to the “SAP – Execution of a Sensitive Transaction Code” analytic rule. This sets everything in motion, and the adaptive cards in Teams play a crucial role in facilitating communication between the system and the engineers.

Adaptive card for a SAP incident offering to block the suspicious userAdaptive card for a SAP incident offering to block the suspicious user

As demonstrated in the figure above (which correspond to step 5 in the flow), engineers are presented with the option to block the suspicious user (Nestor in this case!) on SAP ERP, SAP BTP or on .

Let's dive into this part of the playbook design to see how it works behind the scenes.:

Screenshot for block user action in the playbookScreenshot for block user action in the playbook

In the screenshot  you'll notice three distinct paths for the “block user” action, each influenced by the response received in Teams. Of particular interest in this blog is the scenario where blocking a user on SAP ERP is required. This task is achieved through SOAP, providing an efficient means to programmatically lock a backend user using RFC (specifically BAPI_USER_LOCK).
When it comes to sending SOAP requests to SAP, there are various options available. Martin's blog post provides a comprehensive explanation of these options, offering detailed technical insights and considerations. To avoid duplicating information, I encourage you to head over there for valuable insights on sending the SOAP requests.

When reacting to the adaptive cards, we recommend providing a clear and meaningful comment when blocking a user. This comment will be shared back to Sentinel for auditing and helping security operations understand your decision. The same applies when flagging false positives, as it helps Sentinel learn and differentiate between real threats and harmless incidents in the future. 

Screenshot of updated close reason on Sentinel fed with comment from TeamsScreenshot of updated close reason on Sentinel fed with comment from Teams

And there you have it, a lightning-fast rundown of how (parts of) this amazing playbook works!

Final words

And that's a wrap for this blog post!

But hold on, don't leave just yet, we've got some important closing statements for you:

  • Remember that you have the flexibility to customize this playbook to fit your specific needs. Feel free to delete, add, or modify steps as necessary. We encourage you to try it out on your own and see how it works in your environment!
  • For those who want to dive even deeper into the technical details (especially regarding SAP), be sure to check out Martin's blog post. As the expert who designed this playbook, he provides an in-depth explanation of configure SAP SOAP interfaces, the authorizations for the target Web Service and RFC and much more! Trust me, it's a fascinating read and you're sure to learn a lot!
  • On a related note, Martin has also created another playbook that automatically re-enables the audit trail to prevent accidental turn-offs. This playbook is now accessible through the content hub as well.
  • If you'd like to this blog post come to life through a video, please head over to “SAP Security with Microsoft Sentinel's SOAR Capabilities” on Youtube .
  • And finally, for those who made it all the way to the end, we hope you enjoyed reading this blog post as much as we enjoyed writing it. Now go forth and automate your security like a boss!


This article was originally published by Microsoft's Sentinel Blog. You can find the original article here.