What’s new: Sentinel Solution for SAP BTP


In today's digital landscape, low-code development platforms have become increasingly popular among businesses looking to accelerate their application development processes. However, with the convenience and speed that these platforms offer, there are also security risks that organizations must consider.

SAP Business Technology Platform (BTP) is a cloud-based solution that provides a wide range of tools and services for developers to build, run, and manage applications. One of the key features of SAP BTP is its low-code development capabilities. Low-code development allows developers to create applications quickly and efficiently by using visual drag-and-drop interfaces and pre-built components, rather than writing code from scratch.

When it comes to low-code platforms, one key concern is the risk of security vulnerabilities introduced by citizen developers, some of whom may lack the security awareness of traditional pro-dev community. To counter this, early is crucial and can complement preventative guardrails to enable frictionless productivity while minimizing cyber risk.

Today we are excited to announce the Sentinel Solution for SAP BTP, an independent security solution in Content Hub that can help our customers detect and respond to threats in SAP BTP running in Cloud Foundry environments.

New out of box content:

In this first release, we have incorporated a data connector that enables customers to connect their BTP subaccount to Sentinel via  Audit Log service for SAP BTP API. Along with that, we are introducing five new analytics rules and a workbook to enhance your experience. To delve deeper into the features and better understand the type of threats that are identified, let's explore each of these in more detail.

Analytics rules for SAP BTP

We created built-in detections for identity management and low-code application development scenarios using the Trust and Authorization Provider and Business Application Studio (BAS) event sources in BTP.



Each SAP BTP subaccount has its own local identity store, which must be closely managed to avoid unauthorized access to the environment after an employee leaves the organization or changes roles. Additionally, an organization may use multiple subaccounts to host their workloads, which can make it difficult to govern identities across each one.

To address the challenges of complex identity access management across subaccounts, it is common practice to deploy a federated identity provider such as Azure or SAP's own Identity service (IAS). The “BTP – Trust and authorization Identity Provider monitor” rule notifies the Security Operations Center (SOC) of changes to this configuration, helping to detect potentially malicious actions that could be used to gain control of the identities in a subaccount. In addition to this, other critical identity actions such as mass user deletion events and changes to sensitive privileged system role collections can be detected.

BAS, or Business Application Studio, is the low code development environment that is used to build applications on SAP BTP. We can help customers secure this workload by detecting suspicious login activity, such as reconnaissance, and attempts to gain unauthorized access to a BAS workspace. The “BTP – Malware detected in BAS dev space” rule uses SAP's built-in malware engine to detect malicious files found in the source workspace.

SAP BTP Workbook

Sentinel Workbooks are a powerful feature that helps the analyst to visualize patterns or areas of interest to pivot during an investigation.

The BTP Activity Workbook provides a dashboard overview of subaccounts, helping analysts identify the most active accounts and the kind of data being ingested. It also displays subaccount sign-in activity, helping analysts identify spikes and trends that may be associated with sign-in failures in BAS. Analysts can also compare the timeline of the activity to security alerts raised in BTP, helping them search for any correlation between the two.


The Identity Management tab, shown in the screenshot below, displays a grid of identity management events, such as user and security role changes, in a human-readable format. The search bar lets you quickly find specific changes.


Getting started

The Microsoft Sentinel solution for SAP BTP is currently offered under a limited preview. To gain early access to the solution in Content Hub, follow the steps below.

  1. To get started, first complete the sign-up form so that we can provision your subscription with access to the preview. Click here to access the sign-up form. We'll provide confirmation via email once your subscription is active.

  1. You'll also need a SAP BTP account to get started. If you don't have an account already, it's easy to sign-up for the trial directly with SAP.

  1. Once you have a login, follow the steps as outlined by SAP, this will involve adding the Audit Log Management Service from the Service Marketplace as shown in the screenshot.


  1. Create an instance of the Audit Log Management Service in the sub account.


  1. Create a service key and record the following details as shown in the screenshot. These are required to deploy the data connector.


  1. Now that you have your BTP connection details, you can install the Microsoft Sentinel Solution for SAP BTP.  Login to the azure portal with the solution preview feature flag: https://portal.azure.com/?feature.loadTemplateSolutions=true

  2. Navigate to the content hub blade in your Sentinel workspace, search for BTP in the search bar, choose the solution titled “SAP BTP pP” and click “Install” and then “Create” in the next screen.


  1. Choose the resource group and the Sentinel workspace in which you want to deploy the solution and hit next until you pass validation and hit “Create”.


  1. Once the solution deployment is complete go back to your Sentinel workspace, search for the BTP data connector in the data connectors gallery, hit “Open connector page” and follow the data connector configuration instructions: 


  2. Once all above configuration steps are completed successfully validate that BTP logs are flowing to the Sentinel workspace:

    1. Login to your BTP subaccount and run a few activities that would generate logs (logins, adding users, changing permissions, changing settings, etc)

    2. Allow 20-30 minutes for the logs to start flowing.

    3. Confirm in the SAP BTP connector page that data is received.

    4. You can also query directly the “SAPBTPAuditLog_CL” table.

  3. Enable the workbook and the analytics rules that are provided as part of the solution by following these guidelines.

You are done with deploying the solution. Now you are ready to start monitoring and detecting threats on your SAP BTP subaccounts!

Next steps:

We are very keen to hear from our customers and direct engagement to help improve the product. Don't hesitate to reach out and let us know your suggestions at sentinel4sap@microsoft.com

Did you know that customers, Microsoft partners and Microsoft MVPs can join our Microsoft Security Customer Connection Program (CCP) communities to share their feedback and insights on our roadmaps, designs, and private preview features for our security products, including Microsoft Sentinel?

Learn more about our Security Customer Connection Program communities, and join, at The New Microsoft Security Customer Connection Program (CCP) – Microsoft Community Hub


This article was originally published by Microsoft's Sentinel Blog. You can find the original article here.