How to Integrate SAP with Microsoft Sentinel
1 Introduction
Critical business data is usually stored in business applications. IT infrastructure facilitates business and business applications. Many vendors offer solutions to protect endpoints, identities, and infrastructure like OSs, Databases, etc., but very few address the challenge of business application security. Business application security monitoring is one of the mature organizations' most significant pain points. ERP solutions like SAP serve as the backbone of big enterprises with business modules like finance, procurement, warehouse management, HR, Project Management, etc. The average criticality rating of most of these modules is high confidentiality and integrity. This not only requires secure implementation but also continuous monitoring of risks. Enterprises that run systems like SAP usually have multiple vendors for business needs, and they also have security monitoring solutions for infrastructure monitoring. Centralized security monitoring will be ideal for monitoring infrastructure like FW, routers, switches, OS, and applications like SAP within one system so you can correlate lateral movement from infra to applications. In this article, we will explain the monitoring of SAP using Azure-based cloud-native SIEM Microsoft Sentinel. This can serve as a governance solution for SAP, just like IAG or GRC.
The Microsoft Sentinel solution for SAP applications is a Microsoft Sentinel solution that you can use to monitor your SAP systems. Use the solution to detect sophisticated threats throughout the business logic and application layers of your SAP applications. The solution includes the following components:
- The Microsoft Sentinel for SAP data connector for data ingestion.
- Analytics rules and watchlists for threat detection.
- Functions that you can use for easy data access.
- Workbooks that you can use to create interactive data visualization.
- Watchlists for customization of the built-in solution parameters.
- Playbooks that you can use to automate responses to threats.
2 Architecture
Below, you can see the architecture for the SAP integration with Microsoft Sentinel.
2.1 SAP - S4
SAP S/4HANA (SAP Business Suite 4 for SAP High-performance ANalytic Appliance, commonly written SAP S4 HANA) is a versatile enterprise resource planning (ERP) suite used by organizations across various industries and sectors for a wide range of business purposes.
Its primary functions and use cases include:
- Core Business Operations: SAP S/4HANA serves as the backbone of an organization's core business operations. It provides modules for financial accounting, procurement, inventory management, manufacturing, sales, human resources, and more. These modules help manage day-to-day business processes efficiently.
- Financial Management: It offers comprehensive financial management capabilities, including financial accounting, management accounting, financial planning, and financial reporting. It helps organizations manage their financial data, close books faster, and make data-driven financial decisions.
- Supply Chain Management: SAP S/4HANA includes modules for supply chain management, allowing organizations to optimize their supply chain processes, manage inventory, and improve demand forecasting. It helps streamline the flow of goods and services from suppliers to customers.
- Sales and Customer Relationship Management: S/4HANA enables organizations to manage sales orders, customer information, and interactions. It provides insights into customer behavior and preferences, helping businesses tailor their offerings to customer needs.
- Manufacturing and Production: Manufacturing companies use S/4HANA to optimize production processes, monitor equipment and quality control, and manage bills of materials. It aids in improving manufacturing efficiency and quality.
- Human Resources: The software includes human resources management capabilities, helping organizations manage employee data, payroll, recruitment, and talent management. It also supports workforce planning and development.
- Project Management: S/4HANA can be used for project management and portfolio management. It helps organizations plan, execute, and track projects, ensuring they are delivered on time and within budget.
- Analytics and Reporting: S/4HANA's in-memory database allows for real-time analytics and reporting. Organizations can gain insights into their data, generate dashboards and reports, and make data-driven decisions.
- Compliance and Governance: It supports governance, risk, and compliance (GRC) functions, helping organizations adhere to regulatory requirements and internal policies. This is crucial for industries with strict compliance standards.
- Industry-Specific Functionality: SAP S/4HANA provides industry-specific solutions for various sectors, including retail, healthcare, utilities, oil and gas, and more. These solutions cater to the unique needs of each industry.
- Digital Transformation: Organizations often use S/4HANA as part of their digital transformation efforts. It enables them to leverage technologies like the Internet of Things (IoT), artificial intelligence (AI), and machine learning (ML) to innovate and improve their operations.
- Cloud and On-Premises Deployment: S/4HANA is available for both cloud and on-premises deployment, giving organizations flexibility in running their ERP system.
In summary, SAP S/4HANA is a comprehensive ERP solution supporting various business functions and industries. It streamlines operations, improves efficiency, provides insights, and adapts to the evolving business landscape, making it a crucial tool for many organizations seeking to stay competitive and grow.
To set up connectivity with SAP S4, make sure the following information is noted:
ABAP Server Host Name: sap-s4.sap.com
SAP System Number (Instance Number): 00
SAP System ID: PS4
SAP Client ID: 400
The SAP software development kit (SDK) will also be required later on. You can download the SAP NetWeaver SDK from https://aka.ms/sap-sdk-download
The SAP SDK is available for both Windows and Linux; make sure to choose the one relevant to your OS.
2.1.1 SAP User for Sentinel
Ensure that a Sentinel user is created in S4 with the permissions required to read the logs. To create the user and assign the permissions, use the article Configure SAP authorizations and deploy optional SAP Change Requests (CRs) - Microsoft Sentinel | Microsoft Learn.
2.1.2 SAP S4 Audit Configuration
Ensure that the right level of auditing is configured on S4 so that all the SAP threat detection rules can work. To configure auditing, use the link below:
Enable and configure SAP auditing for Microsoft Sentinel | Microsoft Learn
2.2 Azure VM
The Microsoft Sentinel for SAP data connector is an agent installed on an Azure virtual machine. It can also be installed on physical servers, on-premises VMs, and Kubernetes clusters. The virtual machine can have a public endpoint, but that is not advisable from a security standpoint. The Azure VM should ideally have a private endpoint that follows the organization's landing zone, firewall configuration, and DNS.
The Azure VM should have a managed identity that is used to grant it permission to read user names and passwords from Azure Key Vault. The role assigned to the Azure VM managed identity on Azure Key Vault will be Key Vault Secrets User.
The Azure VM managed identity will also be used to send logs to Sentinel, so it must hold the right permissions there as well. The managed identity needs the following roles:
- Microsoft Sentinel Business Application Agent Operator
- Reader
These roles will be available at the resource group level of Microsoft Sentinel.
It is very important to note that in our architecture, the Azure VM is in one subscription and Microsoft Sentinel is in another. It is also possible to place the Azure virtual machine in the same subscription as Microsoft Sentinel. You can install Red Hat on the virtual machine. Once the VM is up and running, test whether you can reach SAP S4: you should be able to ping it and telnet to port 3200 or 3300.
2.3 Azure Key Vault
Create a key vault in the same subscription as the virtual machine. This is not a limitation for a multi-subscription scenario, but it is how we have adopted our architecture. The role assigned to the Azure VM managed identity on Azure Key Vault will be Key Vault Secrets User.
2.4 Install the agent on the virtual machine
In the next step you will deploy the agent by running the sapcon-sentinel-kickstart.sh script.
This kick-start script will create an application container with the name you provide; in our design, it is PS4. The PS4 application will use the VM managed identity to access the key vault. At the start of the installation, the kick-start script will ask you for the ABAP server hostname, System Number, System ID, Client ID, and the Sentinel user you created in the ABAP server. The kick-start script will store the Sentinel user credential in the key vault, from where it will be read later for log ingestion.
The kick-start script also asks for the Microsoft Sentinel workspace ID and private key. These will be stored in the key vault for use later when the application (PS4 container) needs to access Microsoft Sentinel to persist SAP logs.
Below is a view of the key vault secrets.
Once the script finishes installing the Sentinel connector for SAP in Docker, the connector runs as a container named after the system. Below are the commands you can use to look into it:
- View logs: docker logs sapcon-PS4
- View logs continuously: docker logs -f sapcon-PS4
- Stop the connector: docker stop sapcon-PS4
- Start the connector: docker start sapcon-PS4
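The reachability test from section 2.2 (ping and telnet to 3200 or 3300) and the container checks above can be scripted into one pre-flight check that is run on the Azure VM before and after the kick-start script. This is an added example written for this article, not part of the Microsoft Sentinel SAP solution or its kick-start script; it assumes the host sap-s4.sap.com, instance number 00 and system ID PS4 from section 2.1, and it generalizes the port test by deriving the dispatcher (32NN) and gateway (33NN) ports from whatever instance number is given.

```shell
#!/usr/bin/env bash
# Pre-flight check for the Sentinel SAP connector VM (constructed example).
# Assumed defaults come from the article: sap-s4.sap.com, instance 00, SID PS4.

# Derive the SAP dispatcher (32NN) and gateway (33NN) ports from a
# two-digit instance number. String concatenation avoids printf treating
# a leading zero as octal.
sap_ports() {
  case "$1" in
    [0-9][0-9]) printf '%s %s\n' "32$1" "33$1" ;;
    *) echo "instance number must be two digits, e.g. 00" >&2; return 1 ;;
  esac
}

# Succeed only if a TCP connection to host:port opens within 3 seconds.
# Replaces the interactive telnet test; bash's /dev/tcp needs no extra tools.
check_tcp() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# State of the sapcon-<SID> container (running, exited, ...), or "missing"
# when Docker is not installed or the container does not exist yet.
connector_state() {
  docker inspect -f '{{.State.Status}}' "sapcon-$1" 2>/dev/null || echo missing
}

# Run all checks for one SAP system and print one line per result.
preflight() {
  host="$1"; inst="$2"; sid="$3"
  ports=$(sap_ports "$inst") || return 1
  for p in $ports; do
    if check_tcp "$host" "$p"; then
      echo "OK   $host:$p reachable"
    else
      echo "FAIL $host:$p unreachable (check NSG, firewall and DNS)"
    fi
  done
  echo "connector sapcon-$sid: $(connector_state "$sid")"
}

# Usage: ./preflight.sh sap-s4.sap.com 00 PS4
if [ "$#" -gt 0 ]; then
  preflight "$@"
fi
```

A FAIL line on 32NN or 33NN before running the kick-start script points at the landing zone network path rather than at the connector itself; a connector state other than running after installation is the cue to read docker logs sapcon-PS4.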
Once the connector installation has finished successfully, after some time you will see the data connector status as running in Sentinel.
If you open the connector page, you will see the tables and the connector health status.
SAP-Sentinel Deployment Overview: https://learn.microsoft.com/en-us/azure/sentinel/sap/deployment-overview
SAP-Sentinel Data Connector Kick Start: https://learn.microsoft.com/en-us/azure/sentinel/sap/reference-kickstart