Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Deploying the Microsoft Sentinel data collector and solution for SAP lets you monitor SAP systems for suspicious activities and identify threats. However, extra configuration steps are needed to optimize the solution for your SAP deployment. Configure the security content delivered with the Microsoft Sentinel solution for SAP applications as the final step in deploying the SAP integration.
Important
The data connector agent for SAP is being deprecated and will be permanently disabled by September 14th 2026. We recommend that you migrate to the agentless data connector. Learn more about the agentless approach from our blog post.
Content in this article is relevant for your security team.
Prerequisites
Before you configure the settings described in this article, make sure you have:
- A Microsoft Sentinel SAP solution installed
- A data connector configured
For more information, see Deploy the Microsoft Sentinel solution for SAP applications from the content hub and Deploy Microsoft Sentinel solution for SAP applications.
Tip
Use the blog series "How to successfully evaluate the SAP for Sentinel solution and implement it in production" for a detailed walk through with best practices.
Start enabling analytics rules
By default, all analytics rules in the Microsoft Sentinel solution for SAP are provided as alert rule templates. We recommend a staged approach. Use the templates to create a few rules at a time, and allow time to fine-tune each scenario.
Start with the following analytics rules, which are simpler to test:
- Change in Sensitive privileged user
- Sensitive privileged user logged in
- Sensitive privileged user makes a change in other user
- Sensitive Users Password Change and Login
- Client Configuration Change
- Function Module tested
For more information, see Built-in analytics rules and Threat detection in Microsoft Sentinel.
Configure watchlists
Configure your Microsoft Sentinel solution for SAP applications by providing customer-specific information in the following watchlists:
| Watchlist name | Configuration details |
|---|---|
| SAP - Systems | The SAP - Systems watchlist defines the SAP systems that are present in the monitored environment. For every system, specify: - The SID - Whether it's a production system or a dev/test environment. Defining this in your watchlist doesn't affect billing, and only influences your analytics rule. For example, you might want to use a test system as a production system while testing. - A meaningful description Configured data is used by some analytics rules, which might react differently if relevant events appear in a development or a production system. |
| SAP - Networks | The SAP - Networks watchlist outlines all networks used by the organization. It's primarily used to identify whether or not user sign-ins originate from within known segments of the network, or if a user's sign-in origin changes unexpectedly. There are many approaches for documenting network topology. You could define a broad range of addresses, like 172.16.0.0/16, and name it Corporate Network, which is good enough for tracking sign-ins from outside that range. However, a more segmented approach, allows you better visibility into potentially atypical activity. For example, you might define the following segments and geographical locations: - 192.168.10.0/23: Western Europe - 10.15.0.0/16: Australia In such cases, Microsoft Sentinel can differentiate a sign-in from 192.168.10.15 in the first segment from a sign-in from 10.15.2.1 in the second segment. Microsoft Sentinel alerts you if such behavior is identified as atypical. |
| SAP - Sensitive Function Modules SAP - Sensitive Tables SAP - Sensitive ABAP Programs SAP - Sensitive Transactions |
Sensitive content watchlists identify sensitive actions or data that can be carried out or accessed by users. While several well-known operations, tables, and authorizations are preconfigured in the watchlists, we recommend that you consult with your SAP BASIS team to identify the operations, transactions, authorizations and tables are considered to be sensitive in your SAP environment, and update the lists as needed. |
| SAP - Sensitive Profiles SAP - Sensitive Roles SAP - Privileged Users SAP - Critical Authorizations |
The Microsoft Sentinel solution for SAP applications uses user data gathered in user data watchlists from SAP systems to identify which users, profiles, and roles should be considered sensitive. While sample data is included in the watchlists by default, we recommend that you consult with your SAP BASIS team to identify the sensitive users, roles, and profiles in your organization and update the lists as needed. |
After the initial solution deployment, it might take some time until the watchlists are populated with data. If you open a watchlist for editing and find that it's empty, wait a few minutes and try again.
For more information, see Available watchlists.
Use a workbook to check compliance for your SAP security controls
The Microsoft Sentinel solution for SAP applications includes the SAP - Security Audit Controls workbook, which helps you check compliance for your SAP security controls. The workbook provides a comprehensive view of the security controls that are in place and the compliance status of each control.
For more information, see Check compliance for your SAP security controls with the SAP - Security Audit Controls workbook.
Related content
The SAP solution for Microsoft Sentinel includes more content, such as functions, playbooks, and workbooks. Use the links below as starting points. Add more content over time to get the most from your SAP security monitoring.
Explore SAP solution reference content:
- Microsoft Sentinel solution for SAP applications - functions reference
- Microsoft Sentinel solution for SAP applications: security content reference.
Monitor and maintain your SAP integration: