Enhancing the Support for RISE on AWS & GCP – LogS…

  • By Sanjay
  • 26/06/2026


Find your way to our central blog series entry here.

Co-authored by Martin Pankraz (SAP Security PM, Microsoft) & @krishnarajapantula 

Dear community,

The wait is over. Finally, RISE on AWS, RISE on GCP and customers on any platform can be protected with Microsoft Sentinel Solution for SAP with SAP LogServ. How is that different from RISE on Azure, you are asking?

Well, Azure customers have a native LogServ data pipeline with a turn-on experience where SAP does the heavy lifting for you. Customers on other hyperscalers can still profit from the Microsoft Sentinel for SAP integration using the Python-based log forwarder provided by SAP ECS. It has a dedicated Microsoft Sentinel for SAP module.

Architecture Overview with RISE on AWS sample

Architecture Overview with RISE on GCP sample

  1. SAP RISE customers who subscribed to LogServ should install SAP LogServ (RISE), S/4 HANA Cloud Private Edition from the Microsoft Sentinel Content Hub. Use the Data Connectors screen to deploy the connector, either from the classic Azure Portal or from the new view in the Defender Portal.
    1. The connector deployment tries to create all resources in one go, among them a Microsoft Entra ID app registration. If the user doing the deployment does not have sufficient rights, this process needs to be split up. Click the button anyway, which finalizes the creation of the Data Collection Endpoint and Data Collection Rule in the same resource group as your Log Analytics Workspace.
    2. Take note of the fields generated. They will be required for the log forwarder config.
    3. If needed, create your app registration in a second step, supply a secret, and assign that Entra ID app ID to the Data Collection Rule with the role “Monitoring Metrics Publisher”.

2. Once installed, the customer should reach out to their:

  1. ECS CDM or ECS TSM to share log forwarder onboarding details. CDMs and TSMs can find the Sentinel onboarding steps in the SAP-internal LogServ wiki.
  2. Put [email protected] in cc.
  3. Use the subject line “SAP LogServ and Microsoft Sentinel – Activation”. Please include your SAP RISE customer details in the email.

3. Request virtual network peering (AWS VPC, GCP VPC peering) if not yet deployed.

4. Retrieve the LogServ connection details from the self-service section of the SAP ECS Security Portal.

5. Deploy the log forwarder provided by SAP:

  1. Deploy a virtual machine with line of sight to the LogServ assets and access to the peered private network.
  2. Install the Python-based SAP ECS Logforwarder.
  3. Configure the log forwarder with the config details collected from the ECS Security Portal. Use the Sentinel configuration section together with the values noted down in step 1a.

6. Use the SAP LogServ Insights workbook to verify successful log data ingest.
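
A pre-flight check for the values noted in step 1 before they go into the log forwarder configuration in step 5, added here as an example and not part of SAP's forwarder or the Sentinel solution. It assumes the Azure public cloud and the Azure Monitor Logs Ingestion API behind the Data Collection Endpoint and Rule; the field names, the sample values and the stream name are placeholders.

```python
import json
import re
import urllib.parse
import urllib.request

GUID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
# Field names are this example's own, not the forwarder's config keys.
CHECKS = {
    "tenant_id": GUID,
    "client_id": GUID,
    # Public-cloud ingestion host; sovereign clouds use other suffixes.
    "dce_uri": re.compile(r"^https://[a-z0-9.-]+\.ingest\.monitor\.azure\.com/?$", re.I),
    "dcr_immutable_id": re.compile(r"^dcr-[0-9a-f]{32}$", re.I),
    "stream_name": re.compile(r"^(Custom|Microsoft)-[A-Za-z0-9_]+$"),
}
# Constructed sample values; replace with the fields shown by the connector page.
SAMPLE = {"tenant_id": "11111111-2222-3333-4444-555555555555",
          "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
          "client_secret": "constructed-secret-value",
          "dce_uri": "https://logserv-dce-ab12.westeurope-1.ingest.monitor.azure.com",
          "dcr_immutable_id": "dcr-0123456789abcdef0123456789abcdef",
          "stream_name": "Custom-PLACEHOLDER_CL"}

def problems(cfg):
    """Return a list of problems; an empty list means the values look sane."""
    out = [f"{key}: missing or malformed" for key, rx in CHECKS.items()
           if not rx.match(str(cfg.get(key, "")).strip())]
    if not cfg.get("client_secret"):
        out.append("client_secret: empty")
    elif GUID.match(cfg["client_secret"]):
        # Entra ID shows a GUID "Secret ID" next to the value; only the value works.
        out.append("client_secret: looks like the secret ID, not the secret value")
    return out

def token_request(cfg):
    """Client-credentials request for an Azure Monitor token (Entra ID v2.0)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
        "scope": "https://monitor.azure.com//.default"}).encode()
    url = f"https://login.microsoftonline.com/{cfg['tenant_id']}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=body, method="POST")

def ingest_request(cfg, token, records):
    """Logs Ingestion API call that reaches the DCR through the DCE."""
    url = (f"{cfg['dce_uri'].rstrip('/')}/dataCollectionRules/"
           f"{cfg['dcr_immutable_id']}/streams/{cfg['stream_name']}?api-version=2023-01-01")
    return urllib.request.Request(url, data=json.dumps(records).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
```

Sending `token_request` with `urllib.request.urlopen` confirms the app registration and secret without writing any data. A 403 on the ingestion call afterwards usually means the “Monitoring Metrics Publisher” assignment on the Data Collection Rule is missing or has not propagated yet.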

Don't miss this opportunity to enhance your security posture with the powerful combination of SAP LogServ and Microsoft Sentinel Solution for SAP. Activate today and be among the first to experience the benefits. 

We look forward to your participation and to helping you incorporate your SAP RISE environments into your overall IT estate. 

Check blog part 2 to cherry-pick the log types you need from LogServ for real-time threat protection and to decide which ones should go into cost-efficient long-term storage on the Sentinel Data Lake, part 3 to craft your own detections, and part 4 to understand the monitoring.

And finally, part 1 of the series to discover the analytic rules for the application layer powering Microsoft’s correlation engine.

That’s a wrap🌯. You saw today how to onboard your SAP LogServ instance running RISE on AWS or GCP to Microsoft Sentinel for SAP. The approach is applicable to all other SAP ECS supported environments. You understand the difference from RISE on Azure deployments integrated with Microsoft Sentinel for SAP. Otherwise, go check the intro paragraph again.

Get started with your deployment today. See the art-of-the-possible for the agentic SOC in this video.

Which detections or analytic rules for RISE do you need most? Let me know in the comments or reach out directly.

Cheers Hemanth & Martin


