Skip to Content
Technical Articles
Author's profile photo Martin Pankraz

From zero to hero security coverage with Microsoft Sentinel for your critical SAP security signals – blog series


13.07.23 🎥Witness an SAP environment breach with a weak password from initial entry to lateral movement within the SAP landscape.

06.07.23 📰SAP playbook for Audit Log Collector attack added featuring multi staged attacks😍

28.06.23 🧑🏽‍💻Detailed guidance for Logic Apps (Standard) added here.

22.05.23 📰SAP playbook for audit log re-enablement added

Dear community,

This blog series sheds light on the plug-and-play automation content available to act on suspicious🕵🏽‍♂️ activity on SAP RISE, SAP ERP, Business Technology Platform, and Azure AD with Microsoft Sentinel.

Get started with below out-of-the-box scenarios based on Azure Logic Apps:

🔗Part 1Basic SAP User blocking (quickstart template) Understand deployment options, configure your favorite scenario, adapt the Teams message, and start blocking SAP users as quickly as possible
🔗Part 2Advanced SAP User blocking (enterprise grade) Uplevel the basic scenario with secure credential handling and dynamic parameterization to scale the approach across your whole SAP estate with simple configuration
🔗Part 3SAP Audit Log re-enable

Automatically trigger re-activation of the SAP Auditlog if deactivated


🔗Part 4 Sentinel Collector Agent attack (blinding the auditor scenario) Sophisticated scenario distinguishing between SAP maintenance events and malicious deactivation☠️ of the audit log ingestion into Sentinel using Azure Center for SAP Solutions  (ACSS) health APIs❤️
🔗Part 5 – Next best scenario requested by you or shared by the community 😊

Find the equivalent for Azure Logic Apps (Standard) on our Azure GitHub repos with detailed guidance.

See the comparison between the two options here.

Supporting posts

Learn about modularizing flows and nesting for ease of maintenance:

Microsoft Sentinel Automation Tips & Tricks – Part 2: Playbooks – Microsoft Community Hub


Generate SOAP services for your legacy RFCs to simplify integration out-of-the-box | SAP Blogs

Revolutionize your SAP Security with Microsoft Sentinel’s SOAR Capabilities



Microsoft Sentinel incident response playbooks for SAP | Microsoft Learn

SAP Certification reference: SAP Certified Solutions Directory | Microsoft Sentinel

Deploy Microsoft Sentinel solution for SAP® applications in Microsoft Sentinel | Microsoft Learn

Integrating Azure with SAP RISE managed workloads | Microsoft Learn

Microsoft Sentinel solution for SAP® applications – security content reference | Microsoft Learn

How to use Microsoft Sentinel’s SOAR capabilities with SAP | TechCommunity

Azure-Sentinel/Solutions/SAP/Playbooks · Azure/Azure-Sentinel · GitHub


As always feel free to ask lots of follow-up questions and share your own SOAR scenarios with the community.




Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.