From zero to hero security coverage with Microsoft Sentinel for your critical SAP security signals – blog series

NEWS FEED

13.07.23 🎥Witness an SAP environment breach with a weak password from initial entry to lateral movement within the SAP landscape.

06.07.23 📰SAP playbook for Audit Log Collector attack added featuring multi staged attacks😍

28.06.23 🧑🏽‍💻Detailed guidance for Logic Apps (Standard) added here.

22.05.23 📰SAP playbook for audit log re-enablement added

Dear community,

This blog series sheds light on the plug-and-play automation content available to act on suspicious🕵🏽‍♂️ activity on SAP RISE, SAP ERP, Business Technology Platform, and Azure AD with Microsoft Sentinel.

Get started with below out-of-the-box scenarios based on Azure Logic Apps:

🔗Part 1 – Basic SAP User blocking (quickstart template)	Understand deployment options, configure your favorite scenario, adapt the Teams message, and start blocking SAP users as quickly as possible
🔗Part 2 – Advanced SAP User blocking (enterprise grade)	Uplevel the basic scenario with secure credential handling and dynamic parameterization to scale the approach across your whole SAP estate with simple configuration
🔗Part 3 – SAP Audit Log re-enable	Automatically trigger re-activation of the SAP Auditlog if deactivated
🔗Part 4 – Sentinel Collector Agent attack (blinding the auditor scenario)	Sophisticated scenario distinguishing between SAP maintenance events and malicious deactivation☠️ of the audit log ingestion into Sentinel using Azure Center for SAP Solutions (ACSS) health APIs❤️
🔗Part 5 – Next best scenario requested by you or shared by the community 😊