From zero to hero security coverage with Microsoft Sentinel for your critical SAP security signals – blog series
- 13.07.23 🎥 Witness an SAP environment breach with a weak password from initial entry to lateral movement within the SAP landscape.
- 06.07.23 📰 SAP playbook for Audit Log Collector attack added featuring multi-staged attacks 😍
- 28.06.23 🧑🏽‍💻 Detailed guidance for Logic Apps (Standard) added here.
- 22.05.23 📰 SAP playbook for audit log re-enablement added
This blog series sheds light on the plug-and-play automation content available to act on suspicious 🕵🏽‍♂️ activity on SAP RISE, SAP ERP, Business Technology Platform, and Azure AD with Microsoft Sentinel.
Get started with the out-of-the-box scenarios below, all based on Azure Logic Apps:
| Part | Description |
|---|---|
| 🔗 Part 1 – Basic SAP User blocking (quickstart template) | Understand deployment options, configure your favorite scenario, adapt the Teams message, and start blocking SAP users as quickly as possible |
| 🔗 Part 2 – Advanced SAP User blocking (enterprise grade) | Uplevel the basic scenario with secure credential handling and dynamic parameterization to scale the approach across your whole SAP estate with simple configuration |
| 🔗 Part 3 – SAP Audit Log re-enable | Automatically trigger re-activation of the SAP Audit Log if it has been deactivated |
| 🔗 Part 4 – Sentinel Collector Agent attack (blinding the auditor scenario) | Sophisticated scenario distinguishing between SAP maintenance events and malicious deactivation ☠️ of the audit log ingestion into Sentinel using Azure Center for SAP Solutions (ACSS) health APIs ❤️ |
| 🔗 Part 5 – Next best scenario requested by you or shared by the community 😊 | |
Find the equivalent for Azure Logic Apps (Standard) on our Azure GitHub repos with detailed guidance.
See the comparison between the two options here.
Learn about modularizing flows and nesting for ease of maintenance:
SAP Certification reference: SAP Certified Solutions Directory | Microsoft Sentinel
As always, feel free to ask lots of follow-up questions and share your own SOAR scenarios with the community.