Microsoft Sentinel for SAP
Deploy Microsoft Sentinel's SAP solution for threat detection, including the SAP data connector (agent and RFC), and detect privilege escalation, data exfiltration, RFC abuse, and audit log tampering with built-in analytics rules.
Why SAP needs its own SIEM
Aisha pulls up security alerts. "Standard Azure security tools monitor infrastructure: failed logins, suspicious network traffic, malware. But they do not understand SAP. They cannot tell you when someone grants themselves SAP_ALL authorization, exports the entire customer table via RFC, or disables the SAP audit log. For that, we need Microsoft Sentinel with the SAP solution."
Carlos raises an eyebrow. "SAP has its own security, does it not?"
Aisha shakes her head. "SAP logs security events, but it does not correlate them, alert on patterns, or respond automatically. Someone could be slowly escalating privileges over weeks, and native SAP tools would not flag it unless a Basis admin manually reviews logs. Sentinel automates that detection."
Think of it like a security camera system for a building.
Standard Azure security is like having cameras at the building entrance: you see who comes and goes. But SAP is like a vault inside the building with its own access rules, combination locks, and inventory. Sentinel for SAP adds cameras and motion sensors inside the vault. It watches what people do with the sensitive items, not just whether they entered the building.
The SAP data connector
The Sentinel SAP data connector is the bridge between SAP and Sentinel. There are two approaches: the current recommended agentless method and the legacy agent-based method.
Recommended: Agentless data connector (GA)
- Uses SAP Cloud Connector and SAP Integration Suite to forward SAP logs to Sentinel
- No agent VM required, which eliminates the infrastructure overhead of managing a collector VM
- Logs are sent to the Sentinel Log Analytics workspace for analysis
- This is the current recommended architecture for new deployments
Legacy: Containerized agent (deprecated; will be disabled September 14, 2026)
- A containerized agent runs on a Linux VM and connects to SAP using RFC
- The agent pulls SAP logs: security audit log, change documents, table access logs, RFC gateway logs
- This approach still works but is deprecated and will stop functioning after September 2026
- Existing deployments should plan migration to the agentless connector
Deployment requirements (agentless):
- SAP Cloud Connector configured to expose SAP system logs
- SAP Integration Suite for log forwarding
- Log Analytics workspace with Sentinel enabled
- The SAP solution installed from the Sentinel content hub
Exam tip: Know both connector approaches
The exam may reference the RFC-based containerized agent (legacy) or the newer agentless connector via SAP Cloud Connector. The agentless approach is the current recommendation. If you see a question about deploying the Sentinel SAP connector, the modern answer uses SAP Cloud Connector and SAP Integration Suite. The legacy agent-based approach using RFC from a container VM is deprecated and will be disabled September 14, 2026.
⚠️ Recently changed: exam alert
The SAP data connector architecture changed significantly in 2025-2026. The original containerized agent approach (Linux VM running a Docker container with RFC connectivity) is now deprecated and will be permanently disabled on September 14, 2026. The current recommended approach is the agentless data connector using SAP Cloud Connector and SAP Integration Suite. Exam questions may test whether you know the current recommended deployment method: if you see "deploy a containerized agent on a Linux VM" as an answer choice, that is the legacy/deprecated approach.
SAP-specific threat types
| Threat type | What it detects | Example scenario | Risk |
|---|---|---|---|
| Privilege escalation | Unauthorized role or authorization changes | A user assigns SAP_ALL profile to themselves during off-hours | Full system access: can read, modify, or delete any data |
| Data exfiltration | Large or unusual data downloads | Someone exports the entire customer master table to a local file | Data breach: customer, financial, or employee data stolen |
| RFC abuse | Suspicious RFC function calls | External system calls sensitive BAPIs without proper authorization | Remote code execution or data access through RFC gateway |
| Audit log tampering | Disabling or modifying SAP audit logs | An attacker turns off the security audit log to hide their tracks | Loss of forensic evidence: attacks become invisible |
| User creation anomalies | Unusual user account creation | A new SAP user with broad authorizations is created at 3 AM | Backdoor accounts for persistent unauthorized access |
Aisha demonstrates. "Last month, Sentinel detected an SAP user who granted themselves debug authorization at 11 PM. That user had no business doing ABAP debugging. Turned out their credentials were compromised. We caught it in minutes instead of weeks."
Built-in analytics rules
The Sentinel SAP solution includes dozens of pre-built analytics rules:
- SAP - Sensitive privilege use: detects when high-privilege transactions (SM19, SU01, SE38) are used outside normal hours
- SAP - User authorizations changed: triggers when role assignments or profiles are modified
- SAP - Audit log cleared: alerts when someone attempts to clear or disable the audit log
- SAP - RFC execution of sensitive function: detects calls to sensitive function modules via RFC
- SAP - Multiple logon from different IPs: flags concurrent logins from geographically distant locations
- SAP - Critical authorization changes: detects assignment of critical profiles like SAP_ALL or SAP_NEW
Rules can be customized:
- Adjust thresholds (e.g., alert after 5 sensitive transactions, not 1)
- Add exclusions for known administrative activities
- Create custom rules for TradeCorp-specific threat scenarios
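To make the rule logic and the tuning knobs above concrete, here is an added example (not code from the Sentinel SAP solution, which implements its rules as KQL queries over Log Analytics tables). It emulates three of the listed rules over a handful of constructed SAP security audit log records, with the threshold and exclusion-list customizations described; the record fields and sample values are assumptions for illustration.

```python
from collections import defaultdict

# Constructed SAP security audit log records (not real data). Field names are
# simplified assumptions: user, transaction code, hour of day, message text.
SAMPLE_LOG = [
    {"user": "JDOE", "tcode": "SU01", "hour": 23, "text": "Profile SAP_ALL assigned to user JDOE"},
    {"user": "JDOE", "tcode": "SE38", "hour": 23, "text": "Report RSUSR002 started"},
    {"user": "BASIS_OPS", "tcode": "SM19", "hour": 2, "text": "Audit configuration changed"},
    {"user": "ALICE", "tcode": "VA01", "hour": 10, "text": "Sales order created"},
    {"user": "BOB", "tcode": "SU01", "hour": 14, "text": "Profile SAP_NEW assigned to user BOB"},
]

SENSITIVE_TCODES = {"SM19", "SU01", "SE38"}   # from the "Sensitive privilege use" rule
CRITICAL_PROFILES = ("SAP_ALL", "SAP_NEW")    # from the "Critical authorization changes" rule


def sensitive_privilege_use(records, threshold=1, exclusions=(), business_hours=range(8, 18)):
    """Users who ran sensitive transactions outside business hours.
    threshold: number of such events before alerting (e.g. 5 instead of 1).
    exclusions: accounts whose off-hours activity is expected (scheduled Basis work)."""
    counts = defaultdict(int)
    for r in records:
        if r["tcode"] in SENSITIVE_TCODES and r["hour"] not in business_hours \
                and r["user"] not in exclusions:
            counts[r["user"]] += 1
    return sorted(user for user, n in counts.items() if n >= threshold)


def critical_authorization_changes(records):
    """(user, profile) pairs where a critical profile was assigned, at any hour."""
    alerts = []
    for r in records:
        for profile in CRITICAL_PROFILES:
            if r["tcode"] == "SU01" and f"Profile {profile} assigned" in r["text"]:
                alerts.append((r["user"], profile))
    return alerts


def audit_log_config_changed(records):
    """Users who touched the audit log configuration (SM19), at any hour."""
    return [r["user"] for r in records if r["tcode"] == "SM19"]


if __name__ == "__main__":
    print("Off-hours sensitive use:", sensitive_privilege_use(SAMPLE_LOG))
    print("With exclusions:", sensitive_privilege_use(SAMPLE_LOG, exclusions=("BASIS_OPS",)))
    print("Critical profiles:", critical_authorization_changes(SAMPLE_LOG))
    print("Audit config changes:", audit_log_config_changed(SAMPLE_LOG))
```

Note that BOB's SAP_NEW assignment at 14:00 is invisible to the off-hours rule but is still caught by the critical-profile rule, which is why the solution layers several rules rather than relying on one.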
Investigation and response
When Sentinel detects a threat:
- Incident created: with severity, affected entities (user, system), and timeline
- Investigation graph: visual map of related events, users, and systems
- Automated response: Logic Apps can lock the SAP user, notify the security team, or create a ServiceNow ticket
- Hunting queries: pre-built queries to search for similar activity across all SAP systems
Automated response for SAP
Sentinel playbooks (Logic Apps) can automate response to SAP threats. For example, if Sentinel detects a user granting themselves SAP_ALL, a playbook can automatically lock that user in SAP via RFC, send a Teams notification to the security team, and open an incident ticket, all within seconds. This is powerful but requires careful testing to avoid locking out legitimate admins.
Knowledge check
Carlos asks why standard Azure security tools are insufficient for SAP. What is Aisha's answer?
Aisha is reviewing TradeCorp's Sentinel SAP connector architecture. In the legacy (agent-based) data connector, what protocol does the agent use to pull logs from SAP?
Sentinel detects a user granting themselves SAP_ALL authorization at 2 AM. What automated response can Aisha configure?
Summary
You now understand why SAP needs its own SIEM layer: standard infrastructure security cannot detect SAP-specific threats. Microsoft Sentinel with the SAP solution provides RFC-based log collection, built-in analytics rules for privilege escalation, data exfiltration, RFC abuse, and audit log tampering, plus automated investigation and response.
Next, we look at cost optimization: making all this SAP infrastructure as cost-efficient as possible without sacrificing performance or availability.