MS Sentinel for SAP

At All for One Poland, our way of maintaining security controls is the Microsoft Sentinel service and the dedicated Microsoft Sentinel for SAP connector – a solution that combines Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) functionalities. In practice, we collect logs from SAP in parallel, attaching system sources to them. This allows us to see both what is happening at the SAP application layer and at the operating systems and network layers.

Security Operations Center (SOC) works effectively when it has a single source of truth about events across SAP, operating systems and the network. Sentinel ensures this consistency by correlating signals from SAP with what servers, workstations and network devices are recording. As a result, at All for One Poland, we can detect anomalies in SAP and see real-time run-down logs of the complex IT environment, speeding up incident detection and analysis.

There are two paths for connecting SAP systems: an agent in a container or an agentless variant. The agent collects data from SAP (including security audit log, parameter changes, job and print logs) and then passes it to the Log Analytics workspace connected to Microsoft Sentinel, where we run ready-made rules to search through the logs and detect anomalies. In parallel, we enable collectors for system logs, which allows us to always see the full context of events.

Since the start of the solution in the organization, we have been using built-in analytics rules. We verify unauthorized access attempts, such as RFC-intensive logins indicative of brute force attacks, and anomalies in user activity, including the creation of privileged accounts or the assignment of sensitive roles. Sentinel immediately raises an alarm when an attempt is made to disable the Security Audit Log, as well as when critical security parameters change. We combine these signals with information from the OS and network layers to detect details of the event and quickly assess the scope of the incident.

The security content set, including alert rules, is constantly evolving. Sentinel’s SAP monitoring capabilities are constantly expanding, so we are constantly reviewing the current number of ready-made rules and the rest of the resources associated with the Microsoft Sentinel for SAP Connector to ensure that the organization always has access to the latest security tools.

Microsoft’s current price list charges for the use of Microsoft Sentinel for SAP only for production systems (for an active SID). SAP development and test systems are exempt from the fee.

Regardless, standard Microsoft Sentinel costs for Log Analytics workspace processing apply, including GB volume and data retention charges. The total cost is also affected by ancillary resources, such as a virtual machine with an agent.

At All for One Poland, we see the benefits of a single monitoring center for SAP and the rest of the IT environment, with signal correlation and noise reduction provided by the Microsoft Sentinel service. Ready-to-use dashboards and compliance reports speed up audits, and playbooks enable response automation directly in SAP. The whole thing scales with the organization’s growth and requires no process reengineering.

Microsoft Sentinel for SAP allows you to quickly extend visibility and control over critical processes. At All for One Poland, we combine SAP-specific detections with information from the system layer to provide full context and reduce response time.

Waldemar Sokolowski, Board Member, IT Services Director, All for One Poland emphasizes: “SAP systems are complex environments where financial, production and logistics data meet users, integrations and hundreds of access points. Each of these can become a potential attack vector. Therefore, effective SAP protection requires not only incident response, but more importantly, continuous monitoring and analysis of events across the IT landscape.

One of the most effective tools in this regard is Microsoft Sentinel – a SIEM/SOAR-class platform that allows to centrally collect, analyze and correlate security data from various sources, including SAP systems. This enables early detection of anomalies and rapid response to potential incidents.

Cyber security is not a matter of choice today. It’s an obligation, but also a competitive advantage. Companies that use MS Sentinel effectively monitor user activities, configuration changes or unauthorized access – in real time, from a single console. They gain full visibility and situational awareness into their IT environment."