MS Sentinel for SAP
Risk Control
Monitoring SAP systems and IT infrastructure in one place significantly reduces incident response time and facilitates threat analysis. At All for One Poland, we use Microsoft Sentinel along with the Microsoft Sentinel for SAP Connector to consolidate logs from applications, operating systems and networks into a single consistent source of truth for the organization's security.
At All for One Poland, we maintain security control through the Microsoft Sentinel service and a dedicated Microsoft Sentinel for SAP connector – a solution that combines Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) capabilities. In practice, we collect logs from SAP and correlate them with system-level sources. This allows us to see what is happening both at the SAP application layer and at the operating system and network layers.
A Security Operations Center (SOC) works effectively when it has a single source of truth for events across SAP, operating systems and the network. Sentinel ensures this consistency by correlating signals from SAP with data recorded by servers, workstations and network devices. As a result, at All for One Poland, we can detect anomalies in SAP and view real-time logs from the complex IT environment, speeding up incident detection and analysis.
Sentinel in Practice
There are two paths for connecting SAP systems: an agent running in a container or an agentless variant. The agent collects data from SAP (including the Security Audit Log, parameter changes, job and print logs) and forwards it to the Log Analytics workspace connected to Microsoft Sentinel, where we run ready-made rules that search the logs and detect anomalies. In parallel, we enable collectors for system logs, so that we always see the full context of an event.
Scenarios and Detections
Since the solution went live, we have been using the built-in analytics rules. We verify unauthorized access attempts, such as intensive RFC login activity indicative of brute-force attacks, as well as anomalies in user behavior, including the creation of privileged accounts or the assignment of sensitive roles. Sentinel immediately raises an alarm when an attempt is made to disable the Security Audit Log, and when critical security parameters change. We combine these signals with information from the OS and network layers to establish the details of the event and quickly assess the scope of the incident.
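To illustrate the RFC brute-force scenario above, here is an added example of the kind of sliding-window detection logic an analytics rule implements; it is not code from the page or from Microsoft's connector. It runs over constructed sample events in a simplified record shape (not the connector's real table schema), and it assumes the audit message ID "AU5" denotes a failed RFC/CPIC logon and "AU6" a successful one.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, audit message ID, user, client, source host).
# Simplified shape for illustration, not the Sentinel SAP connector's column layout.
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", "AU5", "INTEGRATION", "100", "10.0.0.9"),
    ("2024-05-01T08:00:01", "AU5", "RFC_BATCH", "100", "10.0.0.5"),
    ("2024-05-01T08:00:10", "AU5", "RFC_BATCH", "100", "10.0.0.5"),
    ("2024-05-01T08:00:20", "AU5", "DDIC", "100", "10.0.0.5"),
    ("2024-05-01T08:00:35", "AU5", "DDIC", "100", "10.0.0.5"),
    ("2024-05-01T08:00:50", "AU6", "RFC_BATCH", "100", "10.0.0.5"),  # success: ignored
    ("2024-05-01T08:01:05", "AU5", "RFC_BATCH", "100", "10.0.0.5"),
    ("2024-05-01T08:01:20", "AU5", "DDIC", "100", "10.0.0.5"),
    ("2024-05-01T08:05:00", "AU5", "INTEGRATION", "100", "10.0.0.9"),  # slow, legit retries
    ("2024-05-01T08:10:00", "AU5", "INTEGRATION", "100", "10.0.0.9"),
]


def parse_events(rows):
    """Turn the raw tuples into dicts with parsed timestamps."""
    return [{"ts": datetime.fromisoformat(t), "msg": m, "user": u, "client": c, "host": h}
            for t, m, u, c, h in rows]


def detect_rfc_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Alert once per source host when failed RFC logons within `window` reach `threshold`.

    A per-host deque holds the failures still inside the sliding window; the set of
    targeted users is reported so an analyst can tell a single-account attack from spraying.
    """
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["msg"] != "AU5":  # assumption: AU5 = RFC/CPIC logon failed
            continue
        q = recent[e["host"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and e["host"] not in alerted:
            alerted.add(e["host"])
            alerts.append({"host": e["host"], "failures": len(q),
                           "users": sorted({x["user"] for x in q}),
                           "first": q[0]["ts"], "last": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rfc_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Host 10.0.0.5 trips the rule (five failures in about a minute across two users) while the slow retries from 10.0.0.9 stay below threshold, which is the kind of noise reduction a tuned window gives the SOC.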
The security content set, including alert rules, is constantly evolving. Sentinel’s SAP monitoring capabilities keep expanding, so we regularly review the available built-in rules and the other resources associated with the Microsoft Sentinel for SAP connector to ensure the organization always has access to the latest security tools.
Costs and Billing
According to Microsoft’s current price list, charges for Microsoft Sentinel for SAP apply only to production systems (with an active SID), while SAP development and test systems are exempt from fees.
Standard Microsoft Sentinel costs for Log Analytics workspace data processing still apply, including charges based on data volume (GB) and data retention. Total costs are also influenced by supporting resources, such as a virtual machine running the agent.
Benefits for Security Teams
At All for One Poland, we see the benefits of a single monitoring center for SAP and the rest of the IT environment, with signal correlation and noise reduction provided by the Microsoft Sentinel service. Ready-to-use dashboards and compliance reports speed up audits, and playbooks enable response automation directly in SAP. The solution scales with the organization’s growth and does not require process redesign.
Full Security Context
Microsoft Sentinel for SAP allows rapid expansion of visibility and control over critical processes. At All for One Poland, we combine SAP-specific detections with information from the system layer to provide full context and reduce response time.
MS Sentinel – Our Prescription for a Secure SAP Environment
Waldemar Sokolowski, Board Member, IT Services Director, All for One Poland emphasizes: “SAP systems are complex environments where financial, production and logistics data intersect with users, integrations and hundreds of access points. Each of these can become a potential attack vector. That is why effective SAP protection requires not only incident response, but above all continuous monitoring and analysis of events across the entire IT landscape.
One of the most effective tools in this area is Microsoft Sentinel – a SIEM/SOAR-class platform that enables centralized collection, analysis, and correlation of security data from various sources, including SAP systems. This allows early detection of anomalies and rapid response to potential incidents.
Cybersecurity is no longer a matter of choice. It is an obligation – but also a competitive advantage. Companies that use MS Sentinel effectively monitor user activities, configuration changes or unauthorized access – in real time, from a single console. They gain full visibility and situational awareness into their IT environment.”