MS Sentinel: A New Era of SAP Cybersecurity
Guard Your SAP Systems
Fences, monitoring, security... Protection against unauthorized physical access is an important element of building a company’s security. MS Sentinel, a digital guardian, is a powerful ally in protecting key IT systems. Integrating the SAP environment with this SIEM-class platform is one of the most promising directions for comprehensive security support of transactional systems. MS Sentinel not only provides tools for monitoring SAP operations, detecting incidents, and preventing them, but also helps ensure compliance with legal regulations and industry standards.
From finance through logistics to human resource management, companies rely on SAP solutions for their key business processes. These advanced, highly integrated IT systems are critical to business operations – and at the same time an attractive target for cybercriminals. Therefore, in an era of growing digital threats and tightening EU regulations, such as the NIS2 directive, companies are increasingly turning to advanced solutions to monitor and protect these systems, including Security Information and Event Management (SIEM) systems.
SAP – The Integrated Nervous System of Every Organization
SAP environments are often highly complex and individually tailored to the needs of each company. This makes them function as the integrated nervous system of an organization – connecting different departments, streamlining operations, and enabling better decision-making. At the same time, this complexity makes these systems difficult to protect.
The wide range of products, functionalities, and modules translates into tens of thousands of transactions that need to be managed and controlled. At the same time, the complexity of system architecture, the way permissions are managed or interfacing with numerous external components pose a significant challenge in ensuring cybersecurity. This is difficult to achieve without the right tools and expertise.
The traditional division of competencies in the SAP ecosystem typically looks as follows:
- SAP Basis technical layer (infrastructure, operating system, database, technical parameters),
- modules (application settings),
- satellite equipment and systems – often provided by third-party companies.
This split results in difficulties already at the stage of identifying who is truly responsible for the security of the environment as a coherent whole in business terms. An island-based approach to security management (“each area is responsible for its own part”) is ineffective against most threats. Therefore, in order to secure their key systems and produce a new quality in security management, organizations must rely on modern SIEM-class platforms.
MS Sentinel – Next-Generation SIEM for SAP
Microsoft Sentinel for SAP applications addresses these challenges. Thanks to its flexibility and scalability, it is ideally suited to monitoring SAP environments – both on-premise and in the cloud – using:
- correlation of logs collected from different sources,
- threat analysis using artificial intelligence,
- incident response automation.
SAP generates huge volumes of logs, only a small fraction of which are relevant to security. The correlation function, supported by appropriate rules, filters events, assigns business relevance and prioritizes them based on risk. This enables the teams of the SOC (Security Operations Center) to focus on real threats, instead of drowning in irrelevant alerts.
On the SAP system side, integration with Sentinel requires meeting certain boundary conditions:
- SAP NetWeaver 7.5+ with active security audit (RSAU_CONFIG);
- SAP roles: /MSFTSEN/SENTINEL_CONNECTOR and /MSFTSEN/SENTINEL_AGENT_BASIC assigned to a technical user;
- Access to transactions: SU01, PFCG, STMS_IMPORT, RSAU_CONFIG;
- SAP Notes: 3390051 and 382318 – NetWeaver configuration for Sentinel integration.
Thanks to automated reporting, cybersecurity administrators do not need to know the details of the SAP environment – Sentinel identifies specific, named threats, whether they are repeated authentication attempts, changes in user privileges or mass data downloads. The system not only detects threats but also enables their automatic neutralization thanks to SOAR (Security Orchestration, Automation and Response) functions – you can, for example, block a user, trigger alerts or initiate processes in accordance with the security policy.
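The filter-and-prioritize step described above, shown as an added Python example that is not part of the original article and is not Microsoft Sentinel's own rule logic. The event field names, thresholds and risk weights are assumptions, and the sample events are constructed.

```python
from collections import Counter

# Assumed thresholds and risk weights; tune them to the environment.
FAILED_LOGON_LIMIT = 5
DOWNLOAD_ROW_LIMIT = 100_000
RISK = {"privilege_change": 90, "mass_download": 80, "repeated_failed_logon": 60}

# Constructed sample events, not real SAP audit log output.
SAMPLE_EVENTS = (
    [{"user": "JDOE", "type": "logon_failed"} for _ in range(6)]
    + [{"user": "ASMITH", "type": "logon_failed"}]
    + [{"user": "BATCH01", "type": "transaction_start", "tcode": "VA01"}]
    + [{"user": "ADMIN2", "type": "role_assigned", "target": "JDOE", "role": "Z_FI_ALL"}]
    + [{"user": "JDOE", "type": "download", "rows": 250_000}]
    + [{"user": "ASMITH", "type": "download", "rows": 120}]
)


def correlate(events):
    """Return alerts sorted by descending risk; irrelevant events are dropped."""
    alerts = []
    failed = Counter(e["user"] for e in events if e["type"] == "logon_failed")
    for user, count in failed.items():
        if count >= FAILED_LOGON_LIMIT:
            alerts.append({"rule": "repeated_failed_logon", "user": user,
                           "detail": f"{count} failed logons"})
    for e in events:
        if e["type"] == "role_assigned":
            alerts.append({"rule": "privilege_change", "user": e["target"],
                           "detail": f"{e['role']} assigned by {e['user']}"})
        elif e["type"] == "download" and e["rows"] >= DOWNLOAD_ROW_LIMIT:
            alerts.append({"rule": "mass_download", "user": e["user"],
                           "detail": f"{e['rows']} rows exported"})
    for a in alerts:
        a["risk"] = RISK[a["rule"]]
    # Correlation step: several alerts for the same user raise each one's priority.
    per_user = Counter(a["user"] for a in alerts)
    for a in alerts:
        if per_user[a["user"]] > 1:
            a["risk"] = min(100, a["risk"] + 10)
    return sorted(alerts, key=lambda a: a["risk"], reverse=True)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Of the eleven sample events, only three alerts remain, all for the same account, which is the reduction in noise the SOC relies on.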
It is also worth noting that Microsoft Sentinel has completed certification for SAP S/4HANA Cloud, SAP S/4 on-premises and RISE with SAP environments. It supports both cloud and hybrid environments, making it a universal tool, regardless of the underlying architecture. And SAP security ceases to be island-based and becomes comprehensive and manageable.
MS Sentinel in Action
Synergy with NIS2
Microsoft Sentinel also aligns with the requirements of Article 21 of the NIS2 Directive – as one of the technical measures necessary for effective incident management in IT environments, incident reporting or risk management support, and ensuring business continuity. SAP, as a critical system, must be covered by these requirements. And Sentinel will support the organization in meeting these obligations by automating, centralizing and documenting security-related activities.
A large proportion of companies using SAP are operators of essential or important services, which in the near future – following the amendment of the National Cyber Security System Act – will be required to implement regulations arising from the NIS2 Directive. These include companies operating in the energy, transport, manufacturing, healthcare, and other sectors.
SAP Security Is a Must
SAP security is not a luxury – it is a necessity. In a world where data is the most valuable asset and cyber threats evolve every day, integrating SAP with a modern SIEM such as Microsoft Sentinel gives organizations a tangible advantage. Implementing the solution is a step towards modern security management, but also a response to the requirements of the NIS2 directive, thus turning technology into a business protection strategy. Organizations that opt for such a solution gain not only regulatory compliance but also a real increase in the security level of their key systems.
Incidents Detected by MS Sentinel – Examples
- Unauthorized changes to the system
- Privilege escalation
- Attempts to bypass SAP security mechanisms
- Creation of “backdoors” and external interfaces
- Mass data retrieval (exfiltration)
- Access attempts from suspicious IP addresses