First, big kudos to Martin for crafting this amazing playbook and co-authoring this blog post. Be sure to check out his SAP-focused blog for more in-depth insights!

The purpose of this blog post is to demonstrate how the SOAR capabilities of Sentinel can be utilized in conjunction with SAP by leveraging Microsoft Sentinel Playbooks / Azure Logic Apps to automate remedial actions in SAP systems or SAP Business Technology Platform (BTP). Before we dive into the details of the SOAR capabilities in the Sentinel SAP Solution, let's take a step back and take a very quick run through the Sentinel SAP Solution.

The Microsoft Sentinel SAP solution empowers organizations to secure their SAP environments by providing threat monitoring capabilities. By seamlessly collecting and correlating both business and application logs from SAP systems, this solution enables proactive detection and response to potential threats. At its core, the solution features a specialized SAP data connector that efficiently handles data ingestion, ensuring a smooth flow of information. In addition, an extensive selection of content, comprising analytic rules, watchlists, parsers, and workbooks, gives security teams the essential resources to assess and address potential risks. In a nutshell: with the Microsoft Sentinel SAP solution, organizations can confidently fortify their SAP systems, proactively safeguarding critical assets and maintaining a vigilant security posture. For a complete (and detailed) overview of what is included in the Sentinel SAP solution content, see the Microsoft Docs page for the Microsoft Sentinel SAP solution.

Now back to the SOAR capabilities! About a year ago, we published a blog post titled "How to use Microsoft Sentinel's SOAR capabilities with SAP", which discussed utilizing playbooks to react to threats in your SAP systems. The breakthrough that blog post described was the use of Sentinel's SOAR (Security Orchestration and Automated Response) capabilities on top of the Sentinel SAP Solution. This means that we can not only monitor and analyze security events in real time, we can also automate SAP incident response workflows to improve the efficiency and effectiveness of security operations.

Overview & Use case

In the previous blog post, we discussed blocking suspicious users using a gateway component, the SAP RFC interface, and GitHub-hosted sources. In this post, we showcase the same end-to-end scenario using a playbook that is part of the OOB content of the SAP Sentinel Solution. And rest assured, no development is needed – it's all about configuration! This approach significantly reduces the integration effort, making it a smooth and efficient process!

Let me set the scene: you're the defender of your company's precious SAP systems, tasked with keeping them safe. Suddenly Sentinel warns you that someone is behaving suspiciously on one of the SAP systems. A user is trying to execute a highly sensitive transaction in your system. Thanks to your customization of the OOB "Sensitive Transactions" watchlist and enablement of the OOB rule "SAP - Execution of a Sensitive Transaction Code", you're in the loop whenever the sensitive transaction SE80 is being executed. You get an instant warning, and now it's time to investigate the suspicious behavior.

[Figure: Sensitive Transactions watchlist with an entry for SE80]

As part of the security signal triage process, it might be decided to take action against this problematic user and to (temporarily) kick them out of ERP, SAP Business Technology Platform or even Azure AD. To accomplish this, you can use the automatic remediation steps outlined in the OOB playbook "SAP Incident handler - Block User from Teams or Email". By leveraging an automation rule and the out-of-the-box playbook, you can effectively respond to potential threats and ensure the safety and security of your systems. Specifically, in this blog post, we will use the playbook to promptly react to the execution of the sensitive transaction SE80, employing automation to mitigate any risks that may arise.

Now, it's time to dive deeper into this OOB playbook! Let's examine it closely to better understand how it works and how it can be used in your environment. To start off, we'll break down the scenario into a step-by-step flow. As we covered earlier, Sentinel detects a suspicious transaction being executed (steps 1-4), and an automation rule is set up as a response to the "SAP - Execution of a Sensitive Transaction Code" analytic rule. The core of this playbook revolves around adaptive cards in Teams (see step 5 in the overview diagram), and relies on waiting for a response from engineers.
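The detection-to-remediation flow this scenario describes (watchlist match, analytic rule, automation rule, Teams approval card, block of the user), as an added Python model that is not the Sentinel SAP solution's own code or the playbook's Logic App definition. The audit-event fields, the second watchlist entry, and the card option labels are constructed assumptions; only SE80 and the three target systems come from the post.

```python
from dataclasses import dataclass

# Constructed stand-in for the "Sensitive Transactions" watchlist. SE80 is the
# entry the post discusses; SM59 is a constructed second entry.
SENSITIVE_TRANSACTIONS = {"SE80": "ABAP Workbench", "SM59": "RFC destinations"}

# Assumed choices the engineer can pick on the Teams adaptive card.
CARD_OPTIONS = {"block_sap", "block_sap_btp", "block_all", "ignore"}

@dataclass(frozen=True)
class AuditEvent:            # assumed minimal shape of one SAP audit record
    system_id: str
    user: str
    tcode: str

@dataclass(frozen=True)
class Incident:              # what the analytic rule hands to the automation rule
    system_id: str
    user: str
    tcode: str
    description: str

def detect_sensitive_transactions(events, watchlist=SENSITIVE_TRANSACTIONS):
    """Analytic-rule logic: one incident per event whose transaction code is on the
    watchlist. Codes are upper-cased first so a lower-cased log source cannot slip SE80 past the rule."""
    incidents = []
    for ev in events:
        code = ev.tcode.strip().upper()
        if code in watchlist:
            incidents.append(Incident(ev.system_id, ev.user, code, watchlist[code]))
    return incidents

def remediation_for(card_response):
    """Playbook decision gate: map the engineer's card answer to the systems the
    user is blocked in. No answer (card timed out) or 'ignore' means no automatic
    block, so the incident stays open for manual triage."""
    if card_response in (None, "ignore"):
        return ()
    if card_response not in CARD_OPTIONS:
        raise ValueError(f"unexpected card response: {card_response!r}")
    scopes = {"block_sap": ("SAP ERP",),
              "block_sap_btp": ("SAP ERP", "SAP BTP"),
              "block_all": ("SAP ERP", "SAP BTP", "Azure AD")}
    return scopes[card_response]

# Constructed sample audit events: one SE80 execution among routine activity.
SAMPLE_EVENTS = [AuditEvent("PRD", "JDOE", "SE16"),
                 AuditEvent("PRD", "JDOE", "se80"),
                 AuditEvent("DEV", "BUILD", "SE38")]
```

Running `detect_sensitive_transactions(SAMPLE_EVENTS)` yields a single incident for JDOE's SE80 execution, and `remediation_for` returns the block scope chosen on the card, or nothing when the card was not answered.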