Episode #208
Introduction
In episode 208 of our SAP on Azure video podcast we talk about security!
Sentinel for SAP has been around for quite some time now. It is even certified for RISE with SAP, and we see a lot of interest from customers in the additional protection that Sentinel can provide for their SAP systems.
Speaking of SAP systems: a lot of customers are using the SAP Business Technology Platform to leverage Integration Suite, SAP Fiori or SAP Build services, and of course also AI Core services. Just a few weeks back the Microsoft Sentinel for SAP BTP solution also reached General Availability, which means that you can now detect attacks on BTP with Sentinel as well.
To help us understand more about the features I am happy to have Will King, Yossi Hasson and Martin Pankraz with us today.
Find all the links mentioned here: https://www.saponazurepodcast.de/episode208
Reach out to us for any feedback / questions:
- Robert Boban: https://www.linkedin.com/in/rboban/
- Goran Condric: https://www.linkedin.com/in/gorancondric/
- Holger Bruchelt: https://www.linkedin.com/in/holger-bruchelt/
#Microsoft #SAP #Azure #SAPonAzure #Sentinel #BTP #SAPBTP #Security
Summary created by AI
- Holger introduced the episode and welcomed participants Will King, Yossi Hasson, and Martin Pankraz. Will King is a software engineer on the Microsoft Sentinel team, Yossi Hasson is a product manager in Microsoft Sentinel, and Martin Pankraz works with SAP integration and security.
- Introduction: Holger introduced the episode 208 of the SAP on Azure Video podcast, dated September 12th, and welcomed participants Will King, Yossi Hasson, and Martin Pankraz. He mentioned that the discussion would focus on SAP and Microsoft-related topics.
- Participants: Will King introduced himself as a software engineer on the Microsoft Sentinel team, focusing on the development of Sentinel solutions for business applications. Yossi Hasson introduced himself as the product manager in Microsoft Sentinel, leading the business applications solutions. Martin Pankraz introduced himself as working with SAP integration and security, particularly with the SAP private link on BTP and collaborating with the Microsoft product groups on their SAP integration journey.
- Overview of Microsoft Sentinel:
- Yossi Hasson provided an overview of Microsoft Sentinel, explaining it as a cloud-native SIEM solution that offers a single pane of glass for SOC analysts to detect, investigate, and respond to threats. Sentinel integrates with various data sources and provides robust capabilities for threat detection, investigation, and response.
- SIEM Solution: Yossi explained that Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) solution. It provides a single pane of glass for SOC analysts to detect, investigate, and respond to threats. Sentinel integrates with various data sources, including infrastructure, devices, users, and applications, to collect logs and detect threats.
- Capabilities: Sentinel offers robust capabilities for threat detection, investigation, and response. It allows analysts to visualize the full scope of an attack, understand its source, and take appropriate response actions. Sentinel also supports threat hunting, enabling analysts to look at collected logs and hunt for additional threats.
- Cloud-Native: Sentinel was the first cloud-native SIEM solution in the market, launched about four years ago. It has become one of the leading SIEM solutions, with many partner integrations and connectors that collect logs from various sources.
- Unified Security: In recent months, Sentinel has started consolidating its capabilities with other Microsoft security products to create a unified security operations platform (USOP). This platform includes threat intelligence, posture management, and extended detection and response (XDR) capabilities, along with AI-powered threat detection and response.
- Sentinel for SAP and BTP:
- Yossi Hasson explained that Sentinel for SAP is certified for SAP on-premises, cloud, and RISE with SAP, and it monitors SAP systems for threats. The solution has been extended to cover SAP BTP, allowing for the detection of threats in BTP environments.
- SAP Certification: Yossi mentioned that Sentinel for SAP is certified for SAP on-premises, cloud, and RISE with SAP. It provides capabilities to monitor SAP systems for various threats, such as privilege escalation and unapproved changes.
- BTP Extension: The Sentinel solution has been extended to cover SAP Business Technology Platform (BTP). This extension allows for the detection of threats in BTP environments, collecting audit logs from BTP and providing out-of-the-box detection capabilities for known threats and issues.
- Customization: Customers can build their own detections and response actions within Sentinel for SAP and BTP, making the solution highly extensible and customizable to meet specific organizational needs.
- Importance of BTP Integration:
- Holger and Martin discussed the importance of integrating BTP with Sentinel, highlighting that BTP is often the first internet-facing application connected to SAP systems. This integration allows for comprehensive monitoring and threat detection across multiple SAP solutions.
- First Internet-Facing: Martin highlighted that BTP is often the first internet-facing application connected to SAP systems, making it crucial to treat it differently from other isolated systems protected by firewalls and DMZs.
- Comprehensive Monitoring: Holger emphasized that integrating BTP with Sentinel allows for comprehensive monitoring and threat detection across multiple SAP solutions. This integration helps trace attacks across different systems, even if the initial attack is not detected.
- Customer Use: Will mentioned that many customers are ramping up their use of BTP in production, making it essential to ensure that BTP deployments are secure. Sentinel’s detection and monitoring capabilities are crucial for securing BTP environments.
- Demonstration of Sentinel Features:
- Martin and Will demonstrated various features of Sentinel, including the detection of malware in the Business Application Studio, the use of KQL for querying logs, and the creation of automated responses to security incidents. They also showcased the use of workbooks for visualizing data and monitoring activities.
- Malware Detection: Martin demonstrated the detection of malware in the Business Application Studio, a development environment in BTP. He showed how a test file with a standard antivirus test string could trigger alerts in the SAP audit log, which Sentinel can process out of the box.
- KQL Queries: Will explained the use of Kusto Query Language (KQL) for querying logs in Sentinel. KQL allows analysts to filter and analyze large amounts of data, extract fields from JSON blobs, and create visualizations and timelines for better insights.
- Automated Responses: Martin and Will showcased the creation of automated responses to security incidents in Sentinel. They demonstrated how playbooks could be used to lock and unlock users in BTP based on detected threats, integrating with SAP’s user API.
- Workbooks: Will demonstrated the use of workbooks in Sentinel for visualizing data and monitoring activities. Workbooks provide an interactive user interface to display trends, anomalous activities, and changes in user accounts, making it easier for analysts to understand and respond to security incidents.
- Onboarding and Managing Subaccounts:
- Will explained the process of onboarding and managing multiple subaccounts in BTP using Sentinel’s Codeless Connector Platform. This allows for efficient data collection and monitoring across numerous subaccounts.
- Codeless Connector: Will explained that Sentinel’s Codeless Connector Platform allows for efficient onboarding and management of multiple subaccounts in BTP. This platform eliminates the need for deploying additional resources like function apps or storage accounts, making the process simpler and more scalable.
- Subaccount Management: Will mentioned that each BTP subaccount has its own audit log instance, requiring individual connections. However, Sentinel provides an API to onboard hundreds of subaccounts quickly, facilitating large-scale management.
- Global Account: Will clarified that while the global account in BTP has its own audit log, it does not consolidate logs from all subaccounts. Therefore, both global and subaccount logs need to be connected to Sentinel for a complete view.
- Customization and Extensibility:
- Martin and Will emphasized the customization and extensibility of Sentinel, allowing customers to create their own detection rules and automated responses. They highlighted the importance of customer feedback in continuously improving the solution.
- Custom Rules: Martin and Will highlighted that customers can create their own detection rules and automated responses in Sentinel. This customization allows organizations to tailor the solution to their specific security needs and requirements.
- Customer Feedback: Martin emphasized the importance of customer feedback in improving Sentinel. The team regularly incorporates feedback to enhance the solution, adding new rules and detections based on recurring patterns and customer needs.
- Extensibility: Will mentioned that Sentinel’s extensibility allows for the integration of various security tools and platforms. Customers can build and integrate additional functionalities on top of Sentinel, making it a versatile and powerful security solution.
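The KQL walkthrough in the summary above (filtering the BTP audit log, pulling fields out of the JSON payload, and building a timeline) can be illustrated with a query like the one below. This is an added example written for this page, not a query shown in the episode or shipped with the Sentinel solution. It assumes the BTP audit log lands in a table named SAPBTPAuditLog_CL with the raw audit entry in a string column Data, and that the payload carries the fields the SAP audit log retrieval API documents (category, user, tenant, message); verify the table and column names against your own workspace schema before using it.

```kql
// Assumed table and column names; adjust to the schema in your workspace.
// Goal: count BTP security-relevant audit events per user and subaccount,
// hour by hour, and plot them as a timeline for an analyst.
SAPBTPAuditLog_CL
| where TimeGenerated > ago(7d)
// The audit entry arrives as a JSON blob; parse it once and pull the fields out.
| extend Payload = parse_json(Data)
| extend
    EventCategory = tostring(Payload.category),
    EventUser     = tostring(Payload.user),
    Subaccount    = tostring(Payload.tenant),
    EventMessage  = tostring(Payload.message)
// Keep only security events; the other BTP categories (configuration,
// data-access, data-modification) are left for other queries.
| where EventCategory == "audit.security-events"
// Optional narrowing to the anti-malware scan events the demo triggered;
// the keyword is an assumption, match it to the message text in your logs.
| where EventMessage has "malware"
| summarize
    Events    = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by EventUser, Subaccount, bin(TimeGenerated, 1h)
| order by TimeGenerated asc
| render timechart
```

Dropping the final `render` line and replacing the summarize with a threshold (for example `| where Events > 5`) turns the same query into the body of a scheduled analytics rule, which is the point at which a playbook such as the user-lock automation described above can be attached to the resulting incident.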
- 0:00 Intro
- 1:30 Introducing Will King, Yossi Hasson, Martin Pankraz
- 4:20 What is Sentinel
- 6:15 Unified security operations platform (USOP)
- 7:50 Sentinel solution for SAP Applications
- 8:50 Sentinel solution for SAP BTP
- 11:50 Microsoft as customer zero
- 13:30 SAP BTP security measures after AI Core vulnerability
- 16:05 Testing alerts with Postman
- 18:00 Incident in Microsoft Sentinel
- 21:00 Connecting to SAP BTP Subaccount
- 24:10 Looking at the logs
- 28:00 Automation rule
- 30:25 Workbooks