SAP to Sentinel?

Hi everyone, does anyone know if there is a Sentinel integration guide for SAP? I have not found anything yet.

Thx

6 Replies

@Garfield-P

Have you looked at this? https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-syslog-cef-logstash-and-other-3rd-party/ba-p/803891  There are some SAP instructions, note it also says: "requires a SAP account".

@Garfield-P Download the SAP-SIEM Integration guide from Layer7 https://layersevensecurity.com/whitepapers/ I've also attached it to this thread.

@SAP-SIEM_Guru I don't see any dedicated Azure Sentinel SAP connector available yet?

@SAP-SIEM_Guru Is an SAP to Sentinel connector available, or can we leverage Solution Manager?

@Amit-Lal You don't need a connector. SolMan will output alerts to a log file on the SolMan host. You just need to create a custom log data source in Azure to ingest the file. Based on Azure requirements, the output can be formatted in SolMan to start each entry in the log with a timestamp in a supported format. The default file format is UTF-8, which is also supported by Azure. See https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-custom-logs

@SAP-SIEM_Guru Thanks for your response. I'm just looking for SAP audit and DB logs fetched into Azure Sentinel using the syslog connector; that is possible too, right?

@Amit-Lal Yes, the file can be converted to syslog. DB logs can also be monitored by SolMan and included in the output to Azure. This includes HANA.
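The two ingestion paths discussed in the last replies (a custom log source that needs every entry to start with a supported timestamp in a UTF-8 file, or conversion of the same file to syslog) can be sanity-checked with a small script before anything is pointed at Azure. The following is an added example written for this thread, not code from SAP, Microsoft, or any poster: the `HOST=`/`SID=`/`SEVERITY=`/`ALERT=` field layout of the sample alert lines, the two accepted timestamp formats, and the severity-to-syslog mapping are all assumptions chosen for illustration, and the sample log itself is constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample of what a SolMan alert export could look like (not real SolMan output).
# Third line deliberately lacks a leading timestamp so the check has something to flag.
SAMPLE_LOG = (
    "2020-12-15 09:41:02 HOST=sapprd01 SID=PRD SEVERITY=HIGH ALERT=Security audit log not active\n"
    "2020-12-15 09:41:07 HOST=sapprd01 SID=PRD SEVERITY=MEDIUM ALERT=Standard user SAP* has default password\n"
    "garbage line without timestamp\n"
    "2020-12-15T09:42:11Z HOST=hanadb01 SID=HDB SEVERITY=HIGH ALERT=HANA audit policy disabled\n"
)

# Two of the entry-start timestamp formats that Azure Monitor custom logs accept (assumed subset;
# check the linked doc for the full list). Each pair is (regex for the prefix, strptime format).
TIMESTAMP_PATTERNS = [
    (re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"), "%Y-%m-%d %H:%M:%S"),
    (re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)"), "%Y-%m-%dT%H:%M:%SZ"),
]

# Assumed mapping from the sample's SEVERITY values to RFC 5424 severity codes.
SEVERITY_TO_SYSLOG = {"HIGH": 2, "MEDIUM": 4, "LOW": 6}   # critical, warning, informational
SYSLOG_FACILITY = 16                                        # local0
KEY_VALUE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def is_utf8(data: bytes) -> bool:
    """True if the raw file bytes decode as UTF-8 (the encoding the custom log source expects)."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def parse_entry(line: str):
    """Return {'timestamp': datetime, 'fields': {...}} or None if no supported timestamp leads the line."""
    for pattern, fmt in TIMESTAMP_PATTERNS:
        match = pattern.match(line)
        if match:
            ts = datetime.strptime(match.group(1), fmt).replace(tzinfo=timezone.utc)
            rest = line[match.end():].strip()
            fields = {key: value.strip() for key, value in KEY_VALUE.findall(rest)}
            return {"timestamp": ts, "fields": fields}
    return None


def parse_log(text: str):
    """Split the file into accepted entries and lines that would not be recognised as entry starts.

    With timestamp delimiting, Azure would fold an unrecognised line into the previous entry;
    flagging it here lets you fix the SolMan output format instead of ingesting merged records.
    """
    entries, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        (entries if entry else rejected).append(entry or line)
    return entries, rejected


def to_syslog(entry: dict) -> str:
    """Render one parsed entry as an RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    fields = entry["fields"]
    severity = SEVERITY_TO_SYSLOG.get(fields.get("SEVERITY", "LOW"), 6)
    pri = SYSLOG_FACILITY * 8 + severity
    ts = entry["timestamp"].isoformat().replace("+00:00", "Z")
    host = fields.get("HOST", "-")
    sid = fields.get("SID", "-")
    msg = f"[{fields.get('SEVERITY', 'LOW')}] {fields.get('ALERT', '')}"
    return f"<{pri}>1 {ts} {host} solman - {sid} - {msg}"


def convert(text: str):
    """Full path: validate the file, then return the accepted entries as syslog lines."""
    entries, _ = parse_log(text)
    return [to_syslog(e) for e in entries]


if __name__ == "__main__":
    print("utf-8 ok:", is_utf8(SAMPLE_LOG.encode("utf-8")))
    accepted, bad = parse_log(SAMPLE_LOG)
    print(f"{len(accepted)} entries accepted, {len(bad)} line(s) without a supported timestamp: {bad}")
    for line in convert(SAMPLE_LOG):
        print(line)
```

Run it against a real export by reading the file as bytes, checking `is_utf8` first, then passing the decoded text to `parse_log`; a non-empty `rejected` list means the SolMan output format still needs adjusting before a timestamp-delimited custom log source will split entries correctly.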
