SAP systems are the backbone of many organizations, including public administration. They manage financial flows, control procurement processes, and ensure smooth operations. At the same time, studies show that around 4% of employees are willing to act against their own organization, making SAP systems not only a target for external attacks but also vulnerable to insider threats. This highlights the necessity of monitoring for both unauthorized external access and suspicious internal activities.
The challenge at hand: Many companies and government agencies already have extensive security solutions in place, yet SAP often remains a blind spot. This is where our work comes in. The goal was to provide our customers full security visibility for their SAP systems. We achieved this with our comprehensive SAP Security Monitoring & Threat Detection – not as a theoretical concept, but as a practical, implementable solution using our expertise and SAP-certified Addon and Microsoft Sentinel as SIEM.
Why SAP Security Monitoring Is More Important Than Ever
We observe many SAP customers that already have various security solutions in place, but there is still a significant gap when it comes to SAP. Very few organizations monitor the SAP application layer for critical events, even though almost everyone would agree that SAP is a business-critical application.
Why is that? For a long time, integrating SAP into a SIEM was technically complex. The maturity of solutions was insufficient, there was no regulatory pressure, and CISOs were hesitant to impose security requirements on SAP teams. However, we now see a clear shift: More and more organizations are asking themselves how they can integrate SAP into their SIEM, bringing visibility where there was once darkness and ensuring that SAP is no longer a blind spot in their Security Operations Center (SOC).
The Path to Secure SAP Monitoring
The Swiss Federal Administration operates a complex SAP landscape essential for many business-critical processes. The SUPERB program, based on SAP S/4HANA, plays a central role in standardizing and optimizing administrative processes within the Swiss government. These systems manage financial accounting, human resources, and procurement processes – any failure or compromise would have serious consequences.
From Concept to Reality
Our first step was integrating SAP logs into Microsoft Sentinel. This was not just about collecting data but also interpreting it correctly.
What kinds of events indicate potential threats?
- Privilege escalations, where a user suddenly gains extensive access?
- Misconfigured systems, which open attack vectors?
- New, unusual user behavior that suggests a potential compromise?
Together with the IT security experts from the Federal Administration, we implemented a set of rules to identify suspicious activities. Using Kusto Query Language (KQL), we were able to specifically search for patterns indicating unauthorized access or suspicious activities.
We implemented this project using our SAP-certified SAP-to-Sentinel connector and adopted a structured approach to integrating SAP logs into Microsoft Sentinel. Instead of an abrupt rollout, we implemented the connection in five waves, each consisting of five sprints, to ensure a smooth transition. Each sprint introduced approximately 20 new detection rules, enabling us to systematically monitor for potential threats such as privilege escalations, misconfigured systems, and unusual user behavior that could indicate a security compromise.
Once data integration was successful, the next crucial step was automation. With Microsoft Sentinel, we were able to create playbooks that automatically triggered alerts and even initiated the first response measures when anomalies were detected. An unexpected administrator login in the middle of the night? A ticket is automatically sent to the incident response team. Multiple failed login attempts from an unknown IP address? The affected account is immediately locked.
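The two automations described above (an administrator logon outside business hours raising a ticket, and repeated failed logons from an unknown IP address locking the account) as a runnable illustration of the detection logic. This is an added example, not code from the original post, the connector or Microsoft Sentinel; in practice the rules are KQL over the connector's tables and the response is a Sentinel playbook. The record fields (`ts`, `user`, `event`, `ip`, `is_admin`), the known-IP prefixes, the business-hours window and the threshold of five failures in ten minutes are all assumptions, and the log records are constructed for the example.

```python
"""Detection logic over constructed SAP-audit-style logon records.

Added example; not the post's, the connector's or Sentinel's own code.
Field names, thresholds and address ranges are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real SAP Security Audit Log output).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:13:00", "user": "DDIC",     "event": "LOGON_OK",   "ip": "10.0.5.7",     "is_admin": True},
    {"ts": "2024-03-01T09:05:00", "user": "JSMITH",   "event": "LOGON_OK",   "ip": "10.0.8.21",    "is_admin": False},
    {"ts": "2024-03-01T10:00:00", "user": "SAPADM2",  "event": "LOGON_OK",   "ip": "10.0.5.8",     "is_admin": True},
    # five failures in four minutes from an address outside the known ranges
    {"ts": "2024-03-01T11:40:00", "user": "JSMITH",   "event": "LOGON_FAIL", "ip": "203.0.113.9",  "is_admin": False},
    {"ts": "2024-03-01T11:41:00", "user": "JSMITH",   "event": "LOGON_FAIL", "ip": "203.0.113.9",  "is_admin": False},
    {"ts": "2024-03-01T11:42:00", "user": "JSMITH",   "event": "LOGON_FAIL", "ip": "203.0.113.9",  "is_admin": False},
    {"ts": "2024-03-01T11:43:00", "user": "JSMITH",   "event": "LOGON_FAIL", "ip": "203.0.113.9",  "is_admin": False},
    {"ts": "2024-03-01T11:44:00", "user": "JSMITH",   "event": "LOGON_FAIL", "ip": "203.0.113.9",  "is_admin": False},
    # four failures from an unknown address: below the threshold, no action
    {"ts": "2024-03-01T14:00:00", "user": "MMUELLER", "event": "LOGON_FAIL", "ip": "198.51.100.4", "is_admin": False},
    {"ts": "2024-03-01T14:01:00", "user": "MMUELLER", "event": "LOGON_FAIL", "ip": "198.51.100.4", "is_admin": False},
    {"ts": "2024-03-01T14:02:00", "user": "MMUELLER", "event": "LOGON_FAIL", "ip": "198.51.100.4", "is_admin": False},
    {"ts": "2024-03-01T14:03:00", "user": "MMUELLER", "event": "LOGON_FAIL", "ip": "198.51.100.4", "is_admin": False},
    # six failures from a known internal range: a typo-prone user, not this rule's concern
    *[{"ts": f"2024-03-01T15:0{i}:00", "user": "RKELLER", "event": "LOGON_FAIL", "ip": "10.0.9.3", "is_admin": False}
      for i in range(6)],
]

KNOWN_IP_PREFIXES = ("10.", "192.168.")       # assumed internal ranges
BUSINESS_HOURS = range(7, 20)                 # assumed 07:00 to 19:59 local time
FAILED_LOGON_THRESHOLD = 5                    # assumed
FAILED_LOGON_WINDOW = timedelta(minutes=10)   # assumed


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_off_hours_admin_logons(events):
    """Successful administrator logon outside business hours: open an IR ticket."""
    hits = []
    for e in events:
        if e["event"] == "LOGON_OK" and e["is_admin"] and _ts(e).hour not in BUSINESS_HOURS:
            hits.append({"rule": "admin_logon_off_hours", "user": e["user"],
                         "ts": e["ts"], "action": "open_ir_ticket"})
    return hits


def detect_failed_logons_unknown_ip(events):
    """At least THRESHOLD failed logons for one (user, ip) within WINDOW,
    where the ip is outside the known ranges: lock the account."""
    failures = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["event"] == "LOGON_FAIL" and not e["ip"].startswith(KNOWN_IP_PREFIXES):
            failures[(e["user"], e["ip"])].append(_ts(e))
    hits = []
    for (user, ip), times in failures.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > FAILED_LOGON_WINDOW:
                start += 1
            if end - start + 1 >= FAILED_LOGON_THRESHOLD:
                hits.append({"rule": "failed_logons_unknown_ip", "user": user, "ip": ip,
                             "count": end - start + 1, "action": "lock_account"})
                break                          # one alert per (user, ip) is enough
    return hits


def run_rules(events):
    """Evaluate all rules and return the list of alerts with their response action."""
    return detect_off_hours_admin_logons(events) + detect_failed_logons_unknown_ip(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The "known IP range" exclusion is what keeps a user mistyping a password at their own desk from being locked out by a brute-force rule; in Sentinel the same idea is expressed with a watchlist of internal ranges joined into the KQL query, and the lock step runs as a playbook rather than inline.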
We also placed particular emphasis on monitoring not only the SAP S/4HANA application server but also the HANA database. This ensured that both the application layer and the underlying data storage were protected – a crucial advantage over traditional solutions.
SAP Security Monitoring at the Cutting Edge
The results speak for themselves: SAP systems are now monitored just like all other business-critical applications. What was long considered a blind spot in the Security Operations Center (SOC) is now fully integrated. By connecting to Microsoft Sentinel, SAP security can finally be monitored with the same modern tools and methods already standard in other areas.
A key component of this success was the use of our proven SAP-specific detection rules for Sentinel. These rules are the result of our team's combined decades of experience in SAP security, and we continuously optimize and expand them. Since they are identical for all SAP systems, the Federal Administration was able to benefit from an already established, robust solution instead of reinventing the wheel. These rules enable precise identification of security-critical events and significantly reduce false alarms. Throughout the project, it became evident that close collaboration between SAP and security teams is essential. This is the only way we could ensure that the right data was captured, processed, and used effectively. Ultimately, this project was more than just a technical implementation – it represented a shift in how SAP security should be handled.
Conclusion:
The integration of SAP into Microsoft Sentinel has shown that real-time analysis is no longer optional but should be a given. Cyberattacks are becoming more sophisticated, and organizations can no longer afford to react only after threats have materialized. Those who truly want to protect their business-critical systems should not wait for the next security incident but should act now by implementing centralized monitoring. The Swiss Federal Administration has taken this step – and now benefits from significantly greater transparency and response speed.