![]() ![]() It is up to you to employ this extra step or act automatically and ask for forgiveness afterwards □įig.1 Sentinel card with SAP incident in Microsoft Teams offering user block scenariosĪs you can see above our guinea pig user Nestor had the audacity □ to open SAP transaction SE80. Hence, there is the out-of-the-box option on the playbook template provided by Sentinel for a Microsoft Teams driven approval process. □ Note: See this video for a small detour to gain a broader overview of multi-staged attacks with file download from SAP and investigation hints identifying hacker groups.Īs part of the security signal triage process, you may choose to kick out □□♂️ □ this problematic user from ERP, SAP Business Technology Platform, or even Azure AD – a little drastic you might say. Sentinel warns us about this suspicious behavior by triggering an incident which we need to investigate further! Imagine a scenario where your SAP system is being targeted in an attackĪ user attempted to execute a sensitive transaction within SAP, triggering a detection on Sentinel. That brings down the integration effort even further □ Yes, you heard that right – configuration only! No development needed. Today’s post showcases the end-to-end scenario using a playbook that is being shipped by the SAP solution in Microsoft Sentinel right away. So, it can monitor and analyze security events in real-time while automating incident response workflows to improve the efficiency and effectiveness of security operations. As you might know from the previous post: Sentinel functions both as a Security Information and Event Management (SIEM) tool and SOAR solution. SOAR is short for Security Orchestration, Automation, and ResponseĪnd refers to acting on security signals. I am building upon the prior blog posts about SAP and SOAR by Amit Lal and Naomi Christis that leveraged the same user blocking scenario but used a gateway component for on-premises connectivity, SAP RFC interface, and GitHub hosted sources for the automation. We will get back to that later, no worries. By the way, SOAR doesn’t have anything to do with fireworks rising into the night sky – just saying, for those of you who guessed the correct artist but wrong pop song. Now you’re stuck with that educational jingle like I am. 'Cause I am a champion, and you're gonna hear me SOAR I'm roaring with confidence my business is guaranteed to succeed! With automation and response at lightning speed, My ERP's on lock, my data's out of sight! Microsoft Sentinel's got my back, every day and night, Can you guess which one? I used to run scared from every cyber threat,īut now I'm standing strong with SOAR and SAP, you bet! To get into the right mood, read below lyrics inspired by a famous pop song. But we are here mostly for the kicking □□. As a byproduct to that rewarding experience your landscape becomes more secure. ![]() ![]() This blog has you covered with all the steps required to start kicking □□♂️ compromised users. □□back to blog series or to GitHub reposĪre you ready to learn how to apply plug-and-play automation to block compromised SAP users based on suspicious activity on SAP RISE, SAP ERP, Business Technology Platform, and Azure AD?
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |