MartinPankraz/Security-Insights-2-Action

🕵️ Security-Insights 2 Action with SOAR 🚀 - Automatic locking of users on suspicious activity in SAP systems

Content supporting hands-on session 1 "Automatisches Sperren von Benutzern bei ungewöhnlichen Aktivitäten" @ DSAG Technology Days March 2023

Security incidents affect every company at some point. Given the threat landscape, it is not a question of if but when. According to Statista 2022, the average downtime duration increases year over year and currently sits at around 22 days. That is enough for some companies to suffer considerable damage or even go out of business. SAP systems are a prime target for cyber attackers.

The ability to detect suspicious activity automatically and react to it in a timely manner is key to reducing damage. This practice is called Security Orchestration, Automation and Response (SOAR).

🔭 Introduction

In this hands-on session you will embark on a journey to design automatic workflows based on raised security incidents from SAP S/4HANA. You will learn how to use Azure Sentinel to detect suspicious activity and how to automate the locking of users in SAP systems and Azure AD.

🧙🏾‍♀️Epic Quests

Before you go: verify prerequisites are met (backpack, lunch box, good-bye kiss, haunted jewelry, etc.)

  1. The Journey - Where will those quests take us
  2. Novice's path - Raise an incident in Microsoft Sentinel and investigate the incident details
  3. Apprentice's curious road - Understand the workflow and see the SAP user blocking in action
  4. Debutant's journey - Adjust the workflow blueprint to add the transaction code to the Microsoft Teams message
  5. Master's trail - Go all in and add Azure AD user locking

🏆Finish the final quest, collect the pass phrase, and redeem it to claim your badge 😎

Get the slide deck from here.

✨Recommended courses and further learning

Applied security science

Handy work

SAP Legacy interfaces at their best

📢Feedback

This repo encourages contributions and feedback via GitHub Issues.

🚸 Adventure Guides 🔗