[Deprecated] SecurityBridge Threat Detection for SAP connector for Microsoft Sentinel
Important
Log collection from many appliances and devices is now supported by the Common Event Format (CEF) via AMA, Syslog via AMA, or Custom Logs via AMA data connector in Microsoft Sentinel. For more information, see Find your Microsoft Sentinel data connector.
SecurityBridge is the first and only holistic, natively integrated security platform, addressing all aspects needed to protect organizations running SAP from internal and external threats against their core business applications. The SecurityBridge platform is an SAP-certified add-on, used by organizations around the globe, and addresses the clients’ need for advanced cybersecurity, real-time monitoring, compliance, code security, and patching to protect against internal and external threats.This Microsoft Sentinel Solution allows you to integrate SecurityBridge Threat Detection events from all your on-premise and cloud based SAP instances into your security monitoring.Use this Microsoft Sentinel Solution to receive normalized and speaking security events, pre-built dashboards and out-of-the-box templates for your SAP security monitoring.
This is autogenerated content. For changes, contact the solution provider.
Connector attributes
| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | SecurityBridgeLogs_CL |
| Data collection rules support | Not currently supported |
| Supported by | Christoph Nagy |
Query samples
Top 10 Event Names
SecurityBridgeLogs_CL
| extend Name = tostring(split(RawData, '
|')[5])
| summarize count() by Name
| top 10 by count_
Vendor installation instructions
Note
This data connector depends on a parser based on a Kusto Function to work as expected. Follow these steps to create the Kusto Functions alias, SecurityBridgeLogs
Note
This data connector has been developed using SecurityBridge Application Platform 7.4.0.
- Install and onboard the agent for Linux or Windows
This solution requires logs collection via an Microsoft Sentinel agent installation
The Sentinel agent is supported on the following Operating Systems:
Windows Servers
SUSE Linux Enterprise Server
Redhat Linux Enterprise Server
Oracle Linux Enterprise Server
If you have the SAP solution installed on HPUX / AIX then you will need to deploy a log collector on one of the Linux options listed above and forward your logs to that collector
Configure the logs to be collected
Configure the custom log directory to be collected
- Select the link above to open your workspace advanced settings
- Click +Add custom
- Click Browse to upload a sample of a SecurityBridge SAP log file (e.g. AED_20211129164544.cef). Then, click Next >
- Select New Line as the record delimiter then click Next >
- Select Windows or Linux and enter the path to SecurityBridge logs based on your configuration. Example:
- '/usr/sap/tmp/sb_events/*.cef'
NOTE: You can add as many paths as you want in the configuration.
After entering the path, click the '+' symbol to apply, then click Next >
Add SecurityBridgeLogs as the custom log Name and click Done
Check logs in Microsoft Sentinel
Open Log Analytics to check if the logs are received using the SecurityBridgeLogs_CL Custom log table.
NOTE: It may take up to 30 minutes before new logs will appear in SecurityBridgeLogs_CL table.
Next steps
For more information, go to the related solution in the Azure Marketplace.