![]() The true power lies in the correlation of multiple signals in addition to the ACSS metadata leading to the event of the SAP Collector being “blinded”įig.4 Screenshot from Sentinel security video series about multi-staged attacks to SAP Will get into details once it gets more widely available. This suggested remediations (see fig.2) are a natural fit for the upcoming Microsoft Security Copilot. Hit the corresponding button (see lower section on above screenshot) to trigger an automatic restart of the VM.įig.3 Screenshot of Sentinel Collector VM restart logic The simplest option addresses the possible process glitch on the Collector VM. Let the community know what additional remediation paths you would like to see here. This is customizable according to your needs. What else would you like to see here? Reach out or let me know in the comments.įig.2 Screenshot of adaptive card with Sentinel’s SAP incident in Microsoft TeamsĪs per the inferred info from the various sources, the playbook suggests a couple of options to remediate the situation. Integration with the SharePoint list using the SID known to Sentinel enables you to enhance the presented flow further. See here how to communicate SAP maintenance via Microsoft Teams in an interactive way. In case the Collector or SAP would have been down, the likelihood of attack gets set to low with the suggestion to double check and investigate further through Sentinel, since this likely a planned maintenance or an outage. See here how to register your SAP system with ACSS and be ready for upcoming out of the box integrations. ![]() Up to you to configure this as “high” or “ OMG run for your lives” based on how likely you think that is in your landscape. After all there is still a little chance that someone unintentionally performed a breaking user setup change. That causes the playbook to raise the attack likelihood based on the alert “RFC LOGON FAILURE” to medium. In the scenario depicted in fig.1 the Sentinel Collector for SAP is healthy while SAP is running fine too. But you may customize yourself to whatever scenario you need. The playbook is wired to listen to the pre-built Sentinel alert “ SAP – Data collection health check”. The Azure Center for SAP Solutions provides a set of managed APIs to query such info in a scalable and secure way. The provided playbook posts an adaptive card to Microsoft Teams with a color-coded message scoring the likelihood of an attack based on the signals coming from the Sentinel Collector for SAP, and the SAP system state. Stay tuned – Azure Center for SAP solutions (ACSS) comes to the rescue□□⛑️ to wade through the false positives and emphasize the impactful true positives.įig.1 Overview remediation workflow for the Sentinel Collector attack scenario powered by ACSS Cyber-attacks require the quickest possible reaction How about regular SAP or Sentinel Collector VM maintenance? How do we distinguish between normal operations and actual attacks? ![]() Today you will see an automated response flow to deal with that situation. Now, what if the SAP RFC user to collect the audit log info gets locked, deleted, or disabled in any other way too?Īt that point you are fully blind and might not even get the audit-log deactivation message anymore if the attacker is fast. In part 3 we discussed malicious deactivation of the SAP audit log. There are various problematic attack vectors for SAP backends, but only a few are as severe as losing access to the SAP audit log from your security tooling. □□back to blog series or to GitHub repos with ready-to-run playbooks. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |