SAP Community - Martin Pankraz

Re: ABAP to Microsoft EWS

2024-01-31T11:51:01.349000+01:00

Always good to hear back you were able to solve and how @jakob_steen-petersen 🙂 did you consider using or at least getting inspired from the ABAP SDK for Azure to integrate with Microsoft Graph API? If not, why?

Also want to make you aware we keep our docs for the support auth setup for Exchange Online and SAP here.

KR Martin

Re: How to connect with "Microsoft Power Apps" or "Micros...

2024-02-28T09:00:03.891000+01:00

Hi @koide_yuya,

PowerApps interactions triggered by Buttons etc will point at PowerAutomate flows. From there you are free to trigger iFlows on Integration Suite as you like using the plain http connector for instance (push-based scenario). On PowerAutomate you may also retrieve the info from your app or do additional pulls from Dataverse that you want to pass along to your iflow.

SAP Open Connectors would be needed for pull-based scenarios from your iFlow.

Let the community know what you decided in the end.

Cheers Martin

Re: How to connect with "Microsoft Power Apps" or "Micros...

2024-03-04T11:41:56.119000+01:00

Yes, for the "push" you directly point at Integration Suite. Up to you if you need to front it with SAP APIM. For pull-based you may use the Dataverse Web API. That is plain OData and can be called with SAP's standard oData connector. No need for OpenConnectors. Alternatively, use Azure Data Factory to move the data from Dataverse to SAP

Re: Open your SAP OData APIs for some swagger – or how to make friends with the other kids from the

2024-03-04T17:10:29.904000+01:00

Hey @papsoc,

In case your chosen CA is not “well-known”, you need to also upload the intermediary and root certificate to APIM. Have a look at my other blog post subsection "Add the pfx file to Azure API Management" for more details. Also verify your APIM tier. Certificate-validation is not support in Consumption tier for instance.

Let me know if that fixes your 401.

KR Martin

Re: Open your SAP OData APIs for some swagger – or how to make friends with the other kids from the

2024-03-06T09:19:03.466000+01:00

Hey @papsoc,

1. Hard for me to tell from afar. You need to have the whole chain that sits on top of your client leaf certificate in C4C available in Azure APIM as CA certificate and the client cert for C4C on the "Certificates" section.

2. No won't work. How about you swap from Consumption to Developer tier? With Azure free credits you will be able to perform your validation at no cost.

KR Martin

Re: IAS is mandatory for customers with Microsoft Azure S...

2024-03-11T07:59:39.888000+01:00

We describe our best practices for the scenarios on the Microsoft docs here: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration

Re: IAS is mandatory for customers with Microsoft Azure S...

2024-03-11T08:01:10.336000+01:00

We describe our best practices for the scenarios of integrating SAP IAS and Entra ID (formerly Azure AD) on the Microsoft docs here: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration

Re: SAP Connector for .NET Framework 5.0 and higher

2024-03-20T16:09:51.541000+01:00

Hi @KentP,

SAP is tracking the item as influencing request. Engineering will make an update to give more clarity on timeline.

KR Martin

Re: Simplify SSO with Microsoft Entra ID (Azure AD) & SAP Identity Authentication Service

2024-03-22T08:56:16.855000+01:00

Thanks for sharing @PolySonika. I'd like to add the reference to the best-practices guide for Entra ID (formerly Azure AD) with SAP IAS. Find it on Microsoft Learn here.

Re: SAP application slow after Microsoft Defender was installed on server

2024-03-27T09:39:05.160000+01:00

@Syamkriz Please have a look at Microsoft's dedicated guidance for Defender for Endpoint on SAP hosts:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mde-linux-deployment-on-sap

https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268

Re: Provision users from Microsoft Azure AD to SAP Cloud Identity Services - Identity Authentication

2024-04-02T09:53:38.724000+02:00

Hey @tskwin,

Have a look at the Microsoft learn page for our recommendations on Entra ID with SAP IAS. Note on the side: Be aware SAP recommends SAP IDM customers to migrate to Entra ID. Meaning the already deep integration between both ecosystems will increase even more over time.

KR Martin

Re: Provision users from Microsoft Azure AD to SAP Cloud Identity Services - Identity Authentication

2024-04-05T09:27:20.407000+02:00

Hey @tskwin,

not sure what your requirements are. If you need to synch groups you require SAP IPS. The mechanism described on our docs before is about mapping based on attributes like groups but actually re-creating them on the SAP side.

In general, like with any integration project, less redundancy and a single source of truth is beneficial.

KR Martin

Re: Single Sign On to SAP Cloud Integration (CPI runtime) from an external Identity Provider

2024-04-11T08:59:38.676000+02:00

Thank you for sharing @vinayak_adkoli! I am curious what scenarios require a people-based interactive authentication flow for CPI. Shouldn't this be solved on app layer rather than the iflow? SAP Principal Propagation would then be achieved through token exchange on CPI level.

It has never been easier to print from SAP with Microsoft Universal Print

2024-04-16T17:06:26.850000+02:00

👉🏿back to Microsoft Learn or jump to GitHub repos🧑🏽‍💻

Dear community,

Printing from SAP is rarely discussed with all the SAP S/4HANA cloud migration chatter, AI bliss, and sustainability efforts to avoid printing at all (don’t print this blog post😈). For some of you it is similarly mission critical, nevertheless.

For instance, consider a manufacturer that needs to print and attach labels to their products before they leave the factory. In case of disruption delivery is halted! It can be equally bad as an ERP outage.

Printer management and driver software maintenance for the different vendors are among the causes of headaches. Anyone emotionally attached to print servers💖? I hope not…

Those days are gone now – you will see the future with cloud printing and Microsoft Universal Print today! No more print servers!

Crowd🎉: Yes, and no more laser cartridge changes or replenishing paper stacks!

Don’t be ridiculous! Of course, you will still change cartridges and replenish paper! Till the robots come at least.

However, the drivers, print servers, and complicated setups are gone 😊And yes, it works with RISE, GROW, Azure, other hyperscalers, on-premises, and even down in your dark cellar where the poor “Raspberry Pies” are ticking away legacy integrat📱 if they have Internet uplink.

Enabling your SAP Business Users (Frontend Printing)

SAP front-end printing sends an output to a printer available for the user on their front-end device. In other words, a printer accessible by the operating system. The same client computer runs SAP GUI, or a browser (Fiori, BTP apps, WebGUI, you name it). To use Universal Print, you need to have access to such printers.

Client OS with support for Universal Print
Add Universal Print printer to your Windows client
Able to print on Universal Print printer from OS

See the Universal Print documentation for details on these prerequisites.

Find more details on the overall setup for SAP on the dedicated Microsoft Learn page.

Enabling unattended SAP processes (Backend Printing)

SAP offers the standard OData service as “Print Queue Item - Read (A2X)” to enable 3rd party integration with SAP Print Queues. You will see the term: Output Management Systems (OMS) being referenced on other SAP sources and docs entries.

In collaboration with SAP SE the capabilities of the communication scenario SAP_COM_0466 “Printing - Pull Integration” were made available to SAP NetWeaver SAP_BASIS releases 757 and upwards. Have a look at the SAP docs to which ERP releases the components apply 😊At the time of publishing this blog that would be S/4HANA 2022 and upwards.

See the SAP note “3420465 – Print queues in on-premise systems” to learn more about how to enable on your own SAP system.

Given the above preparations you are ready to integrate the SAP print queues with the Microsoft Graph API that powers Microsoft Universal Print. To get you started we shipped an open-source project on GitHub. For ease of use, and CI/CD best practices, the app is terraform enabled. But of course, you could also deploy manually if needed.

fig.1 Architecture Overview

Kick-off your SAP backend print process however you prefer with SAP standard means (print function on SAPGUI screens, Spool requests etc.). The simplest means for an integration test would be printing the ALV screen from transaction SP02. Find the print button and choose your new print queue as Output Device.

fig.2 Screenshot of test print from SAP transaction SP02

Note on the side: The new output device of type “Q: print via print queue” can be maintained from transaction SPAD. Find the setting under “Access Method -> Host Spool Access Method”.

On SAP S/4HANA Cloud Public Edition tenants that ship Fiori apps or don’t offer SAPGUI access anymore use the app “Maintain Print Queues” and trigger “Create Test Page

fig.3 Screenshot of Fiori app "Print Queue" to trigger test page print

Our function app on Azure takes care of pulling the SAP print queue items, mapping the queues to your targeted Microsoft Universal Print cloud printer, securely managing the required credentials + identities, and handling robust upload of the print queue items to the cloud.
Once your output device reports back to Universal Print, the app notifies the SAP print queue on NetWeaver about a successful print via OData again. This way the integration and status tracking work end-to-end.

As a result, you will be greeted with a physical hard copy of a test page like this:

fig.4 Screenshot of printed test page

Depending on your needs, the Azure services can be injected into isolated private virtual networks next to the SAP system for instance. Use Azure ARC to deploy on-premises or to other hyperscalers.

Not too bad, huh? 😎

Find the latest deployment instructions, SAP specific FAQ, and community discussion on our GitHub repos. Your contributions are more than welcome!

For general FAQ on Universal Print see Microsoft Learn. In case you are looking to integrate special label printers have a look here.

Thoughts on production readiness

Most print device manufacturers already support Microsoft Universal Print. If they don’t yet, check Microsoft’s Universal Print connector to make them compatible.

Looking for front end printing for SAP on MacOS? Here you go.

Availability from SAP NetWeaver SAP_BASIS releases 757 and upwards ensures decent coverage for more recent SAP ECC and S/4HANA installations 😊

Universal Print relies on the Microsoft Graph API and the components involved in the integration use Azure PaaS services that power various mission critical workloads like O365 and M365 worldwide.

See the latest info on SLA here.

You are all set for prime time with cloud printing with SAP🚀

Partner solutions

SAP and Microsoft partners offer packaged solutions or even managed service offerings for SAP printing. See below initial list to get started.

DOM-Zone from BLUE-ZONE
RISE ONE from All for One Group
Universal Print integration with SAP using SAP Cloud Integration from Kangoolutions

By no means is the list complete. Anyone else looking to be listed or referenced, please leave a comment, or contact me directly.

Final Words

That’s a wrap 🌯you saw today how you can simplify your printing from SAP, reduce the device management overhead, and get rid of the need for print drivers.

Cloud printing for SAP with Microsoft Universal print is applicable to your SAP Business Users (called frontend printing) from their own devices and browsers just as they are used to.

For your SAP backend jobs and SAP’s standard OData API a community-driven open-source integration component is offered on GitHub. Check the Azure marketplace, SAP store, and partner repositories for updates on partner offerings. Above list of partner solutions could get you started.

Let us know what you think and feel encouraged to participate in the community effort🙌.

Partners are welcome to reach out to build a marketplace or managed offering.

Last but not least: thank you to @timo_straub1 and amazing team for the great collaboration🙏

Cheers

Devansh and Martin

Govern SAP APIs living in various API Management gateways in a single place with Azure API Center

2024-04-26T12:33:48.591000+02:00

Find the GitHub repos associated with this post on Azure API Center here.

Our engineering friends from SAP Integration Suite– in particular @Chaim_Bendelac – published a nice “sister blog” on supporting Azure API Management with the API Management capability of SAP Integration Suite here.

Dear community,

Many of you are heavily invested in APIs regarding your SAP ecosystem and the rest of your IT real estate. Given the integration specialization in the SAP space companies decide to use more than one integration tool to cater for SAP and non-SAP integrations. Gartner even says that 75% will use at least two different ones. For many of you that means SAP Integration Suite plus one for non-SAP.

Due to the fast-paced growth of APIs within organizations, inventory, governance, security, and management cannot keep up. The resulting fragmentation and inconsistency lead to adoption challenges, project delays, and security risks. Postman’s State of APIs report 2023 shows that API security incidents happen frequently.

These challenges are summed up under the term “API Sprawl” by the industry. Beware the API sprawl monster is upon you!

fig.1 Illustration of API Sprawl challenge

Key to survival is automatic discovery of available APIs and a single place to enforce guidelines from, or at least know these unmanaged APIs exist in your estate. Forgotten APIs are low hanging fruit for attackers. To drive home that argument: “Improper Inventory Management” made the OWASP top 10 list for API Security in 2023.

Besides that on the human side of things: Which developer likes to develop duplicate functionality just because of the lack of shared API inventory to discover existing stuff?

The API Sprawl monster🦖 much hungry! “Nomnom nomnom more food, yes more food!”.

Azure API Center embarked on the journey of taming the monster.

What API solutions can be registered to Azure API Center?

Azure API Center applies to any API and any API management solution out there. Always remember that API Center is not an API Gateway! It doesn’t expose the endpoints or apply policies to them. That stays with the API Management provider. API Center makes them discoverable and allows decorating APIs with additional info to improve governance.

Let that sink in.

My colleagues are building integrated experiences for the most interesting API and integration tool providers. However, API-based registration in API Center will always be possible.

Get it? APIs to register APIs to register APIs ... yah maybe to complicated for a joke.

fig.2 Azure API Center solution coverage overview

The focus of this blog post will be on inventorying APIs hosted by the API Management capability of SAP Integration Suite to mitigate SAP API sprawl. However, the approach described is applicable to all the other SAP APIs out there hosted on SAP Gateway, SAP Graph, SAP CAP, SAP RAP, CloudFoundry, Kyma, etc. too.

Another prominent SAP service would be SAP Cloud Integration (formerly CPI – Cloud Platform Integration). Many of you expose APIs internally or to business partners through SAP integration flows without fronting them with an API Management solution – you know who you are 😉. Those can be registered too. Unfortunately, there is no built-in option to retrieve the definition of such an endpoint. You may generate an API definition for your http trigger using payload samples for instance. I found this repo useful to get an overview on how to generate OpenAPI definitions from JSON payloads.

Even if you don’t, putting the available metadata on the Azure API Center inventory still improves discoverability and enterprise-wide governance by magnitudes.

But now on to SAP API Management.

Automagically registering SAP API Management APIs on Azure API Center

Our starting point is the SAP BTP service apimanagement-devportal. Check SAP’s docs on the setup process here. Make sure you don’t mistakenly choose apimanagement-apiportal.

The API “API Business Hub Enterprise - Discovery Service (CF)” enables querying all available APIs hosted on SAP API Management on that subaccount. It holds info about their OpenAPI definitions.

Authenticate on the service with any of the supported authentication mechanisms. I chose OAuth2 client credentials grant (instance secret – without payload).

See below response from “/apidiscovery/v1/apis” from my SAP BTP sandbox environment. Pay attention to the attributes of “apiDefinitions” and values for “oas-json”.

{
"@odata.context": "$metadata#apis",
  "value": [
    {
      "name": "GWSAMPLE_BASIC",
      "title": "GWSAMPLE_BASIC",
      "version": "1",
      "lastUpdated": "2024-01-24",
      "releaseStatus": "PUBLIC",
      "protocol": "ODATAV2",
      "entryPoints": [
        {
          "name": "GWSAMPLE_BASIC",
          "type": "PROD",
          "url": "https://msftapim.test.apimanagement.eu10.hana.ondemand.com:443/GWSAMPLE_BASIC"
        }
      ],
      "apiDefinitions": [
        {
          "type": "oas-json",
          "url": "https://eu10devportal.cfapps.eu10.hana.ondemand.com/odata/1.0/data.svc/APIMgmt.APIResourceDocumentations('2797A5F5-E18A-4FCC-826A-C833845303F5')/content/$value"
        },
        {
          "type": "edmx",
          "url": "https://msftapim.test.apimanagement.eu10.hana.ondemand.com:443/GWSAMPLE_BASIC/$metadata"
        }
      ]
}

For your convenience we have provided a sample repo that runs Infrastructure-as-Code scripting to register the SAP APIs using their OpenAPI definitions as highlighted above. On each SAP API definition we execute registration requests on Azure API Center.

You may also use Postman, or SAP Build Process Automation etc. to execute the REST API calls if you prefer. Find our collection here.

fig.3 Flow of automated API registration in Azure API Center

Discover all your APIs where you code – see VS Code and GitHub Copilot in action

We developers like to stay within our flow. So, having the API inventory available at my fingertips in VSCode is a good step into that direction. Also generating http requests to poke around the service and API clients is nice 😎Kiota supports a multitude of languages for SDK generation.

To get that going install the Azure API Center portal VSCode extension.

fig.4 Screenshot of VSCode extension with example OpenAPI definition

Please note that the authorize button (and respective authentication scheme) on the OpenAPI definition explorer is only available if present on the definition file. It looks like this for Basic Auth:

fig.5 Screenshot of auth definition in example OpenAPI spec for SAP OData service

When using the http file and the REST client extension of your choice, you may simply provide the authentication header with Bearer token etc.

Next to the Azure API Center extension view before, you can also use GitHub Copilot Chat to query available APIs from API Center. See Microsoft Learn for more samples. You may search for APIs by key words like so:

@apicenter /search business-partner

Cherry on the cake 🍰is the API Center portal for the classic developer portal experience across your whole registered API inventory wherever that is.

fig.6 Screenshot of Azure API Center portal API inventory view

So far so good on registering APIs and working off the info their definitions provide. But how about governance? I know how desperately everyone wants to plaster cost centers, line-of-business info, and security labels on your interfaces. 😏

Enforced API metadata is your second line of defense against API sprawl

In addition to simply registering APIs you may add custom properties to the object on Azure API Center. So, even if the info is not present on the API itself you can still govern it from Azure. See below sample that I created from the Microsoft Learn tutorial.

fig.7 Screenshot of Azure API Center metadata maintenance view

Knowing which APIs are public facing is useful, isn’t it?

For everyone looking for more sophisticated security with less human error surface, have a look at Defender for APIs. I like the alert rule for “un-authenticated APIs” and disabling endpoints that were not used in the past 60 days most – wait what? Those exist out there in the wild west of SAP on the Internet? 😲See the open-source automatic remediations repos here to mitigate for Azure API Management.

Defender for API integration with 42Crunch brings API security testing and hardening to your CI/CD pipeline.

API Linting gets you to the next level

OK, now let’s look at API style guide compliance. Is everyone playing by your rules? How do you make sure developers notice violations already during design phase rather than at later stages of deployment, release, or even months after the fact when audited?

Good automatic API linting creates much less hassle for everyone in the long run, less cost to fix API definitions after the fact, improved security posture, and a more rewarding experience for the people involved. See below video on the setup of the linting function for OpenAPI using Spectral linting engine.

Anyone aware of a great OData linter and would be curious to explore? Please share!

Get more details on API Linting for Azure API Center from this Microsoft Learn article.

Thoughts on production readiness

Azure API Center is in public preview but due for General Availability with the next wave of announcements, so completely ready for prime time. The same is true for the VS Code extensions and APIs used to orchestrate the integration between SAP API Management and Azure.

Intentionally registering APIs from SAP to Azure API Center improves API inventory management by magnitudes. However, shadow inventory thrives in places you don’t actively look. To mitigate even more effectively the team is building automated discovery from your GitHub org, Azure DevOps, and other popular sources.

SAP Fiori tools on VSCode provided by SAP SE enable usage of the approach described in this blog out of the box. The same is true for SAP CAP development in VSCode.

Final words

That’s a wrap🌯. You saw today how you can effectively counter API sprawl and its negative side effects that put your APIs and organizations at risk. A primary means to achieve that is creating a central API inventory hosted on all the different API Management solutions out there with Azure API Center.

This blog showed how to achieve that using the API Management capability of SAP Integration Suite as an example.

Furthermore, you learned about steps to improve API governance with custom properties and API linting. Eventually, you understood the difference between Azure API Center and an API Gateway.

Find the GitHub repos associated with this post here. It gets you started in no time.

Big #Kudos to Pascal van der Heiden – my brother in crime on this effort. And of course, last but not least to @UdoPaltzer and @vinayak_adkoli for the great collaboration! 🙌

Anyone curious to tap their toe into the waters where the API sprawl monster 🦖 lives, just reach out to me and Chaim or leave a comment.

Cheers

Martin

Re: Govern SAP APIs living in various API Management gateways in a single place with Azure API Cente

2024-05-14T14:52:23.677000+02:00

@saurabhkumbhare API Center went GA on the 6th of May: https://azure.microsoft.com/en-us/updates/general-availability-azure-api-center/

Re: Steps to access Azure Blob Storage via REST API from SAP CPI using Azure Storage Adapter and SAP

2024-05-22T09:11:36.362000+02:00

Hi @Shemy,

What is the reason you want to use http instead of AzureStorage adapter?

The blog above also described the needed parts for http. Find the official API reference here.

KR Martin

Re: Authenticating an API using SAML assertion in SAP API...

2024-05-29T08:08:44.612000+02:00

Hi @giridhar_vegi,

when generating the SAML assertion yourself in APIM you are essentially declaring it your identity provider. That is a severe security risk. Any error or exploitable gap would to lead to user compromise. Identity Providers are purpose-built for this. I am assuming you are bypassing another challenge by looking to implement this yourself. Feel free to share more, so the community can advise on solving the underlying challenge.

If you must explore further have a look at this javascript library and this ApiGee article how to generate your own in SAP APIM. Make sure to lock down access tightly. Either way, I highly discourage this.

KR Martin

Re: SAP AI Core Azure Blob storage SAS token RESPONSE 403...

2024-06-05T10:03:45.189000+02:00

Hi @thomasweckerbasf,

sounds like encoding challenges. Encountered this in the CPI http adapter before. Have a look at this note https://me.sap.com/notes/0003131448 to resolve with triple encoding .

KR Martin

Nice patch SAP! Revisiting your SAP BTP security measures after AI Core vulnerability fix

2024-07-25T10:46:43.272000+02:00

Dear community,

SAP recently fixed a critical vulnerability in the SAP AI Core service that could have allowed attackers to access sensitive data in the multi-tenant environment. This issue, dubbed "SAPwned", was responsibly disclosed and publicly shared on July 18 after it was patched. You can read more about it here.

Bottom line: SAP shows its commitment to security and timely patching of its cloud services. But remember, SAP BTP - like any cloud platform - is based on a shared responsibility model. That means you need to do your part to protect your data and applications too:

Pick secure authentication means (no Basic AUTH is not one of them!),
Be conscious that every endpoint exposed by SAP BTP like Microsoft365 lives on the Internet by design,
Scope Cloud Foundry + Kyma app access, and user roles to the minimum rights needed,
When using the popular” OAuth2 client credentials grant” with service keys rotate your secrets (at best automatically regularly)! Have your pick from app based solution like this, PowerShell module and blog on automatic cert renewal.
Establish a continuous process to harden your SAP cloud workloads. It is not a one stop shop.

Ever heard about “MFA fatigue”? Plain Multi-Factor-Authentication is not good enough anymore today. Additionally, enforce Conditional Access to SAP BTP service through integration the SAP ID Service or the SAP Identity Authentication Service with the corporate identity provider of your choice. See here how to do it with Microsoft Entra ID.

Second line of defense: Automatic detections based on the SAP Audit Log Service

Most of the BTP based services in the Cloud Foundry environment provided by SAP automatically write to the SAP Audit Log Service. Each service lists the standardized events that are propagated.

SAP has a nice video on the general workings of the SAP Audit Log Service on BTP.

This is a good start, but how useful are log entries that record a compromise if they are overlooked and hidden among countless normal entries?

I use the Microsoft Sentinel for SAP BTP solution - which went into General Availability state this week - as an example for running automatic detections via built-in analytic rules. It connects to your subaccounts and global account ingesting all audit logs that are written to your registered Audit Log Management service instances. Polling interval is 10mins when deployed from the Azure Portal by default. Configure down to 1 min if needed using ARM API.

Architecture diagram of Sentinel solution for SAP BTP

It comes with out-of-the-box content. Check out the alert “Failed access attempts across multiple Business Application Studio accounts” for instance. Password spray attack anyone?

Screenshot of Sentinel for SAP BTP solution content with out-of-the-box detections and workbooks

Once I have onboarded my subaccount (I named it SAP-AI-Core-playground), I can go wild on the ingested log entries, apply the threat intel functions, and built analytic rules. Let's browse the entries via the Kusto query language. The standard table SAPBTPAuditLog_CL holds all audit log info for your registered SAP BTP subaccounts:

Screenshot of simple KQL for SAP BTP

The Message contains the JSON payload BTP provides for each message as well as the involved BTP service identifier.

Looking at audit messages is nice, but you may go one step further by applying automatic action like blocking the SAP BTP users.

Below Screenshot shows the part of the process triggered by the included playbook. The SAP security team gets notified with evidence of the compromise, offering an approval option to block the user from a Microsoft Teams channel flow. Find more info here. Below screenshot shows the adaptive card with a trigger from SAP Business Suite. The same is possible with triggers coming from BTP too.

Screenshot of sap btp user block approval request to SAP security team on Microsoft Teams

The AI Core Service audit log entries alone are not useful

Threat protection-wise correlation with other signals in your company is required, because a single SAP AI Core event like “Successful retrieval of object store secret” does not tell you anything. See below a Kusto query working off the AI Core audit log info ingested by the Sentinel for SAP BTP solution.

Note: SAP publishes the available events for all the Cloud Foundry based services here.

It identifies entries on my BTP subaccount related to AI Core activity and cross-references the IP address involved in the login and its country of origin. In my sample below I use the built-in function geo_info_from_ip_address() to learn if the BTP client remote address originated from Germany or not. Assumption here is that all my BTP developers are based there. Think about sanctioned countries lists etc.

//flag unexpected logins from countries other than Germany
let myBTPDevelopers = dynamic(['Germany']);
let login_messages = dynamic(['ClientAuthenticationSuccess','UserAuthenticationSuccess']);
SAPBTPAuditLog_CL 
| where SubaccountName == "SAP-AI-Core-playground"
| where Message has_any (login_messages)
| extend ip_ = tostring(Message.ip)
| extend country = geo_info_from_ip_address(ip_)['country']
| where country !in (myBTPDevelopers);

For a smoke test I teleported myself into the land of leprechauns🌈, steep cliffs, and mysterious celtic culture🍀 using an Azure VM. Marvel at the rule that identifies that mischieveous btp user!

Screenshot of found btp login from Ireland

The next sample uses the Threat Intelligence feature to verify if the BTP remote access can be traced back to a feed of known problematic IP indicators (e.g. a bot network). I maintained it on Sentinel on the Threat Management section using the IP known to BTP for my recent logins to the SAP AI Core service to trigger a result. In real life you would take the IPs from a threat intel feed of course. I don't have a bot net handy though😉.

Screenshot of Sentinel Threat Management experience

That makes it available to my Kusto query as below. See below the screenshot of the result:

Screenshot of Kusto query result filtered by problematic IPs

//flag unexpected logins from IP indicators from Sentinel
let ips = ThreatIntelligenceIndicator
| distinct NetworkIP = tostring(NetworkIP);
let login_messages = dynamic(['ClientAuthenticationSuccess','UserAuthenticationSuccess']);
SAPBTPAuditLog_CL
| where SubaccountName == "SAP-AI-Core-playground"
| where Message contains "aicore" and Message has_any (login_messages)
| extend ip_ = trim(" ", replace(@"\s", "", replace(@"\r|\n|\t", "", tostring(Message.ip))))
| join kind=inner (
    ips
    | extend NetworkIP_ = trim(" ", replace(@"\s", "", replace(@"\r|\n|\t", "", tostring(NetworkIP))))
) on $left.ip_ == $right.NetworkIP_;

A natural next evolution of the detection would be to extend it to the "impossible travel" scenario.

These queries are simple to set up and are good to go to serve as new analytics rule on the solution, don’t you think?

Let me know what other scenarios you would like to see 😊

Thoughts on production readiness

SAP’s Audit Log Service is widely adopted across the SAP BTP services and foundational to the platform.

Sentinel for SAP BTP recently went into “General Availability” state, making it good to use for anyone who doesn’t like previews 😎

To create meaningful detections based on the SAP BTP audit log at minimum other sources, such as the Authorization and Trust Management service (XSUAA) must be considered. Enriching your threat signals with indicators from the rest of your IT landscape gets you from "SAP-security-acolyte"🧑🏻‍🏫 to master of disaster🥷🏼.

The built-in Sentinel for SAP playbooks use SAP BTP public APIs for automatic remediation. See the user API documentation for disabling users here.

Final words

Constantly staying ahead of attackers all the time is impossible. However, putting up a fight so they move on without doing more serious damage or at least being automatically informed about the incident puts you back in the driver’s seat.

The Sentinel for SAP BTP solution enables you to bring the SAP BTP audit log information for cross-correlation with your wider IT landscape to the Microsoft SIEM solution Sentinel. Furthermore, it powers automatic remediations like user block, password reset, and more.

For true confidence in drastic actions like blocking users, you require signals from as many sources as possible. Think beyond the SAP boundary and towards your complete IT landscape: Devices, endpoints, and suspicious logins etc. All of those touchpoints leave a trail of your attacker long before they reach SAP BTP, because of the prior phishing attempts or lateral movement etc. Have a look at Defender XDR for further info.

What detections are you running for your BTP landscape? Let the community know so we can learn from each other’s security practices.

Cheers

Martin