Work with the Microsoft Sentinel solution for SAP applications in multiple workspaces
When you set up your Log Analytics workspace enabled for Microsoft Sentinel, you have multiple architecture options and factors to consider. Taking into account geography, regulation, access control, and other factors, you might choose to have multiple workspaces in your organization.
This article discusses how to work with the Microsoft Sentinel solution for SAP applications in multiple workspaces for different deployment scenarios.
The Microsoft Sentinel solution for SAP applications natively supports a cross-workspace architecture to support improved flexibility for:
- Managed security service providers (MSSPs) or a global or federated security operations center (SOC).
- Data residency requirements.
- Organizational hierarchy and IT design.
- Insufficient role-based access control (RBAC) in a single workspace.
Important
Working with multiple workspaces is currently in preview. This feature is provided without a service-level agreement. For more information, see Supplemental Terms of Use for Azure Previews.
You can define multiple workspaces when you deploy SAP security content.
Collaboration between the SOC and SAP teams in your organization
A common use case is one in which collaboration between the SOC and SAP teams in your organization requires a multi-workspace setup.
Your organization's SAP team has technical knowledge that's critical to successfully and effectively implement the Microsoft Sentinel solution for SAP applications. Therefore, it's important for the SAP team see the relevant data and to collaborate with the SOC about the required configuration and incident response procedures.
There are two possible scenarios for SOC and SAP team collaboration, depending on your organization's needs:
Scenario 1: SAP data and SOC data maintained in separate workspaces. Both teams can see the SAP data by using cross-workspace queries.
Scenario 2: SAP data kept only in the SOC workspace. The SAP team can query the data by using resource context queries.
Scenario 1: SAP data and SOC data maintained in separate workspaces
In this scenario, the SAP team and the SOC team have separate Log Analytics workspaces enabled for Microsoft Sentinel where team data is kept.
When your organization deploys the Microsoft Sentinel solution for SAP applications, each team specifies its SAP workspace.
A common practice is to provide some or all SOC team members with the Sentinel Reader role for the SAP workspace.
Creating separate workspaces for the SAP and SOC data has these benefits:
Microsoft Sentinel can trigger alerts that include both SOC and SAP data, and it can run those alerts on the SOC workspace.
Note
For larger SAP landscapes, running queries that are made by the SOC on data from the SAP workspace can affect performance. The SAP data must travel to the SOC workspace when it's being queried. For improved performance and cost optimizations, consider having both the SOC and SAP workspaces on the same dedicated cluster.
The SAP team has its own Log Analytics workspace enabled for Microsoft Sentinel that includes all features except detections that include both SOC and SAP data.
Flexibility. The SAP team can focus on the control of internal threats in its landscape, and the SOC can focus on external threats.
There's no additional charge for ingestion fees, because data is ingested only once into Microsoft Sentinel. However, each workspace has its own pricing tier.
The SOC can see and investigate SAP incidents. If the SAP team faces an event that it can't explain by using existing data, the team can assign the incident to the SOC.
The following table maps the access of data and features for the SAP and SOC teams in this scenario:
Function | SOC team | SAP team |
---|---|---|
SOC workspace access | ✅ | ❌ |
SAP workspace data, analytics rules, functions, watchlists, and workbooks access | ✅ | ✅1 |
SAP incident access and collaboration | ✅ | ✅1 |
1 The SOC team can see these functions in both workspaces. The SAP team can see these functions only in the SAP workspace.
Scenario 2: SAP data kept only in the SOC workspace
In this scenario, you want to keep all the data in one workspace and to apply access controls. You can do this by using Log Analytics in Azure Monitor to manage access to data by resource. You can also associate SAP resources with an Azure resource ID by specifying the required azure_resource_id
field in the connector configuration section on the data collector that you use to ingest data from the SAP system into Microsoft Sentinel.
After the data collector agent is configured with the correct resource ID, the SAP team can access the specific SAP data in the SOC workspace by using a resource-scoped query. The SAP team can't read any of the other, non-SAP data types.
There are no costs associated with this approach because the data is ingested only once into Microsoft Sentinel. When you use this mode of access, the SAP team sees only raw and unformatted data. The SAP team can't use any Microsoft Sentinel features. In addition to accessing the raw data via Log Analytics, the SAP team can access the same data via Power BI.
Next step
In this article, you learned about working with Microsoft Sentinel solution for SAP applications in multiple workspaces for different deployment scenarios. Next, learn how to deploy the solution: