Skip to content

SOAR for SAP: Security Automation

Key Takeaways

  • What is SOAR for SAP?
  • Is SOAR a new security trend?
  • Key benefits of security automation for SAP
  • We share our conclusion

Irrespective of whether you’re going to start your career in information security or if you have years of experience in this field, you might realize that you are part of an unfair game. Why is that? An army of attackers, including kids, organized crime, and nation-state hackers, stands against you, while you need retort with a limited budget and a handful of resources. It’s no surprise therefore that automation becomes an important weapon in the game to protect your enterprise organization against this rising threat. Solution providers such as SecurityBridge and Fortinet, have combined to support you with advanced cybersecurity solutions.

Particularly complex and enterprise-critical applications such as SAP need to be protected. Accepting that an SAP system transacts thousands of actions per second it’s an enormous challenge to detect anomalies in real-time. Additionally, once an incident has been detected it’s easy to generate an automated response. In this article, we look at how SOAR for SAP can enhance your response process with security automation and automated response.

Is it a new security trend?

The subject of security automation isn’t new. Gartner has estimated that by 2022, 30% of security teams with more than five people will be leveraging SOAR products in some capacity. Primarily, the orchestration component makes SOAR very efficient. Security technology like SOAR is a central component of an organization’s SOC to provide analysts with a comprehensive enterprise view of the security posture.

What is SOAR for SAP?

The abbreviation SOAR stands for Security orchestration, automation and response. SOAR solutions supplement rather than replace a SIEM. It helps to coordinate, execute and automate tasks between involved parties (people and tools). Similarly, for Business Process Management (BPM) or Industry 4.0 the SOAR tools help you to evolve your security operation. FortiSOAR as an example aggregates and enriches alerts from a wide range of security products to enable rapid response and automated alert triage. Enhanced SOAR products embed easily within your security landscape. They use security “playbooks” to automate and coordinate workflows that may include any number of disparate security tools as well as human tasks.

A series of actions conducted by an account and/or terminal in SAP NetWeaver may trigger a detection pattern to execute an automated action within your SOC.

Benefits of security automation for SAP

In a 2020 survey, 42% of responders reported suffering from cybersecurity fatigue, and 93% of those individuals were experiencing 5,000 or more alerts per day. As Attacks are becoming more sophisticated and complex, this number will grow. In addition, each company must fight with the complexity of various business applications and more complex infrastructure solutions within the Datacenter and Cloud environments.

SOAR can help provide the appropriate response at the right time, avoiding cybersecurity fatigue. With a SOAR solution such as FortiSOAR, security operations teams can automate the tedious and repetitive elements of workflows while maintaining human authority. SOAR solutions enrich and contextualize threats to help analysts quickly triage cases according to the severity of the risk, sensitivity, or the critical nature of the threatened business functions.

Steps Manual SOAR
Isolate affected devices
10 minutes
1 minute
Enrich artifacts to identify indicator of compromise (IOC)
45 to 60 minutes
3 minutes
Submit a file to the detonation engine
1 to 6 hours
1 minute

Providing an orchestration and automated alert response does not only lowering the time, analysts will have to invest working on incidents and alerts – it will also boost the return of investment (ROI) considerably. FortiSOAR for example also provides a broad portfolio of integrations which allows you to integrate directly with your existing security infrastructure like Firewalls, SIEM, Microsoft Active Directory, etc. This also dramatically lowers the operational complexity.

How could SOAR for SAP look like?

A SOAR Solution can be used in many different ways to simplify and automate security actions within SAP environments. With more than 300 connectors to various products and solutions and more than 150 predefined playbooks, FortiSOAR provides a broad portfolio of integrations and actions which can be used “out of the box” to automate security tasks.

If, for example, SecurityBridge Threat Detection detects a malicious activity within an SAP System, FortiSOAR would send an E-Mail to the corresponding user and inform them about their activities. SOAR’s could also perform more invasive activities as a playbook and could look like the following:

  1. Email to inform the user and/or supervisor
  2. End SAP Session for user (logoff)
  3. Lock user account within active directory and reset password to avoid reuse of possible compromised accounts
  4. Quarantine Client at Firewall Level to avoid further malicious activities

There are many possibilities as to how such a response could look like. SecurityBridge itself provides some easy-to-use capabilities as “first response” actions.

  • Terminate user session
  • Lock account
  • Deprovision authorization
  • Display SAP GUI information popup during user session.


Although covering “Identify” and “Detect” gets the highest priority in many organizations, the logical next step is to take care of “Response” and “Recover”. SecurityBridge creates a connection by enabling SAP customers to bridge SIEM and SOAR solutions using normalized, and context enhanced events.

As security processes mature, the requirement for orchestration, standardization, and automation also increases. Implementing SOAR with the intention of securing SAP may not make sense for some customers, although for small security teams the need for security automation is clearly evident. The standardization of responses and the predefined playbooks in solutions such as FortiSOAR make a significant contribution to success in the fight against cyberattacks.

Posted by

Christoph Nagy

In collaboration with

Julian Petersohn

Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

Next-Gen Application Security for SAP

Join roundtable delegates who will discuss the challenges, solutions, and their experiences in simplifying security and combining it across the network and the SAP application, to introduce a shift in paradigm for SAP customers.

Networking Lunch: SAP Security 2023

Companies are more concerned than ever about IT security. In addition to hackers and security gaps, inadequate configurations also present threats. The purpose of our networking lunch is to engage you in an exchange: What are the current challenges? How are other companies implementing this? What are the tips and tricks for more security?
SAP security Patch day
SAP Security Patch Day
Today is another SAP Security Patch Day. In May 2023, the SAP Response Team released 20 SAP Security Notes, including Evergreen 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client with HotNews priority. Besides two updated Notes, SAP Security Patch Day May 2023, contains 18 new security updates for the vast SAP Product portfolio while the majority relates to SAP Business Objects.
SAP ABAP Directory Traversal Vulnerability
SAP developers know that ABAP/4 (Advanced Business Application Programming) is not immune to security vulnerabilities like any other programming language. One significant security risk associated with SAP ABAP is directory traversal vulnerability. In this blog post, we will discuss what a directory traversal vulnerability is, why it is a problem for SAP customers, how it can be exploited, and what measures to take to prevent it.
we are hiring - career page
SecurityBridge is a leading provider of cutting-edge cybersecurity for SAP, catering to businesses of all sizes. We are expanding our operation to the US market and are looking for an experienced Sales Representative to join our team. The ideal candidate will have at least 5 years of experience in sales, with a focus on software sales, SAP security, and cybersecurity.