Skip to content

SOAR for SAP: Security Automation

Key Takeaways

  • What is SOAR for SAP?
  • Is SOAR a new security trend?
  • Key benefits of security automation for SAP
  • We share our conclusion

Irrespective of whether you’re going to start your career in information security or if you have years of experience in this field, you might realize that you are part of an unfair game. Why is that? An army of attackers, including kids, organized crime, and nation-state hackers, stands against you, while you need retort with a limited budget and a handful of resources. It’s no surprise therefore that automation becomes an important weapon in the game to protect your enterprise organization against this rising threat. Solution providers such as SecurityBridge and Fortinet, have combined to support you with advanced cybersecurity solutions.

Particularly complex and enterprise-critical applications such as SAP need to be protected. Accepting that an SAP system transacts thousands of actions per second it’s an enormous challenge to detect anomalies in real-time. Additionally, once an incident has been detected it’s easy to generate an automated response. In this article, we look at how SOAR for SAP can enhance your response process with security automation and automated response.

Is it a new security trend?

The subject of security automation isn’t new. Gartner has estimated that by 2022, 30% of security teams with more than five people will be leveraging SOAR products in some capacity. Primarily, the orchestration component makes SOAR very efficient. Security technology like SOAR is a central component of an organization’s SOC to provide analysts with a comprehensive enterprise view of the security posture.

What is SOAR for SAP?

The abbreviation SOAR stands for Security orchestration, automation and response. SOAR solutions supplement rather than replace a SIEM. It helps to coordinate, execute and automate tasks between involved parties (people and tools). Similarly, for Business Process Management (BPM) or Industry 4.0 the SOAR tools help you to evolve your security operation. FortiSOAR as an example aggregates and enriches alerts from a wide range of security products to enable rapid response and automated alert triage. Enhanced SOAR products embed easily within your security landscape. They use security “playbooks” to automate and coordinate workflows that may include any number of disparate security tools as well as human tasks.

A series of actions conducted by an account and/or terminal in SAP NetWeaver may trigger a detection pattern to execute an automated action within your SOC.

Benefits of security automation for SAP

In a 2020 survey, 42% of responders reported suffering from cybersecurity fatigue, and 93% of those individuals were experiencing 5,000 or more alerts per day. As Attacks are becoming more sophisticated and complex, this number will grow. In addition, each company must fight with the complexity of various business applications and more complex infrastructure solutions within the Datacenter and Cloud environments.

SOAR can help provide the appropriate response at the right time, avoiding cybersecurity fatigue. With a SOAR solution such as FortiSOAR, security operations teams can automate the tedious and repetitive elements of workflows while maintaining human authority. SOAR solutions enrich and contextualize threats to help analysts quickly triage cases according to the severity of the risk, sensitivity, or the critical nature of the threatened business functions.

Steps Manual SOAR
Isolate affected devices
10 minutes
1 minute
Enrich artifacts to identify indicator of compromise (IOC)
45 to 60 minutes
3 minutes
Submit a file to the detonation engine
1 to 6 hours
1 minute

Providing an orchestration and automated alert response does not only lowering the time, analysts will have to invest working on incidents and alerts – it will also boost the return of investment (ROI) considerably. FortiSOAR for example also provides a broad portfolio of integrations which allows you to integrate directly with your existing security infrastructure like Firewalls, SIEM, Microsoft Active Directory, etc. This also dramatically lowers the operational complexity.

How could SOAR for SAP look like?

A SOAR Solution can be used in many different ways to simplify and automate security actions within SAP environments. With more than 300 connectors to various products and solutions and more than 150 predefined playbooks, FortiSOAR provides a broad portfolio of integrations and actions which can be used “out of the box” to automate security tasks.

If, for example, SecurityBridge Threat Detection detects a malicious activity within an SAP System, FortiSOAR would send an E-Mail to the corresponding user and inform them about their activities. SOAR’s could also perform more invasive activities as a playbook and could look like the following:

  1. Email to inform the user and/or supervisor
  2. End SAP Session for user (logoff)
  3. Lock user account within active directory and reset password to avoid reuse of possible compromised accounts
  4. Quarantine Client at Firewall Level to avoid further malicious activities

There are many possibilities as to how such a response could look like. SecurityBridge itself provides some easy-to-use capabilities as “first response” actions.

  • Terminate user session
  • Lock account
  • Deprovision authorization
  • Display SAP GUI information popup during user session.


Although covering “Identify” and “Detect” gets the highest priority in many organizations, the logical next step is to take care of “Response” and “Recover”. SecurityBridge creates a connection by enabling SAP customers to bridge SIEM and SOAR solutions using normalized, and context enhanced events.

As security processes mature, the requirement for orchestration, standardization, and automation also increases. Implementing SOAR with the intention of securing SAP may not make sense for some customers, although for small security teams the need for security automation is clearly evident. The standardization of responses and the predefined playbooks in solutions such as FortiSOAR make a significant contribution to success in the fight against cyberattacks.

Posted by

Christoph Nagy

In collaboration with

Julian Petersohn

Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

Turnkey Webinar: SAP Cyber Security – how does it work?

Join experts from Turnkey Consulting and SecurityBridge to explore how businesses can get a 360-degree view of their SAP Security posture, and ensure their SAP operations are properly secured.

DSAG Technology Days – Review

Finally we could attend a physical event again. Here’s our review on the DSAG Technology Days 2022: What is the new normal in IT? Personal highlights from the event and a short summary of our presentation “NextGen Cybersecurity for SAP.”
SAP Cyber risk
SAP Cybersecurity- Security News
Businesses must be more cautious to protect themselves from cyber threats as digitalization and the use of SAP systems increase. SAP S/4HANA is critical for many enterprises as it provides the foundation for business operations. As digitalization and Industry 4.0 continue to increase, SAP S/4HANA lays the foundation for many modern business scenarios. SAP systems are important for many industries and their security is a major concern, making them vulnerable to cyber attackers. This article will discuss cyber risks and how you can assess your individual and organizational SAP systems' risks. What are cyber risks?
Common SAP Patches
SAP Cybersecurity- SAP Patch Management- SAP Security Patch Day- Security News
Installing SAP patches is crucial for maintaining a robust and secure enterprise resource planning (ERP) system. SAP, one of the leading ERP systems in the world, is constantly evolving to meet the changing needs of businesses. As a result, SAP releases various patches to address issues and enhance the functionality of its software. However, installing SAP patches can present challenges for IT teams, such as ensuring minimal disruption to business operations, managing risks, and testing the non-implemented patches. This article will discuss the three most common types of SAP patches- kernel patches, snote patches, and support packs - and the best practices for installing them.
SAP interfaces
SAP Cybersecurity- SAP Interface- Security News
In this blog article, we will explore the importance of SAP interface security and discuss the various measures businesses can take to protect their systems and data. We will also examine some common threats to SAP interfaces and how to mitigate them. To safeguard your business, you need to understand the importance of SAP interface security and take steps to make your interfaces secure. 
SAP security Patch day
10th January 2023 SAP response team sends some Happy New Year greeting to the SAP Security Teams, by releasing 10 SAP Security Notes.