Skip to content

SOAR for SAP: Security Automation


Key Takeaways

  • What is SOAR for SAP?
  • Is SOAR a new security trend?
  • Key benefits of security automation for SAP
  • We share our conclusion

Irrespective of whether you’re going to start your career in information security or if you have years of experience in this field, you might realize that you are part of an unfair game. Why is that? An army of attackers, including kids, organized crime, and nation-state hackers, stands against you, while you need retort with a limited budget and a handful of resources. It’s no surprise therefore that automation becomes an important weapon in the game to protect your enterprise organization against this rising threat. Solution providers such as SecurityBridge and Fortinet, have combined to support you with advanced cybersecurity solutions.

Particularly complex and enterprise-critical applications such as SAP need to be protected. Accepting that an SAP system transacts thousands of actions per second it’s an enormous challenge to detect anomalies in real-time. Additionally, once an incident has been detected it’s easy to generate an automated response. In this article, we look at how SOAR for SAP can enhance your response process with security automation and automated response.

Is it a new security trend?

The subject of security automation isn’t new. Gartner has estimated that by 2022, 30% of security teams with more than five people will be leveraging SOAR products in some capacity. Primarily, the orchestration component makes SOAR very efficient. Security technology like SOAR is a central component of an organization’s SOC to provide analysts with a comprehensive enterprise view of the security posture.

What is SOAR for SAP?

The abbreviation SOAR stands for Security orchestration, automation and response. SOAR solutions supplement rather than replace a SIEM. It helps to coordinate, execute and automate tasks between involved parties (people and tools). Similarly, for Business Process Management (BPM) or Industry 4.0 the SOAR tools help you to evolve your security operation. FortiSOAR as an example aggregates and enriches alerts from a wide range of security products to enable rapid response and automated alert triage. Enhanced SOAR products embed easily within your security landscape. They use security “playbooks” to automate and coordinate workflows that may include any number of disparate security tools as well as human tasks.

A series of actions conducted by an account and/or terminal in SAP NetWeaver may trigger a detection pattern to execute an automated action within your SOC.

Benefits of security automation for SAP

In a 2020 survey, 42% of responders reported suffering from cybersecurity fatigue, and 93% of those individuals were experiencing 5,000 or more alerts per day. As Attacks are becoming more sophisticated and complex, this number will grow. In addition, each company must fight with the complexity of various business applications and more complex infrastructure solutions within the Datacenter and Cloud environments.

SOAR can help provide the appropriate response at the right time, avoiding cybersecurity fatigue. With a SOAR solution such as FortiSOAR, security operations teams can automate the tedious and repetitive elements of workflows while maintaining human authority. SOAR solutions enrich and contextualize threats to help analysts quickly triage cases according to the severity of the risk, sensitivity, or the critical nature of the threatened business functions.

Steps Manual SOAR
Isolate affected devices
10 minutes
1 minute
Enrich artifacts to identify indicator of compromise (IOC)
45 to 60 minutes
3 minutes
Submit a file to the detonation engine
1 to 6 hours
1 minute

Providing an orchestration and automated alert response does not only lowering the time, analysts will have to invest working on incidents and alerts – it will also boost the return of investment (ROI) considerably. FortiSOAR for example also provides a broad portfolio of integrations which allows you to integrate directly with your existing security infrastructure like Firewalls, SIEM, Microsoft Active Directory, etc. This also dramatically lowers the operational complexity.

How could SOAR for SAP look like?

A SOAR Solution can be used in many different ways to simplify and automate security actions within SAP environments. With more than 300 connectors to various products and solutions and more than 150 predefined playbooks, FortiSOAR provides a broad portfolio of integrations and actions which can be used “out of the box” to automate security tasks.

If, for example, SecurityBridge Threat Detection detects a malicious activity within an SAP System, FortiSOAR would send an E-Mail to the corresponding user and inform them about their activities. SOAR’s could also perform more invasive activities as a playbook and could look like the following:

  1. Email to inform the user and/or supervisor
  2. End SAP Session for user (logoff)
  3. Lock user account within active directory and reset password to avoid reuse of possible compromised accounts
  4. Quarantine Client at Firewall Level to avoid further malicious activities

There are many possibilities as to how such a response could look like. SecurityBridge itself provides some easy-to-use capabilities as “first response” actions.

  • Terminate user session
  • Lock account
  • Deprovision authorization
  • Display SAP GUI information popup during user session.


Although covering “Identify” and “Detect” gets the highest priority in many organizations, the logical next step is to take care of “Response” and “Recover”. SecurityBridge creates a connection by enabling SAP customers to bridge SIEM and SOAR solutions using normalized, and context enhanced events.

As security processes mature, the requirement for orchestration, standardization, and automation also increases. Implementing SOAR with the intention of securing SAP may not make sense for some customers, although for small security teams the need for security automation is clearly evident. The standardization of responses and the predefined playbooks in solutions such as FortiSOAR make a significant contribution to success in the fight against cyberattacks.

Posted by

Christoph Nagy

In collaboration with

Julian Petersohn

Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

Kickstarting Your SAP Security Journey

Do you want to kickstart your journey towards SAP security excellence? Then check out our upcoming webinar. In our webinar, we will show you how to overcome these pitfalls and kickstart your journey to SAP Security excellence. Our customer cbs consulting will talk about their experience with implementing the SecurityBridge Platform and the first milestones achieved on their SAP Security journey.

Steampunk und BTP Summit 2024

Die SAP-Programmiersprache Abap auf der SAP Business Technology Platform, BTP, wird nach Meinung der SAP-Community die bestimmende ERP-Strategie. Embedded ABAP auf der BTP ist Steampunk. Der Steampunk und BTP Summit 2024 zeigt die Zukunft von S/4 Hana und darüber hinaus.
Sales & Partner Manager APAC Singapore
We are expanding our operation in the APAC region and are looking for an experienced Sales & Partner Manager to join our team in Singapore. The ideal candidate will have at least 5 years of experience in sales, with a focus on software sales, SAP security, or cybersecurity.
Pre-Sales Consultant APAC Singapore
As a Pre-Sales Consultant at SecurityBridge, you will be instrumental in our rapid expansion within the APAC region. You will directly contribute to the growth of our innovative SAP security solution, SecurityBridge.