|
| 1 | +--- |
| 2 | +title: Working with the Microsoft Sentinel solution for SAP® applications across multiple workspaces |
| 3 | +description: This article discusses working with Microsoft Sentinel solution for SAP® applications across multiple workspaces in different scenarios. |
| 4 | +author: limwainstein |
| 5 | +ms.author: lwainstein |
| 6 | +ms.topic: conceptual |
| 7 | +ms.date: 03/22/2023 |
| 8 | +--- |
| 9 | + |
| 10 | +# Working with the Microsoft Sentinel solution for SAP® applications across multiple workspaces |
| 11 | + |
| 12 | +When you set up your Microsoft Sentinel workspace, there are [multiple architecture options](../design-your-workspace-architecture.md#decision-tree) and considerations. Considering geography, regulation, access control, and other factors, you may choose to have multiple Sentinel workspaces in your organization. |
| 13 | + |
| 14 | +This article discusses working with Microsoft Sentinel solution for SAP® applications across multiple workspaces in different scenarios. |
| 15 | + |
| 16 | +The Microsoft Sentinel solution for SAP® applications natively supports a cross-workspace ar architecture to allow improved flexibility for: |
| 17 | + |
| 18 | +- Managed security service providers (MSSPs) or a global or federated SOC |
| 19 | +- Data residency requirements |
| 20 | +- Organizational hierarchy/IT design |
| 21 | +- Insufficient role-based access control (RBAC) in a single workspace. |
| 22 | + |
| 23 | +In this article, we focus on a specific and common use case, where collaboration between the security operations center (SOC) and SAP teams in your organization requires a multi-workspace setup. |
| 24 | + |
| 25 | +## Collaboration between the SAP and SOC teams and multi-workspace architecture |
| 26 | + |
| 27 | +Your organization's SAP team has technical knowledge that's critical to a successfully and effectively implement the Microsoft Sentinel solution for SAP® applications. Therefore, it's important for the SAP team see the relevant data and collaborate with the SOC on the required configuration and incident response procedures. |
| 28 | + |
| 29 | +As part of this collaboration, there are two possible scenarios, depending on your organization's needs: |
| 30 | + |
| 31 | +1. **The SAP data and the SOC data reside in separate workspaces**. Both teams can see the SAP data, [using cross-workspace queries](#scenario-1-sap-and-soc-data-reside-in-separate-workspaces) |
| 32 | +1. **The SAP data is kept in the SOC workspace**, and SAP team can query the data using [resource context queries] |
| 33 | + |
| 34 | +### Scenario 1: SAP and SOC data reside in separate workspaces |
| 35 | + |
| 36 | +In this scenario, the SAP and SOC teams have separate Microsoft Sentinel workspaces. When your organization deploys the Microsoft Sentinel solution for SAP® applications, each team specifies its SAP workspace under **Instance details** > **Configure the workspace where the SAP data resides**. |
| 37 | + |
| 38 | +:::image type="content" source="media/cross-workspace/sap-cross-workspace-separate.png" alt-text="Diagram of working with the Microsoft Sentinel solution for SAP® applications in separate workspaces for the SAP and SOC data." border="false"::: |
| 39 | + |
| 40 | +A common practice is to provide some or all of the SOC team members with read permissions to the SAP workspace. |
| 41 | + |
| 42 | +Creating separate workspaces for the SAP and SOC data has these benefits: |
| 43 | + |
| 44 | +- Microsoft Sentinel can create alerts that include both SOC and SAP data, and to run those alerts on the SOC workspace. |
| 45 | +- The SAP has its own Microsoft Sentinel workspace, including all features, except for detections that include both SOC and SAP data. |
| 46 | +- Flexibility: The SAP team can focus on the control and internal threats in its landscape, while the SOC can focus on external threats. |
| 47 | +- There is no additional charge for ingestion fees, because data is only ingested once into Microsoft Sentinel. However, note that each workspace has its own [pricing tier](../design-your-workspace-architecture.md#step-5-collecting-any-non-soc-data). |
| 48 | +- The SOC can see and investigate SAP incidents: If the SAP team faces an event they can't explain with the existing data, they can assign the incident to the SOC. |
| 49 | + |
| 50 | +For larger SAP landscapes, working in this scenario can impact the performance of queries made by the SOC on data from the SAP workspace. This is because the SAP data must travel to the SOC workspace when being queried. For improved performance and cost optimizations, consider having both SOC and SAP workspaces to be on the same [dedicated cluster](./../azure-monitor/logs/logs-dedicated-clusters?tabs=cli#cluster-pricing-model). |
| 51 | + |
| 52 | +This table shows the best practice for managing the SAP and SOC data and permissions in this scenario. |
| 53 | + |
| 54 | +|Function |SOC team |SAP team | |
| 55 | +|---------|---------|---------| |
| 56 | +|SOC workspace access |❌ |✅ | |
| 57 | +|SAP workspace data, analytics rules, functions, watchlists, and workbooks access |✅ |✅ | |
| 58 | +|SAP incident access and collaboration |✅ |✅ | |
| 59 | + |
| 60 | +TBD - how this is done - separate page? + screenshot |
| 61 | + |
| 62 | +### Scenario 2: SAP data is kept in the SOC workspace |
| 63 | + |
| 64 | +In this scenario, you want to keep all of the data in one workspace. You can do this using Log Analytics to [manage access to data by resource](../resource-context-rbac.md). You can also associate SAP resources with an Azure resource ID by specifying the required `azure_resource_id` field in the connector configuration section on the data collector used to ingest data from the SAP system into Microsoft Sentinel. |
| 65 | + |
| 66 | +:::image type="content" source="media/cross-workspace/sap-cross-workspace-combined.png" alt-text="Diagram of working with the Microsoft Sentinel solution for SAP® applications using the same workspace for the SAP and SOC data." border="false"::: |
| 67 | + |
| 68 | +Once the data collector agent is configured with the correct resource ID, the SAP team can access the specific SAP data in the SOC workspace using a resource-scoped query. The SAP team cannot read any of the other, non-SAP data types. |
| 69 | + |
| 70 | +There are no costs associated with this approach, as the data is only ingested once into Microsoft Sentinel. Using this mode of access, the SAP team only sees raw and unformatted data and cannot use any Microsoft Sentinel features. In addition to accessing the raw data via log analytics, the SAP team can also access the same data [via Power BI](../resource-context-rbac.md). |
| 71 | + |
| 72 | +TBD - how this is done - separate page? + screenshot |
| 73 | + |
| 74 | +## Next steps |
| 75 | + |
| 76 | +In this article, you learned about working with Microsoft Sentinel solution for SAP® applications across multiple workspaces in different scenarios. |
| 77 | + |
| 78 | +> [!div class="nextstepaction"] |
| 79 | +> [Deploy the Sentinel solution for SAP® applications](deployment-overview.md) |
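Review bot: The permissions table for Scenario 1 (added lines 54-58) has the "SOC workspace access" row marked ❌ for the SOC team and ✅ for the SAP team, which looks inverted. Line 40 says SOC members are given read permissions to the SAP workspace, and nothing in the text grants the SAP team access to the SOC workspace. Since readers will copy this table as the access model, please confirm the intended values and swap the two cells if the SOC team is meant to have access and the SAP team is not. In Scenario 2, line 68 states that the SAP team "cannot read any of the other, non-SAP data types"; that only holds when `azure_resource_id` is set correctly and the SAP team has no workspace-level read role, so it would help to say so next to that sentence. Smaller items before merge: the "TBD - how this is done - separate page? + screenshot" placeholders on lines 60 and 72 should be resolved or removed, `[resource context queries]` on line 32 has no link target, the dedicated cluster link on line 50 uses `./../azure-monitor/...` without a `.md` extension unlike the other relative links, "ar architecture" on line 16 is a typo, and line 27 needs a grammar pass ("critical to a successfully and effectively implement", "for the SAP team see"). Line 70 says "There are no costs associated with this approach", while line 47 words the same idea as "no additional charge for ingestion fees"; the narrower wording is safer in both places.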