Pathlock Inc.: Threat Detection and Response for SAP
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
| Attribute | Value |
|---|---|
| Connector ID | Pathlock_TDnR |
| Publisher | Pathlock Inc. |
| Used in Solutions | Pathlock_TDnR |
| Collection Method | CCF Push |
| Connector Definition Files | Pathlock_TDnR_connectorDefinition.json |
| DCR Definition Files | Pathlock_TDnR_DCR.json |
| CCF Configuration | Pathlock_TDnR_PollingConfig.json |
| CCF Capabilities | Push |
| Ingestion API | Log Ingestion API — CCF Push connectors use DCR-based Log Ingestion API |
| Microsoft Learn | View on Learn |
The Pathlock Threat Detection and Response (TD&R) integration with Microsoft Sentinel Solution for SAP delivers unified, real-time visibility into SAP security events, enabling organizations to detect and act on threats across all SAP landscapes. This out-of-the-box integration allows Security Operations Centers (SOCs) to correlate SAP-specific alerts with enterprise-wide telemetry, creating actionable intelligence that connects IT security with business processes.
Pathlock’s connector is purpose-built for SAP and forwards only security-relevant events by default, minimizing data volume and noise while maintaining the flexibility to forward all log sources when needed. Each event is enriched with business process context, allowing Microsoft Sentinel Solution for SAP analytics to distinguish operational patterns from real threats and to prioritize what truly matters.
This precision-driven approach helps security teams drastically reduce false positives, focus investigations, and accelerate mean time to detect (MTTD) and mean time to respond (MTTR). Pathlock’s library consists of more than 1,500 SAP-specific detection signatures across 70+ log sources, the solution uncovers complex attack behaviors, configuration weaknesses, and access anomalies.
By combining business-context intelligence with advanced analytics, Pathlock enables enterprises to strengthen detection accuracy, streamline response actions, and maintain continuous control across their SAP environments—without adding complexity or redundant monitoring layers.
For detailed guidance on how to deploy this connector, refer to the Pathlock help portal.
Tables Ingested
This connector ingests data into the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
ABAPAuditLog |
✓ | ✓ | ✓ |
Pathlock_TDnR_CL |
? | ✓ | ? |
💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.
Permissions
Resource Provider Permissions:
- Workspace (Workspace): Read and Write permissions are required.
- Keys (Workspace): Read permissions to shared keys for the workspace are required. See the documentation to learn more about workspace keys
Custom Permissions:
- Microsoft Entra: Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.
- Microsoft Azure: Permission to assign Monitoring Metrics Publisher role on data collection rules. Typically requires Azure RBAC Owner or User Access Administrator role.
Setup Instructions
⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.
1. Create ARM Resources and Provide the Required Permissions
We will create data collection rule (DCR) and data collection endpoint (DCE) resources. We will also create a Microsoft Entra app registration and assign the required permissions to it.
Automated deployment of Azure resources
Clicking on "Deploy push connector resources" will trigger the creation of DCR and DCE resources. It will then create a Microsoft Entra app registration with client secret and grant permissions on the DCR. This setup enables data to be sent securely to the DCR using a OAuth v2 client credentials.
- Deploy push connector resources Application: Pathlock Inc. Threat Detection and Response for SAP
2. Maintain the data collection endpoint details and authentication info in your central instance of Pathlock's Cybersecurity Application Controls: Threat Detection and Response
Share the data collection endpoint URL and authentication info with the Pathlock administrator to configure the plug and play forwarding in Threat Detection and Response to send data to the data collection endpoint. For detailed deployment guidance, refer to the Pathlock help portal. Please do not hesitate to contact Pathlock if support is needed.
- Use this value to configure as Tenant ID in the LogIngestionAPI credential.:
TenantIdNote: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel.
- Entra Application ID:
ApplicationIdNote: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel.
- Entra Application Secret:
ApplicationSecretNote: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel.
- Use this value to configure the LogsIngestionURL parameter when deploying the IFlow.:
DataCollectionEndpointNote: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel.
- DCR Immutable ID:
DataCollectionRuleIdNote: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊