SyntaAI Documentation
Complete guide to the SyntaAI SAP Security Platform. Learn how to leverage AI-powered threat detection, vulnerability management, and automated user administration.
Platform Overview
SyntaAI is an intelligent SAP security platform that combines comprehensive vulnerability scanning, AI-powered analysis, and automated remediation workflows. The platform supports three AI modes to fit your security and compliance requirements.
Platform Modules
Vulnerability Management
Comprehensive scanning, AI-powered analysis, and guided Remediation Journeys for your entire SAP landscape.
Patch Intelligence
AI-driven recommendations and end-to-end lifecycle management for SAP Security Notes with maintenance scheduling.
AI-Powered Automation
Customizable workflow engine with three AI modes (Rule-Based, Cloud, Local) and proactive AI Quick Wins.
Unified Security Interface
Central web dashboard with deep analytics, complemented by conversational AI via Teams/Web for rapid tasks.
Platform Benefits
- Accelerate Remediation - Reduce vulnerability remediation time by up to 60% with AI-guided analysis and prioritized patch plans
- Increase Productivity - Automate over 80% of routine security tasks like password resets and account unlocks
- Gain Centralized Visibility - Unified view of security posture, vulnerability trends, and patch compliance across all SAP systems
- Enterprise-Grade Security - Implement granular 5-tier RBAC and maintain full audit trail for every action
AI Threat Detection
The AI Threat Detection module monitors SAP security logs in real-time, analyzing events against configurable threat patterns using AI (Claude/Ollama) or regex fallback.
Key Features
- Plain English Threat Patterns - Define threat rules in natural language without code changes
- User Behavior Baselines - Compares current activity against established user behavior patterns
- Terminated User Detection - Automatically detects login attempts from terminated users via LDAP/HR integration
- Auto-Reload Patterns - Pattern files are automatically reloaded when modified
- Email Alerting - Configurable email notifications for detected threats
Threat Analysis Output
Each analyzed event returns a structured result:
Severity Levels
| Level | Description | Example Threats |
|---|---|---|
| Critical | Immediate action required | SAP_ALL assignment, Debug in production, Security audit tampering |
| High | Investigate within 24 hours | Privilege escalation attempts, RFC configuration changes |
| Medium | Review during business hours | Failed login attempts, Unusual transaction patterns |
| Low | Informational | Standard administrative activities |
Automatic Polling
The threat detection service automatically polls SAP logs every 5 minutes via Celery background tasks. No manual intervention required once configured.
FF Log Review AI
The Firefighter Log Review module provides AI-powered analysis of SAP GRC Firefighter session logs, helping reviewers assess emergency access usage efficiently.
Analysis Components
- Transaction Categorization - Automatically categorizes transactions (User Admin, Debug, Finance, System Config, etc.)
- Risk Scoring - Calculates risk score (1-10) based on activities performed
- Reason Alignment - Checks if activities align with the stated reason for FF access
- Field-Level Analysis - Detects sensitive table and field modifications
- Reviewer Guidance - Generates questions and guidance for reviewers
Risk Levels
| Score | Level | Recommendation |
|---|---|---|
| 1-3 | Low | OK to Confirm - Quick review sufficient |
| 4-5 | Medium | Review Carefully - Verify flagged items |
| 6-7 | High | Review Carefully - Request documentation if needed |
| 8-10 | Critical | Flag for Investigation - Escalate to security team |
Critical Activity Detection
The following activities automatically raise concerns:
- User/role administration (SU01, PFCG, SU10)
- Debug/development activities (SE38, SE80 with debug)
- System configuration changes (RZ10, RZ11)
- RFC/Trust configuration (SM59, SMT1)
- Security audit configuration (SM19, SM20)
- Direct table access (SE16, SE16N, SM30)
Teams Notifications
FF Log Review integrates with Microsoft Teams to send rich Adaptive Card notifications when sessions require review, including risk score, concerns, and quick action buttons.
Vulnerability Management
Comprehensive SAP vulnerability scanning with 1400+ pre-built security controls and AI-powered remediation planning.
Scanning Capabilities
- Scheduled and on-demand security scans
- SAP Security Notes monitoring and tracking
- Custom security control definitions
- Multi-system landscape support
- SAP RISE compatibility
AI Business Impact Analysis
The AI analyzes each vulnerability to determine real business risk, considering:
- Exploitability and attack complexity
- Impact on confidentiality, integrity, availability
- Business process dependencies
- Existing compensating controls
Remediation Plans
AI generates phased remediation roadmaps with:
- Prioritized patch deployment sequences
- Dependency analysis between patches
- Maintenance window recommendations
- Rollback procedures
Patch Intelligence
AI-driven recommendations and end-to-end lifecycle management for SAP Security Notes with intelligent maintenance scheduling.
Key Capabilities
- Automated Monitoring - Continuous tracking of new SAP Security Notes relevant to your landscape
- AI-Driven Prioritization - Intelligent ranking based on exploitability, business impact, and system criticality
- Dependency Mapping - Automatic detection of patch dependencies and prerequisites
- Maintenance Scheduling - Optimal deployment windows based on system usage patterns
- Compliance Tracking - SLA monitoring and audit-ready reporting
Security Note Lifecycle
| Stage | Automation |
|---|---|
| Discovery | Auto-detection of new notes from SAP Support Portal |
| Analysis | AI assessment of relevance and impact to your systems |
| Planning | Generated remediation plan with deployment sequence |
| Testing | Test system deployment tracking and validation |
| Deployment | Production rollout with rollback procedures |
| Verification | Post-deployment validation and compliance confirmation |
AI-Powered Automation
Customizable workflow engine with three AI modes (Rule-Based, Cloud, Local) and proactive AI Quick Wins for continuous security improvement.
Workflow Engine
- Configurable Rules - Define custom automation triggers and actions
- Approval Workflows - Multi-level approval chains with escalation
- Scheduled Tasks - Automated scans, reports, and maintenance activities
- Event-Driven Actions - Real-time response to security events
AI Quick Wins
Proactive AI-generated recommendations for immediate security improvements:
- Unused user account cleanup suggestions
- Excessive authorization detection
- Configuration drift alerts
- Best practice compliance gaps
- Quick remediation scripts for common issues
Automation Examples
Auto-lock inactive users after 90 days | Auto-generate compliance reports weekly | Auto-escalate critical vulnerabilities to security team | Auto-notify managers of pending approvals
Unified Security Interface
Central web dashboard with deep analytics, complemented by conversational AI via Teams/Web for rapid task execution.
Dashboard Features
Security Posture Overview
Real-time visibility into vulnerabilities, threats, and compliance status across all systems.
Trend Analytics
Historical charts showing vulnerability trends, remediation progress, and risk reduction.
System Comparison
Side-by-side security comparison across SAP systems in your landscape.
Export & Reporting
Excel exports, PDF reports, and scheduled email delivery for stakeholders.
Conversational AI Interface
Execute tasks quickly through natural language via web chatbot or MS Teams:
- "Show me critical vulnerabilities in PRD system"
- "What's the patch status for Security Note 3456789?"
- "Generate compliance report for Q4"
- "Unlock user JSMITH in ERP system"
Role-Based Access Control
5-tier RBAC ensures users see only what they need:
| Role | Access Level |
|---|---|
| Viewer | Read-only dashboards and reports |
| Analyst | Run scans, view details, export data |
| Operator | Execute remediation, manage users |
| Manager | Approve workflows, configure rules |
| Admin | Full system configuration and user management |
User Administration
Automate SAP user lifecycle management through natural language commands via web chatbot or MS Teams.
Supported Operations
| Operation | Command Example | Description |
|---|---|---|
| Create User | "Create user for John Smith in Finance" | Creates user with appropriate roles |
| Unlock Account | "/sap unlock JSMITH" | Unlocks locked user account |
| Reset Password | "/sap reset-password JSMITH" | Generates new password |
| Assign Role | "Add FI_CLERK role to JSMITH" | Assigns role to user |
| Check Status | "Show status of user JSMITH" | Displays user details and lock status |
Approval Workflow
Configurable approval workflows ensure proper authorization:
- Manager approval for role assignments
- Security team approval for privileged access
- One-click approval via Teams notifications
- Full audit trail of all actions
AI Configuration
SyntaAI supports three AI modes to meet different security and compliance requirements.
Cloud AI (Claude)
Uses Anthropic Claude API for deep analysis. Best accuracy for complex threat patterns. Requires API key.
Local AI (Ollama)
On-premise AI using Ollama. Data never leaves your infrastructure. Supports llama3.1, mistral, and other models.
Rule-Based
Regex and keyword matching fallback. No AI required. Works offline with deterministic results.
Auto Mode
Automatically selects best available mode. Falls back gracefully if AI unavailable.
Data Privacy Note
When using Cloud AI mode, SAP log data is sent to external AI services. For sensitive environments, use Local AI (Ollama) or Rule-Based mode to keep all data on-premise.
MS Teams Integration
Native Microsoft Teams bot for user administration and security notifications.
Bot Commands
Notifications
The Teams bot sends rich Adaptive Card notifications for:
- FF Log Review requests with risk scores
- Approval workflow requests
- Critical threat alerts
- Password reset confirmations
GRC Integration
FF Log Review connects to SAP GRC via Java JCo service for real-time session data retrieval from GRACFFLOG and related tables.