SyntaAI Documentation

Complete guide to the SyntaAI SAP Security Platform. Learn how to leverage AI-powered threat detection, vulnerability management, and automated user administration.

Platform Overview

SyntaAI is an intelligent SAP security platform that combines comprehensive vulnerability scanning, AI-powered analysis, and automated remediation workflows. The platform supports three AI modes to fit your security and compliance requirements.

Platform Modules

Vulnerability Management

Comprehensive scanning, AI-powered analysis, and guided Remediation Journeys for your entire SAP landscape.

Patch Intelligence

AI-driven recommendations and end-to-end lifecycle management for SAP Security Notes with maintenance scheduling.

AI-Powered Automation

Customizable workflow engine with three AI modes (Rule-Based, Cloud, Local) and proactive AI Quick Wins.

Unified Security Interface

Central web dashboard with deep analytics, complemented by conversational AI via Teams/Web for rapid tasks.

Platform Benefits

  • Accelerate Remediation - Reduce vulnerability remediation time by up to 60% with AI-guided analysis and prioritized patch plans
  • Increase Productivity - Automate over 80% of routine security tasks like password resets and account unlocks
  • Gain Centralized Visibility - Unified view of security posture, vulnerability trends, and patch compliance across all SAP systems
  • Enterprise-Grade Security - Implement granular 5-tier RBAC and maintain full audit trail for every action

AI Threat Detection

The AI Threat Detection module monitors SAP security logs in real-time, analyzing events against configurable threat patterns using AI (Claude/Ollama) or regex fallback.

Key Features

  • Plain English Threat Patterns - Define threat rules in natural language without code changes
  • User Behavior Baselines - Compares current activity against established user behavior patterns
  • Terminated User Detection - Automatically detects login attempts from terminated users via LDAP/HR integration
  • Auto-Reload Patterns - Pattern files are automatically reloaded when modified
  • Email Alerting - Configurable email notifications for detected threats

Threat Analysis Output

Each analyzed event returns a structured result:

{ "is_threat": true, "matched_pattern": "Failed Login Attempt", "severity": "medium", "category": "Authentication", "confidence": 0.9, "reasoning": "Failed login attempt detected for user ADMIN", "recommended_action": "Monitor for brute force patterns", "ai_mode_used": "local" }

Severity Levels

LevelDescriptionExample Threats
CriticalImmediate action requiredSAP_ALL assignment, Debug in production, Security audit tampering
HighInvestigate within 24 hoursPrivilege escalation attempts, RFC configuration changes
MediumReview during business hoursFailed login attempts, Unusual transaction patterns
LowInformationalStandard administrative activities

Automatic Polling

The threat detection service automatically polls SAP logs every 5 minutes via Celery background tasks. No manual intervention required once configured.

FF Log Review AI

The Firefighter Log Review module provides AI-powered analysis of SAP GRC Firefighter session logs, helping reviewers assess emergency access usage efficiently.

Analysis Components

  • Transaction Categorization - Automatically categorizes transactions (User Admin, Debug, Finance, System Config, etc.)
  • Risk Scoring - Calculates risk score (1-10) based on activities performed
  • Reason Alignment - Checks if activities align with the stated reason for FF access
  • Field-Level Analysis - Detects sensitive table and field modifications
  • Reviewer Guidance - Generates questions and guidance for reviewers

Risk Levels

ScoreLevelRecommendation
1-3LowOK to Confirm - Quick review sufficient
4-5MediumReview Carefully - Verify flagged items
6-7HighReview Carefully - Request documentation if needed
8-10CriticalFlag for Investigation - Escalate to security team

Critical Activity Detection

The following activities automatically raise concerns:

  • User/role administration (SU01, PFCG, SU10)
  • Debug/development activities (SE38, SE80 with debug)
  • System configuration changes (RZ10, RZ11)
  • RFC/Trust configuration (SM59, SMT1)
  • Security audit configuration (SM19, SM20)
  • Direct table access (SE16, SE16N, SM30)

Teams Notifications

FF Log Review integrates with Microsoft Teams to send rich Adaptive Card notifications when sessions require review, including risk score, concerns, and quick action buttons.

Vulnerability Management

Comprehensive SAP vulnerability scanning with 1400+ pre-built security controls and AI-powered remediation planning.

Scanning Capabilities

  • Scheduled and on-demand security scans
  • SAP Security Notes monitoring and tracking
  • Custom security control definitions
  • Multi-system landscape support
  • SAP RISE compatibility

AI Business Impact Analysis

The AI analyzes each vulnerability to determine real business risk, considering:

  • Exploitability and attack complexity
  • Impact on confidentiality, integrity, availability
  • Business process dependencies
  • Existing compensating controls

Remediation Plans

AI generates phased remediation roadmaps with:

  • Prioritized patch deployment sequences
  • Dependency analysis between patches
  • Maintenance window recommendations
  • Rollback procedures

Patch Intelligence

AI-driven recommendations and end-to-end lifecycle management for SAP Security Notes with intelligent maintenance scheduling.

Key Capabilities

  • Automated Monitoring - Continuous tracking of new SAP Security Notes relevant to your landscape
  • AI-Driven Prioritization - Intelligent ranking based on exploitability, business impact, and system criticality
  • Dependency Mapping - Automatic detection of patch dependencies and prerequisites
  • Maintenance Scheduling - Optimal deployment windows based on system usage patterns
  • Compliance Tracking - SLA monitoring and audit-ready reporting

Security Note Lifecycle

StageAutomation
DiscoveryAuto-detection of new notes from SAP Support Portal
AnalysisAI assessment of relevance and impact to your systems
PlanningGenerated remediation plan with deployment sequence
TestingTest system deployment tracking and validation
DeploymentProduction rollout with rollback procedures
VerificationPost-deployment validation and compliance confirmation

AI-Powered Automation

Customizable workflow engine with three AI modes (Rule-Based, Cloud, Local) and proactive AI Quick Wins for continuous security improvement.

Workflow Engine

  • Configurable Rules - Define custom automation triggers and actions
  • Approval Workflows - Multi-level approval chains with escalation
  • Scheduled Tasks - Automated scans, reports, and maintenance activities
  • Event-Driven Actions - Real-time response to security events

AI Quick Wins

Proactive AI-generated recommendations for immediate security improvements:

  • Unused user account cleanup suggestions
  • Excessive authorization detection
  • Configuration drift alerts
  • Best practice compliance gaps
  • Quick remediation scripts for common issues

Automation Examples

Auto-lock inactive users after 90 days | Auto-generate compliance reports weekly | Auto-escalate critical vulnerabilities to security team | Auto-notify managers of pending approvals

Unified Security Interface

Central web dashboard with deep analytics, complemented by conversational AI via Teams/Web for rapid task execution.

Dashboard Features

Security Posture Overview

Real-time visibility into vulnerabilities, threats, and compliance status across all systems.

Trend Analytics

Historical charts showing vulnerability trends, remediation progress, and risk reduction.

System Comparison

Side-by-side security comparison across SAP systems in your landscape.

Export & Reporting

Excel exports, PDF reports, and scheduled email delivery for stakeholders.

Conversational AI Interface

Execute tasks quickly through natural language via web chatbot or MS Teams:

  • "Show me critical vulnerabilities in PRD system"
  • "What's the patch status for Security Note 3456789?"
  • "Generate compliance report for Q4"
  • "Unlock user JSMITH in ERP system"

Role-Based Access Control

5-tier RBAC ensures users see only what they need:

RoleAccess Level
ViewerRead-only dashboards and reports
AnalystRun scans, view details, export data
OperatorExecute remediation, manage users
ManagerApprove workflows, configure rules
AdminFull system configuration and user management

User Administration

Automate SAP user lifecycle management through natural language commands via web chatbot or MS Teams.

Supported Operations

OperationCommand ExampleDescription
Create User"Create user for John Smith in Finance"Creates user with appropriate roles
Unlock Account"/sap unlock JSMITH"Unlocks locked user account
Reset Password"/sap reset-password JSMITH"Generates new password
Assign Role"Add FI_CLERK role to JSMITH"Assigns role to user
Check Status"Show status of user JSMITH"Displays user details and lock status

Approval Workflow

Configurable approval workflows ensure proper authorization:

  • Manager approval for role assignments
  • Security team approval for privileged access
  • One-click approval via Teams notifications
  • Full audit trail of all actions

AI Configuration

SyntaAI supports three AI modes to meet different security and compliance requirements.

Cloud AI (Claude)

Uses Anthropic Claude API for deep analysis. Best accuracy for complex threat patterns. Requires API key.

Local AI (Ollama)

On-premise AI using Ollama. Data never leaves your infrastructure. Supports llama3.1, mistral, and other models.

Rule-Based

Regex and keyword matching fallback. No AI required. Works offline with deterministic results.

Auto Mode

Automatically selects best available mode. Falls back gracefully if AI unavailable.

Data Privacy Note

When using Cloud AI mode, SAP log data is sent to external AI services. For sensitive environments, use Local AI (Ollama) or Rule-Based mode to keep all data on-premise.

MS Teams Integration

Native Microsoft Teams bot for user administration and security notifications.

Bot Commands

/sap unlock [username] - Unlock user account /sap reset-password [user] - Reset user password /sap status [username] - Check user status /sap create [details] - Create new user /sap help - Show available commands

Notifications

The Teams bot sends rich Adaptive Card notifications for:

  • FF Log Review requests with risk scores
  • Approval workflow requests
  • Critical threat alerts
  • Password reset confirmations

GRC Integration

FF Log Review connects to SAP GRC via Java JCo service for real-time session data retrieval from GRACFFLOG and related tables.