pre-RSA SAP

Author: batamig

articles/sentinel/TOC.yml

@@ -25,6 +25,8 @@
     href: tutorial-respond-threats-playbook.md
   - name: Create KQL queries (Learn module)
     href: /learn/paths/sc-200-utilize-kql-for-azure-sentinel/
+  - name: Deploy the Azure Sentinel solution for SAP
+    href: sap-deploy-solution.md
 - name: Concepts
   items:
   - name: Classify data using entities
@@ -51,6 +53,8 @@
     href: identify-threats-with-entity-behavior-analytics.md
   - name: Import threat intelligence into Azure Sentinel
     href: import-threat-intelligence.md
+  - name: Threat intelligence integrations
+    href: threat-intelligence-integration.md
   - name: Bring your own machine learning platform
     href: bring-your-own-ml.md
   - name: Integrate Microsoft 365 Defender with Azure Sentinel
@@ -266,6 +270,16 @@
       href: connect-azure-stack.md
     - name: Monitor data connector health
       href: monitor-data-connector-health.md
+  - name: Sentinel solutions
+    items:
+      - name: Find and deploy solutions
+        href: sentinel-solutions.md
+      - name: Build and publish solutions (for Partners)
+        href: sentinel-solutions-building.md
+      - name: Deploy the SAP data connector on-premises
+        href: sap-solution-deploy-alternate.md
+  - name: Enable user and entity behavior analytics
+    href: enable-entity-behavior-analytics.md
   - name: Use user and entity behavior analytics
     items:
     - name: Enable UEBA
@@ -341,6 +355,14 @@
     href: cef-name-mapping.md
   - name: MCAS alerts not onboarded to Microsoft 365 Defender
     href: microsoft-cloud-app-security-alerts-not-imported-microsoft-365-defender.md
+  - name: SAP solution references
+    items:
+      - name: Detailed SAP solution requirements
+        href: sap-solution-detailed-requirements.md
+      - name: Available SAP logs
+        href: sap-solution-log-reference.md
+      - name: SAP solution security content reference
+        href: sap-solution-security-content.md
 - name: Resources
   items:
   - name: Useful resources

articles/sentinel/media/sap/required-sap-role-authorizations.png

@@ -0,0 +1,333 @@
+---
+title: Deploy the Azure Sentinel SAP data connector on-premises | Microsoft Docs
+description: Learn how to deploy the Azure Sentinel data connector for SAP environments using an on-premises machine.
+author: batamig
+ms.author: bagol
+ms.service: azure-sentinel
+ms.topic: how-to
+ms.custom: mvc
+ms.date: 05/10/2021
+ms.subservice: azure-sentinel
+
+---
+
+# Deploy the Azure Sentinel SAP data connector on-premises
+
+This article describes how to deploy the Azure Sentinel SAP data connector using an on-premises machine and an Azure Key Vault to store your credentials.
+
+> [!NOTE]
+> The default, and most recommended process for deploying the Azure Sentinel SAP data connector is by [using an Azure VM](sap-deploy-solution.md). This article is intended for advanced users.
+
+> [!IMPORTANT]
+> The Azure Sentinel SAP solution is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+>
+
+## Prerequisites
+
+The basic prerequisites for deploying your Azure Sentinel SAP data connector are the same regardless of your deployment method.
+
+Make sure that your system complies with the prerequisites documented in the main [SAP data connector deployment tutorial](sap-deploy-solution.md#prerequisites) before you start.
+
+For more information, see [Azure Sentinel SAP solution detailed SAP requirements (public preview)](sap-solution-detailed-requirements.md).
+
+## Create your Azure key vault
+
+Create an Azure key vault that you can dedicate to your Azure Sentinel SAP data connector.
+
+Run the following command to create your Azure key vault:
+
+``` azurecli
+kvgp=<KVResourceGroup>
+
+kvname=<keyvaultname>
+
+#Create key vault
+az keyvault create \
+  --name $kvname \
+  --resource-group $kvgp
+```
+
+For more information, see [Quickstart: Create a key vault using the Azure CLI](/azure/key-vault/general/quick-create-cli).
+
+## Add Azure Key Vault secrets
+
+To add Azure Key Vault secrets, run the following script, with your own system ID and the credentials you want to add:
+
+```azurecli
+#Add Abap username
+az keyvault secret set \
+  --name <SID>-ABAPUSER \
+  --value "<abapuser>" \
+  --description SECRET_ABAP_USER --vault-name $kvname
+
+#Add Abap Username password
+az keyvault secret set \
+  --name <SID>-ABAPPASS \
+  --value "<abapuserpass>" \
+  --description SECRET_ABAP_PASSWORD --vault-name $kvname
+
+#Add java Username
+az keyvault secret set \
+  --name <SID>-JAVAOSUSER \
+  --value "<javauser>" \
+  --description SECRET_JAVAOS_USER --vault-name $kvname
+
+#Add java Username password
+az keyvault secret set \
+  --name <SID>-JAVAOSPASS \
+  --value "<javauserpass>" \
+  --description SECRET_JAVAOS_PASSWORD --vault-name $kvname
+
+#Add abapos username
+az keyvault secret set \
+  --name <SID>-ABAPOSUSER \
+  --value "<abaposuser>" \
+  --description SECRET_ABAPOS_USER --vault-name $kvname
+
+#Add abapos username password
+az keyvault secret set \
+  --name <SID>-ABAPOSPASS \
+  --value "<abaposuserpass>" \
+  --description SECRET_ABAPOS_PASSWORD --vault-name $kvname
+
+#Add Azure Log ws ID
+az keyvault secret set \
+  --name <SID>-LOG_WS_ID \
+  --value "<logwsod>" \
+  --description SECRET_AZURE_LOG_WS_ID --vault-name $kvname
+
+#Add Azure Log ws public key
+az keyvault secret set \
+  --name <SID>-LOG_WS_PUBLICKEY \
+  --value "<loswspubkey>" \
+  --description SECRET_AZURE_LOG_WS_PUBLIC_KEY --vault-name $kvname
+```
+
+For more information, see the [az keyvault secret](/cli/azure/keyvault/secret) CLI documentation.
+
+## Deploy the SAP data connector
+
+After you have a key vault with your SAP credentials, deploy your SAP data connector on your on-premises machine.
+
+**To deploy the SAP data connector**:
+
+1. On your on-premises machine, download the latest SAP NW RFC SDK from the [SAP Launchpad site](https://support.sap.com) > **SAP NW RFC SDK** > **SAP NW RFC SDK 7.50** > **nwrfc750X_X-xxxxxxx.zip**.
+
+    > [!NOTE]
+    > You'll need your SAP user sign-in information in order to access the SDK, and you must download the SDK that matches your operating system.
+    >
+    > Make sure to select the **LINUX ON X86_64 65BIT** option.
+
+1. On your on-premises machine, create a new folder with a meaningful name, and copy the SDK zip file into your new folder.
+
+1. Clone the Azure Sentinel solution GitHub repo onto your on-premises machine, and copy Azure Sentinel SAP solution **systemconfig.ini** file into your new folder.
+
+    For example:
+
+    ```bash
+    Wget <systemconfig.ini location>
+    mkdir /home/$(pwd)/sapcon/<sap-sid>/
+    cp <azuresentinel4sap>/template/systemconfig.ini /home/$(pwd)/sapcon/<sap-sid>/
+    cp <**nwrfc750X_X-xxxxxxx.zip**> /home/$(pwd)/sapcon/<sap-sid>/
+    ```
+
+1. Edit the **systemconfig.ini** file as needed, using the embedded comments as a guide.
+
+    To test your configuration, add the user and password to the **systemconfig.ini** configuration file. We recommend that you use the **env.list** file, or Docker secrets as shown in [Manually configure the SAP data connector](#manually-configure-the-sap-data-connector).
+
+    > [!NOTE]
+    > Enter your time zone in GMT format, such as: `GMT+0`,`GMT+1`,`GMT-1`
+
+1. Define the logs that you want to ingest into Azure Sentinel using the instructions in the **systemconfig.ini** file. For example, see [Define the SAP logs that are sent to Azure Sentinel](#define-the-sap-logs-that-are-sent-to-azure-sentinel).
+
+1. Define the following configurations using the instructions in the **systemconfig.ini** file:
+
+    - Whether to include user email addresses in audit logs
+    - Whether to retry failed API calls
+    - Whether to include cexal audit logs
+    - Whether to wait an interval of time between data extractions, especially for large extractions
+
+    For more information, see [SAL logs connector configurations](#sal-logs-connector-settings).
+
+1. Save your updated **systemconfig.ini** file in the **sapcon** directory on your machine.
+
+1. Create a temporary **env.list** file with any required credentials. Once your Docker container is running correctly, make sure to delete this file.
+
+    > [!NOTE]
+    > The following script has each Docker container connecting to a specific ABAP system. Modify your script as needed for your environment.
+    >
+
+    Run:
+
+    ```bash
+    ##############################################################
+    ##############################################################
+    # env.list template
+    SAPADMUSER=<SET_SAPCONTROL_USER>
+    SAPADMPASSWORD=<SET_SAPCONTROL_PASS>
+    ABAPUSER=SET_ABAP_USER>
+    ABAPPASS=<SET_ABAP_PASS>
+    JAVAUSER=<SET_JAVA_OS_USER>
+    JAVAPASS=<SET_JAVA_OS_USER>
+    ##############################################################
+    ```
+
+1. Download and run the pre-defined Docker image with the SAP data connector installed.  Run:
+
+    ```azurecli
+    docker pull docker pull mcr.microsoft.com/azure-sentinel/solutions/sapcon /sapcon:latest
+    docker run --env-file=<env.list_location> -d -v /home/$(pwd)/sapcon/<sap-sid>/:/sapcon-app/sapcon/config/system --name sapcon-<sid> sapcon
+    rm -f <env.list_location>
+    ```
+
+1. Verify that the Docker container is running correctly. Run:
+
+    ```azurecli
+    docker logs –f sapcon-[SID]
+
+    ```
+
+1. In Azure Sentinel, browse to **Azure Sentinel Continuous Threat Monitoring for SAP** data connector to confirm the connection:
+
+    [ ![Azure Sentinel Continuous Threat Monitoring for SAP data connector page.](media/sap/sap-data-connector.png) ](media/sap/sap-data-connector.png#lightbox)
+
+    > [!NOTE]
+    > It may take up to 15 minutes for data ingestion to start.
+    >
+
+SAP logs are displayed in the Azure Sentinel **Logs** page under **Custom logs**:
+
+[ ![SAP ABAP logs under Custom logs in Azure Sentinel.](media/sap/sap-logs-in-sentinel.png) ](media/sap/sap-logs-in-sentinel.png#lightbox)
+
+## Manually configure the SAP data connector
+
+The Azure Sentinel SAP solution data connector is configured in the **systemconfig.ini** file, which you cloned to your SAP data connector machine as part of the [deployment procedure](#deploy-the-sap-data-connector).
+
+The following code shows a sample **systemconfig.ini** file:
+
+```Python
+[Secrets Source]
+secrets = '<DOCKER_RUNTIME/AZURE_KEY_VAULT/DOCKER_SECRETS/DOCKER_FIXED>'
+keyvault = '<SET_YOUR_AZURE_KEYVAULT>'
+intprefix = '<SET_YOUR_PREFIX>'
+
+[ABAP Central Instance]
+##############################################################
+# Define the following values according to your server configuration.
+ashost = <SET_YOUR_APPLICATION_SERVER_HOST>
+mshost = <SET_YOUR_MESSAGE_SERVER_HOST> - #In case different then App
+##############################################################
+group = <SET_YOUR_LOGON_GROUP>
+msserv = <SET_YOUR_MS_SERVICE> - #Required only if the message server service is not defined as sapms<SYSID> in /etc/services
+sysnr = <SET_YOUR_SYS_NUMBER>
+user = <SET_YOUR_USER>
+##############################################################
+# Enter your password OR your X509 SNC parameters
+passwd = <SET_YOUR_PASSWORD>
+snc_partnername = <SET_YOUR_SNC_PARTNER_NAME>
+snc_lib = <SET_YOUR_SNC_LIBRARY_PATH>
+x509cert = <SET_YOUR_X509_CERTIFICATE>
+##############################################################
+sysid = <SET_YOUR_SYSTEM_ID>
+client = <SET_YOUR_CLIENT>
+
+[Azure Credentials]
+loganalyticswsid = <SET_YOUR_LOG_ANALYTICS_WORKSPACE_ID>
+publickey = <SET_YOUR_PUBLIC_KEY>
+
+[File Extraction ABAP]
+osuser = <SET_YOUR_SAPADM_LIKE_USER>
+##############################################################
+# Enter your password OR your X509 SNC parameters
+ospasswd = <SET_YOUR_SAPADM_PASS>
+x509pkicert = <SET_YOUR_X509_PKI_CERTIFICATE>
+##############################################################
+appserver = <SET_YOUR_SAPCTRL_SERVER>
+instance = <SET_YOUR_SAP_INSTANCE>
+abapseverity = <SET_ABAP_SEVERITY>
+abaptz = <SET_ABAP_TZ>
+
+[File Extraction JAVA]
+javaosuser = <SET_YOUR_JAVAADM_LIKE_USER>
+##############################################################
+# Enter your password OR your X509 SNC parameters
+javaospasswd = <SET_YOUR_JAVAADM_PASS>
+javax509pkicert = <SET_YOUR_X509_PKI_CERTIFICATE>
+##############################################################
+javaappserver = <SET_YOUR_JAVA_SAPCTRL_SERVER>
+javainstance = <SET_YOUR_JAVA_SAP_INSTANCE>
+javaseverity = <SET_JAVA_SEVERITY>
+javatz = <SET_JAVA_TZ>
+```
+
+### Define the SAP logs that are sent to Azure Sentinel
+
+Add the following code to the Azure Sentinel SAP solution **systemconfig.ini** file to define the logs that are sent to Azure Sentinel.
+
+For more information, see [Azure Sentinel SAP solution logs reference (public preview)](sap-solution-log-reference.md).
+
+```Python
+##############################################################
+# Enter True OR False for each log to send those logs to Azure Sentinel
+[Logs Activation Status]
+ABAPAuditLog = True
+ABAPJobLog = True
+ABAPSpoolLog = True
+ABAPSpoolOutputLog = True
+ABAPChangeDocsLog = True
+ABAPAppLog = True
+ABAPWorkflowLog = True
+ABAPCRLog = True
+ABAPTableDataLog = False
+# ABAP SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
+ABAPFilesLogs = False
+SysLog = False
+ICM = False
+WP = False
+GW = False
+# Java SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
+JAVAFilesLogs = False
+##############################################################
+```
+
+### SAL logs connector settings
+
+Add the following code to the Azure Sentinel SAP data connector **systemconfig.ini** file to define other settings for SAP logs ingested into Azure Sentinel. 
+
+For more information, see [Deploy the SAP data connector](#deploy-the-sap-data-connector).
+
+
+```Python
+##############################################################
+[Connector Configuration]
+extractuseremail = True
+apiretry = True
+auditlogforcexal = False
+auditlogforcelegacyfiles = False
+timechunk = 60
+##############################################################
+```
+
+This section enables you to configure the following parameters:
+
+|Parameter name  |Description  |
+|---------|---------|
+|**extractuseremail**     |  Determines whether user email addresses are included in audit logs.       |
+|**apiretry**     |   Determines whether API calls are retried as a failover mechanism.      |
+|**auditlogforcexal**     |  Determines whether the system forces the use of audit logs for non-SAL systems, such as SAP BASIS version 7.4.       |
+|**auditlogforcelegacyfiles**     |  Determines whether the system forces the use of audit logs with legacy system capabilities, such as from SAP BASIS version 7.4 with lower patch levels.|
+|**timechunk**     |   Determines that the system waits a specific number of minutes as an interval between data extractions. Use this parameter if you have a large amount of data expected. <br><br>For example, during the initial data load during your first 24 hours, you might want to have the data extraction running only every 30 minutes to give each data extraction enough time. In such cases, set this value to **30**. <!--unclear-->  |
+|     |         |
+
+
+## Next steps
+
+After you have your SAP data connector deployed, you can add the SAP-related security content.
+
+For more information, see [Deploy the SAP solution security content from Azure Sentinel](sap-deploy-solution.md#deploy-sap-security-content-from-azure-sentinel).
+
+For more information, see:
+
+- [Azure Sentinel SAP solution detailed SAP requirements](sap-solution-detailed-requirements.md)
+- [Azure Sentinel SAP solution logs reference](sap-solution-log-reference.md)
+- [Azure Sentinel SAP solution: security content reference](sap-solution-security-content.md)

articles/sentinel/media/sap/sap-data-connector.png

@@ -0,0 +1,126 @@
+---
+title: Azure Sentinel SAP solution detailed SAP requirements | Microsoft Docs
+description: Learn about the detailed SAP system requirements for the Azure Sentinel SAP solution.
+author: batamig
+ms.author: bagold
+ms.service: azure-sentinel
+ms.topic: reference
+ms.custom: mvc
+ms.date: 05/10/2021
+ms.subservice: azure-sentinel
+
+---
+
+# Azure Sentinel SAP solution detailed SAP requirements (public preview)
+
+The [default procedure for deploying the Azure Sentinel SAP solution](sap-deploy-solution.md) includes the required SAP change requests and SAP notes, and provides a built-in role with all required permissions.
+
+This article lists the required SAP change requests, notes, and permissions in detail.
+
+Use this article as a reference if you're an admin, or if you're [deploying the SAP solution manually](sap-solution-deploy-alternate.md). This article is intended for advanced SAP users.
+
+
+> [!IMPORTANT]
+> The Azure Sentinel SAP solution is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+>
+
+## Required SAP Log change requests
+
+The following SAP Log change requests are required for the SAP solution, depending on your SAP Basis version:
+
+- **SAP Basis versions 7.50 and higher**,  install S4HK900125
+- **SAP Basis version 7.40**,  install S4HK900126
+- **To create a SAP role with the required authorizations**, for any supported SAP Basis version, install S4HK900114. For more information, see [Configure your SAP system](sap-deploy-solution.md#configure-your-sap-system) and [Required ABAP backend authorizations](#required-abap-authorizations).
+
+> [!NOTE]
+> The required SAP log change requests expose custom RFC FMs that are required for the connector, and do not change any standard or custom objects.
+>
+
+## Required SAP notes
+
+If you have an SAP Basis version of 7.50 or lower, install the following SAP notes:
+
+- **SAP Note 2641084**. Provides standardized read access for the Security Audit log data.
+- **SAP Note 2173545**. Named `CHANGEDOCUMENT_READ_ALL`.
+- **SAP Note 2502336**. Named `RSSCD100 - read only from archive, not from database`.
+
+Access the SAP notes from the [SAP support Launchpad site](https://support.sap.com/en/index.html).
+
+## Required ABAP authorizations
+
+The following table lists the ABAP authorizations required for the backend SAP user to connect Azure Sentinel to the SAP logs. For more information, see [Configure your SAP system](sap-deploy-solution.md#configure-your-sap-system).
+
+Required authorizations are listed by log type. You only need the authorizations listed for the types of logs you plan to ingest into Azure Sentinel.
+
+> [!TIP]
+> To create the role with all required authorizations, deploy the SAP change request [S4HK900114](#required-sap-log-change-requests) on your SAP system. This change request creates the **/MSFTSEN/SENTINEL_CONNECTOR** role, and assigns the role to the ABAP connecting to Azure Sentinel.
+> 
+
+| Authorization Object | Field | Value |
+| -------------------- | ----- | ----- |
+| **All RFC logs** | | |
+| S_RFC | FUGR | /OSP/SYSTEM_TIMEZONE |
+| S_RFC | FUGR | ARFC |
+| S_RFC | FUGR | STFC |
+| S_RFC | FUGR | RFC1 |
+| S_RFC | FUGR | SDIFRUNTIME  |
+| S_RFC | FUGR | SMOI |
+| S_RFC | FUGR | SYST |
+| S_RFC | FUGR/FUNC | SRFC/RFC_SYSTEM_INFO |
+| S_RFC | FUGR/FUNC | THFB/TH_SERVER_LIST |
+| S_TCODE | TCD | SM51 |
+| **ABAP Application Log**  | | |
+| S_APPL_LOG | ACTVT | Display |
+| S_APPL_LOG | ALG_OBJECT | * |
+| S_APPL_LOG | ALG_SUBOBJ | * |
+| S_RFC | FUGR | SXBP_EXT |
+| S_RFC | FUGR | /MSFTSEN/_APPLOG |
+| **ABAP Change Documents Log** | | |
+| S_RFC | FUGR | /MSFTSEN/_CHANGE_DOCS |
+| **ABAP CR Log** | | |
+| S_RFC | FUGR | CTS_API |
+| S_RFC | FUGR | /MSFTSEN/_CR |
+| S_TRANSPRT | ACTVT | Display |
+| S_TRANSPRT | TTYPE | * |
+| **ABAP DB Table Data Log** | | |
+| S_RFC | FUGR | /MSFTSEN/_TD |
+| S_TABU_DIS | ACTVT | Display |
+| S_TABU_DIS | DICBERCLS | &NC& |
+| S_TABU_DIS | DICBERCLS | + Any object required for logging |
+| S_TABU_NAM | ACTVT | Display |
+| S_TABU_NAM | TABLE | + Any object required for logging |
+| S_TABU_NAM | TABLE | DBTABLOG |
+| **ABAP Job Log** | | |
+| S_RFC | FUGR | SXBP |
+| S_RFC | FUGR | /MSFTSEN/_JOBLOG |
+| **ABAP Job Log, ABAP Application Log** | | |
+| S_XMI_PRD | INTERFACE | XBP |
+| **ABAP Security Audit Log - XAL** | | |
+| All RFC | S_RFC | FUGR |
+| S_ADMI_FCD | S_ADMI_FCD | AUDD |
+| S_RFC | FUGR | SALX |
+| S_USER_GRP | ACTVT | Display |
+| S_USER_GRP | CLASS | * |
+| S_XMI_PRD | INTERFACE | XAL |
+| **ABAP Security Audit Log - XAL, ABAP Job Log, ABAP Application Log** | | |
+| S_RFC | FUGR | SXMI |
+| S_XMI_PRD | EXTCOMPANY | Microsoft |
+| S_XMI_PRD | EXTPRODUCT | Azure Sentinel |
+| **ABAP Security Audit Log - SAL** | | |
+| S_RFC | FUGR | RSAU_LOG |
+| S_RFC | FUGR | /MSFTSEN/_AUDITLOG |
+| **ABAP Spool Log, ABAP Spool Output Log** | | |
+| S_RFC | FUGR | /MSFTSEN/_SPOOL |
+| **ABAP Workflow Log** | | |
+| S_RFC | FUGR | SWRR |
+| S_RFC | FUGR | /MSFTSEN/_WF |
+| | |
+
+## Next steps
+
+For more information, see:
+
+- [Tutorial: Deploy the Azure Sentinel solution for SAP](sap-deploy-solution.md)
+- [Deploy the Azure Sentinel SAP data connector on-premises](sap-solution-deploy-alternate.md)
+- [Azure Sentinel SAP solution logs reference](sap-solution-log-reference.md)
+- [Azure Sentinel SAP solution: built-in security content](sap-solution-security-content.md)