diff --git a/Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_DCR.json b/Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_DCR.json
new file mode 100644
index 00000000000..c74bd608525
--- /dev/null
+++ b/Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_DCR.json
@@ -0,0 +1,107 @@
+{
+ "name": "SAPS4PublicDCR",
+ "apiVersion": "2022-06-01",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "{{location}}",
+ "properties": {
+ "dataCollectionEndpointId": "{{dataCollectionEndpointId}}",
+ "streamDeclarations": {
+ "Custom-S4PublicCloudAuditLog_CL": {
+ "columns": [
+ {
+ "name": "eventID",
+ "type": "string"
+ },
+ {
+ "name": "log_tstmp",
+ "type": "datetime"
+ },
+ {
+ "name": "slgmand",
+ "type": "string"
+ },
+ {
+ "name": "sid",
+ "type": "string"
+ },
+ {
+ "name": "counter",
+ "type": "int"
+ },
+ {
+ "name": "terminal_name",
+ "type": "string"
+ },
+ {
+ "name": "user_fullname",
+ "type": "string"
+ },
+ {
+ "name": "param_a",
+ "type": "string"
+ },
+ {
+ "name": "param_b",
+ "type": "string"
+ },
+ {
+ "name": "param_c",
+ "type": "string"
+ },
+ {
+ "name": "param_d",
+ "type": "string"
+ },
+ {
+ "name": "slgtc",
+ "type": "string"
+ },
+ {
+ "name": "slgrepna",
+ "type": "string"
+ },
+ {
+ "name": "rsau_text",
+ "type": "string"
+ },
+ {
+ "name": "UserID",
+ "type": "string"
+ },
+ {
+ "name": "useralias",
+ "type": "string"
+ },
+ {
+ "name": "email_adress",
+ "type": "string"
+ },
+ {
+ "name": "UserDescription",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "{{workspaceResourceId}}",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-S4PublicCloudAuditLog_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source\n| extend TimeGenerated = now(), AgentId = \"S4-Public-Cloud\", ClientID = slgmand, Computer = terminal_name, Email = email_adress, MessageClass = eventID, MessageText = rsau_text, SystemID = sid, UpdatedOn = todatetime(log_tstmp), TransactionCode = slgtc, User = UserID, Variable1 = param_a, Variable2 = param_b, Variable3 = param_c, Variable4 = param_d\n| project TimeGenerated, AgentId, ClientID, Computer, Email, MessageClass, MessageText, SAL_DATE, SAL_TIME, SystemID, UpdatedOn, TransactionCode, User, Variable1, Variable2, Variable3, Variable4",
+ "outputStream": "Microsoft-ABAPAuditLog"
+ }
+ ]
+ }
+}
\ No newline at end of file
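Review bot: The `transformKql` in `dataFlows` projects `SAL_DATE` and `SAL_TIME`, but neither name is declared in `streamDeclarations` or produced by the preceding `extend`, so the `project` refers to columns that do not exist in `source`. I would expect the rule to be rejected or the transformation to fail at run time, in which case no audit events reach `Microsoft-ABAPAuditLog`. Either add them to the `extend` (derived from `log_tstmp`, in whatever format the destination table expects) or remove `SAL_DATE, SAL_TIME` from the `project` list. Separately, `TimeGenerated = now()` stamps each row with ingestion time, so time-windowed detections and incident timelines follow arrival time rather than when the SAP event occurred; consider `TimeGenerated = log_tstmp` if the destination accepts it. The same string is embedded in Package/mainTemplate.json and needs the same correction.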
diff --git a/Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_PollingConfig.json b/Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_PollingConfig.json
new file mode 100644
index 00000000000..c219202c8a3
--- /dev/null
+++ b/Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_PollingConfig.json
@@ -0,0 +1,49 @@
+{
+ "name": "SAPS4PublicAlertsPolling",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "SAPS4PublicAlerts",
+ "dataType": "S4PublicCloudAuditLog_CL",
+ "dcrConfig": {
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}",
+ "streamName": "Custom-S4PublicCloudAuditLog_CL"
+ },
+ "addOnAttributes": {
+ "S4HANACloudHost": "[[parameters('s4hanaHost')]"
+ },
+ "auth": {
+ "type": "Basic",
+ "userName": "{{username}}",
+ "password": "{{password}}"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('s4hanaHost'), '/sap/opu/odata4/sap/rsau_log_api/srvd_a2x/sap/rsau_log_api/0001/SecurityAuditLog')]",
+ "queryWindowInMin": 1,
+ "httpMethod": "Get",
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryParameters": {
+ "$filter": "log_tstmp gt {_QueryWindowStartTime} and log_tstmp le {_QueryWindowEndTime}"
+ },
+ "headers": {
+ "Accept": "application/json;odata.metadata=minimal;charset=utf-8",
+ "User-Agent": "Scuba"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.value"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "LinkHeader",
+ "linkHeaderTokenJsonPath": "$.['@odata.nextLink']"
+ }
+ }
+}
\ No newline at end of file
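Review bot: Nothing in this file pins the URL scheme of `request.apiEndpoint`, which is built by concatenating the free-text `s4hanaHost` parameter while `auth.type` is `Basic`. If an operator enters an `http://` URL, the SAP username and password would be sent unencrypted on every poll, unless the platform enforces HTTPS elsewhere. Consider fixing the scheme in the template, `"apiEndpoint": "[[concat('https://', parameters('s4hanaHost'), '/sap/opu/odata4/sap/rsau_log_api/srvd_a2x/sap/rsau_log_api/0001/SecurityAuditLog')]"`, with the text box then taking the host name only, or validating the input in the connector definition. A trailing slash in the entered value also yields `//sap/...` in the request path, which host-only input would avoid.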
diff --git a/Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_connectorDefinition.json b/Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_connectorDefinition.json
new file mode 100644
index 00000000000..04d95d8ec8a
--- /dev/null
+++ b/Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_connectorDefinition.json
@@ -0,0 +1,148 @@
+{
+ "name": "SAPS4PublicAlerts",
+ "apiVersion": "2025-06-01",
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "location": "{{location}}",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "SAPS4PublicAlerts",
+ "title": "SAP S/4HANA Cloud Public Edition",
+ "logo": "SapLogo.svg",
+ "publisher": "SAP",
+ "descriptionMarkdown": "The SAP S/4HANA Cloud Public Edition data connector enables ingestion of SAP's security audit log into the Microsoft Sentinel Solution for SAP, supporting cross-correlation, alerting, and threat hunting. Looking for alternative authentication mechanisms? See [here](https://github.com/Azure-Samples/Sentinel-For-SAP-Community/tree/main/integration-artifacts).",
+ "graphQueriesTableName": "ABAPAuditLog",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "SAP SAL Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of SAP SAL Events",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Client Id and Client Secret for Audit Retrieval API",
+ "description": "Enable API access in BTP."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "**Step 1 - Configuration steps for SAP S/4HANA Cloud Public Edition**\n\nTo connect to SAP S/4HANA Cloud Public Edition, you will need:\n\n1. **SAP S/4HANA Cloud Public Edition tenant API URL**\n2. **Valid username and password** for your SAP S/4HANA Cloud system\n3. **Appropriate authorizations** to access audit log data via OData services\n\nEnsure that your SAP S/4HANA Cloud Public Edition system has the necessary OData services enabled for audit log retrieval and that your user account has the required permissions to access security audit logs.\n\n>**NOTE:** Basic authentication must be enabled in your SAP S/4HANA Cloud Public Edition system for this data connector to work properly."
+ },
+ {
+ "description": "Connect using Basic authentication",
+ "title": "Connect events from SAP S/4HANA Cloud Public Edition to Microsoft Sentinel Solution for SAP",
+ "instructions": [
+ {
+ "type": "ContextPane",
+ "parameters": {
+ "contextPaneType": "DataConnectorsContextPane",
+ "label": "Add account",
+ "isPrimary": true,
+ "title": "S/4HANA Cloud Public Edition connection",
+ "instructionSteps": [
+ {
+ "title": "Account Details",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Username",
+ "placeholder": "Enter your SAP S/4HANA Cloud username",
+ "type": "text",
+ "name": "username"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Password",
+ "placeholder": "Enter your SAP S/4HANA Cloud password",
+ "type": "password",
+ "name": "password"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "SAP S/4HANA Cloud API URL",
+ "placeholder": "https://my123456-api.s4hana.cloud.sap",
+ "type": "text",
+ "name": "s4hanaHost"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ },
+ {
+ "title": "S/4HANA Cloud Public Edition connections",
+ "description": "Each row represents a connected S/4HANA Cloud Public Edition system",
+ "instructions": [
+ {
+ "type": "DataConnectorsGrid",
+ "parameters": {
+ "mapping": [
+ {
+ "columnName": "S/4HANA Cloud API endpoint",
+ "columnValue": "properties.request.apiEndpoint"
+ }
+ ],
+ "menuItems": [
+ "DeleteConnector"
+ ]
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
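Review bot: The `permissions` block does not match what this connector does. `customs` lists "Client Id and Client Secret for Audit Retrieval API" with "Enable API access in BTP.", while the instruction steps and the poller use a username and password with Basic authentication; the prerequisite should describe that account instead, e.g. `"name": "SAP S/4HANA Cloud user for the Security Audit Log OData API"`. `requiredPermissions` also sets `"delete": true` although `permissionsDisplayText` mentions only read and write, and a `sharedKeys` action is requested even though ingestion here goes through a data collection rule; unless the deployment really needs them, drop both so the role an operator must hold stays minimal. Step 1 would also benefit from a sentence recommending a dedicated account restricted to reading the audit log, rather than a named user's credentials. The same block is duplicated in Package/mainTemplate.json.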
diff --git a/Solutions/SAP S4 Cloud Public Edition/Data/Solution_SAPS4Public.json b/Solutions/SAP S4 Cloud Public Edition/Data/Solution_SAPS4Public.json
new file mode 100644
index 00000000000..b840c29c0a4
--- /dev/null
+++ b/Solutions/SAP S4 Cloud Public Edition/Data/Solution_SAPS4Public.json
@@ -0,0 +1,24 @@
+{
+ "Name": "SAP S4 Cloud Public Edition",
+ "Author": "SAP",
+ "Logo": "",
+ "Description": "SAP S/4HANA Cloud is a next-generation enterprise resource planning (ERP) suite designed to help businesses run more efficiently and effectively.\n\nThe SAP S/4HANA Cloud Public Edition add-on for the Microsoft Sentinel Solution for SAP will collect logs from the SAP S/4HANA Cloud security audit log, detect threats, suspicious activities, illegitimate activities, and more. Find additional details here: https://learn.microsoft.com/azure/sentinel/sap/solution-partner-overview.\n\nLooking for alternative authentication mechanisms? See [here](https://github.com/Azure-Samples/Sentinel-For-SAP-Community/tree/main/integration-artifacts). ",
+ "WorkbookDescription": [],
+ "Workbooks": [],
+ "Analytic Rules": [],
+ "Playbooks": [],
+ "PlaybookDescription": [],
+ "Parsers": [],
+ "SavedSearches": [],
+ "Hunting Queries": [],
+ "Data Connectors": [
+ "/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_connectorDefinition.json"
+ ],
+ "Watchlists": [],
+ "WatchlistDescription": [],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SAP S4 Cloud Public Edition",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
\ No newline at end of file
diff --git a/Solutions/SAP S4 Cloud Public Edition/Package/3.0.0.zip b/Solutions/SAP S4 Cloud Public Edition/Package/3.0.0.zip
new file mode 100644
index 00000000000..07a495fbdad
Binary files /dev/null and b/Solutions/SAP S4 Cloud Public Edition/Package/3.0.0.zip differ
diff --git a/Solutions/SAP S4 Cloud Public Edition/Package/createUiDefinition.json b/Solutions/SAP S4 Cloud Public Edition/Package/createUiDefinition.json
new file mode 100644
index 00000000000..2c28464a390
--- /dev/null
+++ b/Solutions/SAP S4 Cloud Public Edition/Package/createUiDefinition.json
@@ -0,0 +1,85 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP%20S4%20Cloud%20Public%20Edition/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nSAP S/4HANA Cloud is a next-generation enterprise resource planning (ERP) suite designed to help businesses run more efficiently and effectively.\n\nThe SAP S/4HANA Cloud Public Edition add-on for the Microsoft Sentinel Solution for SAP will collect logs from the SAP S/4HANA Cloud security audit log, detect threats, suspicious activities, illegitimate activities, and more. Find additional details here: https://learn.microsoft.com/azure/sentinel/sap/solution-partner-overview.\n\nLooking for alternative authentication mechanisms? See [here](https://github.com/Azure-Samples/Sentinel-For-SAP-Community/tree/main/integration-artifacts). \n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for SAP S4 Cloud Public Edition. You can get SAP S4 Cloud Public Edition data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link1",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
+ }
+ }
+}
diff --git a/Solutions/SAP S4 Cloud Public Edition/Package/mainTemplate.json b/Solutions/SAP S4 Cloud Public Edition/Package/mainTemplate.json
new file mode 100644
index 00000000000..40a5954f015
--- /dev/null
+++ b/Solutions/SAP S4 Cloud Public Edition/Package/mainTemplate.json
@@ -0,0 +1,762 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "SAP",
+ "comments": "Solution template for SAP S4 Cloud Public Edition"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ }
+ },
+ "variables": {
+ "_solutionName": "SAP S4 Cloud Public Edition",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "sap_jasondau.azure-sentinel-solution-s4hana-public",
+ "_solutionId": "[variables('solutionId')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "dataConnectorCCPVersion": "1.0.0",
+ "_dataConnectorContentIdConnectorDefinition1": "SAPS4PublicAlerts",
+ "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "_dataConnectorContentIdConnections1": "SAPS4PublicAlertsConnections",
+ "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]",
+ "dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
+ "blanks": "[replace('b', 'b', '')]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "displayName": "SAP S/4HANA Cloud Public Edition",
+ "contentKind": "DataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "SAPS4PublicAlerts",
+ "title": "SAP S/4HANA Cloud Public Edition",
+ "logo": "SapLogo.svg",
+ "publisher": "SAP",
+ "descriptionMarkdown": "The SAP S/4HANA Cloud Public Edition data connector enables ingestion of SAP's security audit log into the Microsoft Sentinel Solution for SAP, supporting cross-correlation, alerting, and threat hunting. Looking for alternative authentication mechanisms? See [here](https://github.com/Azure-Samples/Sentinel-For-SAP-Community/tree/main/integration-artifacts).",
+ "graphQueriesTableName": "ABAPAuditLog",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "SAP SAL Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of SAP SAL Events",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Client Id and Client Secret for Audit Retrieval API",
+ "description": "Enable API access in BTP."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "**Step 1 - Configuration steps for SAP S/4HANA Cloud Public Edition**\n\nTo connect to SAP S/4HANA Cloud Public Edition, you will need:\n\n1. **SAP S/4HANA Cloud Public Edition tenant API URL**\n2. **Valid username and password** for your SAP S/4HANA Cloud system\n3. **Appropriate authorizations** to access audit log data via OData services\n\nEnsure that your SAP S/4HANA Cloud Public Edition system has the necessary OData services enabled for audit log retrieval and that your user account has the required permissions to access security audit logs.\n\n>**NOTE:** Basic authentication must be enabled in your SAP S/4HANA Cloud Public Edition system for this data connector to work properly."
+ },
+ {
+ "description": "Connect using Basic authentication",
+ "title": "Connect events from SAP S/4HANA Cloud Public Edition to Microsoft Sentinel Solution for SAP",
+ "instructions": [
+ {
+ "type": "ContextPane",
+ "parameters": {
+ "contextPaneType": "DataConnectorsContextPane",
+ "label": "Add account",
+ "isPrimary": true,
+ "title": "S/4HANA Cloud Public Edition connection",
+ "instructionSteps": [
+ {
+ "title": "Account Details",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Username",
+ "placeholder": "Enter your SAP S/4HANA Cloud username",
+ "type": "text",
+ "name": "username"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Password",
+ "placeholder": "Enter your SAP S/4HANA Cloud password",
+ "type": "password",
+ "name": "password"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "SAP S/4HANA Cloud API URL",
+ "placeholder": "https://my123456-api.s4hana.cloud.sap",
+ "type": "text",
+ "name": "s4hanaHost"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ },
+ {
+ "title": "S/4HANA Cloud Public Edition connections",
+ "description": "Each row represents a connected S/4HANA Cloud Public Edition system",
+ "instructions": [
+ {
+ "type": "DataConnectorsGrid",
+ "parameters": {
+ "mapping": [
+ {
+ "columnName": "S/4HANA Cloud API endpoint",
+ "columnValue": "properties.request.apiEndpoint"
+ }
+ ],
+ "menuItems": [
+ "DeleteConnector"
+ ]
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "SAP"
+ },
+ "support": {
+ "name": "SAP",
+ "tier": "Partner",
+ "link": "https://api.sap.com/api/SecurityAuditLog_ODataService/overview"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "SAPS4PublicDCR",
+ "apiVersion": "2022-06-01",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": "[variables('blanks')]",
+ "properties": {
+ "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]",
+ "streamDeclarations": {
+ "Custom-S4PublicCloudAuditLog_CL": {
+ "columns": [
+ {
+ "name": "eventID",
+ "type": "string"
+ },
+ {
+ "name": "log_tstmp",
+ "type": "datetime"
+ },
+ {
+ "name": "slgmand",
+ "type": "string"
+ },
+ {
+ "name": "sid",
+ "type": "string"
+ },
+ {
+ "name": "counter",
+ "type": "int"
+ },
+ {
+ "name": "terminal_name",
+ "type": "string"
+ },
+ {
+ "name": "user_fullname",
+ "type": "string"
+ },
+ {
+ "name": "param_a",
+ "type": "string"
+ },
+ {
+ "name": "param_b",
+ "type": "string"
+ },
+ {
+ "name": "param_c",
+ "type": "string"
+ },
+ {
+ "name": "param_d",
+ "type": "string"
+ },
+ {
+ "name": "slgtc",
+ "type": "string"
+ },
+ {
+ "name": "slgrepna",
+ "type": "string"
+ },
+ {
+ "name": "rsau_text",
+ "type": "string"
+ },
+ {
+ "name": "UserID",
+ "type": "string"
+ },
+ {
+ "name": "useralias",
+ "type": "string"
+ },
+ {
+ "name": "email_adress",
+ "type": "string"
+ },
+ {
+ "name": "UserDescription",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-S4PublicCloudAuditLog_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source\n| extend TimeGenerated = now(), AgentId = \"S4-Public-Cloud\", ClientID = slgmand, Computer = terminal_name, Email = email_adress, MessageClass = eventID, MessageText = rsau_text, SystemID = sid, UpdatedOn = todatetime(log_tstmp), TransactionCode = slgtc, User = UserID, Variable1 = param_a, Variable2 = param_b, Variable3 = param_c, Variable4 = param_d\n| project TimeGenerated, AgentId, ClientID, Computer, Email, MessageClass, MessageText, SAL_DATE, SAL_TIME, SystemID, UpdatedOn, TransactionCode, User, Variable1, Variable2, Variable3, Variable4",
+ "outputStream": "Microsoft-ABAPAuditLog"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "SAPS4PublicAlerts",
+ "title": "SAP S/4HANA Cloud Public Edition",
+ "logo": "SapLogo.svg",
+ "publisher": "SAP",
+ "descriptionMarkdown": "The SAP S/4HANA Cloud Public Edition data connector enables ingestion of SAP's security audit log into the Microsoft Sentinel Solution for SAP, supporting cross-correlation, alerting, and threat hunting. Looking for alternative authentication mechanisms? See [here](https://github.com/Azure-Samples/Sentinel-For-SAP-Community/tree/main/integration-artifacts).",
+ "graphQueriesTableName": "ABAPAuditLog",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "SAP SAL Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of SAP SAL Events",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Client Id and Client Secret for Audit Retrieval API",
+ "description": "Enable API access in BTP."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "**Step 1 - Configuration steps for SAP S/4HANA Cloud Public Edition**\n\nTo connect to SAP S/4HANA Cloud Public Edition, you will need:\n\n1. **SAP S/4HANA Cloud Public Edition tenant API URL**\n2. **Valid username and password** for your SAP S/4HANA Cloud system\n3. **Appropriate authorizations** to access audit log data via OData services\n\nEnsure that your SAP S/4HANA Cloud Public Edition system has the necessary OData services enabled for audit log retrieval and that your user account has the required permissions to access security audit logs.\n\n>**NOTE:** Basic authentication must be enabled in your SAP S/4HANA Cloud Public Edition system for this data connector to work properly."
+ },
+ {
+ "description": "Connect using Basic authentication",
+ "title": "Connect events from SAP S/4HANA Cloud Public Edition to Microsoft Sentinel Solution for SAP",
+ "instructions": [
+ {
+ "type": "ContextPane",
+ "parameters": {
+ "contextPaneType": "DataConnectorsContextPane",
+ "label": "Add account",
+ "isPrimary": true,
+ "title": "S/4HANA Cloud Public Edition connection",
+ "instructionSteps": [
+ {
+ "title": "Account Details",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Username",
+ "placeholder": "Enter your SAP S/4HANA Cloud username",
+ "type": "text",
+ "name": "username"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Password",
+ "placeholder": "Enter your SAP S/4HANA Cloud password",
+ "type": "password",
+ "name": "password"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "SAP S/4HANA Cloud API URL",
+ "placeholder": "https://my123456-api.s4hana.cloud.sap",
+ "type": "text",
+ "name": "s4hanaHost"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ },
+ {
+ "title": "S/4HANA Cloud Public Edition connections",
+ "description": "Each row represents a connected S/4HANA Cloud Public Edition system",
+ "instructions": [
+ {
+ "type": "DataConnectorsGrid",
+ "parameters": {
+ "mapping": [
+ {
+ "columnName": "S/4HANA Cloud API endpoint",
+ "columnValue": "properties.request.apiEndpoint"
+ }
+ ],
+ "menuItems": [
+ "DeleteConnector"
+ ]
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "SAP"
+ },
+ "support": {
+ "name": "SAP",
+ "tier": "Partner",
+ "link": "https://api.sap.com/api/SecurityAuditLog_ODataService/overview"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "displayName": "SAP S/4HANA Cloud Public Edition",
+ "contentKind": "ResourcesDataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {
+ "guidValue": {
+ "defaultValue": "[[newGuid()]",
+ "type": "securestring"
+ },
+ "innerWorkspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "securestring"
+ },
+ "connectorDefinitionName": {
+ "defaultValue": "SAP S/4HANA Cloud Public Edition",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "securestring"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ },
+ "username": {
+ "defaultValue": "username",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "password": {
+ "defaultValue": "password",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "s4hanaHost": {
+ "defaultValue": "s4hanaHost",
+ "type": "securestring",
+ "minLength": 1
+ }
+ },
+ "variables": {
+ "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]"
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "SAP"
+ },
+ "support": {
+ "name": "SAP",
+ "tier": "Partner",
+ "link": "https://api.sap.com/api/SecurityAuditLog_ODataService/overview"
+ }
+ }
+ },
+ {
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'SAPS4PublicAlertsPolling', parameters('guidValue'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "SAPS4PublicAlerts",
+ "dataType": "S4PublicCloudAuditLog_CL",
+ "dcrConfig": {
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]",
+ "streamName": "Custom-S4PublicCloudAuditLog_CL"
+ },
+ "addOnAttributes": {
+ "S4HANACloudHost": "[[parameters('s4hanaHost')]"
+ },
+ "auth": {
+ "type": "Basic",
+ "userName": "[[parameters('username')]",
+ "password": "[[parameters('password')]"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('s4hanaHost'), '/sap/opu/odata4/sap/rsau_log_api/srvd_a2x/sap/rsau_log_api/0001/SecurityAuditLog')]",
+ "queryWindowInMin": 1,
+ "httpMethod": "Get",
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryParameters": {
+ "$filter": "log_tstmp gt {_QueryWindowStartTime} and log_tstmp le {_QueryWindowEndTime}"
+ },
+ "headers": {
+ "Accept": "application/json;odata.metadata=minimal;charset=utf-8",
+ "User-Agent": "Scuba"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.value"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "LinkHeader",
+ "linkHeaderTokenJsonPath": "$.['@odata.nextLink']"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "3.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "SAP S4 Cloud Public Edition",
+ "publisherDisplayName": "SAP",
+ "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nSAP S/4HANA Cloud is a next-generation enterprise resource planning (ERP) suite designed to help businesses run more efficiently and effectively.
\nThe SAP S/4HANA Cloud Public Edition add-on for the Microsoft Sentinel Solution for SAP will collect logs from the SAP S/4HANA Cloud security audit log, detect threats, suspicious activities, illegitimate activities, and more. Find additional details here: https://learn.microsoft.com/azure/sentinel/sap/solution-partner-overview.
\nLooking for alternative authentication mechanisms? See here.
\nData Connectors: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "