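--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE_dcr.json
@@ -0,0 +1,107 @@
+{
+"name": "SAPS4PublicDCR",
+"apiVersion": "2022-06-01",
+"type": "Microsoft.Insights/dataCollectionRules",
+"location": "{{location}}",
+"properties": {
+"dataCollectionEndpointId": "{{dataCollectionEndpointId}}",
+"streamDeclarations": {
+"Custom-S4PublicCloudAuditLog_CL": {
+"columns": [
+{
+"name": "eventID",
+"type": "string"
+},
+{
+"name": "log_tstmp",
+"type": "datetime"
+},
+{
+"name": "slgmand",
+"type": "string"
+},
+{
+"name": "sid",
+"type": "string"
+},
+{
+"name": "counter",
+"type": "int"
+},
+{
+"name": "terminal_name",
+"type": "string"
+},
+{
+"name": "user_fullname",
+"type": "string"
+},
+{
+"name": "param_a",
+"type": "string"
+},
+{
+"name": "param_b",
+"type": "string"
+},
+{
+"name": "param_c",
+"type": "string"
+},
+{
+"name": "param_d",
+"type": "string"
+},
+{
+"name": "slgtc",
+"type": "string"
+},
+{
+"name": "slgrepna",
+"type": "string"
+},
+{
+"name": "rsau_text",
+"type": "string"
+},
+{
+"name": "UserID",
+"type": "string"
+},
+{
+"name": "useralias",
+"type": "string"
+},
+{
+"name": "email_adress",
+"type": "string"
+},
+{
+"name": "UserDescription",
+"type": "string"
+}
+]
+}
+},
+"destinations": {
+"logAnalytics": [
+{
+"workspaceResourceId": "{{workspaceResourceId}}",
+"name": "clv2ws1"
+}
+]
+},
+"dataFlows": [
+{
+"streams": [
+"Custom-S4PublicCloudAuditLog_CL"
+],
+"destinations": [
+"clv2ws1"
+],
+"transformKql": "source\n| extend TimeGenerated = now(), AgentId = \"S4-Public-Cloud\", ClientID = slgmand, Computer = terminal_name, Email = email_adress, MessageClass = eventID, MessageText = rsau_text, SystemID = sid, UpdatedOn = todatetime(log_tstmp), TransactionCode = slgtc, User = UserID, Variable1 = param_a, Variable2 = param_b, Variable3 = param_c, Variable4 = param_d\n| project TimeGenerated, AgentId, ClientID, Computer, Email, MessageClass, MessageText, SAL_DATE, SAL_TIME, SystemID, UpdatedOn, TransactionCode, User, Variable1, Variable2, Variable3, Variable4",
+"outputStream": "Microsoft-ABAPAuditLog"
+}
+]
+}
+}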
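Review bot: The transformKql in dataFlows projects `SAL_DATE` and `SAL_TIME`, but neither column is declared in the Custom-S4PublicCloudAuditLog_CL stream nor produced by the preceding extend, so the project clause references columns that do not exist in the transform's input; unless the Microsoft-ABAPAuditLog output schema supplies them in a way not visible here, I would expect the DCR to fail validation or at best emit empty columns, so either drop them from the project list or populate them in the extend from `log_tstmp`. Separately, `TimeGenerated = now()` stamps ingestion time rather than the event time already carried in `log_tstmp`, which shifts audit events in time-windowed detections and makes backfill or delayed polls look like fresh activity; if the SAP timestamp is reliable, `TimeGenerated = todatetime(log_tstmp)` (within the ingestion pipeline's limits on how far back TimeGenerated may lie) keeps detections aligned with when the event actually happened, with `UpdatedOn` left as is. Note also that `log_tstmp` is already declared as datetime, so the `todatetime()` wrapper is redundant but harmless.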
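--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE_pollingConfig.json
@@ -0,0 +1,49 @@
+{
+"name": "SAPS4PublicAlertsPolling",
+"apiVersion": "2023-02-01-preview",
+"type": "Microsoft.SecurityInsights/dataConnectors",
+"location": "{{location}}",
+"kind": "RestApiPoller",
+"properties": {
+"connectorDefinitionName": "SAPS4PublicAlerts",
+"dataType": "S4PublicCloudAuditLog_CL",
+"dcrConfig": {
+"dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+"dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}",
+"streamName": "Custom-S4PublicCloudAuditLog_CL"
+},
+"addOnAttributes": {
+"S4HANACloudHost": "[[parameters('s4hanaHost')]"
+},
+"auth": {
+"type": "Basic",
+"userName": "{{username}}",
+"password": "{{password}}"
+},
+"request": {
+"apiEndpoint": "[[concat(parameters('s4hanaHost'), '/sap/opu/odata4/sap/rsau_log_api/srvd_a2x/sap/rsau_log_api/0001/SecurityAuditLog')]",
+"queryWindowInMin": 1,
+"httpMethod": "Get",
+"retryCount": 3,
+"timeoutInSeconds": 60,
+"queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+"queryParameters": {
+"$filter": "log_tstmp gt {_QueryWindowStartTime} and log_tstmp le {_QueryWindowEndTime}"
+},
+"headers": {
+"Accept": "application/json;odata.metadata=minimal;charset=utf-8",
+"User-Agent": "Scuba"
+}
+},
+"response": {
+"eventsJsonPaths": [
+"$.value"
+],
+"format": "json"
+},
+"paging": {
+"pagingType": "LinkHeader",
+"linkHeaderTokenJsonPath": "$.['@odata.nextLink']"
+}
+}
+}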
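Review bot: `request.apiEndpoint` concatenates the user-entered `s4hanaHost` with the OData path and the poller then presents Basic credentials to whatever that resolves to, but nothing in this file or in the definition's Textbox (`"type": "text"`, a placeholder only) constrains the value to an `https://` URL, so a mistyped scheme or host would send the password in clear or to the wrong endpoint; I would document the `https://` requirement next to the textbox and, if the poller framework supports it, validate the scheme before building the endpoint. The `$filter` uses `gt` on the window start and `le` on the window end, which gives non-overlapping, gap-free windows, which is good, but it relies on `log_tstmp` being indexed server-side; with `queryWindowInMin: 1` that is one authenticated request per minute per tenant plus paging, worth noting in the connector description. The `User-Agent: Scuba` header is opaque; a product-identifying value would let SAP-side access logs attribute this traffic to the Sentinel poller, which helps when triaging unexpected reads of the Security Audit Log API.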
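--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE_connectorDefinition.json
@@ -0,0 +1,148 @@
+{
+"name": "SAPS4PublicAlerts",
+"apiVersion": "2025-06-01",
+"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+"location": "{{location}}",
+"kind": "Customizable",
+"properties": {
+"connectorUiConfig": {
+"id": "SAPS4PublicAlerts",
+"title": "SAP S/4HANA Cloud Public Edition",
+"logo": "SapLogo.svg",
+"publisher": "SAP",
+"descriptionMarkdown": "The SAP S/4HANA Cloud Public Edition data connector enables ingestion of SAP's security audit log into the Microsoft Sentinel Solution for SAP, supporting cross-correlation, alerting, and threat hunting. Looking for alternative authentication mechanisms? See [here](https://github.com/Azure-Samples/Sentinel-For-SAP-Community/tree/main/integration-artifacts).",
+"graphQueriesTableName": "ABAPAuditLog",
+"graphQueries": [
+{
+"metricName": "Total events received",
+"legend": "SAP SAL Events",
+"baseQuery": "{{graphQueriesTableName}}"
+}
+],
+"sampleQueries": [
+{
+"description": "Get Sample of SAP SAL Events",
+"query": "{{graphQueriesTableName}}\n | take 10"
+}
+],
+"dataTypes": [
+{
+"name": "{{graphQueriesTableName}}",
+"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+}
+],
+"connectivityCriteria": [
+{
+"type": "HasDataConnectors"
+}
+],
+"availability": {
+"isPreview": true
+},
+"permissions": {
+"resourceProvider": [
+{
+"provider": "Microsoft.OperationalInsights/workspaces",
+"permissionsDisplayText": "Read and Write permissions are required.",
+"providerDisplayName": "Workspace",
+"scope": "Workspace",
+"requiredPermissions": {
+"write": true,
+"read": true,
+"delete": true
+}
+},
+{
+"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+"permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+"providerDisplayName": "Keys",
+"scope": "Workspace",
+"requiredPermissions": {
+"action": true
+}
+}
+],
+"customs": [
+{
+"name": "Client Id and Client Secret for Audit Retrieval API",
+"description": "Enable API access in BTP."
+}
+]
+},
+"instructionSteps": [
+{
+"description": "**Step 1 - Configuration steps for SAP S/4HANA Cloud Public Edition**\n\nTo connect to SAP S/4HANA Cloud Public Edition, you will need:\n\n1. **SAP S/4HANA Cloud Public Edition tenant API URL**\n2. **Valid username and password** for your SAP S/4HANA Cloud system\n3. **Appropriate authorizations** to access audit log data via OData services\n\nEnsure that your SAP S/4HANA Cloud Public Edition system has the necessary OData services enabled for audit log retrieval and that your user account has the required permissions to access security audit logs.\n\n>**NOTE:** Basic authentication must be enabled in your SAP S/4HANA Cloud Public Edition system for this data connector to work properly."
+},
+{
+"description": "Connect using Basic authentication",
+"title": "Connect events from SAP S/4HANA Cloud Public Edition to Microsoft Sentinel Solution for SAP",
+"instructions": [
+{
+"type": "ContextPane",
+"parameters": {
+"contextPaneType": "DataConnectorsContextPane",
+"label": "Add account",
+"isPrimary": true,
+"title": "S/4HANA Cloud Public Edition connection",
+"instructionSteps": [
+{
+"title": "Account Details",
+"instructions": [
+{
+"type": "Textbox",
+"parameters": {
+"label": "Username",
+"placeholder": "Enter your SAP S/4HANA Cloud username",
+"type": "text",
+"name": "username"
+}
+},
+{
+"type": "Textbox",
+"parameters": {
+"label": "Password",
+"placeholder": "Enter your SAP S/4HANA Cloud password",
+"type": "password",
+"name": "password"
+}
+},
+{
+"type": "Textbox",
+"parameters": {
+"label": "SAP S/4HANA Cloud API URL",
+"placeholder": "https://my123456-api.s4hana.cloud.sap",
+"type": "text",
+"name": "s4hanaHost"
+}
+}
+]
+}
+]
+}
+}
+]
+},
+{
+"title": "S/4HANA Cloud Public Edition connections",
+"description": "Each row represents a connected S/4HANA Cloud Public Edition system",
+"instructions": [
+{
+"type": "DataConnectorsGrid",
+"parameters": {
+"mapping": [
+{
+"columnName": "S/4HANA Cloud API endpoint",
+"columnValue": "properties.request.apiEndpoint"
+}
+],
+"menuItems": [
+"DeleteConnector"
+]
+}
+}
+]
+}
+]
+}
+}
+}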
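Review bot: The `permissions.customs` entry (`"Client Id and Client Secret for Audit Retrieval API"` / `"Enable API access in BTP."`) does not describe what this connector actually uses: the ContextPane collects `username`/`password`, the instruction text says Basic authentication must be enabled, and the poller config in this PR is `"type": "Basic"`, so the prerequisite shown to the operator points them at the wrong credential type and platform; I would replace it with something like `"name": "SAP S/4HANA Cloud communication user (Basic authentication)"`, `"description": "A user authorized to read the Security Audit Log through the rsau_log_api OData service."`. The workspace entry's `permissionsDisplayText` says "Read and Write permissions are required" while `requiredPermissions` also sets `"delete": true`, so either the text or the flag should change. The `sharedKeys` action permission is also requested even though ingestion here goes through a DCE/DCR (`dcrConfig` in the poller) rather than the legacy shared-key API; if it is not actually needed it should be dropped, since it asks the operator for broader access than the DCR route requires. Finally, the `s4hanaHost` textbox has only a placeholder; stating in its label that an `https://` URL is expected would prevent credentials being sent over plain HTTP by a typo.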
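--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE_solutionMetadata.json
@@ -0,0 +1,24 @@
+{
+"Name": "SAP S4 Cloud Public Edition",
+"Author": "SAP",
+"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/SAPBTP.svg\" width=\"75px\" height=\"75px\">",
+"Description": "SAP S/4HANA Cloud is a next-generation enterprise resource planning (ERP) suite designed to help businesses run more efficiently and effectively.\n\nThe SAP S/4HANA Cloud Public Edition add-on for the Microsoft Sentinel Solution for SAP will collect logs from the SAP S/4HANA Cloud security audit log, detect threats, suspicious activities, illegitimate activities, and more. Find additional details here: https://learn.microsoft.com/azure/sentinel/sap/solution-partner-overview.\n\nLooking for alternative authentication mechanisms? See [here](https://github.com/Azure-Samples/Sentinel-For-SAP-Community/tree/main/integration-artifacts). ",
+"WorkbookDescription": [],
+"Workbooks": [],
+"Analytic Rules": [],
+"Playbooks": [],
+"PlaybookDescription": [],
+"Parsers": [],
+"SavedSearches": [],
+"Hunting Queries": [],
+"Data Connectors": [
+"/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_connectorDefinition.json"
+],
+"Watchlists": [],
+"WatchlistDescription": [],
+"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SAP S4 Cloud Public Edition",
+"Version": "3.0.0",
+"Metadata": "SolutionMetadata.json",
+"TemplateSpec": true,
+"Is1PConnector": false
+}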
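Review bot: `Logo` points at `SAPBTP.svg` while the connector definition in this PR uses `SapLogo.svg`, so the solution tile and the connector blade will show different branding for the same product; confirm which asset is intended and use it in both places. The `Description` value ends with a trailing space after the closing link, which renders as stray whitespace in the marketplace text and should be trimmed. `Name` (`SAP S4 Cloud Public Edition`) also differs from the connector `title` (`SAP S/4HANA Cloud Public Edition`); aligning the product name makes the solution easier to find.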
Binary file not shown.