Contrast-Security-OSS
diff --git a/‎Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_DCR.json‎
Lines changed: 107 additions & 0 deletions b/‎Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_DCR.json‎
Lines changed: 107 additions & 0 deletions
diff --git a/‎Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_PollingConfig.json‎
Lines changed: 49 additions & 0 deletions b/‎Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_PollingConfig.json‎
Lines changed: 49 additions & 0 deletions
diff --git a/‎Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_connectorDefinition.json‎
Lines changed: 148 additions & 0 deletions b/‎Solutions/SAP S4 Cloud Public Edition/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_connectorDefinition.json‎
Lines changed: 148 additions & 0 deletions
diff --git a/‎Solutions/SAP S4 Cloud Public Edition/Data/Solution_SAPS4Public.json‎
Lines changed: 24 additions & 0 deletions b/‎Solutions/SAP S4 Cloud Public Edition/Data/Solution_SAPS4Public.json‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎Solutions/SAP S4 Cloud Public Edition/Package/3.0.0.zip‎
7.33 KB b/‎Solutions/SAP S4 Cloud Public Edition/Package/3.0.0.zip‎
7.33 KB
@@ -0,0 +1,107 @@
+{
+    "name": "SAPS4PublicDCR",
+    "apiVersion": "2022-06-01",
+    "type": "Microsoft.Insights/dataCollectionRules",
+    "location": "{{location}}",
+    "properties": {
+      "dataCollectionEndpointId": "{{dataCollectionEndpointId}}",
+      "streamDeclarations": {
+        "Custom-S4PublicCloudAuditLog_CL": {
+          "columns": [
+            {
+              "name": "eventID",
+              "type": "string"
+            },
+            {
+              "name": "log_tstmp",
+              "type": "datetime"
+            },
+            {
+              "name": "slgmand",
+              "type": "string"
+            },
+            {
+              "name": "sid",
+              "type": "string"
+            },
+            {
+              "name": "counter",
+              "type": "int"
+            },
+            {
+              "name": "terminal_name",
+              "type": "string"
+            },
+            {
+              "name": "user_fullname",
+              "type": "string"
+            },
+            {
+              "name": "param_a",
+              "type": "string"
+            },
+            {
+              "name": "param_b",
+              "type": "string"
+            },
+            {
+              "name": "param_c",
+              "type": "string"
+            },
+            {
+              "name": "param_d",
+              "type": "string"
+            },
+            {
+              "name": "slgtc",
+              "type": "string"
+            },
+            {
+              "name": "slgrepna",
+              "type": "string"
+            },
+            {
+              "name": "rsau_text",
+              "type": "string"
+            },
+            {
+              "name": "UserID",
+              "type": "string"
+            },
+            {
+              "name": "useralias",
+              "type": "string"
+            },
+            {
+              "name": "email_adress",
+              "type": "string"
+            },
+            {
+              "name": "UserDescription",
+              "type": "string"
+            }
+          ]
+        }
+      },
+      "destinations": {
+        "logAnalytics": [
+          {
+            "workspaceResourceId": "{{workspaceResourceId}}",
+            "name": "clv2ws1"
+          }
+        ]
+      },
+      "dataFlows": [
+        {
+          "streams": [
+            "Custom-S4PublicCloudAuditLog_CL"
+          ],
+          "destinations": [
+            "clv2ws1"
+          ],
+          "transformKql": "source\n| extend TimeGenerated = now(), AgentId = \"S4-Public-Cloud\", ClientID = slgmand, Computer = terminal_name, Email = email_adress, MessageClass = eventID, MessageText = rsau_text, SystemID = sid, UpdatedOn = todatetime(log_tstmp), TransactionCode = slgtc, User = UserID, Variable1 = param_a, Variable2 = param_b, Variable3 = param_c, Variable4 = param_d\n| project TimeGenerated, AgentId, ClientID, Computer, Email, MessageClass, MessageText, SAL_DATE, SAL_TIME, SystemID, UpdatedOn, TransactionCode, User, Variable1, Variable2, Variable3, Variable4",
+          "outputStream": "Microsoft-ABAPAuditLog"
+        }
+      ]
+    }
+}
@@ -0,0 +1,49 @@
+{
+    "name": "SAPS4PublicAlertsPolling",
+    "apiVersion": "2023-02-01-preview",
+    "type": "Microsoft.SecurityInsights/dataConnectors",
+    "location": "{{location}}",
+    "kind": "RestApiPoller",
+    "properties": {
+      "connectorDefinitionName": "SAPS4PublicAlerts",
+      "dataType": "S4PublicCloudAuditLog_CL",
+      "dcrConfig": {
+        "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+        "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}",
+        "streamName": "Custom-S4PublicCloudAuditLog_CL"
+      },
+      "addOnAttributes": {
+        "S4HANACloudHost": "[[parameters('s4hanaHost')]"
+      },
+      "auth": {
+        "type": "Basic",
+        "userName": "{{username}}",
+        "password": "{{password}}"
+      },
+      "request": {
+        "apiEndpoint": "[[concat(parameters('s4hanaHost'), '/sap/opu/odata4/sap/rsau_log_api/srvd_a2x/sap/rsau_log_api/0001/SecurityAuditLog')]",
+        "queryWindowInMin": 1,
+        "httpMethod": "Get",
+        "retryCount": 3,
+        "timeoutInSeconds": 60,
+        "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+        "queryParameters": {
+          "$filter": "log_tstmp gt {_QueryWindowStartTime} and log_tstmp le {_QueryWindowEndTime}"
+        },
+        "headers": {
+          "Accept": "application/json;odata.metadata=minimal;charset=utf-8",
+          "User-Agent": "Scuba"
+        }
+      },
+      "response": {
+        "eventsJsonPaths": [
+          "$.value"
+        ],
+        "format": "json"
+      },
+      "paging": {
+        "pagingType": "LinkHeader",
+        "linkHeaderTokenJsonPath": "$.['@odata.nextLink']"
+      }
+    }
+}
@@ -0,0 +1,148 @@
+{
+    "name": "SAPS4PublicAlerts",
+    "apiVersion": "2025-06-01",
+    "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+    "location": "{{location}}",
+    "kind": "Customizable",
+    "properties": {
+      "connectorUiConfig": {
+        "id": "SAPS4PublicAlerts",
+        "title": "SAP S/4HANA Cloud Public Edition",
+        "logo": "SapLogo.svg",
+        "publisher": "SAP",
+        "descriptionMarkdown": "The SAP S/4HANA Cloud Public Edition data connector enables ingestion of SAP's security audit log into the Microsoft Sentinel Solution for SAP, supporting cross-correlation, alerting, and threat hunting. Looking for alternative authentication mechanisms? See [here](https://github.com/Azure-Samples/Sentinel-For-SAP-Community/tree/main/integration-artifacts).",
+        "graphQueriesTableName": "ABAPAuditLog",
+        "graphQueries": [
+          {
+            "metricName": "Total events received",
+            "legend": "SAP SAL Events",
+            "baseQuery": "{{graphQueriesTableName}}"
+          }
+        ],
+        "sampleQueries": [
+          {
+            "description": "Get Sample of SAP SAL Events",
+            "query": "{{graphQueriesTableName}}\n | take 10"
+          }
+        ],
+        "dataTypes": [
+          {
+            "name": "{{graphQueriesTableName}}",
+            "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+          }
+        ],
+        "connectivityCriteria": [
+          {
+            "type": "HasDataConnectors"
+          }
+        ],
+        "availability": {
+          "isPreview": true
+        },
+        "permissions": {
+          "resourceProvider": [
+            {
+              "provider": "Microsoft.OperationalInsights/workspaces",
+              "permissionsDisplayText": "Read and Write permissions are required.",
+              "providerDisplayName": "Workspace",
+              "scope": "Workspace",
+              "requiredPermissions": {
+                "write": true,
+                "read": true,
+                "delete": true
+              }
+            },
+            {
+              "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+              "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+              "providerDisplayName": "Keys",
+              "scope": "Workspace",
+              "requiredPermissions": {
+                "action": true
+              }
+            }
+          ],
+          "customs": [
+            {
+                "name": "Client Id and Client Secret for Audit Retrieval API",
+                "description": "Enable API access in BTP."
+            }
+          ]
+        },
+        "instructionSteps": [
+          {
+            "description": "**Step 1 - Configuration steps for SAP S/4HANA Cloud Public Edition**\n\nTo connect to SAP S/4HANA Cloud Public Edition, you will need:\n\n1. **SAP S/4HANA Cloud Public Edition tenant API URL**\n2. **Valid username and password** for your SAP S/4HANA Cloud system\n3. **Appropriate authorizations** to access audit log data via OData services\n\nEnsure that your SAP S/4HANA Cloud Public Edition system has the necessary OData services enabled for audit log retrieval and that your user account has the required permissions to access security audit logs.\n\n>**NOTE:** Basic authentication must be enabled in your SAP S/4HANA Cloud Public Edition system for this data connector to work properly."
+          },
+          {
+            "description": "Connect using Basic authentication",
+            "title": "Connect events from SAP S/4HANA Cloud Public Edition to Microsoft Sentinel Solution for SAP",
+            "instructions": [
+              {
+                "type": "ContextPane",
+                "parameters": {
+                  "contextPaneType": "DataConnectorsContextPane",
+                  "label": "Add account",
+                  "isPrimary": true,
+                  "title": "S/4HANA Cloud Public Edition connection",
+                  "instructionSteps": [
+                    {
+                      "title": "Account Details",
+                      "instructions": [
+                        {
+                          "type": "Textbox",
+                          "parameters": {
+                            "label": "Username",
+                            "placeholder": "Enter your SAP S/4HANA Cloud username",
+                            "type": "text",
+                            "name": "username"
+                          }
+                        },
+                        {
+                          "type": "Textbox",
+                          "parameters": {
+                            "label": "Password",
+                            "placeholder": "Enter your SAP S/4HANA Cloud password",
+                            "type": "password",
+                            "name": "password"
+                          }
+                        },
+                        {
+                          "type": "Textbox",
+                          "parameters": {
+                            "label": "SAP S/4HANA Cloud API URL",
+                            "placeholder": "https://my123456-api.s4hana.cloud.sap",
+                            "type": "text",
+                            "name": "s4hanaHost"
+                          }
+                        }
+                      ]
+                    }
+                  ]
+                }
+              }
+            ]
+          },
+          {
+            "title": "S/4HANA Cloud Public Edition connections",
+            "description": "Each row represents a connected S/4HANA Cloud Public Edition system",
+            "instructions": [
+              {
+                "type": "DataConnectorsGrid",
+                "parameters": {
+                  "mapping": [
+                    {
+                      "columnName": "S/4HANA Cloud API endpoint",
+                      "columnValue": "properties.request.apiEndpoint"
+                    }
+                  ],
+                  "menuItems": [
+                    "DeleteConnector"
+                  ]
+                }
+              }
+            ]
+          }
+        ]
+      }
+    }
+}
@@ -0,0 +1,24 @@
+{
+    "Name": "SAP S4 Cloud Public Edition",
+    "Author": "SAP",
+    "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/SAPBTP.svg\" width=\"75px\" height=\"75px\">",
+    "Description": "SAP S/4HANA Cloud is a next-generation enterprise resource planning (ERP) suite designed to help businesses run more efficiently and effectively.\n\nThe SAP S/4HANA Cloud Public Edition add-on for the Microsoft Sentinel Solution for SAP will collect logs from the SAP S/4HANA Cloud security audit log, detect threats, suspicious activities, illegitimate activities, and more. Find additional details here: https://learn.microsoft.com/azure/sentinel/sap/solution-partner-overview.\n\nLooking for alternative authentication mechanisms? See [here](https://github.com/Azure-Samples/Sentinel-For-SAP-Community/tree/main/integration-artifacts). ",
+    "WorkbookDescription": [],
+    "Workbooks": [],
+    "Analytic Rules": [],
+    "Playbooks": [],
+    "PlaybookDescription": [],
+    "Parsers": [],
+    "SavedSearches": [],
+    "Hunting Queries": [],
+    "Data Connectors": [
+        "/Data Connectors/SAPS4PublicPollerConnector/SAPS4Public_connectorDefinition.json"
+    ],
+    "Watchlists": [],
+    "WatchlistDescription": [],
+    "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SAP S4 Cloud Public Edition",
+    "Version": "3.0.0",
+    "Metadata": "SolutionMetadata.json",
+    "TemplateSpec": true,
+    "Is1PConnector": false
+}