Merge pull request #222741 from limwainstein/sap-profiles-page

Stacyrch140 · web-flow · commit 1b73e223925b · 2023-01-09T14:21:25.000-05:00
Adding new page on SAP ingestion profiles
diff --git a/articles/sentinel/TOC.yml b/articles/sentinel/TOC.yml
@@ -486,7 +486,9 @@
       - name: Deploy SAP connector manually
         href: sap/sap-solution-deploy-alternate.md
       - name: Configure SAP audit log monitoring rules
-        href: sap/configure-audit-log-rules.md 
+        href: sap/configure-audit-log-rules.md
+      - name: Select SAP ingestion profile
+        href: sap/select-ingestion-profiles.md 
 - name: Troubleshoot
   items:
   - name: Troubleshoot CEF/Syslog data collection
diff --git a/articles/sentinel/sap/deploy-sap-security-content.md b/articles/sentinel/sap/deploy-sap-security-content.md
@@ -30,7 +30,7 @@ Track your SAP solution deployment journey through this series of articles:
 1. Optional deployment steps
    - [Configure auditing](configure-audit.md)
    - [Configure data connector to use SNC](configure-snc.md)
-
+   - [Select SAP ingestion profiles](select-ingestion-profiles.md)
 
 ## Deploy SAP security content
 
diff --git a/articles/sentinel/sap/deployment-overview.md b/articles/sentinel/sap/deployment-overview.md
@@ -46,7 +46,7 @@ Follow your deployment journey through this series of articles, in which you'll
 | **4. Deploy data connector agent** | [Deploy and configure the container hosting the data connector agent](deploy-data-connector-agent-container.md) |
 | **5. Deploy SAP security content** | [Deploy SAP security content](deploy-sap-security-content.md)
 | **6. Microsoft Sentinel Solution for SAP** | [Configure Microsoft Sentinel Solution for SAP](deployment-solution-configuration.md) |
-| **7. Optional steps** | - [Configure auditing](configure-audit.md)<br>- [Configure Microsoft Sentinel for SAP data connector to use SNC](configure-snc.md)<br>- [Configure audit log monitoring rules](configure-audit-log-rules.md)
+| **7. Optional steps** | - [Configure auditing](configure-audit.md)<br>- [Configure Microsoft Sentinel for SAP data connector to use SNC](configure-snc.md)<br>- [Configure audit log monitoring rules](configure-audit-log-rules.md)<br>- [Select SAP ingestion profiles](select-ingestion-profiles.md) |
 
 ## Next steps
 
diff --git a/articles/sentinel/sap/deployment-solution-configuration.md b/articles/sentinel/sap/deployment-solution-configuration.md
@@ -38,6 +38,7 @@ Track your SAP solution deployment journey through this series of articles:
 1. Optional deployment steps
    - [Configure auditing](configure-audit.md)
    - [Configure data connector to use SNC](configure-snc.md)
+   - [Select SAP ingestion profiles](select-ingestion-profiles.md)
 
 ## Configure watchlists
 
diff --git a/articles/sentinel/sap/preparing-sap.md b/articles/sentinel/sap/preparing-sap.md
@@ -21,7 +21,7 @@ This article discusses the installation of the following CRs:
 
 |CR |Required/optional |Description |
 |---------|---------|---------|
-|NPLK900271 |Required |This CR creates and configures a role. Alternatively, you can can load the authorizations directly from a file. [Review how to create and configure a role](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#create-and-configure-a-role-required).  |
+|NPLK900271 |Required |This CR creates and configures a role. Alternatively, you can load the authorizations directly from a file. [Review how to create and configure a role](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#create-and-configure-a-role-required).  |
 |NPLK900201 or NPLK900202 |Optional |[Retrieves additional information from SAP](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#retrieve-additional-information-from-sap-optional). You select one of these CRs according to your SAP version. |
 
 ## Prerequisites
@@ -56,6 +56,7 @@ Track your SAP solution deployment journey through this series of articles:
 1. Optional deployment steps
    - [Configure auditing](configure-audit.md)
    - [Configure data connector to use SNC](configure-snc.md)
+   - [Select SAP ingestion profiles](select-ingestion-profiles.md)
 
 To deploy the CRs, follow the steps outlined below. The steps below may differ according to the version of the SAP system and should be considered for demonstration purposes only.
 
diff --git a/articles/sentinel/sap/prerequisites-for-deploying-sap-continuous-threat-monitoring.md b/articles/sentinel/sap/prerequisites-for-deploying-sap-continuous-threat-monitoring.md
@@ -29,6 +29,7 @@ Track your SAP solution deployment journey through this series of articles:
 1. Optional deployment steps
    - [Configure auditing](configure-audit.md)
    - [Configure data connector to use SNC](configure-snc.md)
+   - [Select SAP ingestion profiles](select-ingestion-profiles.md)
 
 ## Table of prerequisites
 
diff --git a/articles/sentinel/sap/select-ingestion-profiles.md b/articles/sentinel/sap/select-ingestion-profiles.md
@@ -0,0 +1,210 @@
+---
+title: Select the SAP ingestion profile for your Microsoft Sentinel for SAP solution
+description: This article shows you how to select the profile for your Microsoft Sentinel for SAP solution.
+author: kobymon
+ms.author: kobymin
+ms.topic: how-to
+ms.date: 01/03/2023
+---
+
+# Select SAP ingestion profile
+
+This article explains how to select the profile for your SAP solution. We recommend that you select an ingestion profile that maximizes your security coverage while meeting your budget requirements. 
+
+Because SAP is a business application, and business processes tend to be seasonal, it may be difficult to predict the overall volume of logs over time. To address this issue, we recommend that you keep all logs on for two weeks, and learn from the observed activity. This learning can later be revised during business activity peaks, or major landscape transformations. 
+
+The following sections show typical customer configuration profiles for SAP log ingestion.
+
+### Default profile (recommended)
+
+This profile includes complete coverage for:
+
+- Built-in analytics
+- The SAP user authorization master data tables, with users and privilege information
+- The ability to track changes and activities on the SAP landscape. This profile provides more logging information to allow for post-breach investigations and extended hunting abilities.
+
+### systemconfig.ini file
+
+```
+[Logs Activation Status]
+# ABAP RFC Logs - Retrieved by using RFC interface
+ABAPAuditLog = True
+ABAPJobLog = True
+ABAPSpoolLog = True
+ABAPSpoolOutputLog = True
+ABAPChangeDocsLog = True
+ABAPAppLog = True
+ABAPWorkflowLog = True
+ABAPCRLog = True
+ABAPTableDataLog = False
+# ABAP SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
+ABAPFilesLogs = False
+SysLog = False
+ICM = False
+WP = False
+GW = False
+# Java SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
+JAVAFilesLogs = False
+[ABAP Table Selector]
+AGR_TCODES_FULL = True
+USR01_FULL = True
+USR02_FULL = True
+USR02_INCREMENTAL = True
+AGR_1251_FULL = True
+AGR_USERS_FULL = True
+AGR_USERS_INCREMENTAL = True
+AGR_PROF_FULL = True
+UST04_FULL = True
+USR21_FULL = True
+ADR6_FULL = True
+ADCP_FULL = True
+USR05_FULL = True
+USGRP_USER_FULL = True
+USER_ADDR_FULL = True
+DEVACCESS_FULL = True
+AGR_DEFINE_FULL = True
+AGR_DEFINE_INCREMENTAL = True
+PAHI_FULL = True
+AGR_AGRS_FULL = True
+USRSTAMP_FULL = True
+USRSTAMP_INCREMENTAL = True
+AGR_FLAGS_FULL = True
+AGR_FLAGS_INCREMENTAL = True
+SNCSYSACL_FULL = False
+USRACL_FULL = False
+```
+
+## Detection focused profile
+
+This profile includes the core security logs of the SAP landscape required for the most of the analytics rules to perform well. Post-breach investigations and hunting capabilities are limited.
+
+### systemconfig.ini file
+
+```
+[Logs Activation Status]
+# ABAP RFC Logs - Retrieved by using RFC interface
+ABAPAuditLog = True
+ABAPJobLog = False
+ABAPSpoolLog = False
+ABAPSpoolOutputLog = False
+ABAPChangeDocsLog = True
+ABAPAppLog = False
+ABAPWorkflowLog = False
+ABAPCRLog = True
+ABAPTableDataLog = False
+# ABAP SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
+ABAPFilesLogs = False
+SysLog = False
+ICM = False
+WP = False
+GW = False
+# Java SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
+JAVAFilesLogs = False
+[ABAP Table Selector]
+AGR_TCODES_FULL = True
+USR01_FULL = True
+USR02_FULL = True
+USR02_INCREMENTAL = True
+AGR_1251_FULL = True
+AGR_USERS_FULL = True
+AGR_USERS_INCREMENTAL = True
+AGR_PROF_FULL = True
+UST04_FULL = True
+USR21_FULL = True
+ADR6_FULL = True
+ADCP_FULL = True
+USR05_FULL = True
+USGRP_USER_FULL = True
+USER_ADDR_FULL = True
+DEVACCESS_FULL = True
+AGR_DEFINE_FULL = True
+AGR_DEFINE_INCREMENTAL = True
+PAHI_FULL = False
+AGR_AGRS_FULL = True
+USRSTAMP_FULL = True
+USRSTAMP_INCREMENTAL = True
+AGR_FLAGS_FULL = True
+AGR_FLAGS_INCREMENTAL = True
+SNCSYSACL_FULL = False
+USRACL_FULL = False
+```
+## Minimal profile
+
+The SAP Security Audit Log is the most important source of data the Microsoft Sentinel Solution for SAP uses to analyze activities on the SAP landscape. Enabling this log is the minimal requirement to provide any security coverage.  
+
+### systemconfig.ini file
+
+```
+[Logs Activation Status]
+# ABAP RFC Logs - Retrieved by using RFC interface
+ABAPAuditLog = True
+ABAPJobLog = False
+ABAPSpoolLog = False
+ABAPSpoolOutputLog = False
+ABAPChangeDocsLog = False
+ABAPAppLog = False
+ABAPWorkflowLog = False
+ABAPCRLog = False
+ABAPTableDataLog = False
+# ABAP SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
+ABAPFilesLogs = False
+SysLog = False
+ICM = False
+WP = False
+GW = False
+# Java SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
+JAVAFilesLogs = False
+[ABAP Table Selector]
+AGR_TCODES_FULL = False
+USR01_FULL = False
+USR02_FULL = False
+USR02_INCREMENTAL = False
+AGR_1251_FULL = False
+AGR_USERS_FULL = False
+AGR_USERS_INCREMENTAL = False
+AGR_PROF_FULL = False
+UST04_FULL = False
+USR21_FULL = False
+ADR6_FULL = False
+ADCP_FULL = False
+USR05_FULL = False
+USGRP_USER_FULL = False
+USER_ADDR_FULL = False
+DEVACCESS_FULL = False
+AGR_DEFINE_FULL = False
+AGR_DEFINE_INCREMENTAL = False
+PAHI_FULL = False
+AGR_AGRS_FULL = False
+USRSTAMP_FULL = False
+USRSTAMP_INCREMENTAL = False
+AGR_FLAGS_FULL = False
+AGR_FLAGS_INCREMENTAL = False
+SNCSYSACL_FULL = False
+USRACL_FULL = False
+```
+## Next steps
+
+Learn more about the Microsoft Sentinel Solution for SAP:
+
+- [Deploy Microsoft Sentinel Solution for SAP](deployment-overview.md)
+- [Prerequisites for deploying Microsoft Sentinel Solution for SAP](prerequisites-for-deploying-sap-continuous-threat-monitoring.md)
+- [Deploy SAP Change Requests (CRs) and configure authorization](preparing-sap.md)
+- [Deploy and configure the container hosting the SAP data connector agent](deploy-data-connector-agent-container.md)
+- [Deploy SAP security content](deploy-sap-security-content.md)
+- [Deploy the Microsoft Sentinel for SAP data connector with SNC](configure-snc.md)
+- [Enable and configure SAP auditing](configure-audit.md)
+- [Collect SAP HANA audit logs](collect-sap-hana-audit-logs.md)
+
+Troubleshooting:
+
+- [Troubleshoot your Microsoft Sentinel Solution for SAP solution deployment](sap-deploy-troubleshoot.md)
+- [Configure SAP Transport Management System](configure-transport.md)
+
+Reference files:
+
+- [Microsoft Sentinel Solution for SAP data reference](sap-solution-log-reference.md)
+- [Microsoft Sentinel Solution for SAP: security content reference](sap-solution-security-content.md)
+- [Update script reference](reference-update.md)
+- [Systemconfig.ini file reference](reference-systemconfig.md)
+
+For more information, see [Microsoft Sentinel solutions](../sentinel-solutions.md).
