Merge pull request #295205 from batamig/agentless-keyvalue

SAP Agentless keyvalue + public preview

Author: JamesJBarnett

articles/sentinel/TOC.yml

@@ -156,17 +156,17 @@
           - name: Connect your SAP system
             displayName: disable, stop ingestion, stop 
             href: sap/deploy-data-connector-agent-container.md
-          - name: Troubleshoot SAP data connector agent
+          - name: Troubleshoot SAP data connector
             href: sap/sap-deploy-troubleshoot.md    
           - name: Extra deployment steps
             items:
             - name: Collect SAP HANA audit logs
               href: sap/collect-sap-hana-audit-logs.md
             - name: Update the data connector agent
               href: sap/update-sap-data-connector.md      
-            - name: Deploy from the command line
+            - name: Deploy the agent from the command line
               href: sap/deploy-command-line.md
-            - name: Deploy with expert options
+            - name: Deploy the agent with expert options
               href: sap/sap-solution-deploy-alternate.md
           - name: SAP deployment reference (advanced)
             items:

articles/sentinel/feature-availability.md

@@ -161,7 +161,7 @@ For more information, see [Microsoft Defender XDR for US Government customers](/
 |Feature  |Feature stage |Azure commercial  |Azure Government |Azure China 21Vianet  |
 |---------|---------|---------|---------|---------|
 |[Threat protection for SAP](sap/deployment-overview.md)</sup> |GA |&#x2705;|&#x2705; |&#x2705; |
-|[Agentless data connector](sap/deployment-overview.md#data-connector) | Limited preview | &#x2705; |&#10060; | &#10060;|
+|[Agentless data connector](sap/deployment-overview.md#data-connector) | Public preview | &#x2705; |&#10060; | &#10060;|
 
 ## Threat intelligence support		
 

articles/sentinel/includes/sap-agentless-prerequisites.md

@@ -0,0 +1,40 @@
+---
+title: SAP agentless data connector prerequisites checker
+ms.date: 03/13/2025
+ms.topic: include
+---
+
+<!-- docutune:disable -->
+
+**To run the tool**:
+
+1. Open the integration package, navigate to the artifacts tab, and select the **Prerequisite checker** iflow > **Configure**.
+1. Set the target RFC destination to the SAP system you want to check.
+1. Deploy the iflow as you would otherwise for your SAP systems. For example, use the following sample PowerShell script, modifying the sample placeholder values for your environment:
+
+    ```powershell
+    $cpiEndpoint = "https://my-cpi-uri.it-cpi012-rt.cfapps.eu01-010.hana.ondemand.com" # CPI endpoint URL
+    $credentialsUrl = "https://my-uaa-uri.authentication.eu01.hana.ondemand.com/oauth/token" # SAP authorization server URL
+    $serviceKey = 'sb-12324cd-a1b2-5678-a1b2-1234cd5678ef!g9123|it-rt-my-cpi!h45678' # Process Integration Runtime Service client ID
+    $serviceSecret = '< client secret >' # Your Process Integration Runtime service secret (make sure to use single quotes)
+
+    $credentials = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$serviceKey`:$serviceSecret"))
+    $headers = @{
+        "Authorization" = "Basic $credentials"
+        "Content-Type"  = "application/json"
+    }
+    $authResponse = Invoke-WebRequest -Uri $credentialsUrl"?grant_type=client_credentials" `
+        -Method Post `
+        -Headers $headers
+    $token = ($authResponse.Content | ConvertFrom-Json).access_token
+    $path = "/http/checkSAP"
+    $param = "?startTimeUTC=$((Get-Date).AddMinutes(-1).ToString("yyyy-MM-ddTHH:mm:ss"))&endTimeUTC=$((Get-Date).ToString("yyyy-MM-ddTHH:mm:ss"))"
+    $headers = @{
+        "Authorization"      = "Bearer $token"
+        "Content-Type"       = "application/json"
+    }
+    $response = Invoke-WebRequest -Uri "$cpiEndpoint$path$param" -Method Get -Headers $headers
+    Write-Host $response.RawContent
+    ```
+
+Make sure that the prerequisites checker runs successfully before connecting to Microsoft Sentinel.

articles/sentinel/monitor-sap-system-health.md

@@ -28,10 +28,8 @@ For a video demonstration of the procedures in this article, watch the following
 :::zone pivot="connection-agentless"
 
 > [!IMPORTANT]
-> Monitoring the health of your SAP systems is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+> The agentless data connector for SAP is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 >
-> Microsoft Sentinel's **Agentless solution** is in limited preview as a prereleased product, which may be substantially modified before it’s commercially released. Microsoft makes no warranties expressed or implied, with respect to the information provided here. Access to the **Agentless solution** also [requires registration](https://aka.ms/SentinelSAPAgentlessSignUp) and is only available to approved customers and partners during the preview period. For more information, see [Microsoft Sentinel for SAP goes agentless ](https://community.sap.com/t5/enterprise-resource-planning-blogs-by-members/microsoft-sentinel-for-sap-goes-agentless/ba-p/13960238).
-
 :::zone-end
 
 ## Prerequisites
@@ -66,7 +64,7 @@ This procedure describes how to check your data connector's connection status fr
         |---------|---------|
         |**Production**     |  The system is defined by the SAP admin as a production system.       |
         |**Unknown (Production)**     | Microsoft Sentinel couldn't retrieve the system status. Microsoft Sentinel regards this type of system as a production system for both security and billing purposes.  <br><br>In such cases, we recommend that you check the Microsoft Sentinel role definitions and permissions on the SAP system, and validate that the system allows Microsoft Sentinel to read the content of the T000 table. Next, consider [updating the SAP connector](sap/update-sap-data-connector.md) to the latest version.       |
-        |**Non production**     | Indicates roles like developing, testing, and customizing.        |
+        |**Non-production**     | Indicates roles like developing, testing, and customizing.        |
 
     - **Agent name**. Unique ID of the installed data connector agent.
 

articles/sentinel/sap/collect-sap-hana-audit-logs.md

@@ -23,7 +23,7 @@ Content in this article is intended for your **security**, **infrastructure**, a
 > Microsoft Sentinel SAP HANA support is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 
 > [!NOTE]
-> This article is relevant only for the data connector agent, and isn't relevant for the [SAP agentless solution](deployment-overview.md#data-connector) (limited preview).
+> This article is relevant only for the data connector agent, and isn't relevant for the [SAP agentless data connector](deployment-overview.md#data-connector) (Preview).
 >
 
 ## Prerequisites

articles/sentinel/sap/cross-workspace.md

@@ -31,8 +31,6 @@ This article discusses how to work with the Microsoft Sentinel solution for SAP
 > [!IMPORTANT]
 > Working with multiple workspaces is currently in preview. This feature is provided without a service-level agreement. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 
-> [!NOTE]
-> Multi-workspace support is available only with the data connector agent, and isn't supported with the [SAP agentless solution](deployment-overview.md#data-connector) (limited preview).
 
 ## SAP and SOC data maintained in separate workspaces
 

articles/sentinel/sap/deploy-command-line.md

@@ -21,7 +21,7 @@ However, if you're using a configuration file to store your credentials instead
 While you can run multiple data connector agents on a single machine, we recommend that you start with one only, monitor the performance, and then increase the number of connectors slowly. We also recommend that your **security** team perform this procedure with help from the **SAP BASIS** team. 
 
 > [!NOTE]
-> This article is relevant only for the data connector agent, and isn't relevant for the [SAP agentless solution](deployment-overview.md#data-connector) (limited preview).
+> This article is relevant only for the data connector agent, and isn't relevant for the [SAP agentless data connector](deployment-overview.md#data-connector) (Preview).
 >
 
 ## Prerequisites

articles/sentinel/sap/deploy-data-connector-agent-container.md

@@ -32,42 +32,28 @@ Content in this article is relevant for your **security**, **infrastructure**, a
 
 :::zone pivot="connection-agentless"
 
-:::image type="content" source="media/deployment-steps/deploy-data-connector-agentless.png" alt-text="Diagram of the SAP solution deployment flow, highlighting the Connect your SAP system step."  :::
+:::image type="content" source="media/deployment-steps/deploy-data-connector-agentless.png" alt-text="Diagram of the SAP solution deployment flow, highlighting the Connect your SAP system step." border="false":::
 
-Content in this article is relevant for your **security** team, using information provided by your **SAP BASIS** teams.
+Content in this article is relevant for your **security** team.
 
 :::zone-end
 
 
 > [!IMPORTANT]
-> Microsoft Sentinel's **Agentless solution** is in limited preview as a prereleased product, which may be substantially modified before it’s commercially released. Microsoft makes no warranties expressed or implied, with respect to the information provided here. Access to the **Agentless solution** also [requires registration](https://aka.ms/SentinelSAPAgentlessSignUp) and is only available to approved customers and partners during the preview period. For more information, see [Microsoft Sentinel for SAP goes agentless ](https://community.sap.com/t5/enterprise-resource-planning-blogs-by-members/microsoft-sentinel-for-sap-goes-agentless/ba-p/13960238).
+> Microsoft Sentinel's agentless data connector for SAP is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 
 ## Prerequisites
 
 Before you connect your SAP system to Microsoft Sentinel:
 
 - Make sure that all of the deployment prerequisites are in place. For more information, see [Prerequisites for deploying Microsoft Sentinel solution for SAP applications](prerequisites-for-deploying-sap-continuous-threat-monitoring.md).
 
-:::zone pivot="connection-agent"
-
 - Make sure that you have the Microsoft Sentinel solution for **SAP applications** [installed in your Microsoft Sentinel workspace](deploy-sap-security-content.md)
 
 - Make sure that your SAP system is fully [prepared for the deployment](preparing-sap.md).
 
 - If you're deploying the data connector agent to communicate with Microsoft Sentinel over SNC, make sure that you completed [Configure your system to use SNC for secure connections](preparing-sap.md#configure-your-system-to-use-snc-for-secure-connections).
 
-:::zone-end
-
-:::zone pivot="connection-agentless"
-
-- Make sure that you have the Microsoft Sentinel **SAP Agentless** solution [installed in your Microsoft Sentinel workspace](deploy-sap-security-content.md)
-
-- Make sure that your SAP system is fully [prepared for the deployment](preparing-sap.md).
-
-- Make sure your DCR is configured as described in [Install the solution from the content hub](deploy-sap-security-content.md#install-the-solution-from-the-content-hub).
-
-:::zone-end
-
 :::zone pivot="connection-agent"
 
 ## Watch a demo video
@@ -235,7 +221,7 @@ While deployment is also supported from the command line, we recommend that you
 
 1. In Microsoft Sentinel, select **Configuration > Data connectors**.
 
-1. In the search bar, enter *SAP*. Select **Microsoft Sentinel for SAP** from the search results and then **Open connector page**.
+1. In the search bar, enter *SAP*. Select **Microsoft Sentinel for SAP - agent-based** from the search results and then **Open connector page**.
 
 1. In the **Configuration** area, select **Add new agent (Preview)**.
 
@@ -346,22 +332,65 @@ At this stage, the system's **Health** status is **Pending**. If the agent is up
 
 :::zone pivot="connection-agentless"
 
-## Connect your agentless data connector
+## Connect your agentless data connector (Preview)
 
-1. In Microsoft Sentinel, go to the **Configuration > Data connectors** page and locate the **SAP ABAP and S/4 via cloud connector (Preview)** data connector.
+1. In Microsoft Sentinel, go to the **Configuration > Data connectors** page and locate the **Microsoft Sentinel for SAP - agent-less (Preview)** data connector.
 
-1. In the **Configuration** area, under **Connect an SAP integration suite to Microsoft Sentinel**, select **Add connection**.
+1. In the **Configuration** area, scroll down and select **Add SAP client**.
 
-1. In the **Agentless connection** side pane, enter the following details:
+1. In the **Connect to an SAP Client** side pane, enter the following details:
 
     | Field        | Description                      |
     |-------------------------------|---------------------------------------|
     | **RFC destination name**      | The name of the RFC destination, taken from your BTP destination.                |
     | **SAP Agentless Client ID**   | The *clientid* value taken from the Process Integration Runtime service key JSON file.                 |
     | **SAP Agentless Client Secret** | The *clientsecret* value taken from the Process Integration Runtime service key JSON file.             |
-    | **Authorization server URL**  | The *tokenurlurl* value taken from the Process Integration Runtime service key JSON file. For example: `https://your-tenant.authentication.region.hana.ondemand.com/oauth/token` |
+    | **Authorization server URL**  | The *tokenurl* value taken from the Process Integration Runtime service key JSON file. For example: `https://your-tenant.authentication.region.hana.ondemand.com/oauth/token` |
     | **Integration Suite Endpoint** | The *url* value taken from the Process Integration Runtime service key JSON file. For example: `https://your-tenant.it-account-rt.cfapps.region.hana.ondemand.com` |
 
+1. Select **Connect**.
+
+## Customize data connector behavior (optional)
+
+If you have an SAP agentless data connector for Microsoft Sentinel, you can use the SAP Integration Suite to customize how the agentless data connector ingests data from your SAP system into Microsoft Sentinel.
+
+This procedure is only relevant when you want to customize the SAP agentless data connector behavior. Skip this procedure if you're satisfied with the default functionality. For example, if you're using Sybase, we recommend that you turn off ingestion for Change Docs logs in the iflow by configuring the **collect-changedocs-logs** parameter. Due to database performance issues, ingesting Change Docs logs Sybase isn't supported.
+
+### Prerequisites for customizing data connector behavior
+
+- You must have access to the [SAP Integration Suite](https://help.sap.com/docs/cloud-integration/sap-cloud-integration/sap-cloud-integration), with permissions to [edit value mappings](https://help.sap.com/docs/cloud-integration/sap-cloud-integration/working-with-mapping).
+- An SAP integration package, either existing or new, to upload the default value mapping file.
+
+### Download the configuration file and customize settings
+
+1. Download the default [**example-parameters.zip**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/Agentless/example-parameters.zip) file, which provides settings that define default behavior and is a good starting point to start customizing.
+
+    Save the **example-parameters.zip** file to a location accessible to your SAP Integration Suite environment.
+
+1. Use the standard SAP procedures for uploading a Value Mapping file and making changes to customize your data connector settings:
+
+    1. Upload the **example-parameters.zip** file to the SAP Integration Suite as a value mapping artifact. For more information, see the [SAP documentation](https://help.sap.com/docs/cloud-integration/sap-cloud-integration/creating-value-mapping).
+    1. Use one of the following methods to customize your settings:
+
+        - **To customize settings across all SAP systems**, add value mappings for the **global** bi-directional mapping agency.
+        - **To customize settings for specific SAP systems**, add new bi-directional mapping agencies for each SAP system, and then add value mappings for each one. Name your agencies to exactly match the name of the RFC destination that you want to customize, such as myRfc, key, myRfc, value.
+
+        For more information, see [SAP documentation on configuring Value Mappings](https://help.sap.com/docs/cloud-integration/sap-cloud-integration/configuring-value-mappings)
+
+    Make sure to deploy the artifact when you're done customizing to activate the updated settings.
+
+The following table lists the customizable parameters for the SAP agentless data connector for Microsoft Sentinel:
+
+| Parameter | Description | Allowed values | Default value |
+|-----------|-------------|----------------|---------------|
+| **changedocs-object-classes** | List of object classes that are ingested from Change Docs logs. | Comma separated list of object classes | `BANK, CLEARING, IBAN, IDENTITY, KERBEROS, OA2_CLIENT, PCA_BLOCK, PCA_MASTER, PFCG, SECM, SU_USOBT_C, SECURITY_POLICY, STATUS, SU22_USOBT, SU22_USOBX, SUSR_PROF, SU_USOBX_C, USER_CUA` |
+| **collect-audit-logs** | Determines whether Audit Log data is ingested or not. | **true**: Ingested<br>**false**: Not ingested | **true** |
+| **collect-changedocs-logs** | Determines whether Change Docs logs are ingested or not. | **true**: Ingested<br>**false**: Not ingested | **true** |
+| **collect-user-master-data** | Determines whether User Master data is ingested or not. | **true**: Ingested<br>**false**: Not ingested | **true** |
+| **force-audit-log-to-read-from-all-clients** | Determines whether the Audit Log is read from all clients. | **true**: Read from all clients<br>**false**: Not read from all clients | **false** |
+| **ingestion-cycle-days** | Time, in days, given to ingest the full User Master data, including all roles and users. This parameter doesn't affect the ingestion of changes to User Master data. | Integer, between **1**-**14** | **1** |
+| **offset-in-seconds** | Determines the offset, in seconds, for both the start and end times of a data collection window. Use this parameter to delay data collection by the configured number of seconds. | Integer, between **1**-**600** | **60** |
+
 :::zone-end
 
 ## Check connectivity and health