Merge pull request #291804 from batamig/attack-disrupt-remove

removing attack disrupt for SAP

Author: v-ccolin

articles/sap/workloads/integration-get-started.md

@@ -4,7 +4,7 @@ description: Learn about the various integration points in the Microsoft ecosyst
 ms.service: sap-on-azure
 ms.subservice: sap-vm-workloads
 ms.topic: concept-article
-ms.date: 12/15/2022
+ms.date: 06/22/2025
 author: MartinPankraz
 ms.author: mapankra
 
@@ -234,7 +234,7 @@ Discover partner offerings for SAP security on the [Azure Marketplace](https://a
 
 #### Microsoft Sentinel for SAP
 
-Microsoft Sentinel integrates natively with Microsoft Defender XDR in the Defender portal. See the integration in action with [Automatic attack disruption for SAP](../../sentinel/sap/deployment-attack-disrupt.md).
+Microsoft Sentinel integrates directly with Microsoft Defender XDR and the Microsoft Defender portal. SAP solutions are available in the Defender portal as part of [Microsoft's unified security operations platform](/unified-secops-platform/), and with [Microsoft Sentinel in the Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal).
 
 For more information about [SAP certified](https://www.sap.com/dmc/exp/2013_09_adpd/enEN/#/solutions?id=s:33db1376-91ae-4f36-a435-aafa892a88d8) threat monitoring with Microsoft Sentinel for SAP, see the following Microsoft resources:
 

articles/sap/workloads/rise-integration-security.md

@@ -53,7 +53,7 @@ It can be used with any data source that Defender XDR and Sentinel support, incl
    This image shows an example of the Microsoft Security Copilot experience using a prompt to investigate an SAP incident.
 :::image-end:::
 
-In addition to that the Security Copilot experience is embedded on the Defender XDR portal. Next to an AI-generated summary, recommendations and remediation like password reset for SAP are provided out-of-the-box. Learn more about automatic SAP attack disruption [here](../../sentinel/sap/deployment-attack-disrupt.md).
+In addition to that, the Security Copilot experience is embedded on the Defender XDR portal, with an out-of-the-box AI-generated summary and recommendations for SAP. 
 
 :::image type="complex" source="./media/sap-rise-integration/sap-rise-security-copilot-defender-portal.png" alt-text="Screenshot of embedded Security Copilot experience in Defender with SAP RISE/ECS incidents." lightbox="./media/sap-rise-integration/sap-rise-security-copilot-defender-portal.png":::
    This image shows an example of Microsoft Security Copilot analyzing an incident detected on SAP RISE through Defender XDR. Data ingestion is done through the Microsoft Sentinel solution for SAP applications.

articles/sentinel/TOC.yml

@@ -188,8 +188,6 @@
               href: sap/reference-systemconfig.md
         - name: Enable SAP detections and threat protection
           href: sap/deployment-solution-configuration.md
-        - name: Automatic attack disruption for SAP
-          href: sap/deployment-attack-disrupt.md
         - name: Integrate SAP across multiple workspaces
           href: sap/cross-workspace.md
         - name: Monitor SAP systems

articles/sentinel/feature-availability.md

@@ -6,7 +6,7 @@ ms.author: bagol
 ms.topic: feature-availability
 ms.custom: references_regions
 ms.service: microsoft-sentinel
-ms.date: 11/26/2024
+ms.date: 06/22/2025
 
 
 #Customer intent: As a security operations manager, I want to understand the Microsoft Sentinel's feature availability across different Azure environments so that I can effectively plan and manage our security operations.
@@ -25,8 +25,6 @@ This article describes the features available in Microsoft Sentinel across diffe
 
 Microsoft Sentinel is also available in the [Microsoft Defender portal](microsoft-sentinel-defender-portal.md). In the Defender portal, all features in general availability are available in commercial, GCC, GCC High and DoD clouds. Features still in preview are available only in the commercial cloud.
 
-While [attack disruption in the Defender portal](/defender-xdr/automatic-attack-disruption) is generally available, [SAP support for attack disruption](/defender-xdr/automatic-attack-disruption#automated-response-actions-for-sap-with-microsoft-sentinel) in the Defender portal available only in the commercial cloud.
-
 For more information, see [Microsoft Defender XDR for US Government customers](/defender-xdr/usgov).
 
 ## Analytics		

articles/sentinel/microsoft-sentinel-defender-portal.md

@@ -4,7 +4,7 @@ description: Learn about the Microsoft Sentinel experience when you onboard Micr
 author: batamig
 ms.author: bagol
 ms.topic: conceptual
-ms.date: 05/04/2025
+ms.date: 06/22/2025
 appliesto: 
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.collection: usx-security

articles/sentinel/sap/deployment-attack-disrupt.md

@@ -4,7 +4,7 @@ description: This article shows you how to configure initial security content fo
 author: batamig
 ms.author: bagol
 ms.topic: how-to
-ms.date: 09/15/2024
+ms.date: 12/11/2024
 appliesto:
     - Microsoft Sentinel in the Microsoft Defender portal
     - Microsoft Sentinel in the Azure portal
@@ -94,6 +94,5 @@ For more information, see:
 
 For more information, see:
 
-- [Automatic attack disruption for SAP (Preview)](deployment-attack-disrupt.md)
 - [Monitor the health of your SAP system](../monitor-sap-system-health.md)
 - [Update Microsoft Sentinel's SAP data connector agent](update-sap-data-connector.md)

articles/sentinel/sap/deployment-solution-configuration.md

@@ -52,15 +52,13 @@ To allow the SAP data connector to connect to your SAP system, you must create a
 
 :::zone pivot="connection-agent"
 
-- **To include both log retrieval and [attack disruption response actions](https://aka.ms/attack-disrupt-defender)**, we recommend creating this role by loading role authorizations from the [**/MSFTSEN/SENTINEL_RESPONDER**](https://aka.ms/SAP_Sentinel_Responder_Role) file.
+We recommend creating this role by deploying the *NPLK900271* SAP change request (CR): [K900271.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/K900271.NPL) | [R900271.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/R900271.NPL)
 
-- **To include log retrieval only**, we recommend creating this role by deploying the *NPLK900271* SAP change request (CR): [K900271.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/K900271.NPL) | [R900271.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/R900271.NPL)
+Deploy the CRs on your SAP system as needed just as you'd deploy other CRs. We strongly recommend that deploying SAP CRs is done by an experienced SAP system administrator. For more information, see the [SAP documentation](https://help.sap.com/docs/ABAP_PLATFORM_NEW/4a368c163b08418890a406d413933ba7/e15d9acae75c11d2b451006094b9ea64.html?locale=en-US&version=LATEST).
 
-    Deploy the CRs on your SAP system as needed just as you'd deploy other CRs. We strongly recommend that deploying SAP CRs is done by an experienced SAP system administrator. For more information, see the [SAP documentation](https://help.sap.com/docs/ABAP_PLATFORM_NEW/4a368c163b08418890a406d413933ba7/e15d9acae75c11d2b451006094b9ea64.html?locale=en-US&version=LATEST).
-
-    Alternately, load the role authorizations from the [**MSFTSEN_SENTINEL_CONNECTOR**](https://aka.ms/SAP_Sentinel_Connector_Role) file, which includes all the basic permissions for the data connector to operate.
+Alternately, load the role authorizations from the [**MSFTSEN_SENTINEL_CONNECTOR**](https://aka.ms/SAP_Sentinel_Connector_Role) file, which includes all the basic permissions for the data connector to operate.
 
-    Experienced SAP administrators might choose to create the role manually and assign it the appropriate permissions. In such cases, create a role manually with the relevant authorizations required for the logs you want to ingest. For more information, see [Required ABAP authorizations](required-abap-authorizations.md). Examples in our documentation use the **/MSFTSEN/SENTINEL_RESPONDER** name.
+Experienced SAP administrators might choose to create the role manually and assign it the appropriate permissions. In such cases, create a role manually with the relevant authorizations required for the logs you want to ingest. For more information, see [Required ABAP authorizations](required-abap-authorizations.md). Examples in our documentation use the **/MSFTSEN/SENTINEL_RESPONDER** name.
 
 When configuring the role, we recommend that you:
 

articles/sentinel/sap/preparing-sap.md

@@ -4,7 +4,7 @@ description: Understand the ABAP authorizations required if you want to manually
 author: batamig
 ms.author: bagol
 ms.topic: how-to
-ms.date: 09/16/2024
+ms.date: 12/11/2024
 appliesto:
     - Microsoft Sentinel in the Microsoft Defender portal
     - Microsoft Sentinel in the Azure portal
@@ -15,16 +15,12 @@ ms.collection: usx-security
 
 # Required ABAP authorizations
 
-This article lists the ABAP authorizations required to ensure that the SAP user account used by Microsoft Sentinel's SAP data connector can correctly retrieve logs from the SAP systems and [run attack disruption response actions](/defender-xdr/automatic-attack-disruption).
+This article lists the ABAP authorizations required to ensure that the SAP user account used by Microsoft Sentinel's SAP data connector can correctly retrieve logs from the SAP systems.
 
-The required authorizations are listed here by their purpose. You only need the authorizations that are listed for the kinds of logs you want to bring into Microsoft Sentinel and the attack disruption response actions you want to apply.
+The required authorizations are listed here by their purpose. You only need the authorizations that are listed for the kinds of logs you want to bring into Microsoft Sentinel.
 
-> [!TIP]
-> To create a role with all the required authorizations, load the role authorizations from the [**/MSFTSEN/SENTINEL_RESPONDER**](https://aka.ms/SAP_Sentinel_Responder_Role) file.
->
-> Alternately, to enable only log retrieval, without attack disruption response actions, deploy the SAP *NPLK900271* CR on the SAP system to create the **/MSFTSEN/SENTINEL_CONNECTOR** role, or load the role authorizations from the [**/MSFTSEN/SENTINEL_CONNECTOR**](https://aka.ms/SAP_Sentinel_Connector_Role) file.
-
-If needed, you can [remove the user role and any optional CR installed on your ABAP system](stop-collection.md#remove-the-user-role-and-any-optional-cr-installed-on-your-abap-system).
+- To create a role with all the required authorizations, load the role authorizations from the [**/MSFTSEN/SENTINEL_RESPONDER**](https://aka.ms/SAP_Sentinel_Responder_Role) file.
+- If needed, you can [remove the user role and any optional CR installed on your ABAP system](stop-collection.md#remove-the-user-role-and-any-optional-cr-installed-on-your-abap-system).
 
 ## ABAP application log
 
@@ -140,20 +136,6 @@ If needed, you can [remove the user role and any optional CR installed on your A
 | S_TABU_NAM | ACTVT | Display |
 | S_TABU_NAM | TABLE | T000 |
 
-## Attack disruption response actions
-
-<a name=attack-disrupt></a>
-
-| Authorization object | Field | Value |
-| -------------------- | ----- | ----- |
-|S_RFC |RFC_TYPE |Function Module |
-|S_RFC |RFC_NAME |BAPI_USER_LOCK |
-|S_RFC |RFC_NAME |BAPI_USER_UNLOCK |
-|S_RFC |RFC_NAME |TH_DELETE_USER <br>In contrast to its name, this function doesn't delete users, but ends the active user session. |
-|S_USER_GRP |CLASS |* <br>We recommend replacing S_USER_GRP CLASS with the relevant classes in your organization that represent dialog users. |
-|S_USER_GRP |ACTVT |03 |
-|S_USER_GRP |ACTVT |05 |
-
 ## Configuration history
 
 | Authorization object | Field | Value |