Update deploy-sap-btp-solution.md

kingwil · web-flow · commit 607cf9f8fbb9 · 2024-03-15T16:39:42.000Z
diff --git a/articles/sentinel/sap/deploy-sap-btp-solution.md b/articles/sentinel/sap/deploy-sap-btp-solution.md
@@ -25,11 +25,7 @@ Before you begin, verify that:
 - Your organization uses SAP BTP (in a Cloud Foundry environment) to streamline interactions with SAP applications and other business applications.
 - You have an SAP BTP account (which supports BTP accounts in the Cloud Foundry environment). You can also use a [SAP BTP trial account](https://cockpit.hanatrial.ondemand.com/).
 - You have the SAP BTP auditlog-management service and service key (see [Set up the BTP account and solution](#set-up-the-btp-account-and-solution)).
-- You can create an [Azure function app](../../azure-functions/functions-overview.md) by using the Microsoft.Web/Sites, Microsoft.Web/ServerFarms, Microsoft.Insights/Components, and Microsoft.Storage/StorageAccounts permissions.
-- You can create [data collection rules and endpoints](../../azure-monitor/essentials/data-collection-rule-overview.md) by using these permissions:
-  - Microsoft.Insights/DataCollectionEndpoints and Microsoft.Insights/DataCollectionRules.
-  - Assign the Monitoring Metrics Publisher role to the function app.
-- You have an [Azure Key Vault](../../key-vault/general/overview.md) to hold the SAP BTP client secret.
+- You have the Sentinel Contributor role on the target Sentinel workspace.
 
 ## Set up the BTP account and solution
 
@@ -69,14 +65,14 @@ To set up the BTP account and the solution:
 1. Select the resource group and the Microsoft Sentinel workspace in which to deploy the solution.
 1. Select **Next** until you pass validation, and then select **Create**.
 1. When the solution deployment is finished, return to your Microsoft Sentinel workspace and select **Data connectors**.
-1. In the search bar, enter **BTP**, and then select **SAP BTP (using Azure Function)**.
+1. In the search bar, enter **BTP**, and then select **SAP BTP**.
 1. Select **Open connector page**.
-1. On the connector page, make sure that you meet the required prerequisites and complete the configuration steps. In step 2 of the data connector configuration, specify the parameters that you defined in step 4 in this section.
+1. On the connector page, make sure that you meet the required prerequisites and complete the configuration steps. Click **Add account**.
+1. Specify the parameters that you defined in step 4 in this section. The subaccount name specified will be projected as a column in the SAPBTPAuditLog_CL table. This can be used to filter the logs when adding multiple subaccounts.
 
     > [!NOTE]
     > Retrieving audits for the global account doesn't automatically retrieve audits for the subaccount. Follow the connector configuration steps for each of the subaccounts you want to monitor, and also follow these steps for the global account. Review these [account auditing configuration considerations](#consider-your-account-auditing-configurations).
 
-1. Complete all configuration steps, including the function app deployment and the Azure Key Vault access policy configuration.
 1. Make sure that BTP logs are flowing into the Microsoft Sentinel workspace:
 
     1. Sign in to your BTP subaccount and run a few activities that generate logs, such as sign-ins, adding users, changing permissions, and changing settings.
@@ -105,6 +101,59 @@ You also can retrieve the logs via the UI:
 1. In the new instance, create a service key.
 1. View the service key and retrieve the required parameters from step 4 of the configuration instructions in the data connector UI (**url**, **uaa.url**, **uaa.clientid**, and **uaa.clientsecret**).
 
+## Rotating the BTP client secret
+
+It is recommended to periodically rotate the client secrets of the BTP subaccounts. The following example script can be used to demonstrate the process of updating a data connector. The script will fetch the secret from Azure Key Vault and update the existing data connector with a new secret.
+
+1. Collect the required parameters for the script, subscription id, resource group and workspace name of the Sentinel workspace. The key vault and name of the key vault secret, and the name of the data connector to update.
+
+    > [!NOTE]
+    > Identify the name of the data connector by opening the SAP BTP data connector in data connectors blade. It should look like "BTP_{connector name}".
+
+```powershell
+param(
+    [Parameter(Mandatory = $true)] [string]$subscriptionId,
+    [Parameter(Mandatory = $true)] [string]$workspaceName,
+    [Parameter(Mandatory = $true)] [string]$resourceGroupName,
+    [Parameter(Mandatory = $true)] [string]$connectorName,
+    [Parameter(Mandatory = $true)] [string]$clientId,
+    [Parameter(Mandatory = $true)] [string]$keyVaultName,
+    [Parameter(Mandatory = $true)] [string]$secretName
+)
+
+# Import the required modules
+Import-Module Az.Accounts
+Import-Module Az.KeyVault
+
+try {
+    # Login to Azure
+    Login-AzAccount
+
+    # Retrieve BTP client secret from Key Vault
+    $clientSecret = (Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $secretName).SecretValue
+    if (!($clientSecret)) {
+        throw "Failed to retrieve the client secret from Azure Key Vault"
+    }
+
+    # Get the connector from data connectors API
+    $path = "/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.OperationalInsights/workspaces/{2}/providers/Microsoft.SecurityInsights/dataConnectors/{3}?api-version=2024-01-01-preview" -f $subscriptionId, $resourceGroupName, $workspaceName, $connectorName
+    $connector = (Invoke-AzRestMethod -Path $path -Method GET).Content | ConvertFrom-Json
+    if (!($connector)) {
+        throw "Failed to retrieve the connector"
+    }
+
+    # Add the updated client ID and client secret to the connector
+    $connector.properties.auth | Add-Member -Type NoteProperty -Name "clientId" -Value $clientId
+    $connector.properties.auth | Add-Member -Type NoteProperty -Name "clientSecret" -Value ($clientSecret | ConvertFrom-SecureString -AsPlainText)
+
+    # Update the connector with the new auth object
+    Invoke-AzRestMethod -Path $path -Method PUT -Payload ($connector | ConvertTo-Json -Depth 10)
+}
+catch {
+    Write-Error "An error occurred: $_"
+}
+```
+
 ## Related content
 
 - [Learn how to enable the security content](../sentinel-solutions-deploy.md#analytics-rule)
