Merge pull request #289560 from batamig/patch-570676

ttorble · web-flow · commit 96db85f802ed · 2024-11-05T08:46:58.000Z
moving pahi table recs and json file samples
diff --git a/articles/sentinel/sap/deploy-command-line.md b/articles/sentinel/sap/deploy-command-line.md
@@ -5,7 +5,7 @@ author: batamig
 ms.author: bagol
 ms.topic: how-to
 ms.custom: devx-track-azurecli
-ms.date: 09/15/2024
+ms.date: 10/31/2024
 ms.collection: usx-security
 
 #Customer intent: As a security, infrastructure, or SAP BASIS team member, I want to deploy and configure a containerized SAP data connector agent from the command line so that I can ingest SAP data into Microsoft Sentinel for enhanced monitoring and threat detection.
@@ -264,6 +264,12 @@ This procedure describes how to prepare the deployment script to configure setti
 
 For more information, see [Kickstart deployment script reference for the Microsoft Sentinel for SAP applications data connector agent](reference-kickstart.md).
 
+## Optimize SAP PAHI table monitoring (recommended)
+
+For optimal results in monitoring the SAP PAHI table, open the **systemconfig.json** file for editing and under the `[ABAP Table Selector](reference-systemconfig-json.md#abap-table-selector)` section, enable both the `PAHI_FULL` and the `PAHI_INCREMENTAL` parameters.
+
+For more information, see [Systemconfig.json file reference](reference-systemconfig-json.md#abap-table-selector) and [Verify that the PAHI table is updated at regular intervals](preparing-sap.md#verify-that-the-pahi-table-is-updated-at-regular-intervals).
+
 ## Check connectivity and health
 
 After you deploy the SAP data connector agent, check your agent's health and connectivity. For more information, see [Monitor the health and role of your SAP systems](../monitor-sap-system-health.md).
diff --git a/articles/sentinel/sap/preparing-sap.md b/articles/sentinel/sap/preparing-sap.md
@@ -91,10 +91,12 @@ The SAP PAHI table includes data on the history of the SAP system, the database,
 - [SAP note 12103](https://launchpad.support.sap.com/#/notes/12103)
 - [Monitoring the configuration of static SAP security parameters (Preview)](sap-solution-security-content.md#monitor-the-configuration-of-static-sap-security-parameters-preview)
 
-> [!TIP]
-> For optimal results, in the *systemconfig.json* file on your data connector agent machine, under the `[ABAP Table Selector](reference-systemconfig-json.md#abap-table-selector)` section, enable both the `PAHI_FULL` and the `PAHI_INCREMENTAL` parameters. For more information, see [Systemconfig.json file reference](reference-systemconfig-json.md#abap-table-selector).
+If the PAHI table is updated regularly, the `SAP_COLLECTOR_FOR_PERFMONITOR` job is scheduled and runs hourly. If the `SAP_COLLECTOR_FOR_PERFMONITOR` job doesn't exist, make sure to configure it as needed. 
 
-If the PAHI table is updated regularly, the `SAP_COLLECTOR_FOR_PERFMONITOR` job is scheduled and runs hourly. If the `SAP_COLLECTOR_FOR_PERFMONITOR` job doesn't exist, make sure to configure it as needed. For more information, see the SAP documentation: [Database Collector in Background Processing](https://help.sap.com/doc/saphelp_nw75/7.5.5/en-US/c4/3a735b505211d189550000e829fbbd/frameset.htm) and [Configuring the Data Collector](https://help.sap.com/docs/SAP_NETWEAVER_AS_ABAP_752/3364beced9d145a5ad185c89a1e04658/c43a818c505211d189550000e829fbbd.html)
+For more information, see:
+
+- SAP documentation: [Database Collector in Background Processing](https://help.sap.com/doc/saphelp_nw75/7.5.5/c4/3a735b505211d189550000e829fbbd/frameset.htm) and [Configuring the Data Collector](https://help.sap.com/docs/SAP_NETWEAVER_AS_ABAP_752/3364beced9d145a5ad185c89a1e04658/c43a818c505211d189550000e829fbbd.html)
+- [Optimize SAP PAHI table monitoring (recommended)](deploy-command-line.md#optimize-sap-pahi-table-monitoring-recommended)
 
 ## Configure your system to use SNC for secure connections
 
diff --git a/articles/sentinel/sap/sap-solution-deploy-alternate.md b/articles/sentinel/sap/sap-solution-deploy-alternate.md
@@ -185,9 +185,9 @@ For more information, see [Systemconfig.json file reference](reference-systemcon
 
 ### Define the SAP logs that are sent to Microsoft Sentinel
 
-The default **systemconfig** file is configured to cover built-in analytics, the SAP user authorization master data tables, with users and privilege information, and the ability to track changes and activities on the SAP landscape. The default configuration provides more logging information to allow for post-breach investigations and extended hunting abilities.
+The default **systemconfig.json** file is configured to cover built-in analytics, the SAP user authorization master data tables, with users and privilege information, and the ability to track changes and activities on the SAP landscape. 
 
-However you might want to customize your configuration over time, especially as business processes tend to be seasonal.
+The default configuration provides more logging information to allow for post-breach investigations and extended hunting abilities. However you might want to customize your configuration over time, especially as business processes tend to be seasonal.
 
 Use the following sets of code to configure the **systemconfig.json** file to define the logs that are sent to Microsoft Sentinel.
 
@@ -197,133 +197,127 @@ For more information, see [Microsoft Sentinel solution for SAP applications solu
 
 The following code configures a default configuration:
 
-```python
-##############################################################
-# Enter True OR False for each log to send those logs to Microsoft Sentinel
-[Logs Activation Status]
-ABAPAuditLog = True
-ABAPJobLog = True
-ABAPSpoolLog = True
-ABAPSpoolOutputLog = True
-ABAPChangeDocsLog = True
-ABAPAppLog = True
-ABAPWorkflowLog = True
-ABAPCRLog = True
-ABAPTableDataLog = False
-# ABAP SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
-ABAPFilesLogs = False
-SysLog = False
-ICM = False
-WP = False
-GW = False
-# Java SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
-JAVAFilesLogs = False
-##############################################################
+```json
+"logs_activation_status": {
+      "abapauditlog": "True",
+      "abapjoblog": "True",
+      "abapspoollog": "True",
+      "abapspooloutputlog": "True",
+      "abapchangedocslog": "True",
+      "abapapplog": "True",
+      "abapworkflowlog": "True",
+      "abapcrlog": "True",
+      "abaptabledatalog": "False",
+      "abapfileslogs": "False",
+      "syslog": "False",
+      "icm": "False",
+      "wp": "False",
+      "gw": "False",
+      "javafileslogs": "False"
 ```
 
 #### Configure a detection-focused profile
 
 Use the following code to configure a detection-focused profile, which includes the core security logs of the SAP landscape required for the most of the analytics rules to perform well. Post-breach investigations and hunting capabilities are limited.
 
-```python
-##############################################################
-[Logs Activation Status]
-# ABAP RFC Logs - Retrieved by using RFC interface
-ABAPAuditLog = True
-ABAPJobLog = False
-ABAPSpoolLog = False
-ABAPSpoolOutputLog = False
-ABAPChangeDocsLog = True
-ABAPAppLog = False
-ABAPWorkflowLog = False
-ABAPCRLog = True
-ABAPTableDataLog = False
-# ABAP SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
-ABAPFilesLogs = False
-SysLog = False
-ICM = False
-WP = False
-GW = False
-# Java SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
-JAVAFilesLogs = False
-[ABAP Table Selector]
-AGR_TCODES_FULL = True
-USR01_FULL = True
-USR02_FULL = True
-USR02_INCREMENTAL = True
-AGR_1251_FULL = True
-AGR_USERS_FULL = True
-AGR_USERS_INCREMENTAL = True
-AGR_PROF_FULL = True
-UST04_FULL = True
-USR21_FULL = True
-ADR6_FULL = True
-ADCP_FULL = True
-USR05_FULL = True
-USGRP_USER_FULL = True
-USER_ADDR_FULL = True
-DEVACCESS_FULL = True
-AGR_DEFINE_FULL = True
-AGR_DEFINE_INCREMENTAL = True
-PAHI_FULL = False
-AGR_AGRS_FULL = True
-USRSTAMP_FULL = True
-USRSTAMP_INCREMENTAL = True
-AGR_FLAGS_FULL = True
-AGR_FLAGS_INCREMENTAL = True
-SNCSYSACL_FULL = False
-USRACL_FULL = False
+```json
+"logs_activation_status": {
+      "abapauditlog": "True",
+      "abapjoblog": "False",
+      "abapspoollog": "False",
+      "abapspooloutputlog": "False",
+      "abapchangedocslog": "True",
+      "abapapplog": "False",
+      "abapworkflowlog": "False",
+      "abapcrlog": "True",
+      "abaptabledatalog": "False",
+      "abapfileslogs": "False",
+      "syslog": "False",
+      "icm": "False",
+      "wp": "False",
+      "gw": "False",
+      "javafileslogs": "False"
+    },
+....
+  "abap_table_selector": {
+      "agr_tcodes_full": "True",
+      "usr01_full": "True",
+      "usr02_full": "True",
+      "usr02_incremental": "True",
+      "agr_1251_full": "True",
+      "agr_users_full": "True",
+      "agr_users_incremental": "True",
+      "agr_prof_full": "True",
+      "ust04_full": "True",
+      "usr21_full": "True",
+      "adr6_full": "True",
+      "adcp_full": "True",
+      "usr05_full": "True",
+      "usgrp_user_full": "True",
+      "user_addr_full": "True",
+      "devaccess_full": "True",
+      "agr_define_full": "True",
+      "agr_define_incremental": "True",
+      "pahi_full": "True",
+      "pahi_incremental": "True",
+      "agr_agrs_full": "True",
+      "usrstamp_full": "True",
+      "usrstamp_incremental": "True",
+      "agr_flags_full": "True",
+      "agr_flags_incremental": "True",
+      "sncsysacl_full": "False",
+      "usracl_full": "False",
 ```
 
 Use the following code to configure a minimal profile, which includes the SAP Security Audit Log, which is the most important source of data that the Microsoft Sentinel solution for SAP applications uses to analyze activities on the SAP landscape. Enabling this log is the minimal requirement to provide any security coverage.
 
-```python
-[Logs Activation Status]
-# ABAP RFC Logs - Retrieved by using RFC interface
-ABAPAuditLog = True
-ABAPJobLog = False
-ABAPSpoolLog = False
-ABAPSpoolOutputLog = False
-ABAPChangeDocsLog = False
-ABAPAppLog = False
-ABAPWorkflowLog = False
-ABAPCRLog = False
-ABAPTableDataLog = False
-# ABAP SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
-ABAPFilesLogs = False
-SysLog = False
-ICM = False
-WP = False
-GW = False
-# Java SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
-JAVAFilesLogs = False
-[ABAP Table Selector]
-AGR_TCODES_FULL = False
-USR01_FULL = False
-USR02_FULL = False
-USR02_INCREMENTAL = False
-AGR_1251_FULL = False
-AGR_USERS_FULL = False
-AGR_USERS_INCREMENTAL = False
-AGR_PROF_FULL = False
-UST04_FULL = False
-USR21_FULL = False
-ADR6_FULL = False
-ADCP_FULL = False
-USR05_FULL = False
-USGRP_USER_FULL = False
-USER_ADDR_FULL = False
-DEVACCESS_FULL = False
-AGR_DEFINE_FULL = False
-AGR_DEFINE_INCREMENTAL = False
-PAHI_FULL = False
-AGR_AGRS_FULL = False
-USRSTAMP_FULL = False
-USRSTAMP_INCREMENTAL = False
-AGR_FLAGS_FULL = False
-AGR_FLAGS_INCREMENTAL = False
-SNCSYSACL_FULL = False
-USRACL_FULL = False
+```json
+"logs_activation_status": {
+      "abapauditlog": "True",
+      "abapjoblog": "False",
+      "abapspoollog": "False",
+      "abapspooloutputlog": "False",
+      "abapchangedocslog": "True",
+      "abapapplog": "False",
+      "abapworkflowlog": "False",
+      "abapcrlog": "True",
+      "abaptabledatalog": "False",
+      "abapfileslogs": "False",
+      "syslog": "False",
+      "icm": "False",
+      "wp": "False",
+      "gw": "False",
+      "javafileslogs": "False"
+    },
+....
+  "abap_table_selector": {
+      "agr_tcodes_full": "False",
+      "usr01_full": "False",
+      "usr02_full": "False",
+      "usr02_incremental": "False",
+      "agr_1251_full": "False",
+      "agr_users_full": "False",
+      "agr_users_incremental": "False",
+      "agr_prof_full": "False",
+      "ust04_full": "False",
+      "usr21_full": "False",
+      "adr6_full": "False",
+      "adcp_full": "False",
+      "usr05_full": "False",
+      "usgrp_user_full": "False",
+      "user_addr_full": "False",
+      "devaccess_full": "False",
+      "agr_define_full": "False",
+      "agr_define_incremental": "False",
+      "pahi_full": "False",
+      "pahi_incremental": "False",
+      "agr_agrs_full": "False",
+      "usrstamp_full": "False",
+      "usrstamp_incremental": "False",
+      "agr_flags_full": "False",
+      "agr_flags_incremental": "False",
+      "sncsysacl_full": "False",
+      "usracl_full": "False",
 ```
 
 ### SAL logs connector settings
@@ -332,15 +326,13 @@ Add the following code to the Microsoft Sentinel for SAP data connector **system
 
 For more information, see [Perform an expert / custom SAP data connector installation](#perform-an-expert--custom-installation).
 
-```python
-##############################################################
-[Connector Configuration]
-extractuseremail = True
-apiretry = True
-auditlogforcexal = False
-auditlogforcelegacyfiles = False
-timechunk = 60
-##############################################################
+```json
+    "connector_configuration": {
+      "extractuseremail": "True",
+      "apiretry": "True",
+      "auditlogforcexal": "False",
+      "auditlogforcelegacyfiles": "False",
+      "timechunk": "60"
 ```
 
 This section enables you to configure the following parameters:
@@ -381,23 +373,35 @@ To ingest tables directly from your SAP system with details about your users and
 
 For example:
 
-```python
-[ABAP Table Selector] 
-USR01_FULL = True
-USR02_FULL = True
-USR02_INCREMENTAL = True
-UST04_FULL = True
-AGR_USERS_FULL = True
-AGR_USERS_INCREMENTAL = True
-USR21_FULL = True
-AGR_1251_FULL = True
-ADR6_FULL = True
-AGR_TCODES_FULL = True 
-DEVACCESS_FULL = True
-AGR_DEFINE_FULL = True
-AGR_DEFINE_INCREMENTAL = True
-AGR_PROF_FULL = True
-PAHI_FULL = True
+```json
+    "abap_table_selector": {
+      "agr_tcodes_full": "True",
+      "usr01_full": "True",
+      "usr02_full": "True",
+      "usr02_incremental": "True",
+      "agr_1251_full": "True",
+      "agr_users_full": "True",
+      "agr_users_incremental": "True",
+      "agr_prof_full": "True",
+      "ust04_full": "True",
+      "usr21_full": "True",
+      "adr6_full": "True",
+      "adcp_full": "True",
+      "usr05_full": "True",
+      "usgrp_user_full": "True",
+      "user_addr_full": "True",
+      "devaccess_full": "True",
+      "agr_define_full": "True",
+      "agr_define_incremental": "True",
+      "pahi_full": "True",
+      "pahi_incremental": "True",
+      "agr_agrs_full": "True",
+      "usrstamp_full": "True",
+      "usrstamp_incremental": "True",
+      "agr_flags_full": "True",
+      "agr_flags_incremental": "True",
+      "sncsysacl_full": "False",
+      "usracl_full": "False",
 ```
 
 For more information, see [Reference of tables retrieved directly from SAP systems](sap-solution-log-reference.md#reference-of-tables-retrieved-directly-from-sap-systems).
