Merge pull request #231696 from limwainstein/sap-cross-workspace-query

SAP multi-workspace

Author: ttorble

articles/sentinel/TOC.yml

@@ -177,6 +177,8 @@
     items:
     - name: Solution overview
       href: sap/solution-overview.md
+    - name: Working with the solution across multiple workspaces
+      href: sap/cross-workspace.md
 - name: How-tos
   items:
   - name: Plan architecture

articles/sentinel/sap/cross-workspace.md

@@ -0,0 +1,86 @@
+---
+title: Working with the Microsoft Sentinel solution for SAP® applications across multiple workspaces
+description: This article discusses working with Microsoft Sentinel solution for SAP® applications across multiple workspaces in different scenarios.
+author: limwainstein
+ms.author: lwainstein
+ms.topic: conceptual
+ms.date: 03/22/2023
+---
+
+# Working with the Microsoft Sentinel solution for SAP® applications across multiple workspaces
+
+When you set up your Microsoft Sentinel workspace, there are [multiple architecture options](../design-your-workspace-architecture.md#decision-tree) and considerations. Considering geography, regulation, access control, and other factors, you may choose to have multiple Sentinel workspaces in your organization. 
+
+This article discusses working with the Microsoft Sentinel solution for SAP® applications across multiple workspaces in different scenarios.
+
+The Microsoft Sentinel solution for SAP® applications natively supports a cross-workspace architecture to allow improved flexibility for: 
+
+- Managed security service providers (MSSPs) or a global or federated SOC
+- Data residency requirements 
+- Organizational hierarchy/IT design 
+- Insufficient role-based access control (RBAC) in a single workspace
+
+> [!IMPORTANT]
+> Working with multiple workspaces is currently in PREVIEW. This feature is provided without a service level agreement. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+You can define multiple workspaces when you [deploy the SAP security content](deploy-sap-security-content.md#deploy-sap-security-content).  
+
+## Collaboration between the SOC and SAP teams in your organization
+
+In this article, we focus on a specific and common use case, where collaboration between the security operations center (SOC) and SAP teams in your organization requires a multi-workspace setup.
+
+Your organization's SAP team has technical knowledge that's critical to successfully and effectively implement the Microsoft Sentinel solution for SAP® applications. Therefore, it's important for the SAP team see the relevant data and collaborate with the SOC on the required configuration and incident response procedures. 
+
+As part of this collaboration, there are two possible scenarios, depending on your organization's needs:
+
+1. **The SAP data and the SOC data reside in separate workspaces**. Both teams can see the SAP data, using [cross-workspace queries](#scenario-1-sap-and-soc-data-reside-in-separate-workspaces).
+1. **The SAP data is kept in the SOC workspace**, and SAP team can query the data using [resource context queries](#scenario-2-sap-data-is-kept-in-the-soc-workspace). 
+
+## Scenario 1: SAP and SOC data reside in separate workspaces 
+
+In this scenario, the SAP and SOC teams have separate Microsoft Sentinel workspaces. 
+
+:::image type="content" source="media/cross-workspace/sap-cross-workspace-separate.png" alt-text="Diagram of working with the Microsoft Sentinel solution for SAP® applications in separate workspaces for the SAP and SOC data." border="false":::
+
+When your organization [deploys the Microsoft Sentinel solution for SAP® applications](deploy-sap-security-content.md#deploy-sap-security-content), each team specifies its SAP workspace. 
+
+A common practice is to provide some or all of the SOC team members with the **Sentinel Reader** role on the SAP workspace. 
+
+Creating separate workspaces for the SAP and SOC data has these benefits:
+
+- Microsoft Sentinel can trigger alerts that include both SOC and SAP data, and run those alerts on the SOC workspace. 
+
+   > [!NOTE]
+   > For larger SAP landscapes, running queries made by the SOC on data from the SAP workspace can impact performance, because the SAP data must travel to the SOC workspace when being queried. For improved performance and cost optimizations, consider having both the SOC and SAP workspaces on the same [dedicated cluster](../../azure-monitor/logs/logs-dedicated-clusters.md?tabs=cli#cluster-pricing-model).
+
+- The SAP team has its own Microsoft Sentinel workspace, including all features, except for detections that include both SOC and SAP data. 
+- Flexibility: The SAP team can focus on the control and internal threats in its landscape, while the SOC can focus on external threats. 
+- There is no additional charge for ingestion fees, because data is only ingested once into Microsoft Sentinel. However, note that each workspace has its own [pricing tier](../design-your-workspace-architecture.md#step-5-collecting-any-non-soc-data). 
+- The SOC can see and investigate SAP incidents: If the SAP team faces an event they can't explain with the existing data, they can assign the incident to the SOC.   
+
+This table maps out the access of data and features for the SAP and SOC teams in this scenario.
+
+|Function  |SOC team  |SAP team  |
+|---------|---------|---------|
+|SOC workspace access     | ✅         | ❌     |
+|SAP workspace data, analytics rules, functions, watchlists, and workbooks access     | &#x2705;         | &#x2705;<sup>1</sup>         |
+|SAP incident access and collaboration     | &#x2705;          | &#x2705;<sup>1</sup>          |
+
+<sup>1</sup>The SOC team can see these functions on both workspaces, while the SAP team can see these functions only on the SAP workspace.
+
+## Scenario 2: SAP data is kept in the SOC workspace 
+
+In this scenario, you want to keep all of the data in one workspace and to apply access controls. You can do this using Log Analytics to [manage access to data by resource](../resource-context-rbac.md). You can also associate SAP resources with an Azure resource ID by specifying the required `azure_resource_id` field in the [connector configuration section](reference-systemconfig.md#connector-configuration-section) on the data collector used to ingest data from the SAP system into Microsoft Sentinel. 
+
+:::image type="content" source="media/cross-workspace/sap-cross-workspace-combined.png" alt-text="Diagram of working with the Microsoft Sentinel solution for SAP® applications using the same workspace for the SAP and SOC data." border="false":::
+
+Once the data collector agent is configured with the correct resource ID, the SAP team can access the specific SAP data in the SOC workspace using a resource-scoped query. The SAP team cannot read any of the other, non-SAP data types. 
+
+There are no costs associated with this approach, as the data is only ingested once into Microsoft Sentinel. Using this mode of access, the SAP team only sees raw and unformatted data and cannot use any Microsoft Sentinel features. In addition to accessing the raw data via log analytics, the SAP team can also access the same data [via Power BI](../resource-context-rbac.md).
+
+## Next steps
+
+In this article, you learned about working with Microsoft Sentinel solution for SAP® applications across multiple workspaces in different scenarios.
+
+> [!div class="nextstepaction"]
+> [Deploy the Sentinel solution for SAP® applications](deployment-overview.md)

articles/sentinel/sap/deploy-data-connector-agent-container.md

@@ -19,6 +19,8 @@ Deployment of the Microsoft Sentinel solution for SAP® applications is divided
 
 1. [Deployment prerequisites](prerequisites-for-deploying-sap-continuous-threat-monitoring.md)
 
+1. [Work with the solution across multiple workspaces](cross-workspace.md) (PREVIEW)
+
 1. [Prepare SAP environment](preparing-sap.md)
 
 1. **Deploy data connector agent (*You are here*)**
@@ -132,7 +134,7 @@ If you're not using SNC, then your SAP configuration and authentication secrets
     ```bash
     wget -O sapcon-sentinel-kickstart.sh https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/sapcon-sentinel-kickstart.sh && bash ./sapcon-sentinel-kickstart.sh --cloud fairfax
     ```
-    The script updates the OS components, installs the Azure CLI and Docker software and other required utilities (jq, netcat, curl), and prompts you for configuration parameter values. You can supply additional parameters to the script to minimize the amount of prompts or to customize the container deployment. For more information on available command line options, see [Kickstart script reference](reference-kickstart.md).
+    The script updates the OS components, installs the Azure CLI and Docker software and other required utilities (jq, netcat, curl), and prompts you for configuration parameter values. You can supply additional parameters to the script to minimize the number of prompts or to customize the container deployment. For more information on available command line options, see [Kickstart script reference](reference-kickstart.md).
 
 2. **Follow the on-screen instructions** to enter your SAP and key vault details and complete the deployment. When the deployment is complete, a confirmation message is displayed:
 
@@ -210,7 +212,7 @@ If you're not using SNC, then your SAP configuration and authentication secrets
     ./sapcon-sentinel-kickstart.sh --keymode kvsi --appid aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa --appsecret ssssssssssssssssssssssssssssssssss -tenantid bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb -kvaultname <key vault name>
     ```
 
-    The script updates the OS components, installs the Azure CLI and Docker software and other required utilities (jq, netcat, curl), and prompts you for configuration parameter values. You can supply additional parameters to the script to minimize the amount of prompts or to customize the container deployment. For more information on available command line options, see [Kickstart script reference](reference-kickstart.md).
+    The script updates the OS components, installs the Azure CLI and Docker software and other required utilities (jq, netcat, curl), and prompts you for configuration parameter values. You can supply additional parameters to the script to minimize the number of prompts or to customize the container deployment. For more information on available command line options, see [Kickstart script reference](reference-kickstart.md).
 
 1. **Follow the on-screen instructions** to enter the requested details and complete the deployment. When the deployment is complete, a confirmation message is displayed:
 
@@ -245,7 +247,7 @@ If you're not using SNC, then your SAP configuration and authentication secrets
     ./sapcon-sentinel-kickstart.sh --keymode cfgf
     ```
 
-    The script updates the OS components, installs the Azure CLI and Docker software and other required utilities (jq, netcat, curl), and prompts you for configuration parameter values. You can supply additional parameters to the script to minimize the amount of prompts or to customize the container deployment. For more information on available command line options, see [Kickstart script reference](reference-kickstart.md).
+    The script updates the OS components, installs the Azure CLI and Docker software and other required utilities (jq, netcat, curl), and prompts you for configuration parameter values. You can supply additional parameters to the script to minimize the number of prompts or to customize the container deployment. For more information on available command line options, see [Kickstart script reference](reference-kickstart.md).
 
 1. **Follow the on-screen instructions** to enter the requested details and complete the deployment. When the deployment is complete, a confirmation message is displayed:
 

articles/sentinel/sap/deploy-sap-security-content.md

@@ -1,16 +1,18 @@
 ---
 title: Deploy SAP security content in Microsoft Sentinel
 description: This article shows you how to deploy Microsoft Sentinel security content into your Microsoft Sentinel workspace. This content makes up the remaining parts of the Microsoft Sentinel solution for SAP® applications.
-author: MSFTandrelom
-ms.author: andrelom
+author: limwainstein
+ms.author: lwainstein
 ms.topic: how-to
-ms.date: 04/27/2022
+ms.date: 03/23/2023
 ---
 
 # Deploy SAP security content in Microsoft Sentinel
 
 This article shows you how to deploy Microsoft Sentinel security content into your Microsoft Sentinel workspace. This content makes up the remaining parts of the Microsoft Sentinel solution for SAP® applications.
 
+Learn about [working with the solution across multiple workspaces](cross-workspace.md) (PREVIEW), or [define multiple workspaces](#deploy-sap-security-content). 
+
 ## Deployment milestones
 
 Track your SAP solution deployment journey through this series of articles:
@@ -19,6 +21,8 @@ Track your SAP solution deployment journey through this series of articles:
 
 1. [Deployment prerequisites](prerequisites-for-deploying-sap-continuous-threat-monitoring.md)
 
+1. [Work with the solution across multiple workspaces](cross-workspace.md) (PREVIEW)
+
 1. [Prepare SAP environment](preparing-sap.md)
 
 1. [Deploy data connector agent](deploy-data-connector-agent-container.md)
@@ -46,9 +50,22 @@ To deploy SAP solution security content, do the following:
 
 1. To open the SAP solution page, select **Microsoft Sentinel solution for SAP® applications**.
 
-    :::image type="content" source="./media/deploy-sap-security-content/sap-solution.png" alt-text="Screenshot of the 'Microsoft Sentinel solution for SAP® applications' solution pane." lightbox="media/deploy-sap-security-content/sap-solution.png":::
+    :::image type="content" source="./media/deploy-sap-security-content/sap-solution.png" alt-text="Screenshot of the 'Microsoft Sentinel solution for SAP® applications' solution pane." lightbox="./media/deploy-sap-security-content/sap-solution.png":::
+
+1. To launch the solution deployment wizard, select **Create**, and then enter the details of the Azure subscription and resource group.
+
+1. For the **Deployment target workspace**, select the Log Analytics workspace (the one used by Microsoft Sentinel) where you want to deploy the solution. <a id="multi-workspace"></a>
+
+1. If you want to [work with the Microsoft Sentinel solution for SAP® applications across multiple workspaces](cross-workspace.md) (PREVIEW), do one of the following, select **Some of the data is on a different workspace**.
+    1. Under **Configure the workspace where the SOC data resides in**, select the SOC subscription and workspace. 
+    1. Under **Configure the workspace where the SAP data resides in**, select the SAP subscription and workspace.
+
+    For example:
+
+    :::image type="content" source="./media/deploy-sap-security-content/sap-multi-workspace.png" alt-text="Screenshot of how to configure the Microsoft Sentinel solution for SAP® applications to work across multiple workspaces.":::
 
-1. To launch the solution deployment wizard, select **Create**, and then enter the details of the Azure subscription, resource group, and Log Analytics workspace (the one used by Microsoft Sentinel) where you want to deploy the solution.
+    > [!Note]
+    > If you want the SAP and SOC data to be kept on the same workspace with no additional access controls, do not select **Some of the data is on a different workspace**. If you want the SOC and SAP data to be kept on the same workspace, but to apply additional access controls, review [this scenario](cross-workspace.md#scenario-2-sap-data-is-kept-in-the-soc-workspace).      
 
 1. Select **Next** to cycle through the **Data Connectors**, **Analytics**, and **Workbooks** tabs, where you can learn about the components that will be deployed with this solution.
 
@@ -68,11 +85,11 @@ To deploy SAP solution security content, do the following:
 
 1. In Microsoft Sentinel, go to the **Microsoft Sentinel for SAP** data connector to confirm the connection:
 
-    [![Screenshot of the Microsoft Sentinel for SAP data connector page.](./media/deploy-sap-security-content/sap-data-connector.png)](./media/deploy-sap-security-content/sap-data-connector.png#lightbox)
+    :::image type="content" source="./media/deploy-sap-security-content/sap-data-connector.png" alt-text="Screenshot of the Microsoft Sentinel for SAP data connector page." lightbox="media/deploy-sap-security-content/sap-data-connector.png":::
 
     SAP ABAP logs are displayed on the Microsoft Sentinel **Logs** page, under **Custom logs**:
 
-    [![Screenshot of the SAP ABAP logs in the 'Custom Logs' area in Microsoft Sentinel.](./media/deploy-sap-security-content/sap-logs-in-sentinel.png)](./media/deploy-sap-security-content/sap-logs-in-sentinel.png#lightbox)
+    :::image type="content" source="./media/deploy-sap-security-content/sap-logs-in-sentinel.png" alt-text="Screenshot of the SAP ABAP logs in the 'Custom Logs' area in Microsoft Sentinel." lightbox="media/deploy-sap-security-content/sap-logs-in-sentinel.png":::
 
     For more information, see [Microsoft Sentinel solution for SAP® applications solution logs reference](sap-solution-log-reference.md).
 

articles/sentinel/sap/deployment-overview.md

@@ -42,12 +42,13 @@ Follow your deployment journey through this series of articles, in which you'll
 | Milestone | Article |
 | --------- | ------- |
 | **1. Deployment overview** | **YOU ARE HERE** |
-| **2. Deployment prerequisites** | [Prerequisites for deploying the Microsoft Sentinel solution for SAP® applications](prerequisites-for-deploying-sap-continuous-threat-monitoring.md) |
-| **3. Prepare SAP environment** | [Deploying SAP CRs and configuring authorization](preparing-sap.md) |
-| **4. Deploy data connector agent** | [Deploy and configure the container hosting the data connector agent](deploy-data-connector-agent-container.md) |
-| **5. Deploy SAP security content** | [Deploy SAP security content](deploy-sap-security-content.md)
-| **6. Microsoft Sentinel solution for SAP® applications** | [Configure Microsoft Sentinel solution for SAP® applications](deployment-solution-configuration.md) |
-| **7. Optional steps** | - [Configure auditing](configure-audit.md)<br>- [Configure Microsoft Sentinel for SAP data connector to use SNC](configure-snc.md)<br>- [Configure audit log monitoring rules](configure-audit-log-rules.md)<br>- [Select SAP ingestion profiles](select-ingestion-profiles.md) |
+| **2. Plan architecture** | Learn about [working with the solution across multiple workspaces](cross-workspace.md) (PREVIEW) |
+| **3. Deployment prerequisites** | [Prerequisites for deploying the Microsoft Sentinel solution for SAP® applications](prerequisites-for-deploying-sap-continuous-threat-monitoring.md) |
+| **4. Prepare SAP environment** | [Deploying SAP CRs and configuring authorization](preparing-sap.md) |
+| **5. Deploy data connector agent** | [Deploy and configure the container hosting the data connector agent](deploy-data-connector-agent-container.md) |
+| **6. Deploy SAP security content** | [Deploy SAP security content](deploy-sap-security-content.md)
+| **7. Microsoft Sentinel solution for SAP® applications** | [Configure Microsoft Sentinel solution for SAP® applications](deployment-solution-configuration.md) |
+| **8. Optional steps** | - [Configure auditing](configure-audit.md)<br>- [Configure Microsoft Sentinel for SAP data connector to use SNC](configure-snc.md)<br>- [Configure audit log monitoring rules](configure-audit-log-rules.md)<br>- [Select SAP ingestion profiles](select-ingestion-profiles.md) |
 
 ## Next steps
 

articles/sentinel/sap/deployment-solution-configuration.md

@@ -27,6 +27,8 @@ Track your SAP solution deployment journey through this series of articles:
 
 1. [Deployment prerequisites](prerequisites-for-deploying-sap-continuous-threat-monitoring.md)
 
+1. [Work with the solution across multiple workspaces](cross-workspace.md) (PREVIEW)
+
 1. [Prepare SAP environment](preparing-sap.md)
 
 1. [Deploy data connector agent](deploy-data-connector-agent-container.md)