articles/sentinel/sap/deployment-solution-configuration.md
36 additions & 13 deletions
@@ -9,8 +9,14 @@ ms.date: 04/27/2022
9
9
10
10
# Configure Microsoft Sentinel Solution for SAP
11
11
12
+
[!INCLUDE [Banner for top of topics](../includes/banner.md)]
13
+
12
14
This article provides best practices for configuring the Microsoft Sentinel Solution for SAP. The full deployment process is detailed in a whole set of articles linked under [Deployment milestones](deployment-overview.md#deployment-milestones).
13
15
16
+
> [!IMPORTANT]
17
+
> Some components of the Microsoft Sentinel Solution for SAP are currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
18
+
>
19
+
14
20
Deployment of the data collector agent and solution in Microsoft Sentinel provides you with the ability to monitor SAP systems for suspicious activities and identify threats. However, for best results, best practices for operating the solution strongly recommend carrying out several additional configuration steps that are very dependent on the SAP deployment.
15
21
16
22
## Deployment milestones
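Review bot: the added IMPORTANT block ends with a bare `>` line after the preview-terms sentence, which renders as an empty quote line; drop it, or put the blank separator outside the blockquote. The unchanged sentence below it, "best practices for operating the solution strongly recommend carrying out several additional configuration steps that are very dependent on the SAP deployment", is worth tightening while this section is open, for example "we strongly recommend several additional configuration steps that depend on your SAP deployment".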
@@ -43,11 +49,11 @@ Microsoft Sentinel Solution for SAP configuration is accomplished by providing c
43
49
> If you edit a watchlist and find it is empty, please wait a few minutes and retry opening the watchlist for editing.
44
50
45
51
### SAP - Systems watchlist
46
-
SAP - Systems watchlist defines which SAP Systems are present in the monitored environment. For every system, specify its SID, whether it is a production system or a dev/test environment, as well as a description.
52
+
SAP - Systems watchlist defines which SAP Systems are present in the monitored environment. For every system, specify its SID, whether it's a production system or a dev/test environment, as well as a description.
47
53
This information is used by some analytics rules, which may react differently if relevant events appear in a Development or a Production system.
48
54
49
55
### SAP - Networks watchlist
50
-
SAP - Networks watchlist outlines all networks used by the organization. It is primarily used to identify whether or not user logons are originating from within known segments of the network, also if user logon origin changes unexpectedly.
56
+
SAP - Networks watchlist outlines all networks used by the organization. It's primarily used to identify whether or not user logons are originating from within known segments of the network, also if user logon origin changes unexpectedly.
51
57
52
58
There are a number of approaches for documenting network topology. You could define a broad range of addresses, like 172.16.0.0/16, and name it "Corporate Network", which will be good enough for tracking logons from outside that range. A more segmented approach, however, allows you better visibility into potentially atypical activity.
53
59
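Review bot: the rewritten Networks watchlist sentence keeps the dangling clause "also if user logon origin changes unexpectedly"; since the line is already being touched for the contraction, suggest "It's primarily used to identify whether user logons originate from within known network segments and whether a user's logon origin changes unexpectedly." The contraction edits themselves ("it's") are consistent with the Systems watchlist line above.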
@@ -76,19 +82,36 @@ All of these watchlists identify sensitive actions or data that can be carried o
76
82
- SAP - Sensitive Roles
77
83
- SAP - Privileged Users
78
84
79
-
Microsoft Sentinel Solution for SAP uses User Master data gathered from SAP systems to identify which users, profiles, and roles should be considered sensitive. Some sample data is included in the watchlists, though we recommend you consult with the SAP BASIS team to identify sensitive users, roles and profiles and populate the watchlists accordingly.
85
+
The Microsoft Sentinel Solution for SAP uses User Master data gathered from SAP systems to identify which users, profiles, and roles should be considered sensitive. Some sample data is included in the watchlists, though we recommend you consult with the SAP BASIS team to identify sensitive users, roles and profiles and populate the watchlists accordingly.
80
86
81
87
## Start enabling analytics rules
82
-
By default, all analytics rules provided in the Microsoft Sentinel Solution for SAP are disabled. When you install the solution, it's best if you don't enable all the rules at once so you don't end up with a lot of noise. Instead, use a staged approach, enabling rules over time, ensuring you are not receiving noise or false positives. Ensure alerts are operationalized, that is, have a response plan for each of the alerts. We consider the following rules to be easiest to implement, so best to start with them:
88
+
By default, all analytics rules provided in the Microsoft Sentinel Solution for SAP are provided as [alert rule templates](../manage-analytics-rule-templates.md#manage-template-versions-for-your-scheduled-analytics-rules-in-microsoft-sentinel). We recommend a staged approach, where a few rules are created from templates at a time, allowing time for fine tuning each scenario.
89
+
We consider the following rules to be easiest to implement, so best to start with those:
83
90
84
-
1. Deactivation of Security Audit Log
85
-
1. Client Configuration Change
86
91
1. Change in Sensitive Privileged User
87
-
1. Client configuration change
88
-
1. Sensitive privileged user logon
89
-
1. Sensitive privileged user makes a change in other
90
-
1. Sensitive privilege user password change and login
91
-
1. System configuration change
92
-
1. Brute force (RFC)
93
-
1. Function module tested
92
+
2. Client configuration change
93
+
3. Sensitive privileged user logon
94
+
4. Sensitive privileged user makes a change in other
95
+
5. Sensitive privilege user password change and login
96
+
6. Brute force (RFC)
97
+
7. Function module tested
98
+
8. The SAP audit log monitoring analytics rules
99
+
100
+
#### Configuring the SAP audit log monitoring analytics rules
101
+
The two [SAP Audit log monitor rules](sap-solution-security-content.md#built-in-sap-analytics-rules-for-monitoring-the-sap-audit-log) are delivered as ready to run out of the box, and allow for further fine tuning using watchlists:
102
+
-**SAP_Dynamic_Audit_Log_Monitor_Configuration**
103
+
The **SAP_Dynamic_Audit_Log_Monitor_Configuration** is a watchlist detailing all available SAP standard audit log message IDs and can be extended to contain additional message IDs you might create on your own using ABAP enhancements on your SAP NetWeaver systems.This watchlist allows for customizing an SAP message ID (=event type), at different levels:
104
+
- Severities per production/ non-production systems -for example, debugging activity gets “High” for production systems, and “Disabled” for other systems
105
+
- Assigning different thresholds for production/ non-production systems- which are considered as “speed limits”. Setting a threshold of 60 events an hour, will trigger an incident if more than 30 events were observed within 30 minutes
106
+
- Assigning Rule Types- either “Deterministic” or “AnomaliesOnly” determines by which manner this event is considered
107
+
- Roles and Tags to Exclude- specific users can be excluded from specific event types. This field can either accept SAP roles, SAP profiles or Tags:
108
+
- Listing SAP roles or SAP profiles ([see User Master data collection](sap-solution-deploy-alternate.md#configuring-user-master-data-collection)) would exclude any user bearing those roles/ profiles from these event types for the same SAP system. For example, specifying the “BASIC_BO_USERS” ABAP role for the RFC related event types will ensure Business Objects users won't trigger incidents when making massive RFC calls.
109
+
- Listing tags to be used as identifiers. Tagging an event type works just like specifying SAP roles or profiles, except that tags can be created within the Sentinel workspace, allowing the SOC personnel freedom in excluding users per activity without the dependency on the SAP team. For example, the audit message IDs AUB (authorization changes) and AUD (User master record changes) are assigned with the tag “MassiveAuthChanges”. Users assigned with this tag are excluded from the checks for these activities. Running the workspace function **SAPAuditLogConfigRecommend** will produce a list of recommended tags to be assigned to users, such as 'Add the tags ["GenericTablebyRFCOK"] to user SENTINEL_SRV using the SAP_User_Config watchlist'
110
+
-**SAP_User_Config**
111
+
This configuration-based watchlist is there to allow for specifying user related tags and other active directory identifiers for the SAP user. Tags are then used for identifying the user in specific contexts. For example, assigning the user GRC_ADMIN with the tag “MassiveAuthChanges” will prevent incidents from being created on user master record and authorization events made by GRC_ADMIN.
112
+
113
+
More information is available [in this blog](https://aka.ms/Sentinel4sapDynamicDeterministicAuditRuleBlog)
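Review bot: the two watchlist headings `-**SAP_Dynamic_Audit_Log_Monitor_Configuration**` and `-**SAP_User_Config**` have no space after the hyphen, so markdown will not render them as list items; write `- **SAP_Dynamic_Audit_Log_Monitor_Configuration**` (and likewise for SAP_User_Config) or make them bold paragraphs. Further points in the same hunk: the new `####` heading sits directly under the `##` "Start enabling analytics rules" section, skipping a level, and it is the target of the `#configuring-the-sap-audit-log-monitoring-analytics-rules` anchor used in the other hunk of this commit, so any rename must keep that slug; "systems.This watchlist" is missing a space; the list numbering switches from the repeated `1.` the removed lines used to explicit `2.` to `8.` while the first item stays `1.`, which renders but is inconsistent with the surrounding docs; "Deactivation of Security Audit Log" and "System configuration change" are dropped from the starter list without the text saying whether the new audit log monitoring rules replace them; and "By default, all analytics rules ... are provided as" reads oddly, since "All analytics rules ... are provided as alert rule templates" says the same.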
| Score | the anomaly scores as produced by the anomaly model|
289
290
291
+
See [Built-in SAP analytics rules for monitoring the SAP audit log](sap-solution-security-content.md#built-in-sap-analytics-rules-for-monitoring-the-sap-audit-log) for more information.
292
+
293
+
### SAPAuditLogConfigRecommend
294
+
The **SAPAuditLogConfigRecommend** is a helper function designed to offer recommendations for the configuration of the [SAP - Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW)](sap-solution-security-content.md#sap---dynamic-anomaly-based-audit-log-monitor-alerts-preview) analytics rule. See detailed explanation in the [Configuring the SAP audit log monitoring analytics rules](deployment-solution-configuration.md#configuring-the-sap-audit-log-monitoring-analytics-rules) guide.
295
+
290
296
### SAPUsersGetVIP
291
297
292
298
The Sentinel for SAP solution uses a concept of central user tagging, designed to allow for lower false positive rate with minimal effort on the customer end:
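Review bot: the new SAPAuditLogConfigRecommend entry describes the function only as a recommender for the "SAP - Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW)" rule, but the configuration guide added in the other hunk of this commit shows its output as recommended tags for the SAP_User_Config watchlist, which both SAP audit log monitor rules use for fine tuning; name both consumers here. Unlike the neighbouring function entries in this file (see the `| Score |` output-column row just above), this entry does not document what the function returns; add its output columns, and change "See detailed explanation" to "See the detailed explanation".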