Adding new how to section

Author: limwainstein

articles/sentinel/TOC.yml

@@ -177,6 +177,8 @@
     items:
     - name: Solution overview
       href: sap/solution-overview.md
+    - name: Working with the solution across multiple workspaces
+      href: sap/cross-workspace.md
 - name: How-tos
   items:
   - name: Plan architecture

articles/sentinel/sap/cross-workspace.md

@@ -13,64 +13,71 @@ When you set up your Microsoft Sentinel workspace, there are [multiple architect
 
 This article discusses working with Microsoft Sentinel solution for SAP® applications across multiple workspaces in different scenarios.
 
-The Microsoft Sentinel solution for SAP® applications natively supports a cross-workspace ar architecture to allow improved flexibility for: 
+The Microsoft Sentinel solution for SAP® applications natively supports a cross-workspace architecture to allow improved flexibility for: 
 
 - Managed security service providers (MSSPs) or a global or federated SOC
 - Data residency requirements 
 - Organizational hierarchy/IT design 
-- Insufficient role-based access control (RBAC) in a single workspace.
+- Insufficient role-based access control (RBAC) in a single workspace
 
-In this article, we focus on a specific and common use case, where collaboration between the security operations center (SOC) and SAP teams in your organization requires a multi-workspace setup.
+> [!IMPORTANT]
+> The cross-workspace architecture and querying is currently in PREVIEW. This feature is provided without a service level agreement. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+You can define multiple workspaces when you [deploy the SAP security content](deploy-sap-security-content.md#multi-workspace).  
 
-## Collaboration between the SAP and SOC teams and multi-workspace architecture 
+## Collaboration between the SOC and SAP teams in your organization
 
-Your organization's SAP team has technical knowledge that's critical to a successfully and effectively implement the Microsoft Sentinel solution for SAP® applications. Therefore, it's important for the SAP team see the relevant data and collaborate with the SOC on the required configuration and incident response procedures. 
+In this article, we focus on a specific and common use case, where collaboration between the security operations center (SOC) and SAP teams in your organization requires a multi-workspace setup.
+
+Your organization's SAP team has technical knowledge that's critical to successfully and effectively implement the Microsoft Sentinel solution for SAP® applications. Therefore, it's important for the SAP team see the relevant data and collaborate with the SOC on the required configuration and incident response procedures. 
 
 As part of this collaboration, there are two possible scenarios, depending on your organization's needs:
 
-1. **The SAP data and the SOC data reside in separate workspaces**. Both teams can see the SAP data, [using cross-workspace queries](#scenario-1-sap-and-soc-data-reside-in-separate-workspaces) 
-1. **The SAP data is kept in the SOC workspace**, and SAP team can query the data using [resource context queries] 
+1. **The SAP data and the SOC data reside in separate workspaces**. Both teams can see the SAP data, using [cross-workspace queries](#scenario-1-sap-and-soc-data-reside-in-separate-workspaces) 
+1. **The SAP data is kept in the SOC workspace**, and SAP team can query the data using [resource context queries](#scenario-2-sap-data-is-kept-in-the-soc-workspace). 
 
-### Scenario 1: SAP and SOC data reside in separate workspaces 
+## Scenario 1: SAP and SOC data reside in separate workspaces 
 
 In this scenario, the SAP and SOC teams have separate Microsoft Sentinel workspaces. When your organization deploys the Microsoft Sentinel solution for SAP® applications, each team specifies its SAP workspace under **Instance details** > **Configure the workspace where the SAP data resides**. 
 
+You define multiple workspaces when you [deploy the SAP security content](deploy-sap-security-content.md#multi-workspace).
+
 :::image type="content" source="media/cross-workspace/sap-cross-workspace-separate.png" alt-text="Diagram of working with the Microsoft Sentinel solution for SAP® applications in separate workspaces for the SAP and SOC data." border="false":::
 
-A common practice is to provide some or all of the SOC team members with read permissions to the SAP workspace. 
+A common practice is to provide some or all of the SOC team members with the **Sentinel Reader** role on the SAP workspace. 
 
 Creating separate workspaces for the SAP and SOC data has these benefits:
 
 - Microsoft Sentinel can create alerts that include both SOC and SAP data, and to run those alerts on the SOC workspace. 
-- The SAP has its own Microsoft Sentinel workspace, including all features, except for detections that include both SOC and SAP data. 
+
+   > [!NOTE]
+   > For larger SAP landscapes, running queries made by the SOC on data from the SAP workspace can impact performance, because the SAP data must travel to the SOC workspace when being queried. For improved performance and cost optimizations, consider having both the SOC and SAP workspaces on the same [dedicated cluster](../../azure-monitor/logs/logs-dedicated-clusters.md?tabs=cli#cluster-pricing-model).
+
+- The SAP team has its own Microsoft Sentinel workspace, including all features, except for detections that include both SOC and SAP data. 
 - Flexibility: The SAP team can focus on the control and internal threats in its landscape, while the SOC can focus on external threats. 
 - There is no additional charge for ingestion fees, because data is only ingested once into Microsoft Sentinel. However, note that each workspace has its own [pricing tier](../design-your-workspace-architecture.md#step-5-collecting-any-non-soc-data). 
-- The SOC can see and investigate SAP incidents: If the SAP team faces an event they can't explain with the existing data, they can assign the incident to the SOC. 
-
-For larger SAP landscapes, working in this scenario can impact the performance of queries made by the SOC on data from the SAP workspace. This is because the SAP data must travel to the SOC workspace when being queried. For improved performance and cost optimizations, consider having both SOC and SAP workspaces to be on the same [dedicated cluster](./../azure-monitor/logs/logs-dedicated-clusters?tabs=cli#cluster-pricing-model). 
+- The SOC can see and investigate SAP incidents: If the SAP team faces an event they can't explain with the existing data, they can assign the incident to the SOC.   
 
-This table shows the best practice for managing the SAP and SOC data and permissions in this scenario.
+This table maps out the access of data and features for the SAP and SOC teams in this scenario.
 
-|Function  |SOC team  |SAP team |
+|Function  |SOC team  |SAP team  |
 |---------|---------|---------|
-|SOC workspace access   |❌      |✅ |
-|SAP workspace data, analytics rules, functions, watchlists, and workbooks access     |✅         |✅ |
-|SAP incident access and collaboration     |✅         |✅ |  
+|SOC workspace access     | ❌         | ✅         |
+|SAP workspace data, analytics rules, functions, watchlists, and workbooks access     | ✅         | ✅         |
+|SAP incident access and collaboration     | ✅          | ✅          |
 
-TBD - how this is done - separate page? + screenshot
-
-### Scenario 2: SAP data is kept in the SOC workspace 
+## Scenario 2: SAP data is kept in the SOC workspace 
 
 In this scenario, you want to keep all of the data in one workspace. You can do this using Log Analytics to [manage access to data by resource](../resource-context-rbac.md). You can also associate SAP resources with an Azure resource ID by specifying the required `azure_resource_id` field in the connector configuration section on the data collector used to ingest data from the SAP system into Microsoft Sentinel. 
 
+You can define multiple workspaces when you [deploy the SAP security content](deploy-sap-security-content.md#multi-workspace).
+
 :::image type="content" source="media/cross-workspace/sap-cross-workspace-combined.png" alt-text="Diagram of working with the Microsoft Sentinel solution for SAP® applications using the same workspace for the SAP and SOC data." border="false":::
 
 Once the data collector agent is configured with the correct resource ID, the SAP team can access the specific SAP data in the SOC workspace using a resource-scoped query. The SAP team cannot read any of the other, non-SAP data types. 
 
 There are no costs associated with this approach, as the data is only ingested once into Microsoft Sentinel. Using this mode of access, the SAP team only sees raw and unformatted data and cannot use any Microsoft Sentinel features. In addition to accessing the raw data via log analytics, the SAP team can also access the same data [via Power BI](../resource-context-rbac.md).
 
-TBD - how this is done - separate page? + screenshot
-  
 ## Next steps
 
 In this article, you learned about working with Microsoft Sentinel solution for SAP® applications across multiple workspaces in different scenarios.

articles/sentinel/sap/deploy-data-connector-agent-container.md

@@ -19,6 +19,8 @@ Deployment of the Microsoft Sentinel solution for SAP® applications is divided
 
 1. [Deployment prerequisites](prerequisites-for-deploying-sap-continuous-threat-monitoring.md)
 
+1. [Work with the solution across multiple workspaces](cross-workspace.md) (PREVIEW)
+
 1. [Prepare SAP environment](preparing-sap.md)
 
 1. **Deploy data connector agent (*You are here*)**

articles/sentinel/sap/deploy-sap-security-content.md

@@ -1,16 +1,18 @@
 ---
 title: Deploy SAP security content in Microsoft Sentinel
 description: This article shows you how to deploy Microsoft Sentinel security content into your Microsoft Sentinel workspace. This content makes up the remaining parts of the Microsoft Sentinel solution for SAP® applications.
-author: MSFTandrelom
-ms.author: andrelom
+author: limwainstein
+ms.author: lwainstein
 ms.topic: how-to
-ms.date: 04/27/2022
+ms.date: 03/23/2023
 ---
 
 # Deploy SAP security content in Microsoft Sentinel
 
 This article shows you how to deploy Microsoft Sentinel security content into your Microsoft Sentinel workspace. This content makes up the remaining parts of the Microsoft Sentinel solution for SAP® applications.
 
+Learn about [working with the solution across multiple workspaces](cross-workspace.md) (PREVIEW), or [define multiple workspaces](#multi-workspace). 
+
 ## Deployment milestones
 
 Track your SAP solution deployment journey through this series of articles:
@@ -19,6 +21,8 @@ Track your SAP solution deployment journey through this series of articles:
 
 1. [Deployment prerequisites](prerequisites-for-deploying-sap-continuous-threat-monitoring.md)
 
+1. [Work with the solution across multiple workspaces](cross-workspace.md) (PREVIEW)
+
 1. [Prepare SAP environment](preparing-sap.md)
 
 1. [Deploy data connector agent](deploy-data-connector-agent-container.md)
@@ -48,7 +52,29 @@ To deploy SAP solution security content, do the following:
 
     :::image type="content" source="./media/deploy-sap-security-content/sap-solution.png" alt-text="Screenshot of the 'Microsoft Sentinel solution for SAP® applications' solution pane." lightbox="media/deploy-sap-security-content/sap-solution.png":::
 
-1. To launch the solution deployment wizard, select **Create**, and then enter the details of the Azure subscription, resource group, and Log Analytics workspace (the one used by Microsoft Sentinel) where you want to deploy the solution.
+1. To launch the solution deployment wizard, select **Create**, and then enter the details of the Azure subscription and resource group.
+
+1. For the **Deployment target workspace**, select the Log Analytics workspace (the one used by Microsoft Sentinel) where you want to deploy the solution. 
+
+<a id="multi-workspace"></a>
+
+1. If you want to [work with the Microsoft Sentinel solution for SAP® applications across multiple workspaces](cross-workspace.md) (PREVIEW), do one of the following: 
+
+    - [If you want the SOC and SAP data to reside in separate workspaces](cross-workspace.md#scenario-1-sap-and-soc-data-reside-in-separate-workspaces): 
+        1. Select **Some of the data is on a different workspace**.
+        1. Under **Configure the workspace where the SOC data resides in**, select the SOC subscription and workspace. 
+        1. Under **Configure the workspace where the SAP data resides in**, select the SAP subscription and workspace.
+
+        For example:
+
+        :::image type="content" source="./media/deploy-sap-security-content/sap-multi-workspace.png" alt-text="Screenshot of how to configure the Microsoft Sentinel solution for SAP® applications to work across multiple workspaces." lightbox="media/deploy-sap-security-content/sap-multi-workspace.png":::
+
+    - [If you want the SOC and SAP data to be kept on the same workspace](cross-workspace.md#scenario-2-sap-data-is-kept-in-the-soc-workspace): 
+        - If the SAP team doesn't have permissions to the SAP workspace, under **Subscription** and **Resource group**, select the SAP workspace. Do not select **Some of the data is on a different workspace**. 
+        - If the SAP team has permissions to the SAP workspace:
+            1. Select **Some of the data is on a different workspace**.
+            1. Under **Configure the workspace where the SOC data resides in**, select the SOC subscription and workspace. 
+            1. Under **Configure the workspace where the SAP data resides in**, select the SAP subscription and workspace.
 
 1. Select **Next** to cycle through the **Data Connectors**, **Analytics**, and **Workbooks** tabs, where you can learn about the components that will be deployed with this solution.
 
@@ -68,11 +94,11 @@ To deploy SAP solution security content, do the following:
 
 1. In Microsoft Sentinel, go to the **Microsoft Sentinel for SAP** data connector to confirm the connection:
 
-    [![Screenshot of the Microsoft Sentinel for SAP data connector page.](./media/deploy-sap-security-content/sap-data-connector.png)](./media/deploy-sap-security-content/sap-data-connector.png#lightbox)
+    :::image type="content" source="./media/deploy-sap-security-content/sap-data-connector.png" alt-text="Screenshot of the Microsoft Sentinel for SAP data connector page." lightbox="media/deploy-sap-security-content/sap-data-connector.png":::
 
     SAP ABAP logs are displayed on the Microsoft Sentinel **Logs** page, under **Custom logs**:
 
-    [![Screenshot of the SAP ABAP logs in the 'Custom Logs' area in Microsoft Sentinel.](./media/deploy-sap-security-content/sap-logs-in-sentinel.png)](./media/deploy-sap-security-content/sap-logs-in-sentinel.png#lightbox)
+    :::image type="content" source="./media/deploy-sap-security-content/sap-logs-in-sentinel.png" alt-text="Screenshot of the SAP ABAP logs in the 'Custom Logs' area in Microsoft Sentinel." lightbox="media/deploy-sap-security-content/sap-logs-in-sentinel.png":::
 
     For more information, see [Microsoft Sentinel solution for SAP® applications solution logs reference](sap-solution-log-reference.md).
 

articles/sentinel/sap/deployment-overview.md

@@ -42,12 +42,13 @@ Follow your deployment journey through this series of articles, in which you'll
 | Milestone | Article |
 | --------- | ------- |
 | **1. Deployment overview** | **YOU ARE HERE** |
-| **2. Deployment prerequisites** | [Prerequisites for deploying the Microsoft Sentinel solution for SAP® applications](prerequisites-for-deploying-sap-continuous-threat-monitoring.md) |
-| **3. Prepare SAP environment** | [Deploying SAP CRs and configuring authorization](preparing-sap.md) |
-| **4. Deploy data connector agent** | [Deploy and configure the container hosting the data connector agent](deploy-data-connector-agent-container.md) |
-| **5. Deploy SAP security content** | [Deploy SAP security content](deploy-sap-security-content.md)
-| **6. Microsoft Sentinel solution for SAP® applications** | [Configure Microsoft Sentinel solution for SAP® applications](deployment-solution-configuration.md) |
-| **7. Optional steps** | - [Configure auditing](configure-audit.md)<br>- [Configure Microsoft Sentinel for SAP data connector to use SNC](configure-snc.md)<br>- [Configure audit log monitoring rules](configure-audit-log-rules.md)<br>- [Select SAP ingestion profiles](select-ingestion-profiles.md) |
+| **2. Plan architecture** | Learn about [working with the solution across multiple workspaces](cross-workspace.md) (PREVIEW) |
+| **3. Deployment prerequisites** | [Prerequisites for deploying the Microsoft Sentinel solution for SAP® applications](prerequisites-for-deploying-sap-continuous-threat-monitoring.md) |
+| **4. Prepare SAP environment** | [Deploying SAP CRs and configuring authorization](preparing-sap.md) |
+| **5. Deploy data connector agent** | [Deploy and configure the container hosting the data connector agent](deploy-data-connector-agent-container.md) |
+| **6. Deploy SAP security content** | [Deploy SAP security content](deploy-sap-security-content.md)
+| **7. Microsoft Sentinel solution for SAP® applications** | [Configure Microsoft Sentinel solution for SAP® applications](deployment-solution-configuration.md) |
+| **8. Optional steps** | - [Configure auditing](configure-audit.md)<br>- [Configure Microsoft Sentinel for SAP data connector to use SNC](configure-snc.md)<br>- [Configure audit log monitoring rules](configure-audit-log-rules.md)<br>- [Select SAP ingestion profiles](select-ingestion-profiles.md) |
 
 ## Next steps
 

articles/sentinel/sap/deployment-solution-configuration.md

@@ -27,6 +27,8 @@ Track your SAP solution deployment journey through this series of articles:
 
 1. [Deployment prerequisites](prerequisites-for-deploying-sap-continuous-threat-monitoring.md)
 
+1. [Work with the solution across multiple workspaces](cross-workspace.md) (PREVIEW)
+
 1. [Prepare SAP environment](preparing-sap.md)
 
 1. [Deploy data connector agent](deploy-data-connector-agent-container.md)