
Commit c417e7b

committed
removing attack disrupt for SAP
1 parent 3728fe9 commit c417e7b

9 files changed

+17
-199
lines changed

articles/sentinel/TOC.yml

Lines changed: 0 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -180,8 +180,6 @@
180180
href: sap/reference-systemconfig.md
181181
- name: Enable SAP detections and threat protection
182182
href: sap/deployment-solution-configuration.md
183-
- name: Automatic attack disruption for SAP
184-
href: sap/deployment-attack-disrupt.md
185183
- name: Integrate SAP across multiple workspaces
186184
href: sap/cross-workspace.md
187185
- name: Monitor SAP systems
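Review bot: The TOC entry removal is consistent with the deletion of sap/deployment-attack-disrupt.md, but the published URL for that page will 404 unless a redirect is added with this commit; a sensible target is sap/deployment-solution-configuration.md, whose entry sits directly above the removed one in this hunk.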

articles/sentinel/feature-availability.md

Lines changed: 0 additions & 2 deletions
@@ -25,8 +25,6 @@ This article describes the features available in Microsoft Sentinel across diffe
2525

2626
Microsoft Sentinel is also available in the [Microsoft Defender portal](microsoft-sentinel-defender-portal.md) as Microsoft's unified security operations (SecOps) platform. In the Defender portal, all features in general availability are available in both commercial and GCC High and DoD clouds. Features still in preview are available only in the commercial cloud.
2727

28-
While [attack disruption in the Defender portal](/defender-xdr/automatic-attack-disruption) is generally available, [SAP support for attack disruption](/defender-xdr/automatic-attack-disruption#automated-response-actions-for-sap-with-microsoft-sentinel) with Microsoft's unified SecOps platform is available only in the commercial cloud.
29-
3028
For more information, see [Microsoft Defender XDR for US Government customers](/defender-xdr/usgov).
3129

3230
## Analytics

articles/sentinel/microsoft-sentinel-defender-portal.md

Lines changed: 1 addition & 3 deletions
@@ -4,7 +4,7 @@ description: Learn about the Microsoft Sentinel experience when you onboard Micr
44
author: cwatson-cat
55
ms.author: cwatson
66
ms.topic: conceptual
7-
ms.date: 11/21/2024
7+
ms.date: 12/11/2024
88
appliesto:
99
- Microsoft Sentinel in the Microsoft Defender portal
1010
ms.collection: usx-security
@@ -39,7 +39,6 @@ The following table describes the additional capabilities available in the Defen
3939

4040
| Capabilities | Description |
4141
| ----------------- | ------------------------ |
42-
| Attack disrupt | Deploy automatic attack disruption for SAP with both the Defender portal and the Microsoft Sentinel solution for SAP applications. For example, contain compromised assets by locking suspicious SAP users in case of a financial process manipulation attack. <br><br>Attack disruption capabilities for SAP are available in the Defender portal only. To use attack disruption for SAP, update your data connector agent version and ensure that the relevant Azure role is assigned to your agent's identity. <br><br> For more information, see [Automatic attack disruption for SAP](sap/deployment-attack-disrupt.md). |
4342
| Unified entities | Entity pages for devices, users, IP addresses, and Azure resources in the Defender portal display information from Microsoft Sentinel and Defender data sources. These entity pages give you an expanded context for your investigations of incidents and alerts in the Defender portal.<br><br>For more information, see [Investigate entities with entity pages in Microsoft Sentinel](/azure/sentinel/entity-pages). |
4443
| Unified incidents | Manage and investigate security incidents in a single location and from a single queue in the Defender portal. Use Security Copilot to summarize, respond, and report. Incidents include:<br>- Data from the breadth of sources<br>- AI analytics tools of security information and event management (SIEM)<br>- Context and mitigation tools offered by extended detection and response (XDR) <br><br> For more information, see the following articles:<br>- [Incident response in the Microsoft Defender portal](/microsoft-365/security/defender/incidents-overview)<br>- [Investigate Microsoft Sentinel incidents in Security Copilot](sentinel-security-copilot.md) |
4544
|Microsoft Copilot in Microsoft Defender| When investigating incidents with Microsoft Sentinel integrated with Defender XDR, <br>- [Triage and investigate incidents with guided responses](/defender-xdr/security-copilot-m365d-guided-response)<br>- [Summarize device information](/defender-xdr/copilot-in-defender-device-summary)<br>- [Summarize identity information](/defender-xdr/security-copilot-defender-identity-summary) <br><br>Summarize the relevant threats impacting your environment, to prioritize resolving threats based on your exposure levels, or to find threat actors that might be targeting your industry by using Security Copilot in threat intelligence. For more information, see [Using Microsoft Security Copilot for threat intelligence](/defender/threat-intelligence/using-copilot-threat-intelligence-defender-xdr). |
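Review bot: Dropping the "Attack disrupt" row leaves the three-column table well-formed, but it also removes the only place that told SAP customers to update the data connector agent version and assign the relevant Azure role to the agent's identity; if either step is still required for log collection alone, that guidance needs a new home, otherwise the removal is complete as is.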
@@ -53,7 +52,6 @@ This section covers the Microsoft Sentinel capabilities or integrations that are
5352
| Capability |Availability |Description |
5453
| ------------ | ----------- |----------- |
5554
| Advanced hunting using bookmarks | Azure portal only |Bookmarks aren't supported in the advanced hunting experience in the Microsoft Defender portal. In the Defender portal, they're supported in the **Microsoft Sentinel > Threat management > Hunting**. <br><br> For more information, see [Keep track of data during hunting with Microsoft Sentinel](/azure/sentinel/bookmarks). |
56-
| Attack disruption for SAP | Defender portal only with Defender XDR| This functionality is unavailable in the Azure portal. <br><br>For more information, see [Automatic attack disruption in the Microsoft Defender portal](/microsoft-365/security/defender/automatic-attack-disruption). |
5755
| Automation |Some automation procedures are available only in the Azure portal.<br><br>Other automation procedures are the same in the Defender and Azure portals, but differ in the Azure portal between workspaces that are onboarded to the Defender portal and workspaces that aren't. | <br><br>For more information, see [Automation with the unified security operations platform](automation.md#automation-with-the-unified-security-operations-platform). |
5856
| Data connectors: visibility of connectors used by the unified security operations platform | Azure portal only|In the Defender portal, after you onboard Microsoft Sentinel, the following data connectors that are part of the unified security operations platform aren't shown in the **Data connectors** page:<li>Microsoft Defender for Cloud Apps<li>Microsoft Defender for Endpoint<li>Microsoft Defender for Identity<li>Microsoft Defender for Office 365 (Preview)<li>Microsoft Defender XDR<li>Subscription-based Microsoft Defender for Cloud (Legacy)<li>Tenant-based Microsoft Defender for Cloud (Preview)<br><br>In the Azure portal, these data connectors are still listed with the installed data connectors in Microsoft Sentinel. |
5957
| Entities: Add entities to threat intelligence from incidents |Azure portal only |This functionality is unavailable in the Defender portal. <Br><br>For more information, see [Add entity to threat indicators](add-entity-to-threat-intelligence.md). |
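Review bot: The row removal itself is fine, but the neighbouring "Automation" row in this hunk has its columns shifted: the descriptive text ("Some automation procedures are available only in the Azure portal...") sits in the Availability column and the Description column holds only the "For more information" link. Since this hunk already touches the table, consider moving that text into Description and giving Availability a short value in the style of the other rows.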

articles/sentinel/sap/deployment-attack-disrupt.md

Lines changed: 0 additions & 51 deletions
This file was deleted.

articles/sentinel/sap/deployment-solution-configuration.md

Lines changed: 1 addition & 2 deletions
@@ -4,7 +4,7 @@ description: This article shows you how to configure initial security content fo
44
author: batamig
55
ms.author: bagol
66
ms.topic: how-to
7-
ms.date: 09/15/2024
7+
ms.date: 12/11/2024
88
appliesto:
99
- Microsoft Sentinel in the Azure portal
1010
- Microsoft Sentinel in the Microsoft Defender portal
@@ -83,6 +83,5 @@ For more information, see:
8383

8484
For more information, see:
8585

86-
- [Automatic attack disruption for SAP (Preview)](deployment-attack-disrupt.md)
8786
- [Monitor the health of your SAP system](../monitor-sap-system-health.md)
8887
- [Update Microsoft Sentinel's SAP data connector agent](update-sap-data-connector.md)

articles/sentinel/sap/preparing-sap.md

Lines changed: 4 additions & 6 deletions
@@ -32,15 +32,13 @@ The procedures in this article are typically performed by your **SAP BASIS** tea
3232

3333
To allow the SAP data connector to connect to your SAP system, you must create an SAP system role specifically for this purpose.
3434

35-
- **To include both log retrieval and [attack disruption response actions](https://aka.ms/attack-disrupt-defender)**, we recommend creating this role by loading role authorizations from the [**/MSFTSEN/SENTINEL_RESPONDER**](https://aka.ms/SAP_Sentinel_Responder_Role) file.
35+
We recommend creating this role by deploying the *NPLK900271* SAP change request (CR): [K900271.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/K900271.NPL) | [R900271.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/R900271.NPL)
3636

37-
- **To include log retrieval only**, we recommend creating this role by deploying the *NPLK900271* SAP change request (CR): [K900271.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/K900271.NPL) | [R900271.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/R900271.NPL)
37+
Deploy the CRs on your SAP system as needed just as you'd deploy other CRs. We strongly recommend that deploying SAP CRs is done by an experienced SAP system administrator. For more information, see the [SAP documentation](https://help.sap.com/docs/ABAP_PLATFORM_NEW/4a368c163b08418890a406d413933ba7/e15d9acae75c11d2b451006094b9ea64.html?locale=en-US&version=LATEST).
3838

39-
Deploy the CRs on your SAP system as needed just as you'd deploy other CRs. We strongly recommend that deploying SAP CRs is done by an experienced SAP system administrator. For more information, see the [SAP documentation](https://help.sap.com/docs/ABAP_PLATFORM_NEW/4a368c163b08418890a406d413933ba7/e15d9acae75c11d2b451006094b9ea64.html?locale=en-US&version=LATEST).
40-
41-
Alternately, load the role authorizations from the [**MSFTSEN_SENTINEL_CONNECTOR**](https://aka.ms/SAP_Sentinel_Connector_Role) file, which includes all the basic permissions for the data connector to operate.
39+
Alternately, load the role authorizations from the [**MSFTSEN_SENTINEL_CONNECTOR**](https://aka.ms/SAP_Sentinel_Connector_Role) file, which includes all the basic permissions for the data connector to operate.
4240

43-
Experienced SAP administrators might choose to create the role manually and assign it the appropriate permissions. In such cases, create a role manually with the relevant authorizations required for the logs you want to ingest. For more information, see [Required ABAP authorizations](required-abap-authorizations.md). Examples in our documentation use the **/MSFTSEN/SENTINEL_RESPONDER** name.
41+
Experienced SAP administrators might choose to create the role manually and assign it the appropriate permissions. In such cases, create a role manually with the relevant authorizations required for the logs you want to ingest. For more information, see [Required ABAP authorizations](required-abap-authorizations.md). Examples in our documentation use the **/MSFTSEN/SENTINEL_RESPONDER** name.
4442

4543
When configuring the role, we recommend that you:
4644

articles/sentinel/sap/required-abap-authorizations.md

Lines changed: 5 additions & 23 deletions
@@ -4,7 +4,7 @@ description: Understand the ABAP authorizations required if you want to manually
44
author: batamig
55
ms.author: bagol
66
ms.topic: how-to
7-
ms.date: 09/16/2024
7+
ms.date: 12/11/2024
88
appliesto:
99
- Microsoft Sentinel in the Azure portal
1010
- Microsoft Sentinel in the Microsoft Defender portal
@@ -15,16 +15,12 @@ ms.collection: usx-security
1515

1616
# Required ABAP authorizations
1717

18-
This article lists the ABAP authorizations required to ensure that the SAP user account used by Microsoft Sentinel's SAP data connector can correctly retrieve logs from the SAP systems and [run attack disruption response actions](/defender-xdr/automatic-attack-disruption).
18+
This article lists the ABAP authorizations required to ensure that the SAP user account used by Microsoft Sentinel's SAP data connector can correctly retrieve logs from the SAP systems.
1919

20-
The required authorizations are listed here by their purpose. You only need the authorizations that are listed for the kinds of logs you want to bring into Microsoft Sentinel and the attack disruption response actions you want to apply.
20+
The required authorizations are listed here by their purpose. You only need the authorizations that are listed for the kinds of logs you want to bring into Microsoft Sentinel.
2121

22-
> [!TIP]
23-
> To create a role with all the required authorizations, load the role authorizations from the [**/MSFTSEN/SENTINEL_RESPONDER**](https://aka.ms/SAP_Sentinel_Responder_Role) file.
24-
>
25-
> Alternately, to enable only log retrieval, without attack disruption response actions, deploy the SAP *NPLK900271* CR on the SAP system to create the **/MSFTSEN/SENTINEL_CONNECTOR** role, or load the role authorizations from the [**/MSFTSEN/SENTINEL_CONNECTOR**](https://aka.ms/SAP_Sentinel_Connector_Role) file.
26-
27-
If needed, you can [remove the user role and any optional CR installed on your ABAP system](stop-collection.md#remove-the-user-role-and-any-optional-cr-installed-on-your-abap-system).
22+
- To create a role with all the required authorizations, load the role authorizations from the [**/MSFTSEN/SENTINEL_RESPONDER**](https://aka.ms/SAP_Sentinel_Responder_Role) file.
23+
- If needed, you can [remove the user role and any optional CR installed on your ABAP system](stop-collection.md#remove-the-user-role-and-any-optional-cr-installed-on-your-abap-system).
2824

2925
## ABAP application log
3026

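Review bot: The new bullet beginning "To create a role with all the required authorizations" still points readers at the /MSFTSEN/SENTINEL_RESPONDER file, while the rewritten intro now says the article covers log retrieval only and the removed tip described that file as the one that adds attack disruption response actions; the log-retrieval-only options from the removed tip (the NPLK900271 CR or the /MSFTSEN/SENTINEL_CONNECTOR file, which preparing-sap.md in this same commit now recommends) were the ones dropped. Swapping the bullet to the connector CR/file keeps the documented role aligned with the authorizations this page still lists.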
@@ -140,20 +136,6 @@ If needed, you can [remove the user role and any optional CR installed on your A
140136
| S_TABU_NAM | ACTVT | Display |
141137
| S_TABU_NAM | TABLE | T000 |
142138

143-
## Attack disruption response actions
144-
145-
<a name=attack-disrupt></a>
146-
147-
| Authorization object | Field | Value |
148-
| -------------------- | ----- | ----- |
149-
|S_RFC |RFC_TYPE |Function Module |
150-
|S_RFC |RFC_NAME |BAPI_USER_LOCK |
151-
|S_RFC |RFC_NAME |BAPI_USER_UNLOCK |
152-
|S_RFC |RFC_NAME |TH_DELETE_USER <br>In contrast to its name, this function doesn't delete users, but ends the active user session. |
153-
|S_USER_GRP |CLASS |* <br>We recommend replacing S_USER_GRP CLASS with the relevant classes in your organization that represent dialog users. |
154-
|S_USER_GRP |ACTVT |03 |
155-
|S_USER_GRP |ACTVT |05 |
156-
157139
## Configuration history
158140

159141
| Authorization object | Field | Value |
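Review bot: Removing this section also removes the `<a name=attack-disrupt></a>` anchor, so any remaining link to required-abap-authorizations.md#attack-disrupt (the deleted page is gone, but other pages may still carry the fragment) will now land at the top of the article; a repo search for that fragment is worthwhile before merge. It is also worth a sentence for existing deployments: roles already created from the SENTINEL_RESPONDER file keep S_RFC access to BAPI_USER_LOCK, BAPI_USER_UNLOCK and TH_DELETE_USER plus S_USER_GRP with CLASS *, which this page no longer documents, and pointing operators to the "remove the user role and any optional CR" procedure named in the hunk header would close that least-privilege gap.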
