Merge pull request #223632 from limwainstein/sap-health-monitoring

Maggiemouse1 · web-flow · commit caebf257d42d · 2023-01-22T11:30:10.000Z
SAP system health
diff --git a/articles/sentinel/TOC.yml b/articles/sentinel/TOC.yml
@@ -456,6 +456,8 @@
         href: monitor-data-connector-health.md
       - name: Monitor automation rules and playbooks health
         href: monitor-automation-health.md
+      - name: Monitor SAP system health and role
+        href: monitor-sap-system-health.md 
     - name: Auditing Microsoft Sentinel with Azure Activity Logs
       href: audit-sentinel-data.md
     - name: Remove Microsoft Sentinel from your workspaces
diff --git a/articles/sentinel/health-audit.md b/articles/sentinel/health-audit.md
@@ -34,6 +34,10 @@ Health data is collected in the *SentinelHealth* table in your Log Analytics wor
 
 [Is the data connector receiving data](./monitor-data-connector-health.md)? For example, if you've instructed Microsoft Sentinel to run a query every 5 minutes, you want to check whether that query is being performed, how it's performing, and whether there are any risks or vulnerabilities related to the query.
 
+**Are my SAP systems running correctly?**
+
+[Are the SAP systems managed by your organization running correctly](monitor-sap-system-health.md)?. Are the systems up and running, or ar they unreachable? Does Microsoft Sentinel identify these systems as production systems?
+
 **Did an automation rule run as expected?**
 
 [Did my automation rule run when it was supposed to](./monitor-automation-health.md) - that is, when its conditions were met? Did all the actions in the automation rule run successfully? 
diff --git a/articles/sentinel/media/monitor-sap-system-health/alert-rule-example.png b/articles/sentinel/media/monitor-sap-system-health/alert-rule-example.png
diff --git a/articles/sentinel/media/monitor-sap-system-health/health-status.png b/articles/sentinel/media/monitor-sap-system-health/health-status.png
diff --git a/articles/sentinel/monitor-data-connector-health.md b/articles/sentinel/monitor-data-connector-health.md
@@ -12,16 +12,18 @@ ms.service: microsoft-sentinel
 
 To ensure complete and uninterrupted data ingestion in your Microsoft Sentinel service, keep track of your data connectors' health, connectivity, and performance. 
 
-This article describes how to use the following features, which allow you to perform this monitoring from within Microsoft Sentinel:
+The following features allow you to perform this monitoring from within Microsoft Sentinel:
 
-- **Data connectors health monitoring workbook:** This workbook provides additional monitors, detects anomalies, and gives insight regarding the workspace’s data ingestion status. You can use the workbook’s logic to monitor the general health of the ingested data, and to build custom views and rule-based alerts.
+- **Data connectors health monitoring workbook**: This workbook provides additional monitors, detects anomalies, and gives insight regarding the workspace’s data ingestion status. You can use the workbook’s logic to monitor the general health of the ingested data, and to build custom views and rule-based alerts.
 
-- ***SentinelHealth* data table (Preview):** Querying this table provides insights on health drifts, such as latest failure events per connector, or connectors with changes from success to failure states, which you can use to create alerts and other automated actions. The *SentinelHealth* data table is currently supported only for [selected data connectors](#supported-data-connectors).
+- ***SentinelHealth* data table (Preview)**: Querying this table provides insights on health drifts, such as latest failure events per connector, or connectors with changes from success to failure states, which you can use to create alerts and other automated actions. The *SentinelHealth* data table is currently supported only for [selected data connectors](#supported-data-connectors).
 
     > [!IMPORTANT]
     >
     > The *SentinelHealth* data table is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 
+- [**View the health and status of your connected SAP systems**](monitor-sap-system-health.md): Review health information for your SAP systems under the SAP data connector, and use an alert rule template to get information about the health of the SAP agent's data collection.
+
 ## Use the health monitoring workbook
 
 1. From the Microsoft Sentinel portal, select **Workbooks** from the **Threat management** menu.
diff --git a/articles/sentinel/monitor-sap-system-health.md b/articles/sentinel/monitor-sap-system-health.md
@@ -0,0 +1,70 @@
+---
+title: Monitor the health and role of your Microsoft Sentinel SAP systems
+description: Use the SAP connector page and a dedicated alert rule template to keep track of your SAP systems' connectivity and performance.
+author: limwainstein
+ms.author: lwainstein
+ms.topic: how-to
+ms.date: 11/09/2022
+ms.service: microsoft-sentinel
+---
+
+# Monitor the health and role of your SAP systems
+
+After you [deploy the SAP solution](sap/deployment-overview.md), you want to ensure proper functioning and performance of your SAP systems, and keep track of your system health, connectivity, and performance. 
+
+This article describes how to use the following features, which allow you to perform this monitoring from within Microsoft Sentinel:
+
+- [**Use the SAP data connector page**](#use-the-sap-data-connector). Review the **System Health** area under the Microsoft Sentinel for SAP connector to get information on the health of your connected SAP systems.
+- [**Use the Data collection health check alert rule**](#use-an-alert-rule-template). Get proactive alerts on the health of the SAP agent's data collection.
+
+> [!IMPORTANT]
+> Monitoring the health of your SAP systems is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+## Use the SAP data connector
+
+1. From the Microsoft Sentinel portal, select **Data connectors**.
+1. In the search bar, type *Microsoft Sentinel for SAP*.
+1. Select the **Microsoft Sentinel for SAP** connector and select **Open connector**.
+1. In the **Configuration > System Health** area, you can view information on the health of your SAP systems. 
+
+:::image type="content" source="media/monitor-sap-system-health/health-status.png" alt-text="Screenshot of the Configuration area showing the status of the connected SAP systems." lightbox="media/monitor-sap-system-health/health-status.png":::
+
+|Field  |Description  |Values  |Notes  |
+|---------|---------|---------|---------|
+|Agent name |Unique ID of the installed data connector agent. |         |         |
+|SID     |The name of the connected SAP system ID (SID).  |         |         |
+|Health  |Indicates whether the SID is healthy. To troubleshoot health issues, [review the container execution logs](sap/sap-deploy-troubleshoot.md#view-all-container-execution-logs) and review other [troubleshooting steps](sap/sap-deploy-troubleshoot.md). |The **System healthy** status indicates that Microsoft Sentinel identified both logs and a heartbeat from the system. Other statuses, like **System unreachable for over 1 day**, indicate the connectivity status.          |         |
+|System role     |Indicates whether the system is productive or not. The data connector agent retrieves the value by reading the SAP T000 table. This value also impacts billing. To change the role, an SAP admin needs to change the configuration in the SAP system.   |• **Production**. The system is defined by the SAP admin as a production system.<br>• **Unknown (Production)**. Microsoft Sentinel couldn't retrieve the system status. Microsoft Sentinel regards this type of system as a production system for both security and billing purposes.<br>• **Non production**. Indicates roles like developing, testing, and customizing.<br>• **Agent update available**. Displayed in addition to the health status to indicate that a newer SAP connector version exists. In this case, we recommended that you [update the connector](sap/update-sap-data-connector.md).  | If the system role is **Production (unknown)**, check the Microsoft Sentinel role definitions and permissions on the SAP system, and validate that the system allows Microsoft Sentinel to read the content of the T000 table. Next, consider [updating the SAP connector](sap/update-sap-data-connector.md) to the latest version. |
+
+## Use an alert rule template
+
+The Microsoft Sentinel for SAP solution includes an alert rule template designed to give you insight into the health of your SAP agent's data collection. 
+
+To turn on the analytics rule:
+1. From the Microsoft Sentinel portal, select **Analytics**. 
+1. Under **Rule templates**, locate the *SAP - Data collection health check* alert rule. 
+
+The analytics rule: 
+
+- Evaluates signals sent from the agent.
+- Evaluates telemetry data. 
+- Evaluates alerts on log continuation and other system connectivity issues, if any are found. 
+- Learns the log ingestion history, and therefore works better with time. 
+
+The rule needs at least seven days of loading history to detect the different seasonality patterns. We recommend a value of 14 days for the alert rule **Look back** parameter to allow detection of weekly activity profiles. 
+
+Once activated, the rule judges the recent telemetry and log volume observed on the workspace according to the history learned. The rule then alerts on potential issues, dynamically assigning severities according to the scope of the problem. 
+
+This screenshot shows an example of an alert generated by the *SAP - Data collection health check* alert rule.
+
+:::image type="content" source="media/monitor-sap-system-health/alert-rule-example.png" alt-text="Screenshot of an alert triggered by the SAP - Data collection health check alert rule.":::
+
+## Next steps
+
+- Learn what [health monitoring in Microsoft Sentinel](health-audit.md) can do for you.
+- [Turn on health monitoring](enable-monitoring.md) in Microsoft Sentinel.
+- Monitor the health of your [automation rules and playbooks](monitor-automation-health.md).
+- See more information about the [*SentinelHealth* table schema](health-table-reference.md).
+
+ 
+
diff --git a/articles/sentinel/sap/deployment-overview.md b/articles/sentinel/sap/deployment-overview.md
@@ -9,7 +9,7 @@ ms.date: 04/12/2022
 
 # Deploy Microsoft Sentinel Solution for SAP
 
-This article introduces you to the process of deploying the Microsoft Sentinel Solution for SAP. The full process is detailed in a whole set of articles linked under [Deployment milestones](#deployment-milestones) below.
+This article introduces you to the process of deploying the Microsoft Sentinel Solution for SAP. The full process is detailed in a whole set of articles linked under [Deployment milestones](#deployment-milestones).
 
 > [!NOTE]
 > If needed, you can [update an existing Microsoft Sentinel for SAP data connector](update-sap-data-connector.md) to its latest version. 
@@ -28,8 +28,9 @@ This article introduces you to the process of deploying the Microsoft Sentinel S
 >
 > - The additional hourly charge applies to connected production systems only. 
 > - Microsoft Sentinel identifies a production system by looking at the configuration on the SAP system. To do this, Microsoft Sentinel searches for a production entry in the T000 table. 
+> - [View the roles of your connected production systems](../monitor-sap-system-health.md).
 
-The Microsoft Sentinel for SAP data connector is an agent, installed on a VM or a physical server, that collects application logs from across the entire SAP system landscape. It then sends those logs to your Log Analytics workspace in Microsoft Sentinel. You can then use the other content in the Threat Monitoring for SAP solution – the analytics rules, workbooks, and watchlists – to gain insight into your organization's SAP environment and to detect and respond to security threats.
+The Microsoft Sentinel for SAP data connector is an agent, installed on a VM or a physical server that collects application logs from across the entire SAP system landscape. It then sends those logs to your Log Analytics workspace in Microsoft Sentinel. You can then use the other content in the Threat Monitoring for SAP solution – the analytics rules, workbooks, and watchlists – to gain insight into your organization's SAP environment and to detect and respond to security threats.
 
 ## Deployment milestones
 
diff --git a/articles/sentinel/whats-new.md b/articles/sentinel/whats-new.md
@@ -18,9 +18,14 @@ The listed features were released in the last three months. For information abou
 
 ## January 2023
 
+- [Monitor SAP system health (Preview)](#monitor-sap-system-health-and-role-preview)
 - [New incident investigation experience (Preview)](#new-incident-investigation-experience-preview)
 - [Microsoft Purview Information Protection connector (Preview)](#microsoft-purview-information-protection-connector-preview)
 
+### Monitor SAP system health and role (Preview)
+
+To ensure proper functioning and performance of your SAP systems, you can now use the SAP data connector page to [monitor information about the health of your SAP systems](monitor-sap-system-health.md) and the status of the SAP roles for the system. You can also use an alert rule template to get information about the health of the SAP agent's data collection.
+
 ### New incident investigation experience (Preview)
 
 SOC analysts need to understand the full scope of an attack as fast as possible to respond effectively. 
@@ -212,7 +217,7 @@ Learn how to [add a condition based on a custom detail](create-manage-use-automa
 
 ### Add advanced "Or" conditions to automation rules (Preview)
 
-You can now add OR conditions to automation rules. Also known as condition groups, these allow you to combine several rules with identical actions into a single rule, greatly increasing your SOC's efficiency.
+You can now add OR conditions or condition groups to automation rules. These conditions allow you to combine several rules with identical actions into a single rule, greatly increasing your SOC's efficiency.
 
 For more information, see [Add advanced conditions to Microsoft Sentinel automation rules](add-advanced-conditions-to-automation-rules.md).
 
@@ -267,7 +272,7 @@ Microsoft Sentinel **incidents** have two main sources:
 
 - They are ingested directly from other connected Microsoft security services (such as [Microsoft 365 Defender](microsoft-365-defender-sentinel-integration.md)) that created them.
 
-There can, however, be data from sources *not ingested into Microsoft Sentinel*, or events not recorded in any log, that justify launching an investigation. For this reason, Microsoft Sentinel now allows security analysts to manually create incidents from scratch for any type of event, regardless of its source or associated data, in order to manage and document the investigation.
+However, in some cases, data from sources *not ingested into Microsoft Sentinel*, or events not recorded in any log, may justify launching an investigation. For this reason, Microsoft Sentinel now allows security analysts to manually create incidents from scratch for any type of event, regardless of its source or associated data, in order to manage and document the investigation.
 
 Since this capability raises the possibility that you'll create an incident in error, Microsoft Sentinel also allows you to delete incidents right from the portal as well.
 
