fixing solution installation

Author: batamig

articles/sentinel/includes/sap-agentless-prerequisites.md

@@ -0,0 +1,40 @@
+---
+title: SAP agentless data connector prerequisites checker
+ms.date: 03/13/2025
+ms.topic: include
+---
+
+<!-- docutune:disable -->
+
+**To run the tool**:
+
+1. Open the integration package, navigate to the artifacts tab, and select the **Prerequisite checker** iflow > **Configure**.
+1. Set the target RFC destination to the SAP system you want to check.
+1. Deploy the iflow as you would otherwise for your SAP systems. For example, use the following sample PowerShell script, modifying the sample placeholder values for your environment:
+
+    ```powershell
+    $cpiEndpoint = "https://my-cpi-uri.it-cpi012-rt.cfapps.eu01-010.hana.ondemand.com" # CPI endpoint URL
+    $credentialsUrl = "https://my-uaa-uri.authentication.eu01.hana.ondemand.com/oauth/token" # SAP authorization server URL
+    $serviceKey = 'sb-12324cd-a1b2-5678-a1b2-1234cd5678ef!g9123|it-rt-my-cpi!h45678' # Process Integration Runtime Service client ID
+    $serviceSecret = '< client secret >' # Your Process Integration Runtime service secret (make sure to use single quotes)
+
+    $credentials = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$serviceKey`:$serviceSecret"))
+    $headers = @{
+        "Authorization" = "Basic $credentials"
+        "Content-Type"  = "application/json"
+    }
+    $authResponse = Invoke-WebRequest -Uri $credentialsUrl"?grant_type=client_credentials" `
+        -Method Post `
+        -Headers $headers
+    $token = ($authResponse.Content | ConvertFrom-Json).access_token
+    $path = "/http/checkSAP"
+    $param = "?startTimeUTC=$((Get-Date).AddMinutes(-1).ToString("yyyy-MM-ddTHH:mm:ss"))&endTimeUTC=$((Get-Date).ToString("yyyy-MM-ddTHH:mm:ss"))"
+    $headers = @{
+        "Authorization"      = "Bearer $token"
+        "Content-Type"       = "application/json"
+    }
+    $response = Invoke-WebRequest -Uri "$cpiEndpoint$path$param" -Method Get -Headers $headers
+    Write-Host $response.RawContent
+    ```
+
+Make sure that the prerequisites checker runs successfully before connecting to Microsoft Sentinel.

articles/sentinel/sap/deploy-data-connector-agent-container.md

@@ -48,26 +48,12 @@ Before you connect your SAP system to Microsoft Sentinel:
 
 - Make sure that all of the deployment prerequisites are in place. For more information, see [Prerequisites for deploying Microsoft Sentinel solution for SAP applications](prerequisites-for-deploying-sap-continuous-threat-monitoring.md).
 
-:::zone pivot="connection-agent"
-
 - Make sure that you have the Microsoft Sentinel solution for **SAP applications** [installed in your Microsoft Sentinel workspace](deploy-sap-security-content.md)
 
 - Make sure that your SAP system is fully [prepared for the deployment](preparing-sap.md).
 
 - If you're deploying the data connector agent to communicate with Microsoft Sentinel over SNC, make sure that you completed [Configure your system to use SNC for secure connections](preparing-sap.md#configure-your-system-to-use-snc-for-secure-connections).
 
-:::zone-end
-
-:::zone pivot="connection-agentless"
-
-- Make sure that you have the Microsoft Sentinel **SAP Agentless** solution [installed in your Microsoft Sentinel workspace](deploy-sap-security-content.md) <!--what is this solution's new name?-->
-
-- Make sure that your SAP system is fully [prepared for the deployment](preparing-sap.md).
-
-<!--removed- Make sure your DCR is configured as described in [Install the solution from the content hub](deploy-sap-security-content.md#install-the-solution-from-the-content-hub).-->
-
-:::zone-end
-
 :::zone pivot="connection-agent"
 
 ## Watch a demo video

articles/sentinel/sap/deploy-sap-security-content.md

@@ -18,9 +18,7 @@ zone_pivot_groups: sentinel-sap-connection
 
 # Install a Microsoft Sentinel solution for SAP applications
 
-The Microsoft Sentinel solutions for SAP applications include an SAP data connector, which collects logs from your SAP systems and sends them to your Microsoft Sentinel workspace, and out-of-the-box security content, which helps you gain insight into your organization's SAP environment and detect and respond to security threats. Installing your solution is a required step before you can configure your data connector agent container.
-
-Microsoft Sentinel supports both a containerized data collector agent and an agentless solution. Select the deployment option at the top of the page that matches your environment.
+The Microsoft Sentinel solutions for SAP applications include an SAP data connector, which collects logs from your SAP systems and sends them to your Microsoft Sentinel workspace, and out-of-the-box security content, which helps you gain insight into your organization's SAP environment and detect and respond to security threats. Installing your solution is a required step before you can configure your data connector.
 
 :::zone pivot="connection-agent"
 
@@ -55,20 +53,13 @@ Make sure that you also review the [prerequisites for deploying Microsoft Sentin
 
 ## Install the solution from the content hub
 
-:::zone pivot="connection-agent"
-Installing the Microsoft Sentinel **SAP applications** solution makes the **Microsoft Sentinel for SAP** data connector available for you in as a Microsoft Sentinel data connector. The solution also deploys security content, such as the **SAP -Audit Controls** workbook and SAP-related analytics rules.
-
-1. In the Microsoft Sentinel **Content hub**, search for **SAP applications** to install the solution with the containerized data connector agent on your Log Analytics workspace enabled for Microsoft Sentinel.
+Installing the **Microsoft Sentinel Solution for SAP** makes both the data connector agent and the agentless data connector available to you from the Microsoft Sentinel **Configuration > Data connectors** page. The solution also deploys security content, such as the **SAP -Audit Controls** workbook and SAP-related analytics rules.
 
-1. On the **Microsoft Sentinel solution for SAP applications** page, select **Create** to define deployment settings. For example:
+1. In the Microsoft Sentinel **Content hub**, search for **SAP** to install the **SAP applications** solution. On the **Microsoft Sentinel solution for SAP applications** page, select **Create** to define deployment settings. For example:
 
     :::image type="content" source="./media/deploy-sap-security-content/sap-solution.png" alt-text="Screenshot that shows the Microsoft Sentinel solution for SAP applications solution pane." lightbox="./media/deploy-sap-security-content/sap-solution.png":::
 
-1. On the **Basics** tab, under **Project details**, select the **Subscription** and **Resource group** where you want to install the solution.
-
-1. Under **Instance details**, select the Log Analytics workspace enabled for Microsoft Sentinel where you want to install the solution.
-
-    If you're working with [the Microsoft Sentinel solution for SAP applications in multiple workspaces](cross-workspace.md), select **Some of the data is on a different workspace**, and then define your target workspace, your SOC workspace, and SAP workspace. For example:
+1. On the default **Basics** tab, scroll down to select where to install the solution. If you're working with [the Microsoft Sentinel solution for SAP applications in multiple workspaces](cross-workspace.md), select **Some of the data is on a different workspace**, and then define your target workspace, your SOC workspace, and SAP workspace. For example:
 
     For example:
 
@@ -81,47 +72,6 @@ Installing the Microsoft Sentinel **SAP applications** solution makes the **Micr
 > [!TIP]
 > If you want the SAP and SOC data to be kept on the same workspace with no additional access controls, do not select **Some of the data is on a different workspace**. In such cases, for more information, see [SAP and SOC data maintained in the same workspace](cross-workspace.md#sap-and-soc-data-maintained-in-the-same-workspace).
 
-:::zone-end
-
-:::zone pivot="connection-agentless"
-
-Installing the Microsoft Sentinel **SAP Agentless** solution makes the agentless **Microsoft Sentinel for SAP** available for you in as a Microsoft Sentinel data connector. The solution also deploys security content, such as the **SAP -Audit Controls** workbook and SAP-related analytics rules, a data collection endpoint, and a data collection rule (DCR).
-
-1. In the Microsoft Sentinel **Content hub**, search for **SAP Agentless (Preview)** to install the solution with the agentless data connector on your Log Analytics workspace enabled for Microsoft Sentinel.
-
-1. On the **Sentinel Solution for SAP (Agentless) (preview)** page, select **Create** to define deployment settings.
-
-1. On the **Basics** tab, under **Project details**, select the **Subscription** and **Resource group** where you want to install the solution.
-
-1. Under **Instance details**, select the Log Analytics workspace enabled for Microsoft Sentinel where you want to install the solution.
-
-1. Select **Review + create** or **Next** to browse through the solution components. When you're ready, select **Create**
-
-    The deployment process can take a few minutes. After the deployment is finished, you can view the deployed content in Microsoft Sentinel.
-
-1. In the Microsoft Sentinel **Configuration > Data connectors** page, locate and select the **SAP ABAP and S/4 via cloud connector (Preview)** data connector.
-
-1. On the **SAP ABAP and S/4 via cloud connector (Preview)** page,  in the **Configuration** area, select **Deploy push connector resources** to deploy a data collection rule (DCR) and Microsoft Entra ID app registration to your subscription.
-
-    When Microsoft Sentinel and Microsoft Entra ID permissions are separated across different people, deployment must be done in two steps. In such cases, the DCR and DCE are deployed successfully in your Microsoft Sentinel resource group, and errors are shown to indicate the missing rights required to create an app registration in Microsoft Entra ID. For more information, see:
-	
-	- [Create Microsoft Entra application](/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-microsoft-entra-application)
-	- [Assign permissions to the DCR](/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#assign-permissions-to-the-dcr)
-
-1. <a name="deployment"></a>Once deployed, note the following values for later use:
-
-    - **Immutable ID**
-    - **Logs Ingestion URL**
-    - **Tenant ID**
-    - **Entra Application ID**
-    - **Entra Application Secret**
-
-> [!IMPORTANT]
-> Make sure to complete all SAP deployment steps in [Configure your SAP system for the Microsoft Sentinel solution](preparing-sap.md) before selecting [**Add connection** to create the connector](deploy-data-connector-agent-container.md). The SAP iflow must be fully configured and deployed before you can connect your SAP system to Microsoft Sentinel.
->
-
-:::zone-end
-
 For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](../sentinel-solutions-deploy.md).
 
 ## View deployed content

articles/sentinel/sap/preparing-sap.md

@@ -28,7 +28,7 @@ The procedures in this article are typically performed by your **SAP BASIS** tea
 :::zone-end
 
 :::zone pivot="connection-agentless"
-This article is part of the second step in deploying the Microsoft Sentinel solution for SAP applications. While steps that are performed in Microsoft Sentinel require that the solution be installed first, other preparations in the SAP environment can happen in parallel. <!--need new images across-->
+This article is part of the second step in deploying the Microsoft Sentinel solution for SAP applications. While steps that are performed in Microsoft Sentinel require that the solution be installed first, other preparations in the SAP environment can happen in parallel.
 
 :::image type="content" source="media/deployment-steps/prepare-sap-environment-agentless.png" alt-text="Diagram of the deployment flow for the Microsoft Sentinel solution for SAP applications, with the preparing SAP step highlighted." border="false":::
 
@@ -199,6 +199,10 @@ This procedure starts in Microsoft Sentinel and requires that the solution be in
 
     If, after you deploy the Azure resources step 1, the values in the steps 2 and 3 aren't automatically populated, close and re-expand step 1 to refresh the values in steps 2 and 3.
 
+1. Included in the package is **Prerequisite checker** iflow. We recommend running this iflow before continuing to the next step to ensure that your SAP system meets the system prerequisites.
+
+    [!INCLUDE [sap-agentless-prerequisites](../includes/sap-agentless-prerequisites.md)]
+
 1. Scroll further down in the **Configuration** area, and expand and follow the instructions in the **Add monitored SAP Systems - Run the steps below for each monitored SAP system:** area for each SAP system you want to monitor.
 
 ## Configure SAP Cloud Connector settings

articles/sentinel/sap/sap-deploy-troubleshoot.md

@@ -29,39 +29,9 @@ If you don't see a related error to your issue, turn on trace logging for more i
 
 ## Check for prerequisites
 
-The agentless solution package, deployed while [perform the initial connector configuration](preparing-sap.md#perform-initial-connector-configuration), includes a tool to help SAP admins diagnose and fix issues related to the SAP environment configuration. 
-
-**To run the tool**:
-
-1. Select the **Prerequisite checker** iflow > **Configure**, and then set the target RFC destination to the SAP system you want to check.
-1. Deploy the iflow as you would otherwise for your SAP systems. For example, use the following sample PowerShell script, modifying the sample, placeholder values for your environment:
-
-    ```powershell
-    $cpiEndpoint = "https://my-cpi-uri.it-cpi012-rt.cfapps.eu01-010.hana.ondemand.com" # CPI endpoint URL
-    $credentialsUrl = "https://my-uaa-uri.authentication.eu01.hana.ondemand.com/oauth/token" # SAP authorization server URL
-    $serviceKey = 'sb-12324cd-a1b2-5678-a1b2-1234cd5678ef!g9123|it-rt-my-cpi!h45678' # Process Integration Runtime Service client ID
-    $serviceSecret = '< client secret >' # Your Process Integration Runtime service secret (make sure to use single quotes)
-
-    $credentials = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$serviceKey`:$serviceSecret"))
-    $headers = @{
-        "Authorization" = "Basic $credentials"
-        "Content-Type"  = "application/json"
-    }
-    $authResponse = Invoke-WebRequest -Uri $credentialsUrl"?grant_type=client_credentials" `
-        -Method Post `
-        -Headers $headers
-    $token = ($authResponse.Content | ConvertFrom-Json).access_token
-    $path = "/http/checkSAP"
-    $param = "?startTimeUTC=$((Get-Date).AddMinutes(-1).ToString("yyyy-MM-ddTHH:mm:ss"))&endTimeUTC=$((Get-Date).ToString("yyyy-MM-ddTHH:mm:ss"))"
-    $headers = @{
-        "Authorization"      = "Bearer $token"
-        "Content-Type"       = "application/json"
-    }
-    $response = Invoke-WebRequest -Uri "$cpiEndpoint$path$param" -Method Get -Headers $headers
-    Write-Host $response.RawContent
-    ```
+The agentless solution package, deployed while [performing the initial connector configuration](preparing-sap.md#perform-initial-connector-configuration), includes a tool to help SAP admins diagnose and fix issues related to the SAP environment configuration. 
 
-Make sure that the prerequisites checker runs successfully before connecting to Microsoft Sentinel.
+[!INCLUDE [sap-agentless-prerequisites](../includes/sap-agentless-prerequisites.md)]
 
 ## Missing functionality in legacy SAP systems
 

articles/sentinel/whats-new.md

@@ -4,7 +4,7 @@ description: Learn about the latest new features and announcement in Microsoft S
 author: yelevin
 ms.author: yelevin
 ms.topic: concept-article
-ms.date: 03/03/2025
+ms.date: 03/13/2025
 
 #Customer intent: As a security team member, I want to stay updated on the latest features and enhancements in Microsoft Sentinel so that I can effectively manage and optimize my organization's security posture.
 
@@ -28,7 +28,7 @@ The Microsoft Sentinel SAP agentless solution is now in public preview and inclu
 
 - More data ingested, such as Change Docs logs and User Master data.
 - Optional parameters to customize data collection
-- A new tool to verify system prerequisites and compatibility
+- A new troubleshooting tool to verify system prerequisites and compatibility
 
 For more information, see: