Merge pull request #232841 from limwainstein/sap-btp

SAP BTP solution

Author: v-regandowner

articles/sentinel/TOC.yml

@@ -169,10 +169,14 @@
     href: microsoft-365-defender-sentinel-integration.md
   - name: Integrate SAP
     items:
-    - name: Solution overview
+    - name: SAP solution overview
       href: sap/solution-overview.md
-    - name: Working with the solution across multiple workspaces
+    - name: Working with the SAP solution across multiple workspaces
       href: sap/cross-workspace.md
+    - name: SAP BTP solution
+      items:
+      - name: Overview
+        href: sap/sap-btp-solution-overview.md
 - name: How-tos
   items:
   - name: Plan architecture
@@ -959,7 +963,7 @@
       href: offboard.md
   - name: Integrate SAP
     items: 
-    - name: Deployment guide
+    - name: SAP solution deployment guide
       items: 
       - name: Deployment overview
         href: sap/deployment-overview.md
@@ -992,6 +996,10 @@
         href: sap/configure-audit-log-rules.md
       - name: Select SAP ingestion profile
         href: sap/select-ingestion-profiles.md 
+    - name: SAP BTP solution
+      items:
+      - name: Deploy SAP BTP
+        href: sap/deploy-sap-btp-solution.md
 - name: Troubleshoot
   items:
   - name: Troubleshoot CEF/Syslog data collection
@@ -1007,7 +1015,7 @@
 - name: Reference
   items:
   - name: SAP solution
-    items:
+    items:    
     - name: SAP solution data reference
       href: sap/sap-solution-log-reference.md
     - name: SAP solution content overview
@@ -1022,6 +1030,10 @@
       href: sap/reference-update.md
     - name: Systemconfig.ini file reference
       href: sap/reference-systemconfig.md
+    - name: SAP BTP
+      items:
+      - name: SAP BTP solution content overview
+        href: sap/sap-btp-security-content.md
   - name: Service limits
     href: sentinel-service-limits.md
   - name: Microsoft Sentinel REST-API

articles/sentinel/sap/deploy-sap-btp-solution.md

@@ -0,0 +1,109 @@
+---
+title: Deploy Microsoft Sentinel Solution for SAP® BTP
+description: This article introduces you to the process of deploying the Microsoft Sentinel Solution for SAP® BTP.
+author: limwainstein
+ms.author: lwainstein
+ms.topic: how-to
+ms.date: 03/30/2023
+---
+
+# Deploy Microsoft Sentinel Solution for SAP® BTP
+
+This article describes how to deploy the Microsoft Sentinel Solution for SAP® BTP. The Microsoft Sentinel Solution for SAP® BTP monitors and protects your SAP Business Technology Platform (BTP) system: It collects audits and activity logs from the BTP infrastructure and BTP based apps, and detects threats, suspicious activities, illegitimate activities, and more. Read more about the solution. [Read more about the solution](sap-btp-solution-overview.md).
+
+> [!IMPORTANT]
+> The Microsoft Sentinel Solution for SAP® BTP solution is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+## Prerequisites
+
+### Fill in the sign-up form
+
+To get started, **first [complete the sign-up form](https://forms.microsoft.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR5CavmNiVgxCqhcQeRrOyvxUM0Q3NVdHU1hWNjMzQkM3RVNNNldTR1hYOS4u)** so that we can provision your subscription with access to the preview. We’ll send a confirmation email once your subscription is active.
+
+### Additional prerequisites
+
+Before you begin, verify that:
+
+- The Microsoft Sentinel solution is enabled. 
+- You have a defined Microsoft Sentinel workspace and have read and write permissions to the workspace.
+- Your organization uses SAP BTP (in a Cloud Foundry environment) to streamline interactions with SAP applications and other business applications.
+- You have an SAP BTP account (which supports BTP accounts in the Cloud Foundry environment). You can also use a [SAP BTP trial account](https://cockpit.hanatrial.ondemand.com/).
+- You have the SAP BTP auditlog-management service and service key (see [Set up the BTP account and solution](#set-up-the-btp-account-and-solution)). 
+- You can create an [Azure Function App](../../azure-functions/functions-overview.md) with the `Microsoft.Web/Sites`, `Microsoft.Web/ServerFarms`, `Microsoft.Insights/Components`, and `Microsoft.Storage/StorageAccounts` permissions.
+- You can create [Data Collection Rules/Endpoints](../../azure-monitor/essentials/data-collection-rule-overview.md) with the permissions: 
+    - `Microsoft.Insights/DataCollectionEndpoints`, and `Microsoft.Insights/DataCollectionRules`.
+    - Assign the Monitoring Metrics Publisher role to the Azure Function. 
+- You have an [Azure Key Vault](../../key-vault/general/overview.md) to hold the SAP BTP client secret. 
+
+## Set up the BTP account and solution
+
+1. After you can log into your BTP account (see the [prerequisites](#prerequisites),) follow these [audit log retrieval steps](https://help.sap.com/docs/btp/sap-business-technology-platform/audit-log-retrieval-api-usage-for-subaccounts-in-cloud-foundry-environment) on the SAP BTP system. 
+1. In the SAP BTP Cockpit, select the **Audit Log Management Service**.
+
+    :::image type="content" source="./media/deploy-sap-btp-solution/btp-audit-log-management-service.png" alt-text="Screenshot of selecting the BTP Audit Log Management Service." lightbox="./media/deploy-sap-btp-solution/btp-audit-log-management-service.png":::
+
+1. Create an instance of the Audit Log Management Service in the sub account.
+
+    :::image type="content" source="./media/deploy-sap-btp-solution/btp-audit-log-sub-account.png" alt-text="Screenshot of creating an instance of the BTP subaccount." lightbox="./media/deploy-sap-btp-solution/btp-audit-log-sub-account.png":::
+ 
+1.	Create a service key and record the `url`, `uaa.clientid`, `uaa.clientecret` and `uaa.url` values. These are required to deploy the data connector.
+    
+    Here's an example of these field values.
+
+    - **url**: `https://auditlog-management.cfapps.us10.hana.ondemand.com`
+    - **uaa.clientid**: `sb-ac79fee5-8ad0-4f88-be71-d3f9c566e73a!b136532|auditlog-management!b1237`
+    - **uaa.clientsecret**: `682323d2-42a0-45db-a939-74639efde986$gR3x3ohHTB8iyYSKHW0SNIWG4G0tQkkMdBwO7lKhwcQ=`
+    - **uaa.url**: `https://915a0312trial.authentication.us10.hana.ondemand.com`
+
+1. Log into the Azure portal with the [solution preview feature flag](https://portal.azure.com/?feature.loadTemplateSolutions=true). 
+1. Navigate to the **Microsoft Sentinel** service.
+1. Select **Content hub**, and in the search bar, search for *BTP*.
+1. Select **Sentinel Solution for SAP BTP**.
+1. Select **Install**.
+
+    For more information about how to manage the solution components, see [Discover and deploy out-of-the-box content](../sentinel-solutions-deploy.md).
+
+1. Select **Create**.
+
+    :::image type="content" source="./media/deploy-sap-btp-solution/sap-btp-create-solution.png" alt-text="Screenshot of how to create the Microsoft Sentinel Solution® for SAP BTP." lightbox="./media/deploy-sap-btp-solution/sap-btp-create-solution.png":::
+
+1. Select the resource group and the Sentinel workspace in which you want to deploy the solution. 
+1. Select **Next** until you pass validation and select **Create**.
+1. Once the solution deployment is complete, return to your Sentinel workspace and select **Data connectors**. 
+1. In the search bar, type *BTP*, and select **SAP BTP (using Azure Function)**. 
+1. Select **Open connector page**.
+1. In the connector page, make sure that you meet the required prerequisites and follow the configuration steps. In step 2 of the data connector configuration, specify the parameters you defined in step 4 of this procedure.    
+    
+    > [!NOTE]
+    > Retrieving audits for the global account doesn't automatically retrieve audits for the subaccount. Follow the connector configuration steps for each of the subaccounts you want to monitor, and also follow these steps for the global account. Review these [account auditing configuration considerations](#account-auditing-configuration-considerations).
+
+1. Complete all configuration steps, including the Function App deployment and the Key Vault access policy configuration. 
+1. Make sure that BTP logs are flowing into the Microsoft Sentinel workspace:
+    1. Log in to your BTP subaccount and run a few activities that generate logs, such as logins, adding users, changing permissions, changing settings, and so on.
+    1. Allow 20-30 minutes for the logs to start flowing.
+    1. In the **SAP BTP** connector page, confirm that Microsoft Sentinel receives the BTP data, or query the `SAPBTPAuditLog_CL` table directly. 
+
+1. Enable the [workbook](sap-btp-security-content.md#sap-btp-workbook) and the [analytics rules](sap-btp-security-content.md#built-in-analytics-rules) provided as part of the solution by following [these guidelines](../sentinel-solutions-deploy.md#analytics-rule).
+
+## Account auditing configuration considerations
+
+### Global account auditing configuration
+
+When you enable audit log retrieval in the BTP cockpit for the Global account: If the subaccount for which you want to entitle the Audit Log Management Service is under a directory, you must entitle the service at the directory level first, and only then you can entitle the service at the subaccount level.
+
+### Subaccount auditing configuration 
+
+To enable auditing for a subaccount, follow the steps in the [SAP subaccounts audit retrieval API documentation](https://help.sap.com/docs/btp/sap-business-technology-platform/audit-log-retrieval-api-usage-for-subaccounts-in-cloud-foundry-environment).
+
+However, while this guide explains how to enable the audit log retrieval using the Cloud Foundry CLI, you can also retrieve the logs via the UI:
+
+1. In your subaccount Service Marketplace, create an instance of the **Audit Log Management Service**.
+1. Create a service key in the new **Audit Log Management Service** instance.
+1. View the Service key and retrieve the required parameters mentioned in step 2 of the configuration instructions in the data connector UI (**url**, **uaa.url**, **uaa.clientid**, **uaa.clientsecret**).
+
+## Next steps
+
+In this article, you learned how to deploy the Microsoft Sentinel Solution® for SAP BTP.
+> 
+> - [Learn how to enable the security content](../sentinel-solutions-deploy.md#analytics-rule)
+> - [Review the solution's security content](sap-btp-security-content.md)

articles/sentinel/sap/media/deploy-sap-btp-solution/btp-audit-log-management-service.png

@@ -0,0 +1,54 @@
+---
+title: Microsoft Sentinel Solution for SAP® BTP - security content reference
+description: Learn about the built-in security content provided by the  Microsoft Sentinel Solution for SAP® BTP.
+author: limwainstein
+ms.author: lwainstein
+ms.topic: reference
+ms.date: 03/30/2023
+---
+
+#  Microsoft Sentinel Solution for SAP® BTP: security content reference
+
+This article details the security content available for the Microsoft Sentinel Solution for SAP® BTP.
+
+> [!IMPORTANT]
+> The Microsoft Sentinel Solution for SAP® BTP is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+Available security content currently includes a built-in workbook and analytics rules. You can also add SAP-related [watchlists](../watchlists.md) to use in your search, detection rules, threat hunting, and response playbooks.
+
+[Learn more about the solution](sap-btp-solution-overview.md).
+
+## SAP BTP workbook
+
+The BTP Activity Workbook provides a dashboard overview of BTP activity. 
+
+:::image type="content" source="./media/sap-btp-security-content/sap-btp-workbook-btp-overview.png" alt-text="Screenshot of the Overview tab of the SAP BTP workbook." lightbox="./media/sap-btp-security-content/sap-btp-workbook-btp-overview.png":::
+
+The **Overview** tab shows: 
+
+- An overview of BTP subaccounts, helping analysts identify the most active accounts and the type of ingested data. 
+- Subaccount sign-in activity, helping analysts identify spikes and trends that may be associated with sign-in failures in SAP Business Application Studio (BAS). 
+- Timeline of BTP activity and number of BTP security alerts, helping analysts search for any correlation between the two.
+ 
+The **Identity Management** tab shows a grid of identity management events, such as user and security role changes, in a human-readable format. The search bar lets you quickly find specific changes.
+
+:::image type="content" source="./media/sap-btp-security-content/sap-btp-workbook-identity-management.png" alt-text="Screenshot of the Identity Management tab of the SAP BTP workbook." lightbox="./media/sap-btp-security-content/sap-btp-workbook-identity-management.png":::
+
+For more information, see [Tutorial: Visualize and monitor your data](../monitor-your-data.md) and [Deploy Microsoft Sentinel Solution for SAP® BTP](deploy-sap-btp-solution.md).
+
+## Built-in analytics rules
+
+| Rule name | Description | Source action | Tactics |
+| --------- | --------- | --------- | --------- |
+| **BTP - Failed access attempts across multiple BAS subaccounts** |Identifies failed Business Application Studio (BAS) access attempts over a predefined number of subaccounts.<br>Default threshold: 3 | | |
+| **BTP - Malware detected in BAS dev space** |Identifies instances of malware detected by the SAP internal malware agent within BAS developer spaces. | | |
+| **BTP - User added to sensitive privileged role collection** |Identifies identity management actions where a user is added to a set of monitored privileged role collections. | | |
+| **BTP - Trust and authorization Identity Provider monitor** |Identifies create, read, update, and delete (CRUD) operations on Identity Provider settings within a subaccount. |
+| **BTP - Mass user deletion in a sub account** |Identifies user account deletion activity where the number of deleted users exceeds a predefined threshold.<br>Default threshold: 10 | | |
+
+## Next steps
+
+In this article, you learned about the security content provided with the Microsoft Sentinel Solution for SAP® BTP.
+
+- [Deploy Microsoft Sentinel solution for SAP® BTP](deploy-sap-btp-solution.md)
+- [Microsoft Sentinel Solution for SAP® BTP overview](sap-btp-solution-overview.md)

articles/sentinel/sap/media/deploy-sap-btp-solution/btp-audit-log-sub-account.png

@@ -0,0 +1,54 @@
+---
+title: Microsoft Sentinel Solution for SAP® BTP overview
+description: This article introduces the Microsoft Sentinel Solution for SAP® BTP.
+author: limwainstein
+ms.author: lwainstein
+ms.topic: conceptual
+ms.date: 03/22/2023
+---
+
+# Microsoft Sentinel Solution for SAP® BTP overview
+
+This article introduces the Microsoft Sentinel Solution for SAP® BTP. The solution monitors and protects your SAP Business Technology Platform (BTP) system: It collects audits and activity logs from the BTP infrastructure and BTP based apps, and detects threats, suspicious activities, illegitimate activities, and more.
+
+SAP BTP is a cloud-based solution that provides a wide range of tools and services for developers to build, run, and manage applications. One of the key features of SAP BTP is its low-code development capabilities. Low-code development allows developers to create applications quickly and efficiently by using visual drag-and-drop interfaces and prebuilt components, rather than writing code from scratch.
+
+> [!IMPORTANT]
+> The Microsoft Sentinel Solution for SAP® BTP is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+### Why it's important to monitor BTP activity
+
+While low-code development platforms have become increasingly popular among businesses looking to accelerate their application development processes, there are also security risks that organizations must consider. One key concern is the risk of security vulnerabilities introduced by citizen developers, some of whom may lack the security awareness of traditional pro-dev community. To counter these vulnerabilities, it's crucial for organizations to quickly detect and respond to threats on BTP applications.
+
+Beyond the low-code aspect, BTP applications:
+
+- Access sensitive business data, such as customers, opportunities, orders, financial data, and manufacturing processes.
+- Access and integrate with multiple different business applications and data stores​.
+- Enable key business processes​.
+- Are created by citizen developers who may not be security savvy or aware of cyber threats.
+- Used by wide range of users, internal and external​.
+
+Therefore, it's important to protect your BTP system against these risks.
+
+## How the solution addresses BTP security risks
+
+With the Microsoft Sentinel Solution for SAP® BTP, you can:
+
+- Gain visibility to activities **on** BTP applications, including creation, modification, permissions change, execution, and more.
+- Gain visibility to activities **in** BTP applications, including who uses the application, which business applications the BTP application accesses, business data Create, Read, Update, Delete (CRUD) activities, and more.
+- Detect suspicious or illegitimate activities. The activities include: suspicious logins, illegitimate changes of application settings and user permission, data exfiltration, bypassing of SOD policies, and more.
+- Investigate and respond to threats originating from the BTP application: Find an application owner, understand relationships between applications, suspend applications or users, and more.
+- Monitor on-premises and SaaS​ SAP environments​.
+
+The solution includes:
+
+- The **SAP BTP** connector, which allows you to connect your BTP subaccounts and global account to Microsoft Sentinel via the [Audit Log service for SAP BTP API](https://help.sap.com/docs/btp/sap-business-technology-platform/security-events-logged-by-cf-services). Learn how to [install the solution and data connector](deploy-sap-btp-solution.md).
+- **[Built-in analytics rules](sap-btp-security-content.md#built-in-analytics-rules)** for identity management and low-code application development scenarios using the Trust and Authorization Provider and Business Application Studio (BAS) event sources in BTP.
+- The **[BTP activity workbook](sap-btp-security-content.md#sap-btp-workbook)**, which provides a dashboard overview of subaccounts and a grid of identity management events.
+  
+## Next steps
+
+In this article, you learned about the Microsoft Sentinel solution for SAP® BTP.
+
+> [!div class="nextstepaction"]
+> [Deploy the Microsoft Sentinel Solution for SAP® BTP](deploy-sap-btp-solution.md)