+To enable sign-in for users with a PingOne (Ping Identity) account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in the Ping Identity Administrator Console. If you don't already have a PingOne account, you can sign up at [`https://admin.pingone.com/web-portal/register`](https://admin.pingone.com/web-portal/register).

+- License to [Grit's Visual IEF builder](/azure/active-directory-b2c/partner-grit-editor). Contact [Grit support](mailto:info@gritsoftwaresystems.com) for licensing details. For this tutorial you don't need a license.

+1. Navigate to </azure/active-directory-b2c/partner-grit-editor> and enter your email if you're asked for it.

+- [Visual IEF Editor](/azure/active-directory-b2c/partner-grit-editor) is free and works only with Google Chrome browser.

+| 1. | Go to /azure/active-directory-b2c/partner-grit-editor and upload the policies from [Azure AD B2C customer policies starter pack](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack) using the upload policy button in the user interface.|

+>Create a virtual host for every application.

+Yes, business hours are reflected for the time zone of the region. Maintenance operations are optimized to start outside the standard business hours of 9 AM to 5 PM. Statistically, that's the best time for any interruptions and restarts of workloads because there's less stress on the system (in customer applications and transitively on the platform itself). If resources are still upgrading by 9 AM in a given region, the upgrade will safely pause before the next critical step and until the end of business hours.

+| useTLS | Specifies if the health check should enforce TLS. If not specified, health check uses the same protocol as the service if the same port is used for health check. If the port is different, health check is cleartext. |

+| useTLS | HTTP for HTTP and HTTPS when TLS is specified. |

+ useTLS: true

+| [Custom health probe](migrate-from-agic-to-agc.md#custom-health-probes) | appgw.ingress.kubernetes.io/health-probe-port | [HealthCheckPolicy](migrate-from-agic-to-agc.md#healthcheckpolicy) | [HealthCheckPolicy](migrate-from-agic-to-agc.md#healthcheckpolicy) |

+ Title: Route traffic using parameter-based path selection in portal - Azure Application Gateway

+description: Use the Azure portal to configure an application gateway to choose the backend pool based on the value of a header, part of a URL, or a query string in the request.

+# Perform parameter-based path selection with Azure Application Gateway - Azure portal

+This article describes how to use the Azure portal to configure an [Azure Application Gateway v2 SKU](./application-gateway-autoscaling-zone-redundant.md) instance to perform parameter-based path selection by combining the capabilities of URL Rewrite with path-based routing.

+You need to have an Application Gateway v2 SKU instance to finish the steps in this article. URL Rewrite and rewriting headers aren't supported in the v1 SKU. If you don't have the v2 SKU, create an [Application Gateway v2 SKU](./tutorial-autoscale-ps.md) instance before you begin.

+## Configure parameter-based path selection

+For this example, you have a shopping website. The product category is passed as a query string in the URL. To route the request to the backend based on the query string, follow these steps.

+1. Create a path map.

+ :::image type="content" source="./media/rewrite-http-headers-url/url-scenario1-1.png" alt-text="Screenshot that shows a URL Rewrite scenario 1-1.":::

+1. Create a rewrite set that has three rewrite rules:

+ * The first rule has a condition that checks the `query_string` variable for `category=shoes`. An action rewrites the URL path to `/listing1`. **Reevaluate path map** is enabled.

+ * The second rule has a condition that checks the `query_string` variable for `category=bags`. An action rewrites the URL path to `/listing2`. **Reevaluate path map** is enabled.

+ * The third rule has a condition that checks the `query_string` variable for `category=accessories`. An action rewrites the URL path to `/listing3`. **Reevaluate path map** is enabled.

+ :::image type="content" source="./media/rewrite-http-headers-url/url-scenario1-2.png" alt-text="Screenshot that shows the URL Rewrite scenario 1-2.":::

+1. Associate this rewrite set with the default path of the previous path-based rule.

+ :::image type="content" source="./media/rewrite-http-headers-url/url-scenario1-3.png" alt-text="Screenshot that shows the URL rewrite scenario 1-3.":::

+If the user requests `contoso.com/listing?category=any`, it's matched with the default path because the path patterns in the path map (`/listing1`, /`listing2`, /`listing3`) don't match. Because you associated the previous rewrite set with this path, this rewrite set is evaluated. The query string doesn't match the condition in any of the three rewrite rules in this rewrite set, so no rewrite action takes place. The request is routed unchanged to the backend associated with the default path (which is `GenericList`).

+If the user requests `contoso.com/listing?category=shoes`, the default path is matched. In this case, the condition in the first rule matches. The action associated with the condition is executed, which rewrites the URL path to `/listing1` and reevaluates the path map. When the path map is reevaluated, the request matches the path associated with the pattern `/listing1`. The request is routed to the backend associated with this pattern (`ShoesListBackendPool`).

+> You can extend this scenario to any header or cookie value, URL path, query string, or server variables based on the conditions defined. You can then route requests based on those conditions.

+## Related content

+To learn more about how to set up some common use cases, see [Common header rewrite scenarios](./rewrite-http-headers-url.md).

+description: Use the Azure portal to configure an application gateway to rewrite the HTTP headers in the requests and responses that pass through the gateway.

+This article describes how to use the Azure portal to configure an [Azure Application Gateway v2 SKU](./application-gateway-autoscaling-zone-redundant.md) instance to rewrite the HTTP headers in requests and responses.

+You need to have an Application Gateway v2 SKU instance to finish the steps in this article. Rewriting headers isn't supported in the v1 SKU. If you don't have the v2 SKU, create an [Application Gateway v2 SKU](./tutorial-autoscale-ps.md) instance before you begin.

+To configure HTTP header rewrite, follow these steps.

+1. Create the objects that are required for an HTTP header rewrite:

+ - **Rewrite condition**: An optional configuration. Rewrite conditions evaluate the content of HTTP(S) requests and responses. The rewrite action occurs if the HTTP(S) request or response matches the rewrite condition.

+ If you associate more than one condition with an action, the action occurs only when all the conditions are met. In other words, the operation is a logical `AND` operation.

+ - **Rewrite rule**: Contains multiple rewrite action/rewrite condition combinations.

+ - **Rule sequence**: Helps determine the order in which the rewrite rules execute. This configuration is helpful when you have multiple rewrite rules in a rewrite set. A rewrite rule that has a lower rule sequence value runs first. If you assign the same rule sequence value to two rewrite rules, the order of execution is nondeterministic.

+1. Attach the rewrite set to a routing rule. The rewrite configuration is attached to the source listener via the routing rule.

+ - When you use a basic routing rule, the header rewrite configuration is associated with a source listener and is a global header rewrite.

+ - When you use a path-based routing rule, the header rewrite configuration is defined on the URL path map. In that case, it applies only to the specific path area of a site.

+## Configure a header rewrite

+In this example, we modify a redirection URL by rewriting the location header in the HTTP response sent by a backend application.

+1. In the service pane, select **Rewrites**.

+1. Select **Rewrite set**.

+ 

+1. Provide a name for the rewrite set and associate it with a routing rule:

+ 1. In the **Name** box, enter the name for the rewrite set.

+ 1. In the **Associated routing rules** list, select one or more rules. Select only rules not already associated with other rewrite sets. Rules already associated with other rewrite sets are dimmed.

+ 1. Select **Next**.

+ 

+1. Create a rewrite rule:

+ 1. Select **Add rewrite rule**.

+ 

+ 1. In the **Rewrite rule name** box, enter a name for the rewrite rule. In the **Rule sequence** box, enter a number.

+ 

+1. In this example, we rewrite the location header only when it contains a reference to `azurewebsites.net`. To do this step, add a condition to evaluate whether the location header in the response contains `azurewebsites.net`:

+ 1. Select **Add condition**, and then select the box containing the **If** instructions to expand it.

+ 

+ 1. In the **Type of variable to check** list, select **HTTP header**.

+ 1. In the **Header type** list, select **Response**.

+ 1. Under **Header name**, select **Common header**. In this example, we're evaluating the location header, which is a common header.

+ 1. In the **Common header** list, select **Location**.

+ 1. Under **Case-sensitive**, select **No**.

+ 1. In the **Operator** list, select **equal (=)**.

+ 1. Enter a regular expression pattern. In this example, we use the pattern `(https?):\/\/.*azurewebsites.net(.*)$`.

+ 1. Select **OK**.

+ 

+1. Add an action to rewrite the location header:

+ 1. In the **Action type** list, select **Set**.

+ 1. In the **Header type** list, select **Response**.

+ 1. Under **Header name**, select **Common header**.

+ 1. In the **Common header** list, select **Location**.

+ 1. Enter the header value. In this example, we use `{http_resp_Location_1}://contoso.com{http_resp_Location_2}` as the header value. This value replaces `azurewebsites.net` with `contoso.com` in the location header.

+ 1. Select **OK**.

+ 

+1. Select **Create** to create the rewrite set.

+ 

+1. The **Rewrites** pane opens. Verify that the rewrite set you created is in the list of rewrite sets.

+ 

+## Related content

+To learn more about how to set up some common use cases, see [Common header rewrite scenarios](./rewrite-http-headers-url.md).

+description: Learn how to use the Azure portal to configure an application gateway to rewrite a URL and query string.

+# Rewrite a URL with Azure Application Gateway - Azure portal

+This article describes how to use the Azure portal to configure an [Azure Application Gateway v2 SKU](application-gateway-autoscaling-zone-redundant.md) instance to rewrite a URL.

+> The URL Rewrite feature is available only for the Standard_v2 and Web Application Firewall_v2 SKU of Application Gateway. When URL Rewrite is configured on a Web Application Firewall-enabled gateway, Web Application Firewall evaluation takes place on the rewritten request headers and the URL. For more information, see [Use URL rewrite or host header rewrite with Web Application Firewall (WAF_v2 SKU)](rewrite-http-headers-url.md#using-url-rewrite-or-host-header-rewrite-with-web-application-firewall-waf_v2-sku).

+You need to have an Application Gateway v2 SKU instance to finish the steps in this article. Rewriting a URL isn't supported in the v1 SKU. If you don't have the v2 SKU, create an [Application Gateway v2 SKU](tutorial-autoscale-ps.md) instance before you begin.

+## Configure a URL rewrite

+In the following example, whenever the request URL contains `/article`, the URL path and URL query string are rewritten. For example:

+1. In the service pane, select **Rewrites**.

+1. Select **Rewrite set**.

+ :::image type="content" source="./media/rewrite-url-portal/rewrite-url-portal-1.png" alt-text="Screenshot that shows adding a rewrite set.":::

+1. Enter a name for the rewrite set and associate it with a routing rule:

+ 1. In the **Name** box, enter the name for the rewrite set.

+ 1. In the **Associated routing rules** list, select one or more of the rules. This step associates the rewrite configuration to the source listener via the routing rule. Select only those routing rules not already associated with other rewrite sets. The rules already associated with other rewrite sets are dimmed.

+ 1. Select **Next**.

+ :::image type="content" source="./media/rewrite-url-portal/rewrite-url-portal-2.png" alt-text="Screenshot that shows associating to a rule.":::

+1. Create a rewrite rule:

+ 1. Select **Add rewrite rule**.

+ :::image type="content" source="./media/rewrite-url-portal/rewrite-url-portal-3.png" alt-text="Screenshot that shows Add rewrite rule.":::

+ 1. In the **Rewrite rule name** box, enter a name for the rewrite rule.

+ 1. In the **Rule sequence** box, enter a number.

+1. In this example, we rewrite a URL path and a URL query string only when the path contains `/article`. To do this step, add a condition to evaluate whether the URL path contains `/article`:

+ 1. Select **Add condition**, and then select the box that contains the **If** instructions to expand it.

+ 1. In the **Type of variable to check** list, select **Server variable**. In this example, we want to check the pattern `/article` in the URL path.

+ 1. In the **Server variable** list, select `uri_path`.

+ 1. Under **Case-sensitive**, select **No**.

+ 1. In the **Operator** list, select **equal (=)**.

+ 1. Enter a regular expression pattern. In this example, we use the pattern `.*article/(.*)/(.*)`

+ Parentheses ( ) are used to capture the substring for later use in composing the expression for rewriting the URL path. For more information, see [Pattern matching and capturing](rewrite-http-headers-url.md#pattern-matching-and-capturing).

+ 1. Select **OK**.

+ :::image type="content" source="./media/rewrite-url-portal/rewrite-url-portal-4.png" alt-text="Screenshot that shows the condition.":::

+1. Add an action to rewrite the URL and the URL path:

+ 1. In the **Rewrite type** list, select **URL**.

+ 1. In the **Action type** list, select **Set**.

+ 1. Under **Components**, select **Both URL path and URL query string**.

+ 1. In the **URL path value**, enter the new value of the path. In this example, we use `/article.aspx`.

+ 1. In the **URL query string value**, enter the new value of the URL query string. In this example, we use `id={var_uri_path_1}&title={var_uri_path_2}`.

+ The `{var_uri_path_1}` and `{var_uri_path_2}` paths are used to fetch the substrings captured while evaluating the condition in the expression `.*article/(.*)/(.*)`

+ 1. Select **OK**.

+ :::image type="content" source="./media/rewrite-url-portal/rewrite-url-portal-5.png" alt-text="Screenshot that shows the action.":::

+1. Select **Create** to create the rewrite set.

+1. Verify that the new rewrite set appears in the list of rewrite sets.

+ :::image type="content" source="./media/rewrite-url-portal/rewrite-url-portal-6.png" alt-text="Screenshot that shows adding a rewrite rule.":::

+## Verify the URL rewrite through access logs

+Observe the following fields in access logs to verify if the URL rewrite happened according to your expectations:

+* `originalRequestUriWithArgs`: This field contains the original request URL.

+* `requestUri`: This field contains the URL after the rewrite operation on Application Gateway.

+## Related content

+To learn more about how to set up rewrites for some common use cases, see [Common rewrite scenarios](./rewrite-http-headers-url.md).

+|Using Automation Update Management |Use [Azure Update Manager](../update-manager/overview.md)|

+ Update *Program.cs* with the following code.

+The feature management library also supports the usage of the [`Microsoft Feature Management schema`](https://github.com/microsoft/FeatureManagement/blob/main/Schema/FeatureManagement.v1.0.0.schema.json) to declare feature flags. This schema is language agnostic in origin and is supported by all Microsoft feature management libraries.

+The feature management library supports appsettings.json as a feature flag source since it's a provider for .NET Core's `IConfiguration` system. Feature flags are declared using the [`Microsoft Feature Management schema`](https://github.com/microsoft/FeatureManagement/blob/main/Schema/FeatureManagement.v2.0.0.schema.json). This schema is language agnostic in origin and is supported by all Microsoft feature management libraries.

+An example of its usage can be found in the [VariantAndTelemetryDemo](https://github.com/microsoft/FeatureManagement-Dotnet/tree/preview/examples/VariantAndTelemetryDemo) example.

+This telemetry publisher depends on Application Insights already being setup registered as an application service. For example, that is done [here](https://github.com/microsoft/FeatureManagement-Dotnet/blob/preview/examples/VariantAndTelemetryDemo/Program.cs#L22-L32) in the example application.

+This telemetry publisher depends on Application Insights already being [setup](/azure/azure-monitor/app/asp-net-core#enable-application-insights-server-side-telemetry-no-visual-studio) and registered as an application service.

+|[DOT Personable Inc](https://cloud.personable.com/1/login.htm)|

+|[i3 LLC](https://i3llc.us/)|

+[js render sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-render-rest/samples/v2-beta

+| Italy/Sweden | Italy North | Sweden Central |

+Using any of following Bicep features automatically enables language version 2.0 code generation:

+* [user-defined types](../bicep/user-defined-data-types.md)

+* [user-defined functions](../bicep/user-defined-functions.md)

+* [compile-time imports](../bicep/bicep-import.md)

+* [experimental features](../bicep/bicep-config.md#enable-experimental-features)

+You can enable experimental features by adding the following section to your `bicepconfig.json` file. Using experimental features automatically enables [language version 2.0](../templates/syntax.md#languageversion-20) code generation.

+This article describes the syntax you use to export and import shared functionality and namespaces for Bicep extensions. Using compile-time imports automatically enables [language version 2.0](../templates/syntax.md#languageversion-20) code generation.

+Learn how to create user-defined data types in Bicep. For system-defined data types, see [Data types](./data-types.md). Using user-defined data types automatically enables [language version 2.0](../templates/syntax.md#languageversion-20) code generation.

+Within your Bicep file, you can create your own functions. These functions are available for use in your Bicep files. User-defined functions are separate from the [standard Bicep functions](./bicep-functions.md) that are automatically available within your Bicep files. Create your own functions when you have complicated expressions that are used repeatedly in your Bicep files. Using user-defined functions automatically enables [language version 2.0](../templates/syntax.md#languageversion-20) code generation.

+For limits specific to Media Services v2 (legacy), see [Media Services v2 (legacy)]

+To ensure that Azure is compliant with regulatory requirements, and provide improved security for our customers, **Azure Resource Manager will stop supporting protocols older than TLS 1.2 on March 1, 2025.**

+Using any of following Bicep features automatically enables language version 2.0 code generation:

+* [user-defined types](../bicep/user-defined-data-types.md)

+* [user-defined functions](../bicep/user-defined-functions.md)

+* [compile-time imports](../bicep/bicep-import.md)

+* [experimental features](../bicep/bicep-config.md#enable-experimental-features)

+Azure Web PubSub uses Kusto tables from Azure Monitor Logs. You can query these tables with Log analytics.

+1. To configure cache headers using Azure portal, refer to [How to Manage Streaming Endpoints](/azure/media-services/latest/stream-streaming-endpoint-concept) section Configuring the Streaming Endpoint.

+ Title: Add calling and chat functionality

+description: Add calling and chat functionality using the Azure Communication Services UI Library.

+zone_pivot_groups: acs-plat-ios-android

+#Customer intent: As a developer, I want to add calling and chat functionality to my App.

+# Integrate Calling and Chat UI Libraries

+## Set up the feature

+## Run the code

+To build and run your app on the device.

+### More features

+The list of [use cases](../../concepts/ui-library/ui-library-use-cases.md?branch=main&pivots=platform-mobile) has detailed information about more features.

+## Add notifications to your mobile app

+Azure Communication Services integrates with [Azure Event Grid](../../../event-grid/overview.md) and [Azure Notification Hubs](../../../notification-hubs/notification-hubs-push-notification-overview.md), so you can [add push notifications](../../concepts/notifications.md) to your apps in Azure. You can use push notifications to send information from your application to users' mobile devices. A push notification can show a dialog, play a sound, or display an incoming call UI.

+## Next steps

+- [Learn more about the UI Library](../../concepts/ui-library/ui-library-overview.md)

+ 1. Prepare and download the key release policy to your local disk.

+ 1. Deploy a Disk Encryption Set (DES) using a DES ARM template (`deployDES.json`).

+ 1. Prepare and download the key release policy to your local disk.

+ 1. Deploy your confidential VM using a confidential VM ARM template for Intel TDX and a [deployment parameter file](#example-windows-parameter-file) (for example, `azuredeploy.parameters.win2022.json`) with the customer-managed key.

+ This example continues with the built-in auto-complete trigger named **When messages are available in a queue**. This trigger reads the message from a service bus. If the logic app can get the message and save the trigger response to storage, the trigger automatically completes the message. If a failure happens instead, the trigger abandons the message. These behaviors only apply to stateful workflows. For stateless workflows, the auto-complete or abandon decision happens only after the run completes.

+1. Sign in to the [Azure portal] and go to your application. Copy your **URL**. You use it to configure your GitHub app.

+1. On the application page, make note of the **Client ID**, which you need later.

+1. Make note of the client secret value, which you need later.

+ The secret is stored as a secret in your container app.

+1. If you're configuring the first identity provider for this application, you also see a **Container Apps authentication settings** section. Otherwise, you can move on to the next step.

+You're now ready to use GitHub for authentication in your app. The provider is listed on the **Authentication** screen. From there, you can edit or delete this provider configuration.

+|[Copy activity](copy-activity-overview.md) (source/-)|&#9312;|

+|[Lookup activity](control-flow-lookup-activity.md)|&#9312;|

+If your data store is a managed cloud data service, you can use the Azure Integration Runtime. If the access is restricted to IPs that are approved in the firewall rules, you can add [Azure Integration Runtime IPs](azure-integration-runtime-ip-addresses.md) to the allow list.

+You can also use the [managed virtual network integration runtime](tutorial-managed-virtual-network-on-premise-sql-server.md) feature in Azure Data Factory to access the on-premises network without installing and configuring a self-hosted integration runtime.

+For more information about the network security mechanisms and options supported by Data Factory, see [Data access strategies](data-access-strategies.md).

+| connectVia | The [Integration Runtime](concepts-integration-runtime.md) to be used to connect to the data store. Learn more from [Prerequisites](#prerequisites) section. You can only use Azure Integration Runtime. |No |

+| 24.1.5 |09/2024 | Minor |09/2025 |

+| 24.1.4 |07/2024 | Minor |07/2025 |

+| 24.1.3 |06/2024 | Minor |06/2025 |

+| 24.1.2 |04/2024 | Minor |04/2025 |

+| 23.2.0 | 12/2023 | Major | 12/2024 |

+### Version 24.1.5

+**Release date**: 09/2024

+**Supported until**: 09/2025

+This version includes the following updates and enhancements:

+- [Add wildcards to allowlist domain names](how-to-accelerate-alert-incident-response.md#allow-internet-connections-on-an-ot-network)

+- [OCPI protocol is now supported](concept-supported-protocols.md#supported-protocols-for-ot-device-discovery)

+- [New sensor setting type: Public addresses](configure-sensor-settings-portal.md#add-sensor-settings)

+- [Improved OT sensor onboarding](ot-deploy/activate-deploy-sensor.md#activate-your-ot-sensor)

+**Release date**: 07/2024

+**Supported until**: 07/2025

+**Release date**: 06/2024

+**Supported until**: 06/2025

+**Release date**: 04/2024

+**Supported until**: 04/2025

+**Supported until**: 12/2024

+A dev center uses Kusto tables from Azure Monitor Logs. You can query these tables with Log Analytics. For a list of Kusto tables that a dev center uses, see the [Azure Monitor Logs table reference organized by resource type](/azure/azure-monitor/logs/manage-logs-tables).

+Set-AzContext -SubscriptionId aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e

+ "value": "aaaaaaaa-bbbb-cccc-1111-222222222222"

+New-AzureRmResourceGroupDeployment -Name "MyLabResourceGroup-$(New-Guid)" -ResourceGroupName 'MyLabResourceGroup' -TemplateFile .\azuredeploy.json -roleAssignmentGuid "$(New-Guid)" -labName "MyLab" -principalId "aaaaaaaa-bbbb-cccc-1111-222222222222"

+ "galleryId":"/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/mySharedGalleryRg/providers/Microsoft.Compute/galleries/mySharedGallery",

+In the following example, the **ObjectId** of the *SomeUser* user is aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb.

+someuser@hotmail.com aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb

+PS C:\>New-AzRoleAssignment -ObjectId aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb -RoleDefinitionName "Policy Contributor" -Scope /subscriptions/<SubscriptionID>/resourceGroups/<ResourceGroupName>/providers/Microsoft.DevTestLab/labs/<LabName>/policySets/default/policies/AllowedVmSizesInLab

+| Region | Region | Region | Region |

+Azure Event Hubs uses Kusto tables from Azure Monitor Logs. You can query these tables with Log Analytics.

+| **[Flo Networks](https://flo.net/)** | &check; | &check; | Dallas<br/>Los Angeles<br/>Miami<br/>Queretaro(Mexico City)<br/>Sao Paulo<br/>Washington DC<br/>**Locations are listed under Neutrona (company name is Neutrona Networks) Networks and Transtelco as providers for circuit creation* |

+| **[IVedha Inc](https://ivedha.com/cloud-managed-services/)**| Equinix | Toronto |

+| **[MainOne](https://www.facebook.com/mainoneservice/posts/mainones-cloud-connect-service-provides-private-connectivity-between-your-data-c/833475925483185/)** |Equinix | Amsterdam |

+[Azure Machine Learning Studio (classic)](https://ml.azure.com/) provides tools to model predictive analytics, and a fully managed service you can use to deploy your predictive models as ready-to-consume web services. Azure Machine Learning provides tools for creating complete predictive analytics solutions in the cloud to quickly create, test, operationalize, and manage predictive models. Select from a large algorithm library, use a web-based studio for building models, and easily deploy your model as a web service.

+For details on the Spark Stream API, see [Apache Spark Streaming Programming Guide](https://spark.apache.org/docs/latest/structured-streaming-programming-guide.html).

+The sliding window functions available in the Spark Streaming API include window, countByWindow, reduceByWindow, and countByValueAndWindow. For details on these functions, see [Transformations on DStreams](https://spark.apache.org/docs/latest/structured-streaming-programming-guide.html).

+* [Apache Spark Streaming Programming Guide](https://spark.apache.org/docs/latest/structured-streaming-programming-guide.html)

+ serializationFormat: 'Json'

+ schemaRef: 'aio-sr://<SCHEMA_NAMESPACE>/<SCHEMA_NAME>:<VERSION>'

+ schemaRef: 'aio-sr://<SCHEMA_NAMESPACE>/<SCHEMA_NAME>:<VERSION>'

+ serializationFormat: 'Delta'

+ schemaRef: 'aio-sr://<SCHEMA_NAMESPACE>/<SCHEMA>:<VERSION>'

+ schemaRef: 'aio-sr://<SCHEMA_NAMESPACE>/<SCHEMA>:<VERSION>'

+- [Manage dataflow profiles](howto-configure-dataflow-profile.md)

+* Secondary IPv4 configurations of a network interface are not supported with outbound rules. For outbound connectivity on secondary IPv4 configurations, attach instance level public IPs or leverage NAT Gateway instead.

+ Title: Define schedules on load tests

+description: 'Learn how to schedule load tests with Azure Load Testing. Scheduling tests allows you to run tests at a later time or run at a regular cadence.'

+# Define schedules on load tests

+In this article, you learn how to schedule load tests with Azure Load Testing. Scheduling tests allows you to run tests at a later time or run at a regular cadence. Azure Load Testing supports adding one schedule to a test. You can add a schedule to a test after creating it.

+## Prerequisites

+- An Azure account with an active subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- An Azure load testing resource and test. If you need to create an Azure Load Testing resource and test, see the quickstart [Create and run a load test](./quickstart-create-and-run-load-test.md).

+## Add a schedule to a test

+1. In the Azure portal, navigate to your load testing resource.

+2. In the left pane, select **Tests**.

+3. Select the test you want to schedule.

+4. In the Schedule pane, select **Add schedule**.

+5. In the Add schedule pane, configure the following settings:

+ | Field | Details |

+ |-||

+ | **Schedule Name** | Enter a name for the schedule. |

+ | **Start date** | Select the date and time when the test should start. |

+ | **Time zone** | Select the time zone for the start date time provided. |

+ | **Recurrence** | Select the frequency at which the test should run. You can choose to run the test once, hourly, daily, weekly, or monthly. Choose cron to specify a custom recurrence pattern. Refer to more settings for each recurrence in the following tables. |

+ | **End**| Select how you want the schedule to end. You can choose to end the schedule after some occurrences or on a specific date. Alternatively, you can choose not to end the schedule. |

+ For an hourly recurrence, configure the following settings:

+ | Field | Details |

+ |-||

+ | **Every** | Enter the number of hours between each test run. For example if you provide six, the schedule runs every six hours at the time specified in start time. |

+ For a daily recurrence, configure the following settings:

+ | Field | Details |

+ |-||

+ | **Every** | Enter the number of days between each test run. For example if you provide two, the schedule runs every two days at the time specified in start time. |

+ For a weekly recurrence, configure the following settings:

+ | Field | Details |

+ |-||

+ | **Every** | Enter the number of weeks between each test run. |

+ | **Days** | Select the days of the week when the test should run. If you provided two weeks and selected Monday, the schedule starts on the Monday after the start date and runs every two weeks at the time specified in start time. |

+ For a monthly recurrence, configure the following settings:

+ | Field | Details |

+ |-||

+ | **Every** | Enter the number of months between each test run. |

+ | **Pattern** | Select the pattern for the test to run. You can choose **Date** to run the test on a specific date of the month, for example, on every 10th of the month. You can choose **Day** to run the test on a specific day of the week, for example, on the first Friday of the month. |

+ For a cron recurrence, configure the following settings:

+

+ | Field | Details |

+ |-||

+ | **Cron expression** | Enter a cron expression to specify the recurrence pattern. For example, `0 0 12 1/1 * ? *` runs the test every day at 12:00 PM. |

+6. Select **Add** to add the schedule to the test.

+> [!NOTE]

+> If a scheduled test run is in progress when the next scheduled run is due, the next run is skipped. The next run will be scheduled for the next recurrence time.

+## View schedules

+You can view the schedule in the Schedule pane of the test. The schedule shows the next run time and the status of the schedule. You can have only one schedule in an active, paused, or disabled state. You can add another schedule after the current schedule is completed or deleted.

+You can view the trigger for a test run in the **Test runs** grid of the test. The trigger shows as Scheduled for a scheduled test run. You can filter the test runs grid to view only the scheduled test runs.

+## Modify a schedule

+You can modify the schedule of a test after adding it. You can also pause or resume a schedule.

+> [!NOTE]

+> A schedule is disabled if three consecutive test runs of a schedule fail. You can resolve the issues with the test and enable the schedule again from the Schedule pane of the test.

+## Next steps

+Advance to the next article to learn how to identify performance regressions by defining test fail criteria and comparing test runs.

+- [Tutorial: automate regression tests](./quickstart-add-load-test-cicd.md)

+- [Define test fail criteria](./how-to-define-test-criteria.md)

+- [View performance trends over time](./how-to-compare-multiple-test-runs.md)

+1. If your Standard logic app uses the hosting option named **Workflow Service Plan**, enable runtime scale monitoring:

+ > [!NOTE]

+ >

+ > If your logic app uses the App Service Environment (ASE) v3 hosting option, skip

+ > the steps for runtime scale monitoring because ASE doesn't support this capability.

+ Title: Questions about importing data

+description: Get answers to common questions about importing RVTools XLSX into Azure migrate

+# Import VMware servers using RVTools XLSX - Common questions

+This article answers common questions about importing servers running in your VMware environment using RVTools XLSX.

+### Which sheets and columns are required to import data into Azure Migrate?

+The following sheets and columns are necessary for importing all data:

+**Sheet** | **Columns**

+ |

+**vInfo** | VM, Powerstate, CPUs, Memory, Provisioned MiB, In use MiB, OS according to the configuration file, VM UUID

+**vPartition** | VM, VM UUID, Capacity MiB, Consumed MiB

+**vMemory** | VM, VM UUID, Size MiB, Reservation

+

+### Will the data import fail if I donΓÇÖt have vPartition and vMemory sheets?

+Storage sizing is captured using data from the vPartition and vMemory sheets. If these sheets aren't available, it is taken from the vInfo sheet and this data might be inaccurate.

+### My RVTools XLSX import keeps failing. What do I need to do?

+Ensure the following:

+- There are no manual edits in the RVTools export file. If there are edits, remove them or export a fresh file for importing into Azure Migrate.

+- The imported file is set to be readable. Set the file sensitivity to **General** as file sensitivity labels might prevent Azure Migrate from reading the file successfully.

+## Next steps

+[Learn more](how-to-create-assessment.md) about creating an assessment.

+

+ **Network Requirements** | Access to the following endpoints: <br/><br/> *.docker.io <br/></br> *.docker.com <br/><br/>api.snapcraft.io <br/><br/> https://dc.services.visualstudio.com/v2/track <br/><br/> [Azure Arc-enabled Kubernetes network requirements](/azure/azure-arc/kubernetes/network-requirements) <br/><br/>[Azure CLI endpoints for proxy bypass](/cli/azure/azure-cli-endpoints)

+- The XLSX file should contain the vInfo, vPartition & vMemory sheets. The columns in these sheets are as follows:

+ - **vInfo** - VM, Powerstate, CPUs, Memory, Provisioned MiB, In use MiB, OS according to the configuration file, VM UUID.

+ - **vPartition** - VM, VM UUID, Capacity MiB, Consumed MiB.

+ - **vMemory** - VM, VM UUID, Size MiB, Reservation.

+## Update (October 2024)

+The RVTools XLSX (preview) file import now reads storage data, when available, from vPartition and vMemory (for storage required for unreserved memory) sheets. [Learn more](vmware/tutorial-import-vmware-using-rvtools-xlsx.md#prerequisites).

+Set-AzVMExtension -ResourceGroupName "myResourceGroup1" -Location "WestUS" -VMName "myVM1" -Name "AzureNetworkWatcherExtension" -Publisher "Microsoft.Azure.NetworkWatcher" -Type "NetworkWatcherAgentWindows" -ForceRerun "True"

+- PowerShell 7 installed on your machine. For more information, see [Install PowerShell on Windows, Linux, and macOS](/powershell/scripting/install/installing-powershell). This article requires the Az PowerShell module. For more information, see [How to install Azure PowerShell](/powershell/azure/install-azure-powershell). To find the installed version, run `Get-Module -ListAvailable Az`.

+In situations where a shared file system is required, the *nexus-shared* storage class is available. This storage class provides a highly available shared storage solution by enabling multiple pods in the same Nexus Kubernetes cluster to concurrently access and share the same volume. The *nexus-shared* storage class is backed by a highly available NFS storage service. This NFS storage service (storage pool currently limited to a maximum size of 1 TiB) is available per Cloud Service Network (CSN). The NFS storage service is deployed automatically on creation of a CSN resource. Any Nexus Kubernetes cluster attached to the CSN can provision persistent volumes from this shared storage pool. Nexus-shared supports both Read Write Once (RWO) and Read Write Many (RWX) access modes. What that means is that the workload applications can make use of either of these access modes to access the shared storage.

+In Read Write Once (RWO) mode, only one node or claimant can mount the nexus-shared volume at a time. ReadWriteOnce access mode still allows multiple pods to access the volume when the pods are running on the same node.

+In the Read Write Many (RWX) mode, multiple nodes or claimants can mount the nexus-shared volume at the same time.

+This example manifest creates a StatefulSet with PersistentVolumeClaimTemplate using nexus-volume storage class in ReadWriteOnce mode.

+Each pod of the StatefulSet has one PersistentVolumeClaim created.

+Once applied, there are three replicas of the deployment sharing the same PVC.

+## Volume size limits and capacity management

+PVCs created using the nexus-volume and nexus-shared have minimum and maximum claim sizes.

+| Storage Class | Minimum PVC Size | Maximum PVC Size |

+||||

+| nexus-volume | 1 MiB | 12 TiB |

+| nexus-shared | None | 1 TiB |

+> [!IMPORTANT]

+> Volumes that reach their consumption limit will cause out of disk space errors on the workloads that consume them. You must make sure that you provision suitable volume sizes for your workload requirements. You must monitor both the storage appliance and all NFS servers for their percentage storage consumption. You can do this using the metrics documented in the [list of available metrics](./list-of-metrics-collected.md).

+- Both nexus-volume and nexus-shared PVCs have their requested storage capacity enforced as a consumption limit. A volume can't consume more storage than the associated PVC request.

+- All physical volumes are thin-provisioned. You must monitor the total storage consumption on your storage appliance and perform maintenance operations to free up storage space if necessary.

+- A nexus-volume PVC provisioning request fails if the requested size is less than the minimum or more than the maximum supported volume size.

+- Nexus-shared volumes are logically thin-provisioned on the backing NFS server. This NFS server has a fixed capacity of 1 TiB.

+ - A nexus-shared PVC can be provisioned despite requesting more than 1 TiB of storage, however, only 1 TiB can be consumed.

+ - It is possible to provision a set of PVCs where the sum of capacity requests is greater than 1 TiB. However, the consumption limit of 1 TiB applies; the set of associated PVs may not consume more than 1 TiB of storage.

+| nexus-shared volumes have their capacity attribute enforced as a volume size limit | Beginning from v1.27.13-3, v1.27.9-5, v1.28.11-4, v1.28.12-3, v1.29.6-4, v1.29.7-3, v1.30.3-1 | |

+This document is updated periodically with planned dates of the new Kubernetes versions.

+ Title: FAQ for Oracle Database@Azure

+description: Learn answers to frequently asked questions about Oracle Database@Azure.

+# FAQ for Oracle Database@Azure

+In this article, get answers to frequently asked questions about Oracle Database@Azure.

+This section answers general questions about Oracle Database@Azure.

+Oracle Database@Azure is enabled by hosting the Oracle Cloud Infrastructure (OCI) in Azure. In Oracle Database@Azure, OCI is natively integrated with Azure to offer low-latency, high-bandwidth connectivity from your mission-critical database tier to your application tier and other services in Azure. Enterprise-critical features like Oracle Real Application Clusters (Oracle RAC), Oracle Data Guard, Oracle GoldenGate, managed backups, self-managed Oracle Recovery Manager (RMAN) backups, Oracle Zero Downtime Migration (Oracle ZDM), on-premises connectivity, and seamless integration with other Azure services are supported. For more information, see the [overview of Oracle Database@Azure](/azure/oracle/oracle-db/database-overview).

+### How is Oracle Database@Azure different from OCI Interconnect and Oracle on Azure virtual machines?

+- Oracle Database@Azure: Oracle Database@Azure (Oracle Database Service for Azure) is hosted on the OCI infrastructure in Azure datacenters. You can host your mission-critical Oracle databases closer to your application tier hosted in Azure. Azure virtual network integration with subnet delegation enables private IP addresses from customer virtual networks to serve as database endpoints. This solution is Oracle-managed and a supported service in Azure.

+- Oracle on Azure virtual machines (VMs): You can also deploy and self-manage your Oracle workloads on Azure VMs. Specifically, workloads that don't require features like Oracle RAC, Exadata Smart Scan, or Exadata performance are best suited for this operation.

+- OCI Interconnect: OCI Interconnect is used to connect your Oracle deployments in OCI with applications and services in Azure via OCI FastConnect and Azure ExpressRoute. This configuration typically suits workloads and solutions that can work with the high-latency envelope and which have dependency on services, features, and functionalities that run in both clouds.

+### Is Oracle Database@Azure available on a dedicated infrastructure or is it available only as a shared service? What is the isolation level?

+Two services are offered as part of Oracle Database@Azure:

+- Oracle Exadata Database on a dedicated infrastructure runs on a dedicated Exadata infrastructure in Azure. You get dedicated Oracle CPUs (OCPUs) and storage. Isolation is at the node level.

+- Oracle Autonomous Database is the other Oracle Database service offered at Azure. Autonomous Database is on a shared Exadata infrastructure.

+### What Oracle database versions are supported on Oracle Database@Azure?

+Oracle versions supported on Oracle Cloud Infrastructure (OCI) are supported on Oracle Database@Azure. These versions include 11g to 19c, similar to Exadata Cloud Service in OCI. Versions earlier than 19c need upgrade support. For more information, see [Oracle Database releases that support direct upgrade](https://docs.oracle.com/en/database/oracle/oracle-database/18/upgrd/oracle-database-releases-that-support-direct-upgrade.html).

+### Do you have any documented latency benchmark between Azure resources and Oracle Database@Azure?

+Latency between Azure resources and Oracle Database@Azure is within the Azure regional latency envelope because the Exadata infrastructure is inside Azure datacenters. Latency can be further fine-tuned dependent on colocation within availability zones. For more information, see [What are availability zones?](/azure/reliability/availability-zones-overview?tabs=azure-cli).

+### Does Oracle Database@Azure support deploying Oracle Base Database, or do I need to migrate to the Autonomous Database service?

+No, Base Database isn't currently supported with Oracle Database@Azure. You can deploy single-instance, self-managed databases on Azure VMs. If you need Oracle-managed databases with Oracle RAC, we recommend that you use Autonomous Database via Oracle Database@Azure. For more information, see [Autonomous Database](https://www.oracle.com/cloud/azure/oracle-database-at-azure/) and [Provision Oracle Autonomous Database](provision-autonomous-oracle-databases.md).

+### For the Oracle Database@Azure service, does automated disaster recovery use the Azure backbone or the OCI backbone?

+Business continuity and disaster recovery (BCDR) are enabled by using the OCI managed offering (Backup and Data Guard). BCDR uses the Azure/OCI backbone.

+Oracle Database@Azure currently runs on Oracle Exadata X9M hardware and provides a configuration of a minimum of 2 database servers and 3 storage servers. This configuration is called *quarter-rack*. This configuration can be increased to a limit of 32 database servers and 64 storage servers. You can scale up and scale down as needed within the Oracle Exadata system depending on your SKU. For more information about configurations, see [Oracle Exadata Database service on a dedicated infrastructure](https://docs.oracle.com/iaas/exadatacloud/exacs/exa-service-desc.html#ECSCM-GUID-EC1A62C6-DDA1-4F39-B28C-E5091A205DD3). For details, see the [Oracle Exadata Cloud Infrastructure X9M data sheet](https://www.oracle.com/a/ocom/docs/engineered-systems/exadata/exadata-cloud-infrastructure-x9m-ds.pdf).

+### What Oracle applications can run on Azure?

+Various Oracle applications are authorized and supported to run on Azure. For more information, see [Oracle programs eligible for authorized cloud environments](https://www.oracle.com/us/corporate/pricing/authorized-cloud-environments-3493562.pdf).

+### What service-level agreements are available?

+For detailed service-level agreements (SLAs), see [Oracle PaaS and IaaS public cloud services pillars](https://www.oracle.com/contracts/docs/paas_iaas_pub_cld_srvs_pillar_4021422.pdf?download=false).

+## Billing and commerce

+This section includes questions related to billing and commerce for Oracle Database@Azure.

+### How much does Oracle Database@Azure cost?

+Oracle Database@Azure is at parity with the Exadata Cloud costs in OCI. For prices, see the [OCI cloud cost estimator](https://www.oracle.com/cloud/costestimator.html). For specific costs for your scenario and environment, contact your Oracle sales team.

+### Is Oracle Database@Azure eligible for Microsoft Azure Commit to Consume benefits?

+Yes, the Oracle Database@Azure offering is Azure eligible for benefits and therefore eligible for Microsoft Azure Commit to Consume (MACC) decrement.

+### What licensing options are available to deploy Oracle databases by using Oracle Database@Azure?

+You can bring your own license (BYOL) or provision a license that's included with Oracle databases in Oracle Database@Azure.

+### Can I purchase Oracle Database@Azure even if the service isn't available in my region?

+You can purchase the Oracle Database@Azure at any time because it's generally available in multiple regions. However, you can deploy the service in a region only after the service is supported in that region.

+### For Oracle Database@Azure, will automated Oracle Database DBCS disaster recovery incur charges from Azure?

+BCDR for double-byte character set (DBCS) by using the OCI-managed offering (Oracle Backup and Oracle Data Guard) doesn't incur any more charges from Azure.

+### Does ingress and egress incur any charges for the Oracle Database@Azure service?

+Ingress and egress for managed services occurs via the Azure/OCI backbone and doesn't incur charges. Virtual network traffic is charged at the current price.

+## Onboarding, provisioning, and migrating

+This section includes questions related to onboarding, provisioning, and migrating to Oracle Database@Azure.

+### Can a CSP or an outsourcer use Oracle Database@Azure?

+No. Oracle Database@Azure doesn't support cloud service providers (CSPs), Outsourcer Channel Agreement (OCAs), or multi-party private offers (MPPOs).

+### To set up Oracle Database@Azure, what role assignments does the Azure user need?

+For a list of role assignments, see [Groups and roles for Oracle Database@Azure](/azure/oracle/oracle-db/oracle-database-groups-roles).

+### Can you describe the authentication and authorization standards that Oracle Database@Azure supports?

+Oracle Database@Azure is based on Security Assertion Markup Language (SAML) and OpenID standards. OCI Identity and Access Management (IAM) can be federated with Microsoft Entra ID or with other identity providers for OCI Console access for Oracle database users.

+To plan and deploy your Oracle workloads with Oracle Database@Azure, see the [landing zone architecture documentation](/azure/cloud-adoption-framework/scenarios/oracle-iaas/?wt.mc_id=knwlserapi_inproduct_azportal#landing-zone-architecture-for-oracle-databaseazure).

+### Does Azure have any tools to assist with understanding Oracle database sizing, license usage, and total cost of ownership for both Oracle Database@Azure and Oracle Cloud infrastructure as a service (IaaS)?

+For Oracle Database@Azure, sizing is managed by Oracle. For more information about sizing, contact your Oracle representative.

+For Oracle Database on Azure VMs, we currently offer the Oracle Migration Assistance Tool (OMAT). For more information, contact your Microsoft representative.

+### What tools can I use for database migration? Could you share other details about licensing and charges for these tools?

+Multiple tools are available from Oracle, including Oracle ZDM, Oracle Data Guard, Oracle Data Pump, and Oracle GoldenGate. For more information, see [Migrate Oracle workloads to Azure](/azure/cloud-adoption-framework/scenarios/oracle-iaas/oracle-migration-planning?wt.mc_id=knwlserapi_inproduct_azportal#migrate-oracle-workloads-to-azure). For commercial accounts, contact your Oracle representative.

+### If I use Oracle GoldenGate to migrate, do I need to purchase a GoldenGate license?

+Yes. Note that a GoldenGate license isn't included in a private offer. Discuss with your Oracle representative how to enable this service with Oracle Database@Azure.

+This section includes questions related to networking for Oracle Database@Azure.

+We support a comprehensive list of connectivity patterns and network features for Oracle Database@Azure. The list evolves as we continuously release new features and capabilities. For more information, see [Network planning for Oracle Database@Azure](oracle-database-network-plan.md).

+### How does Data Guard route traffic between availability zones in the same Azure region work?

+You can configure an Oracle Data Guard network path when you set up your deployment. You can configure *cross-zone* Data Guard traffic to traverse only the Azure backbone. However, *cross-region* traffic must traverse the Azure and OCI network backbones.

+None. The OCI connection is primarily used for the OCI control plane to manage the service. There's no impact on your application-to-database latencies or on any data-plane latencies.

+### How do I achieve low latencies between my application tier and my database tier?

+For the lowest possible latencies, you can deploy your application and database in the same virtual network or in peered virtual networks in the same region and availability zone.

+This section includes questions related to management for Oracle Database@Azure.

+Oracle manages and hosts the data on OCI hosted in Azure datacenters. Your data resides in the provisioned Oracle Exadata infrastructure in Azure, and within the Azure Virtual Network boundary.

+If you enable backup to Azure, the data resides in the respective Azure storage, such as Azure NetApp Files and Azure Blob Storage.

+We ensure compliance with both companiesΓÇÖ data privacy and compliance policies through physical isolation of systems in Azure datacenters and through enforced access assignment policies. For more information about compliance, see [Overview of Oracle Database@Azure](database-overview.md) and [Oracle Cloud compliance](https://docs.oracle.com/iaas/Content/multicloud/compliance.htm).

+Data is encrypted at rest. All traffic between sites, including to the Oracle Database@Azure infrastructure, is encrypted.

+### Can I use Azure Monitor with Oracle Database@Azure?

+Yes. Metrics are published for the Oracle Exadata infrastructure, for VM clusters, and for Oracle databases. The database metrics are listed under VM metrics. You can create custom dashboards for Azure Monitor to use with your application monitoring for a unified view.

+Automated and managed backups to OCI object storage and self-managed backups by using Oracle Database Autonomous Recovery Service to Azure NetApp Files.

+### Is there a way to connect to SAN storage, and is this connection supported?

+Oracle Database@Azure provides customers with dedicated Oracle Exadata compute and storage within the Exadata infrastructure. You also can attach Azure NetApp Files volumes to the VMs on VM clusters.

+### Can we use a hardware security module (HSM) in Azure or an external HSM to encrypt databases? How do customer-managed database keys work?

+You can manage keys by using Oracle Key Vault. Integration with Microsoft offerings like Azure Dedicated HSM and Microsoft Sentinel are on the roadmap.

+Oracle Automatic Storage Management (Oracle ASM) is the default and only storage management system that's supported on Oracle Exadata systems. Only NORMAL (protection against single disk or an entire storage server failure) and HIGH redundancy (protection against two simultaneous partner disk failures from two distinct storage servers) levels are supported on Oracle Exadata systems. For more information, see [Oracle ASM considerations

+for Oracle Exadata deployments, on-premises and cloud](https://www.oracle.com/docs/tech/database/maa-exadata-asm-cloud.pdf).

+### Is tiering storage available for the database in Oracle Database@Azure?

+Tiering storage service is available for Oracle Database@Azure. The Oracle Exadata storage servers provide three levels of tiering: PMem, NVME Flash, and HDD. Compression and partitioning are recommended as part of a storage tiering design. For more information, see the [Oracle Exadata Cloud Infrastructure X9M data sheet](https://www.oracle.com/a/ocom/docs/engineered-systems/exadata/exadata-cloud-infrastructure-x9m-ds.pdf).

+### Where can I get more information about capabilities and features in Oracle Database@Azure?

+For more information about Oracle Database@Azure, see the following resources:

+- [Overview of Oracle Database@Azure](/azure/oracle/oracle-db/database-overview)

+- [Provision and manage Oracle Database@Azure](https://docs.oracle.com/iaas/Content/multicloud/oaaonboard.htm)

+- [Support for Oracle Database@Azure](https://mylearn.oracle.com/ou/course/oracle-databaseazure-deep-dive/135849)

+description: Learn how to link your Oracle Database@Azure resources to multiple Azure subscriptions.

+In this article, learn how to link your Oracle Database@Azure resources to multiple Azure subscriptions.

+You can use Oracle Database@Azure resources in multiple [Azure subscriptions](/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources) within a single Azure account. You can isolate projects, environments, and application domains for security and cost allocation while maintaining a single Azure account for simplified billing and account management. When you use two or more Azure subscriptions with Oracle Database@Azure, all Azure subscriptions are linked to the Oracle Cloud Infrastructure (OCI) tenancy that you use to onboard the service instance.

+- Oracle Database@Azure is onboarded before you link Azure subscriptions to the service instance.

+ For more information, see [Onboard Oracle Database@Azure](onboard-oracle-database.md).

+- The following resource providers are added to the subscription that you add to the service instance:

+ - Oracle.Database

+ - Microsoft.BareMetal

+ - Microsoft.Network

+ - Microsoft.Compute

+ You can't provision Oracle Database@Azure resources until these Azure resource providers are registered for the subscription you add.

+ To add a resource provider to a subscription:

+

+ 1. In the Azure portal, go to the Azure subscription that you want to add.

+ 1. In the service menu under **Settings**, select **Resource providers**.

+ 1. In the list of providers, select the resource provider, and then select **Register**.

+## Use multiple Azure subscriptions with Oracle Database@Azure

+When you onboard Oracle Database@Azure, you select an Azure subscription to initially use with the service instance. In Azure documentation, the subscription you select when you onboard Oracle Database@Azure is called the *primary subscription*.

+When onboarding is complete and your Azure account is linked to your OCI tenancy, a new [compartment](https://docs.oracle.com/iaas/Content/Identity/compartments/managingcompartments.htm) is automatically created for the service instance. When you add an Azure subscription to your Oracle Database@Azure service instance, the service automatically creates a child compartment in the main Oracle Database@Azure compartment that was created in the onboarding process. No manual configuration of your OCI tenancy is required to add more Azure subscriptions.

+> [!IMPORTANT]

+> When you add another Azure subscription to your Oracle Database@Azure service instance, the new subscription must use the same billing account as the Azure primary subscription.

+After you add a new Azure subscription to the Oracle Database@Azure service instance, you can begin provisioning database resources in that subscription. For database systems that have more than one component (for example, an Oracle Exadata system with an infrastructure resource and a virtual machine cluster resource), all components must be provisioned in the same subscription. When a user works in an Azure subscription, they can view only the Oracle Database@Azure resources that are provisioned in that subscription. Database resources that are provisioned in other subscriptions aren't visible to the user.

+## Add an Azure subscription to your Oracle Database@Azure instance

+1. In the Azure portal, go to the details pane of your primary subscription for Oracle Database@Azure (the subscription you selected during onboarding).

+ For more information, see [Filter and view subscriptions](/azure/cost-management-billing/manage/filter-view-subscriptions). If you don't know the name of the subscription, contact your Azure account administrator.

+1. Select **Add subscriptions**.

+1. On the **Add Azure subscriptions** pane, select one or more Azure subscriptions to add to your service instance, and then select **Add**.

+1. On the details pane for the Oracle Database@Azure primary subscription, under **Account management**, the number of active subscriptions for the service instance appears. When the subscription that you added is ready to use with the Oracle Database@Azure instance resources, a status of **Validated** for the subscription is shown.

+ Title: "Onboard Oracle Database@Azure"

+description: Learn about purchase and configuration steps to onboard Oracle Database@Azure.

+# Onboard Oracle Database@Azure

+In this article, learn about purchase and configuration (*onboarding*) steps for Oracle Database@Azure.

+You complete most onboarding tasks only once, when you create your Oracle Database@Azure deployment. After you complete the onboarding tasks, you can begin provisioning and using Oracle database resources in your Azure environment.

+## Purchase options for Oracle Database@Azure

+The set of onboarding tasks you complete depends on the type of offer you purchase (pay-as-you-go or a private offer) and the database products you plan to use (Oracle Autonomous Database or Oracle Exadata). For more information about the differences between a pay-as-you-go offer and a private offer, see [Purchase Oracle Database@Azure](https://docs.oracle.com/iaas/Content/database-at-azure/getting-started.htm#oaa_purchasing).

+Most Oracle Database@Azure onboarding tasks apply to all deployments. If a task is based on an offer type or on the Oracle database product you choose, specific requirements for that scenario are identified in the Azure documentation.

+When you set up an instance of Oracle Database@Azure, you use both the Azure portal and the Oracle Cloud Infrastructure (OCI) console.

+## Steps to onboard Oracle Database@Azure

+1. [Prerequisites](https://docs.oracle.com/iaas/Content/database-at-azure/getting-started.htm#oaa_prerequisites)

+1. [Accept a private offer](https://docs.oracle.com/iaas/Content/database-at-azure/oaaonboard-task-2.htm#oaaonboard_task_2) (private offer purchases only)

+1. [Purchase an offer](https://docs.oracle.com/iaas/Content/database-at-azure/oaaonboard-task-3.htm#oaaonboard_task_3)

+1. [Link an OCI account](https://docs.oracle.com/iaas/Content/database-at-azure/oaaonboard-task-4.htm#oaaonboard_task_4)

+1. [Register with My Oracle Support](https://docs.oracle.com/iaas/Content/database-at-azure/oaaonboard-task-5.htm)

+1. [Find Azure availability zone mapping](https://docs.oracle.com/iaas/Content/database-at-azure/oaaonboard-task-6.htm#oaaonboard_task_6) (optional)

+1. [Set up role-based access control](https://docs.oracle.com/iaas/Content/database-at-azure/oaaonboard-task-7.htm#oaaonboard_task_7)

+1. [Set up an identity federation](https://docs.oracle.com/iaas/Content/database-at-azure/oaaonboard-task-8.htm#oaaonboard_task_8) (optional)

+description: Learn about Oracle Cloud Infrastructure (OCI) multicloud Oracle Autonomous Database landing zones for Azure.

+Oracle partnered with Microsoft to develop and distribute HashiCorp Terraform/OpenTofu modules to streamline the process of provisioning Oracle Cloud Infrastructure (OCI) in Azure.

+The OCI multicloud landing zone for Azure and Azure Verified Modules for Terraform give you a set of templates that help you provision Oracle Database@Azure. The Terraform/OpenTofu modules use four Terraform providers: AzureRM, AzureAD, AzAPI, and OCI. Together, they cover identity and access management (IAM), networking, and database layer resources. Apply these reference implementations for a quickstart deployment, or customize them for a more complex topology fit to your needs.

+The following figure illustrates where Terraform or OpenTofu can be introduced to streamline the processes of identity, access, networking, and provisioning in Oracle Database@Azure.

+- Steps 1 and 2 completed in [Onboard Oracle Database@Azure](https://docs.oracle.com/iaas/Content/multicloud/oaaonboard.htm), minimum

+- Terraform/OpenTofu, the OCI CLI, the Azure CLI, and Python (version 3.4 or later) installed in your environment

+For more information, see [Oracle multicloud landing zone for Azure](https://github.com/oracle-quickstart/terraform-oci-multicloud-azure?tab=readme-ov-file#prerequisites) on GitHub.

+The [multicloud landing zone for Azure](https://github.com/oracle-quickstart/terraform-oci-multicloud-azure) modules and templates use multiple Terraform providers. The following table lists dependencies:

+| Terraform/OpenTofu providers | Terraform/OpenTofu modules |

+| [AzAPI](/azure/developer/terraform/overview-azapi-provider) | [OCI landing zone modules](https://github.com/oci-landing-zones/) |

+The following table describes Oracle multicloud landing zone for Azure templates.

+For more information about modules, see [Oracle multicloud landing zone for Azure](https://github.com/oracle-quickstart/terraform-oci-multicloud-azure).

+| Template | Use case and configurations | Terraform/OpenTofu providers |

+| [az-oci-adbs](https://github.com/oracle-quickstart/terraform-oci-multicloud-azure/tree/main/templates/az-oci-adbs) | **Quickstart Oracle Autonomous Database** | [hashicorp/azurerm](https://registry.terraform.io/providers/hashicorp/azurerm) |

+| | - Configure an Azure virtual network with [delegated subnet limits](https://docs.oracle.com/iaas/Content/database-at-azure/oaa-delegated-subnets-limits.htm) | [azure/api](https://registry.terraform.io/providers/Azure/azapi) |

+| | - [Provision Autonomous Database](oracle-database-provision-autonomous-database.md) | |

+| [az-oci-rbac-n-sso-fed](https://github.com/oracle-quickstart/terraform-oci-multicloud-azure/tree/main/templates/az-oci-rbac-n-sso-fed) | Set up identity federation and role-based access control (RBAC) roles and groups | All the following scenarios: |

+| [az-oci-sso-federation](https://github.com/oracle-quickstart/terraform-oci-multicloud-azure/tree/main/templates/az-oci-sso-federation) | Set up [SSO between OCI and Microsoft Entra ID](https://docs.oracle.com/iaas/Content/Identity/tutorials/azure_ad/sso_azure/azure_sso.htm) | [hashicorp/azuread](https://registry.terraform.io/providers/hashicorp/azuread/) |

+| | - Get service provider metadata from OCI IAM | [hashicorp/azurerm](https://registry.terraform.io/providers/hashicorp/azurerm) |

+| | - Create a Microsoft Entra ID application | [hashicorp/oci](https://registry.terraform.io/providers/hashicorp/oci) |

+| | - Set up Security Assertion Markup Language (SAML) single sign-on (SSO) for a Microsoft Entra ID application | |

+| | - Set up attributes and claims in a Microsoft Entra ID application | |

+| | - Assign a test user to a Microsoft Entra ID application | |

+| | - Enable a Microsoft Entra ID application as the identity provider (IdP) for OCI IAM | |

+| | - Set up [identity lifecycle management between OCI IAM and Microsoft Entra ID](https://docs.oracle.com/iaas/Content/Identity/tutorials/azure_ad/lifecycle_azure/azure_lifecycle.htm#azure-lifecycle) | |

+| [az-odb-rbac](https://github.com/oracle-quickstart/terraform-oci-multicloud-azure/tree/main/templates/az-odb-rbac) | Create [roles and groups in Azure](https://docs.oracle.com/iaas/Content/multicloud/oaagroupsroles.htm) for Oracle Exadata and Oracle Autonomous Database | [hashicorp/azuread](https://registry.terraform.io/providers/hashicorp/azuread/) |

+| | - Create an Azure role definition for the ADBS Administrator role | [hashicorp/azurerm](https://registry.terraform.io/providers/hashicorp/azurerm) |

+| | - Create an Azure resource group | |

+| | - Create an Azure role assignment | |

+## Related content

+- [Quickstart: Oracle Database@Azure with Terraform or OpenTofu modules](https://docs.oracle.com/learn/dbazure-terraform/https://docsupdatetracker.net/index.html)

+- [Set up OCI Terraform](https://docs.oracle.com/iaas/developer-tutorials/tutorials/tf-provider/01-summary.htm)

+- [Import OCI resources into a Terraform state file](https://docs.oracle.com/learn/terraform-statefile-oci-resources/https://docsupdatetracker.net/index.html)

+- [Azure Verified Modules for a virtual network](https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork)

+- [Quickstart: Install and configure Terraform for Azure](/azure/developer/terraform/quickstart-configure)

+- [Authenticate Terraform to Azure](/azure/developer/terraform/authenticate-to-azure)

+ Title: Oracle Autonomous Database in Oracle Database@Azure

+description: Learn about Oracle Autonomous Database in Oracle Database@Azure.

+# Oracle Autonomous Database in Oracle Database@Azure

+Oracle Database@Azure provides you with a seamless integration of Oracle Autonomous Database resources within your Azure cloud environment.

+You access your instance of Oracle Database@Azure through the Azure portal. Then, you create and manage Oracle Autonomous Database resources in the Azure portal. For more Oracle Autonomous Database functionality, you have direct access to the Oracle Cloud Infrastructure (OCI) portal.

+Oracle Database@Azure has different IP address requirements than Oracle Cloud Infrastructure (OCI). Oracle Database@Azure reserves 13 IP addresses for the client subnet versus 3 for OCI requirements.

+For more information about Oracle Autonomous Database beyond implementation and use within Oracle Database@Azure, see [Using Oracle Autonomous Database Serverless](https://docs.oracle.com/en/cloud/paas/autonomous-database/serverless/adbsb/https://docsupdatetracker.net/index.html).

+The following articles describe how to create and manage tasks associated with Oracle Autonomous Database in Oracle Database@Azure:

+* [What's new in Oracle Autonomous Database](oracle-database-whats-new-autonomous-database-services.md)

+* [Provision an instance of Autonomous Database](oracle-database-provision-autonomous-database.md)

+* [Manage Autonomous Database resources](provision-manage-oracle-resources.md)

+* [Terraform/OpenTofu examples for Autonomous Database](oracle-database-examples-autonomous-database-services.md)

+* [Troubleshoot Autonomous Database](oracle-database-troubleshoot-autonomous-database-services.md)

+ Title: Compliance information for Oracle Database@Azure

+description: Learn about compliance and service management in Oracle Database@Azure.

+# Compliance information for Oracle Database@Azure

+In this article, learn about compliance certifications and service management responsibilities in Oracle Database@Azure.

+Oracle Database@Azure is a database service that runs Oracle database workloads in a customer's Azure environment. Oracle Cloud Infrastructure (OCI) offers several Oracle Cloud Database services through a customer's Azure environment. You can monitor database metrics, audit logs, events, logging data, and telemetry natively in Azure. The service runs on infrastructure that's managed by the Cloud Infrastructure operations team at Oracle. The Oracle operations team manages software patching, infrastructure updates, and other operations through a connection to OCI. Although the service requires that customers have an OCI tenancy, most service activities take place in the Azure environment.

+All infrastructure for Oracle Database@Azure is colocated in Azure physical datacenters, uses Azure Virtual Network for networking, and is managed in the Azure environment. Federated identity and access management are provided by Microsoft Entra ID.

+## Related content

+- [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)

+- [Oracle Cloud compliance](https://www.oracle.com/corporate/cloud-compliance/)

+- [Oracle and Microsoft support for Oracle Database@Azure](oracle-database-support.md)

+description: Learn about Terraform/OpenTofu examples for Oracle Database@Azure.

+# Terraform/OpenTofu examples for Oracle Database@Azure

+You can use Terraform by HashiCorp to provision and manage resources for Oracle Database@Azure. Terraform offers the AzAPI provider as a tool to provision and manage infrastructure in Oracle Cloud Infrastructure (OCI).

+For more information on reference implementations for Terraform or OpenTofu modules, see the following resources:

+* [Quickstart Oracle Database@Azure by using Terraform or OpenTofu modules](https://docs.oracle.com/en/learn/dbazure-terraform/https://docsupdatetracker.net/index.html)

+* [OCI landing zones](https://github.com/oci-landing-zones/)

+> [!NOTE]

+> This article provides example code to demonstrate provisioning and managing Oracle Database@Azure resources by using the Terraform provider AzAPI. For detailed AzAPI provider resources and data sources documentation, see [AzAPI provider](https://registry.terraform.io/providers/Azure/azapi/latest/docs) in the Terraform registry.

+The samples use example values for illustration. Replace the placeholder example values with values from your scenario.

+The samples use [AzAPI dynamic properties](https://techcommunity.microsoft.com/t5/azure-tools-blog/announcing-azapi-dynamic-properties/ba-p/4121855) instead of JSONEncode for more native Terraform behavior.

+## Create a delegated subnet for Oracle Database@Azure

+```terraform

+resource "azurerm_resource_group" "resource_group" {

+## Create an instance of Oracle Exadata Database@Azure

+```terraform

+{

+```

+description: Learn how to get started with using Oracle Database@Azure.

+In this article, learn how to purchase and start using Oracle Database@Azure.

+Oracle Database@Azure is an Oracle database service that runs on Oracle Cloud Infrastructure (OCI) and is colocated in Azure datacenters at Microsoft. Colocation ensures that the Oracle Database@Azure service has the fastest possible access to Azure resources and applications.

+Oracle Database@Azure runs on infrastructure that's managed by the expert Cloud Infrastructure operations team at Oracle. The operations team manages software patching, infrastructure updates, and other operations through a connection to OCI. Although the service requires that customers have an OCI tenancy, most service activities take place in the Azure environment.

+To purchase Oracle Database@Azure, contact the Oracle sales team or your Oracle sales representative for a sale offer. Oracle Sales creates an Azure private offer in Azure Marketplace for your instance of the service. After an offer is created for your organization, you can accept the offer and complete the purchase in the marketplace in the Azure portal. For more information about Azure private offers, see [Overview of the commercial marketplace and enterprise procurement](/marketplace/what-is-commercial-marketplace).

+Billing and payment for the service is processed through Azure. Payment for Oracle Database@Azure counts toward Microsoft Azure Consumption Commitment (MACC). Existing Oracle Database software customers can use a bring your own license (BYOL) option or an unlimited license agreement (ULA). On your regular invoice for Azure, charges for Oracle Database@Azure appear with charges for your other Azure Marketplace services.

+## Oracle Database@Azure interfaces

+You can provision Oracle Database@Azure by using the Azure portal and Azure APIs, SDKs, and Terraform. You manage the Oracle database system infrastructure and virtual machine cluster resources in the Azure portal.

+For an Oracle container database (CDB) or an Oracle pluggable database (PDB), some management tasks are completed by using the OCI console.

+Database and application developers work in the Azure portal or use Azure tools (Azure APIs, SDKs, or Terraform) to manage their databases in Oracle Database@Azure.

+ Title: Groups and roles in Oracle Database@Azure

+description: Learn about groups and roles in Oracle Database@Azure.

+# Groups and roles in Oracle Database@Azure

+This article lists groups and roles you use to manage access to Oracle Database@Azure. Using these groups and roles ensures that assigned users have the appropriate permissions to operate the service.

+Use the following groups in your Azure account:

+|odbaa-exa-infra-administrators| odbaa-exa-infra-administrator |This group is for administrators who need to manage all Oracle Exadata Database@Azure resources in Azure. |

+|odbaa-vm-cluster-administrators |odbaa-vm-cluster-administrator |Users in this group can administer virtual machine (VM) cluster resources in Azure. |

+|odbaa-db-family-administrators |*Not applicable* | This group is replicated in Oracle Cloud Infrastructure (OCI) during the optional identity federation process. OCI policies are defined for this group in the Oracle Cloud environment. |

+|odbaa-db-family-readers |*Not applicable* |This group is replicated in OCI during the optional identity federation process. OCI policies are defined for this group in the Oracle Cloud environment. |

+|odbaa-exa-cdb-administrators |*Not applicable* |This group is replicated in OCI during the optional identity federation process. OCI policies are defined for this group in the Oracle Cloud environment. |

+|odbaa-exa-pdb-administrators |*Not applicable* |This group is replicated in OCI during the optional identity federation process. OCI policies are defined for this group in the Oracle Cloud environment. |

+## Groups in Oracle Cloud Infrastructure

+Use the following groups in your OCI tenancy:

+|odbaa-db-family-administrators | Users in this group are administrators who manage database family actions. |

+|odbaa-db-family-readers |Users in this group are administrators who read database family actions. |

+|odbaa-exa-cdb-administrators |Users in this group are administrators who manage Oracle Container Database (CDB) actions. |

+|odbaa-exa-pdb-administrators | Users in this group are administrators who manage Oracle Pluggable Database (PDB) actions.|

+## Required Identity and Access Management policies

+The following Oracle Cloud Infrastructure Identity and Access Management (IAM) policies are required for each user and each group in Oracle Database@Azure:

+- `Allow any-user to use tag-namespaces in tenancy where request.principal.type = ΓÇÿmulticloudlinkΓÇÖ`

+- `Allow any-user to manage tag-defaults in tenancy where request.principal.type = ΓÇÿmulticloudlinkΓÇÖ`

+For information about working with policies, see [Get started with policies](https://docs.oracle.com/iaas/Content/Identity/policiesgs/get-started-with-policies.htm) in Oracle databases.

+## Related content

+- [Overview of Oracle Database@Azure](database-overview.md)

+- [Onboard Oracle Database@Azure](onboard-oracle-database.md)

+- [Support for Oracle Database@Azure](oracle-database-support.md)

+ Title: Known issues in Oracle Database@Azure

+description: Learn about known issues in Oracle Database@Azure.

+# Known issues in Oracle Database@Azure

+Learn about known issues in Oracle Database@Azure and how to resolve them.

+## Oracle Exadata virtual machine cluster provisioning

+### Virtual machine cluster provisioning fails because the number of available IPs doesn't match

+The wrong number of available IPs in the subnet is reported, causing virtual machine cluster provisioning to fail.

+#### Message

+```output

+#### Resolution

+Verify the correct number of available IP addresses in the subnet by using the Oracle Cloud Infrastructure (OCI) console. For more information, see [List private IP addresses](https://docs.oracle.com/iaas/Content/Network/Tasks/private-ip-address-list.htm).

+If the subnet doesn't have enough IP addresses, reconfigure the subnet according to the [prerequisites](oracle-database-plan-ip.md).

+### Virtual machine cluster provisioning fails because of an authorization error

+Provisioning an Oracle Exadata virtual machine cluster fails and shows the following message.

+#### Message

+```output

+The client <client_name> with object id <object_id> does not have authorization to perform action 'Oracle.Database/location/operationStatuses/read' over scope <scope_details> or scope is invalid. If access was recently granted, please refresh your credentials.

+The failure occurs because the user performing the action doesn't have permissions for the Microsoft.BareMetal/BareMetalConnections resource.

+#### Resolution

+1. Ensure that no policy is assigned to the user or to the subscription that prevents the user from performing the action. If the user has specific permissions directly assigned to them, add the following resources to the authorized list of resources:

+ - Microsoft.BareMetal/BareMetalConnections

+ - Microsoft.Network/privateDnsZones

+1. Delete the failed virtual machine cluster.

+1. After the virtual machine cluster is fully terminated in both Azure and OCI, wait 30 minutes. This wait period ensures that all dependent resources are also deleted.

+1. Provision a new virtual machine cluster.

+## Buy offer

+### Creating an OracleSubscription resource fails because of 'deny' policy action during offer purchase

+When you subscribe to Oracle Database@Azure, you must create a managed resource group in the background to contain the `OracleSubscription` object for billing purposes. The managed resource group must be in the EastUS region. It must have a specific name, and it must initially be created without tags.

+Any policy that blocks the creation of the managed resource group triggers the error. For example, a policy that has any of the following rules might cause the purchase to fail:

+- A rule that denies the creation of resources in the EastUS Azure region

+- A rule that denies the creation of a resource without tags

+- A rule that enforces specific naming patterns

+#### Message

+```output

+#### Resolution

+1. Identify the blocking policy by examining the activity log in the Azure portal. In the log, you might see a **'deny' Policy action** operation with a **failed** status:

+ :::image type="content" source="media/deny-known-issue-purchase-failure.png" alt-text="Screenshot that shows the Azure activity log with a 'deny' policy action that caused a failure for the OracleSubscriptions_Update operation.":::

+ The following figure shows the details of the **'deny' Policy action** in the Azure portal:

+ :::image type="content" source="media/example-known-issue-purchase-failure.png" alt-text="Screenshot that shows a JSON file with example policies, including a policy that limits the allowed locations for resource groups.":::

+1. Create a time-bound policy exemption for the blocking policies before you try to buy the offer, and then create the OracleSubscription resource again.

+ For more information, see [Azure Policy exemption structure](/azure/governance/policy/concepts/exemption-structure).

+ > [!TIP]

+ > A policy exemption can take up to 30 minutes to take effect. Ensure that the time window for the exemption is large enough to finish the buy process for the offer. We recommend a window of time of at least two hours for the policy exemption.

+ On the **Policy Assignments** pane in the Azure portal, select **Create exemption**.

+ :::image type="content" source="media/exemption-known-issue-purchase-failure.png" alt-text="Screenshot that shows the Create exemption button in the Azure portal.":::

+1. On the **Create exemption** pane in the Azure portal, create a policy exemption. For **Expiration date**, limit the time window for the policy exemption.

+ :::image type="content" source="media/workflow-known-issue-purchase-failure.png" alt-text="Screenshot that shows the Azure portal Create exemption pane.":::

+ Title: Manage resources in Oracle Database@Azure

+description: Learn how to manage resources in an instance of Oracle Database@Azure.

+# Manage resources in Oracle Database@Azure

+After you provision an instance of Oracle Database@Azure, you can use the Azure portal to complete a limited set of resource management functions.

+You must have the following prerequisites before you can provision Oracle Database@Azure:

+- An existing Azure subscription.

+- An Azure virtual network with a subnet delegated to the Oracle Database@Azure service (`Oracle.Database/networkAttachments`).

+ - No policies that prohibit the creation of resources without tags. The OracleSubscription resource is created automatically without tags during onboarding.

+ - No policies that enforce naming conventions. The OracleSubscription resource is created automatically with a default resource name.

+- Oracle Database@Azure purchased in the Azure portal.

+- An Oracle Cloud Infrastructure (OCI) account.

+For more information, including optional steps, see [Onboard Oracle Database@Azure](https://docs.oracle.com/iaas/Content/database-at-azure/oaaonboard.htm).

+## Common management functions in the Azure portal

+This section describes management functions that are available for all Oracle Database@Azure resources. To access management functions, go to the Azure pane for that resource.

+### Access the resource pane

+1. In the Azure portal, go to the home pane for your Oracle Database@Azure application.

+1. On the service menu, select **Oracle Database@Azure**.

+1. If the pane lists and manages multiple resources, select the resource type at the top of the pane.

+ For example, use the **Oracle Exadata Database@Azure** pane to access both the Oracle Exadata infrastructure and the Oracle Exadata virtual machine (VM) cluster resources.

+### List a resource type status

+1. Go to the resource pane. For more information, see [Access the resource pane](#access-the-resource-pane).

+ Resources are shown as **Succeeded**, **Failed**, or **Provisioning**.

+1. To access details for the resource, under **Name**, select the link for the resource.

+1. Go to the resource pane. For more information, see [Access the resource pane](#access-the-resource-pane).

+1. In the command bar, select **Create**.

+1. Complete the steps to [provision an instance of Oracle Autonomous Database](oracle-database-provision-autonomous-database.md).

+### Refresh the pane

+1. Go to the resource pane.

+1. In the command bar, select the **Refresh** icon.

+1. Wait for the pane to reload.

+1. Go to the resource pane.

+1. On the resource pane, you can remove a single resource or multiple resources by selecting the checkbox to the left of the table. After you select the resources to remove, in the command bar, select the **Delete** icon.

+1. You also can remove a single resource. Under **Name**, select the link for the resource. On the resource's detail pane, select the **Delete** icon.

+1. Go to the resource pane.

+1. Under **Name**, select the link for the resource.

+1. On the resource overview pane, under **Tags**, select **Edit**.

+1. To create a new tag, enter a name and tag value.

+1. To edit an existing tag, change the value for the existing tag.

+1. To delete an existing tag, select the **Delete** icon to the right of the tag.

+### Manage resource allocation

+> [!NOTE]

+> You can change only the *resource allocation* settings for an instance of Oracle Database@Azure by using these steps. The steps don't apply to any other resource type.

+1. Go to the resource pane.

+1. Under **Name**, select the link for the resource.

+1. On the service menu, select **Settings**, and then select **Resource allocation**.

+1. On the **Resource allocation** pane, select **Manage**.

+1. On the **Manage resource allocation** pane, you can set the Elastic Compute Processing Unit (ECPU) count from **2** to **512**. To set your Oracle Database@Azure instance to scale its computing allocation automatically up to 512, select the **Compute auto scaling** checkbox. For **Storage**, set storage allocation from 1 TB to 383 TB. To set your Oracle Database@Azure instance to scale storage allocation automatically up to 383 TB, select the **Storage auto scaling** checkbox.

+1. After you set or review settings, select **Apply** to apply changes, or select **Cancel** to leave the current settings.

+### Test connectivity

+1. Go to the resource pane.

+1. Under **Name**, select the link for the resource.

+1. On the service menu, select **Settings**, and then select **Connections**.

+1. Select the **Download wallet** icon and save the file.

+1. Open Oracle SQL Developer. If you don't have SQL Developer installed, download SQL Developer and install it.

+1. In SQL Developer, open a new connection by using the following information:

+ 1. **Name**: Enter a name to use for the connection.

+ 1. **Username**: Enter **SYS**.

+ 1. **Password**: Enter the password you used when you created the pluggable database (PDB).

+ 1. **Role**: Select **SYSDBA**.

+ 1. **Save Password**: Select this checkbox if your security rules allow. Otherwise, you're required to enter the PDB password every time you use this connection in SQL Developer.

+ 1. **Connection Type**: Select **Cloud Wallet**.

+ 1. **Configuration File**: Select **Browse**, and then select the wallet you downloaded.

+ 1. Select the **Test** button. Check **Status** in the list of connections for a **Success** value. If the connection isn't a success, the wallet is out of date, or the instance of Oracle Autonomous Database isn't currently running.

+ 1. Select **Save**.

+ 1. Select **Connect**.

+1. Go to the resource pane.

+1. Under **Name**, select the link for the resource.

+1. On the service menu, under **OCI Database URL**, select the **Go to OCI** link.

+1. Sign in to OCI.

+### Get support for Oracle Database@Azure

+1. Follow the steps to [access the OCI console](#access-the-oci-console).

+1. In the OCI console, choose an option to access support resources:

+ - On the top-right menu bar, select the **Help** (`?`) icon.

+ - On the right side of the page, select the floating **Support** icon.

+ If you need to create a support request, select that option.

+1. The support request page autopopulates with information that's needed by Oracle Support Services, including the resource name, the resource Oracle Cloud Identifier (OCID), the service group, the service, and several other items depending on the Oracle Database@Azure resource.

+1. Select the relevant support option from the following options:

+ 1. **Critical outage** for a critical production system outage or if a critical business function is unavailable or unstable. You or an alternate contact must be available to work on this issue 24x7 if needed.

+ 1. **Significant impairment** for a critical system failure or if a business function experiencing severe loss of service. Operations can continue in a restricted manner. You or an alternate contact must be available to work on this issue during normal business hours.

+ 1. **Technical issue** for functionality, errors, or a performance issue that affects only some operations.

+ 1. **General guidance** if you have a product or service usage question, for product or service setup, or if you need documentation clarification.

+1. Select **Create Support Request**.

+The support ticket is created. You can monitor the ticket in the OCI console or via [My Oracle Support (MOS)](https://support.oracle.com/).

+description: Learn about network planning for Oracle Database@Azure.

+In this article, learn about network topologies and constraints in Oracle Database@Azure.

+After you purchase an offer through Azure Marketplace and provision the Oracle Exadata infrastructure, the next step is to create your virtual machine cluster to host your instance of Oracle Exadata Database@Azure. The Oracle database clusters are connected to your Azure virtual network via a virtual network interface card (virtual NIC) from your delegated subnet (delegated to `Oracle.Database/networkAttachment`).

+The following table describes the network topologies that are supported by each configuration of network features for Oracle Database@Azure:

+|Connectivity to an Oracle database cluster in a local virtual network| Yes |

+|Connectivity to an Oracle database cluster in a peered virtual network (in the same region)|Yes |

+|Connectivity to an Oracle database cluster in a spoke virtual network in a different region with a virtual wide area network (virtual WAN) |Yes |

+|Connectivity to an Oracle database cluster in a peered virtual network (cross-region or global peering) without a virtual WAN\* | No|

+|On-premises connectivity to an Oracle database cluster via global and local Azure ExpressRoute |Yes|

+|Azure ExpressRoute FastPath |No |

+|Connectivity from on-premises to an Oracle database cluster in a spoke virtual network over an ExpressRoute gateway and virtual network peering with a gateway transit|Yes |

+|On-premises connectivity to a delegated subnet via a virtual private network (VPN) gateway | Yes |

+|Connectivity from on-premises to an Oracle database in a spoke virtual network over a VPN gateway and virtual network peering with gateway transit| Yes |

+|Connectivity over active/passive VPN gateways| Yes |

+|Connectivity over active/active VPN gateways| No |

+|Connectivity over active/active zone-redundant gateways| No |

+|Transit connectivity via a virtual WAN for an Oracle database cluster provisioned in a spoke virtual network| Yes |

+|On-premises connectivity to an Oracle database cluster via a virtual WAN and attached software-defined wide area network (SD-WAN)|No|

+|On-premises connectivity via a secured hub (a firewall network virtual appliance) | No|

+|Connectivity from an Oracle database cluster on Oracle Database@Azure nodes to Azure resources|Yes|

+\* You can overcome this limitation by using a site-to-site VPN.

+The following table describes required configurations of supported network features:

+|[Network security groups](../../virtual-network/network-security-groups-overview.md) on Oracle Database@Azure delegated subnets|No|

+|[User-defined routes (UDRs)](../../virtual-network/virtual-networks-udr-overview.md#user-defined) on Oracle Database@Azure delegated subnets|Yes|

+|Connectivity from an Oracle database cluster to a [private endpoint](../../private-link/private-endpoint-overview.md) in the same virtual network on Azure-delegated subnets|No|

+|Connectivity from an Oracle database cluster to a [private endpoint](../../private-link/private-endpoint-overview.md) in a different spoke virtual network connected to a virtual WAN|Yes|

+|Dual stack (IPv4 and IPv6) virtual network|Only IPv4 is supported|

+## Related content

+* [Overview of Oracle Database@Azure](database-overview.md)

+* [Onboard Oracle Database@Azure](onboard-oracle-database.md)

+* [Provision and manage Oracle Database@Azure](provision-oracle-database.md)

+* [Support for Oracle Database@Azure](oracle-database-support.md)

+* [Groups and roles for Oracle Database@Azure](oracle-database-groups-roles.md)

+description: Learn how to plan your IP address space for Oracle Database@Azure.

+# Plan IP address space for Oracle Database@Azure

+A key part of designing an Oracle Database@Azure deployment is planning for IP address space. It's important to ensure that you have enough IPs for your virtual machine clusters and for networking services.

+This article provides tables you can use to find the minimum subnet Classless Inter-Domain Routing (CIDR) size for your instance of Oracle Database@Azure.

+When you set up your network, consider the following points:

+- For Oracle Autonomous Database, the minimum CIDR size is /27.

+- IP address ranges that are allocated to Oracle Autonomous Database subnets and to Oracle Exadata virtual machine clusters can't overlap with other CIDRs that are in use. Overlap might cause routing issues. Account for cross-region routing when you configure CIDRs for Oracle Database@Azure.

+- For Oracle Exadata X9M, IP addresses 100.106.0.0/16 and 100.107.0.0/16 are reserved for the interconnect and can't be allocated to client networks or backup networks.

+Other requirements that are specific to client subnets and backup subnets are described in the next sections.

+## Client subnet requirements

+The client subnet has the following IP address requirements:

+- Each virtual machine requires 4 IP addresses. Virtual machine clusters must have a minimum of two virtual machines. Therefore, a virtual machine cluster with two virtual machines requires 8 IP addresses in the client subnet. Each virtual machine that's added to a virtual machine cluster increases the number of IP addresses required in the client subnet by 4 IP addresses.

+- Each virtual machine cluster requires 3 IP addresses for [Single Client Access Names (SCANs)](https://docs.oracle.com/en/cloud/paas/exadata-cloud/csexa/connect-db-using-net-services.html), regardless of how many virtual machines are in the virtual machine cluster.

+- In the client subnet, 17 IP addresses are reserved for networking services, regardless of how many virtual machine clusters are in the client subnet. The 17 IP addresses are the first 16 IP addresses and the last IP address.

+**Example**: The number of IP addresses required for a client subnet that has one virtual machine cluster with two virtual machines is *11 IPs (one virtual machine cluster with two virtual machines, plus three SCANs) + 17 IPs (for networking services) = 28 IPs*.

+### Scenarios: CIDR size required for a client subnet

+The following table shows scenarios of provisioned virtual machine clusters of varying sizes. The number of instances of each scenario that can fit in a client subnet depends on the CIDR size of the subnet. This table doesn't show all possible scenarios.

+|One virtual machine cluster with two virtual machines *(11 IPs + 17 IPs for networking services = 28 IPs)*|1|4|10|21|45|91|

+|One virtual machine cluster with three virtual machines *(15 IPs + 17 IPs for networking services = 32* IPs)|1|3|7|15|33|67|

+|One virtual machine cluster with four virtual machines *(19 IPs + 17 IPs for networking services = 36 IPs)*| |2|5|12|26|53|

+|Two virtual machine clusters with two virtual machines each *(22 IPs + 17 IPs for networking services = 39 IPs)*| |2|5|10|22|45|

+|Two virtual machine clusters with three virtual machines each *(30 IPs + 17 IPs for networking services = 47 IPs)*| |1|3|7|16|33|

+|Two virtual machine clusters with four virtual machines each *(38 IPs + 17 IPs for networking services = 55 IPs)*| |1|2|6|13|26|

+## Backup subnet requirements

+A backup subnet has the following IP address requirements:

+- Each virtual machine requires 3 IP addresses. Virtual machine clusters have a minimum of two virtual machines. Therefore, a virtual machine cluster that has two virtual machines requires 6 IP addresses in the backup subnet. Each virtual machine that's added to a virtual machine cluster increases the number of IP addresses required in the backup subnet by 3 IPs.

+- Networking services require 3 IP addresses for the backup subnet, regardless of how many virtual machine clusters are in the backup subnet.

+**Example**: The number of IP addresses required for a backup subnet that has one virtual machine cluster with two virtual machines is *6 IPs (one virtual machine cluster with two virtual machines) + 3 IPs (for networking services) = 9 IPs*.

+### Scenarios: CIDR size required for a backup subnet

+The following table shows scenarios of provisioned virtual machine clusters of different sizes. The number of instances of each scenario that can fit in a backup subnet depends on the CIDR size of the subnet. The table doesn't display all possible scenarios.

+|One virtual machine cluster with two virtual machines *(6 IPs + 3 for networking services = 9 IPs)*|1|3|7|14|28|56|

+|One virtual machine cluster with three virtual machines *(9 IPs + 3 for networking services = 12 IPs)*|1|2|5|10|21|42|

+|One virtual machine cluster with four virtual machines *(12 IPs + 3 for networking services = 15 IPs)*|1|2|4|8|17|34|

+|Two virtual machine clusters with two virtual machines each *(12 IPs + 3 for networking services = 15 IPs)*|1|2|4|8|17|34|

+|Two virtual machine clusters with three virtual machines each *(18 IPs + 3 for networking services = 21 IPs)*| |1|3|6|12|24|

+|Two virtual machine clusters with four virtual machines each *(24 IPs + 3 for networking services = 27 IPs)*| |1|2|4|9|18|

+## Usable IPs for client and backup subnets by CIDR size

+The following table shows the number of IP addresses that are available for virtual machine clusters and SCANs for various CIDR sizes after you subtract the IP addresses that the networking services require.

+> [!TIP]

+> Allocating more than the required space for a subnet (for example, at least /25 instead of /27) can help reduce the relative effect that reserved IP addresses have on the subnet's available space.

+|Subnet CIDR|Reserved networking IPs for a client subnet|Usable IPs for a client subnet (virtual machines and SCANs)|Reserved networking IPs for a backup subnet|Usable IPs for a backup subnet (virtual machines and SCANs)|

+|/28|17|0 (2<4 - 17)|3|13 (2^4 - 3)|

+|/22|17|1,007 (2^10 - 17)|3|1,021 (2^10 - 3)|

+## Related content

+- [Support for Oracle Database@Azure](oracle-database-support.md)

+ Title: Database ops processes for Oracle Database@Azure

+description: Learn about database operations processes for Oracle Database@Azure.

+# Database operations processes for Oracle Database@Azure

+Some Oracle processes are accessible from Azure, but you use the Oracle Cloud Infrastructure (OCI) console to set them up and maintain them.

+## Oracle Database Autonomous Recovery Service@Azure

+Oracle Database Autonomous Recovery Service@Azure is the preferred backup solution to use for Oracle Database@Azure resources. Here are some of the key benefits of using Oracle Database Autonomous Recovery Service@Azure:

+* You can use Microsoft Azure Consumption Commitment (MACC) to pay for your backup storage.

+* You can choose your backup storage locations to meet requirements for corporate data residency and compliance.

+* It gives you zero data loss with real-time database protection and recovery in less than a second after an outage or ransomware attack.

+* It provides backup immutability by using a policy-based backup retention lock. The lock prevents any user in the tenancy from deleting or altering backup data.

+* Data theft is prevented through mandatory, automatic encryption for backup data throughout the entire lifecycle.

+* It contributes to higher operational efficiency by eliminating weekly full backups to reduce CPU, memory, and I/O overhead and lower overall cloud costs.

+* It shortens the backup window via an incremental-forever paradigm that moves smaller amounts of backup data between the database and Oracle Database Autonomous Recovery Service@Azure.

+* Recoverability is improved through automated zero-impact recovery validation for database backups.

+* It uses optimized backups to eliminate the need to recover multiple incremental backups and speed recovery to regions.

+* Database protection insights are centralized in a granular recovery health dashboard.

+### High-level steps to enable Oracle Database Autonomous Recovery Service@Azure

+1. Go to the OCI console for the database you want to enable for Oracle Database Autonomous Recovery Service@Azure. Learn how to [access the OCI console](oracle-database-manage-autonomous-database-resources.md).

+1. Configure or create an Oracle Database Autonomous Recovery Service@Azure protection policy with storage backups in the same cloud provider as the database.

+1. Use the protection policy to configure automated backups.

+1. When the backup completes, check for subscription and backup location details in the database in OCI.

+## Related content

+* [Support for multicloud Oracle database backup](https://docs.oracle.com/en/cloud/paas/recovery-service/dbrsu/azure-multicloud-recoveryservice.html)

+* [Backup automation and storage in Oracle Cloud](https://docs.oracle.com/en/cloud/paas/recovery-service/dbrsu/backup-automation.html)

+* [Enable automatic backups to the recovery service](https://docs.oracle.com/en/cloud/paas/recovery-service/dbrsu/enable-automatic-backup.html#GUID-B8A2D342-3331-42C9-8FDD-D0DB0E25F4CE)

+* [Create a protection policy](https://docs.oracle.com/en/cloud/paas/recovery-service/dbrsu/create-protection-policy.html#GUID-C73E254E-2019-4EDA-88E0-F0BA68082A65)

+* [Configure protection policies](https://docs.oracle.com/en/cloud/paas/recovery-service/dbrsu/overview-protection-policy.html#GUID-8C097EAF-E2B0-4231-8027-0067A2E81A00)

+* [View protection policy details](https://docs.oracle.com/en/cloud/paas/recovery-service/dbrsu/view-protection-policy.html#GUID-5101A7ED-8891-4A6B-B1C4-F13F55A68FF0)

+ Title: Provision Oracle Autonomous Database

+description: Learn how to provision an instance of Oracle Autonomous Database in Azure.

+# Provision an instance of Oracle Database@Azure

+You provision and manage basic functions for an Oracle Autonomous Database instance on the Oracle Autonomous Database@Azure pane in the Azure portal. More management functions are available in the Oracle Cloud Infrastructure (OCI) console via the link to that database on the Oracle Autonomous Database@Azure pane.

+You must have the following prerequisites before you can provision Oracle Database@Azure:

+- An existing Azure subscription.

+- An Azure virtual network with a subnet delegated to the Oracle Database@Azure service (`Oracle.Database/networkAttachments`).

+ - No policies that prohibit the creation of resources without tags. The OracleSubscription resource is created automatically without tags during onboarding.

+ - No policies that enforce naming conventions. The OracleSubscription resource is created automatically with a default resource name.

+- Oracle Database@Azure purchased in the Azure portal.

+- An OCI account.

+For more information, including optional steps, see [Onboard Oracle Database@Azure](https://docs.oracle.com/iaas/Content/database-at-azure/oaaonboard.htm).

+## Provision Oracle Database@Azure

+To provision an Oracle Autonomous Database instance:

+1. Go to the Azure portal.

+1. Choose one of the following options to begin provisioning your instance of Oracle Database@Azure:

+ - On the home pane for the Oracle Autonomous Database@Azure application, select **Create an Oracle Autonomous Database**.

+ - On the **Oracle Autonomous Database@Azure** pane, select **Create**. The Oracle Autonomous Database@Azure pane shows all your existing instances of Oracle Autonomous Database@Azure and the current status. To see detailed information about an instance of Oracle Autonomous Database@Azure, select the instance in the list.

+1. On the **Basics** tab, enter or select the following information:

+ 1. For **Subscription**, select the relevant subscription.

+ 1. For **Resource group**, select an existing resource group, or select the **Create new** link to create a new resource group.

+ 1. For **Name**, enter a name for your instance of Oracle Database@Azure. The name must be unique within your subscription.

+ 1. For **Region**, select the Azure region to use. The current region is automatically selected. If your subscription has access to other regions, the regions appear in the list.

+ 1. Select **Next**.

+1. On the **Configuration** tab, enter or select the following information:

+ 1. For **Workload type**, select the relevant option for your Oracle Database@Azure instance.

+ 1. For **Database version**, select from the options that are provided based on your subscription and the currently supported versions of Oracle Database@Azure.

+ 1. For **ECPU count**, select an Elastic Compute Processing Unit (ECPU) count from **2** to **512**.

+ 1. Select or clear the **Compute auto scaling** checkbox for the option to scale the computing allocation automatically up to 512. By default, the checkbox is selected.

+ 1. For **Storage**, set the storage allocation from 1 TB to 383 TB or from 20 GB to 393,216 GB.

+ 1. For **Storage unit size**, select the option to allocate your storage in GB or TB.

+ 1. You select or clear the **Storage auto scaling** checkbox for the option to scale the storage allocation automatically up to 383 TB or 393,216 GB. By default, the checkbox is cleared.

+ 1. For **Backup retention period in days**, set the backup retention days from **1** to **60**.

+ 1. The value for **Username** is set automatically to **ADMIN**.

+ 1. Enter a required password for your **ADMIN** account. The password must be from 12 to 60 characters, and it must contain at least one uppercase letter, one lowercase letter, and one number. The password can't contain the double quote (`"`) character or the word `ADMIN`.

+ 1. For **Confirmed password**, enter a password that matches your previously entered password.

+ 1. For **License type**, select the license type that's required for your subscription.

+ 1. If you select the **Advanced options** checkbox, select values for **Character set** and **National character set** as relevant for your database.

+ 1. Select **Next**.

+1. On the **Networking** tab, enter or select the following information:

+ 1. Currently, the value for **Access type** is set automatically to **Managed private virtual network IP only**.

+ 1. For **Managed private virtual network IP only**, you can optionally select the **Require mutual TLS (mTLS) authentication** checkbox.

+ 1. For **Virtual network** and **Subnet**, select existing resources.

+ > The selected virtual network must have one subnet delegated to the Oracle.Database/networkAttachments service.

+ 1. Select **Next**.

+1. On the **Maintenance** tab, enter or select the following information:

+ 1. The value for **Maintenance patch level** is set automatically. Your Oracle Autonomous Database is patched on a regular and as-needed basis. Patching is done in a manner that should be unnoticeable to you. *Regular* means that the typical patch schedule is applied. For more information, see [View patch and maintenance window information](https://docs.oracle.com/iaas/autonomous-database-serverless/doc/maintenance-windows-patching.html).

+ 1. Enter up to 10 contact email addresses for notification of unplanned maintenance events.

+ 1. Select **Next**.

+1. On the **Consent** tab, review the Oracle terms of use and the Oracle privacy policy. Select the **I agree to the terms of service** checkbox, and then select **Next**.

+1. On the **Tags** tab, optionally set one or more tags for easier management and to track multiple instances of Oracle Database@Azure. For more information, see [Use tags to organize your Azure resources and management hierarchy](https://go.microsoft.com/fwlink/?linkid=873112). Then select **Next**.

+1. On the **Review + Create** tab, check the values you entered. Validation automatically occurs on this pane. All validations must pass for the provisioning to start. Even if the validation passes, verify the settings.

+1. After your validation is successful and you review your settings, select **Create** to start the provisioning process.

+1. On the **Oracle Autonomous Database@Azure** pane, view the status of your provisioning process. When the provisioning process succeeds, select the entry in the list.

+1. The basic information for your Oracle Database@Azure instance is shown. You can complete functions that are shared with Azure. For most administrative functions for the database, under **OCI Database URL**, select the **Go to OCI** link.

+For the complete Oracle documentation, see [Using Oracle Autonomous Database Serverless](https://docs.oracle.com/en/cloud/paas/autonomous-database/serverless/adbsb/autonomous-intro-adb.html#GUID-8EAA5AE6-397D-4E9A-9BD0-3E37A0345E24).

+ Title: Region availability for Oracle Database@Azure

+description: Learn about region availability for Oracle Database@Azure.

+# Region availability for Oracle Database@Azure

+Learn what Azure regions and corresponding Oracle Cloud Infrastructure (OCI) regions support Oracle Database@Azure in standard business regions across the globe.

+## Asia-Pacific (APAC)

+The following table lists Azure regions and corresponding OCI regions that support Oracle Database@Azure in the APAC business region:

+## Europe, Middle East, Africa (EMEA)

+The following table lists Azure regions and corresponding OCI regions that support Oracle Database@Azure in the EMEA business region:

+## North America (NA)

+The following table lists Azure regions and corresponding OCI regions that support Oracle Database@Azure in the NA business region:

+## Disaster recovery regions available for Oracle Database@Azure

+The following table lists Azure regions and corresponding OCI regions that offer a single-zone disaster recovery solution for Oracle Database@Azure:

+| West US | US West (Phoenix) | Γ£ô | Γ£ô |

+> [!NOTE]

+> To provision Oracle Database@Azure resources in a supported region, your tenancy must be subscribed to the target region. Learn how to [manage regions](https://docs.oracle.com/iaas/Content/Identity/regions/managingregions.htm#Managing_Regions) and [subscribe to an infrastructure region](https://docs.oracle.com/iaas/Content/Identity/regions/To_subscribe_to_an_infrastructure_region.htm#subscribe).

+ Title: Troubleshoot Oracle Autonomous Database@Azure

+description: Learn how to troubleshoot problems in Oracle Autonomous Database@Azure.

+# Troubleshoot Oracle Autonomous Database@Azure

+In this article, learn how to resolve common problems and provisioning issues in your Oracle Autonomous Database@Azure environment.

+This article doesn't describe general issues related to Oracle Database@Azure configuration, settings, and account setup. For more information about these topics, see [Overview of Oracle Database@Azure](https://docs.oracle.com/iaas/Content/multicloud/oaaoverview.htm).

+## Terminations and Microsoft locks

+Oracle recommends that you remove all Microsoft locks that are applied to Oracle Database@Azure resources before you terminate a resource. If you have a policy to prevent the deletion of locked resources, the Oracle Database@Azure process to delete the resource fails because Oracle Database@Azure can't delete locked resources. For example, if you created an Azure private endpoint, you should remove the lock before you delete the resource.

+## IP address requirement differences between Oracle Database@Azure and OCI

+Oracle Database@Azure has different IP address requirements than Oracle Cloud Infrastructure (OCI). As described in [Requirements for IP address space](https://docs.oracle.com/iaas/exadatacloud/doc/ecs-network-setup.html#ECSCM-GUID-D5C577A1-BC11-470F-8A91-77609BBEF1EA), the following differences in IP address requirements for Oracle Database@Azure must be considered:

+- Oracle Database@Azure supports only Oracle Exadata X9M. All other shapes are unsupported.

+- Oracle Database@Azure reserves 13 IP addresses for the client subnet versus 3 IP addresses for OCI requirements.

+## Private DNS zone limitation

+When you provision Oracle Exadata Database@Azure in a private DNS zone, you can select only zones that have four labels or less. For example, `a.b.c.d` is allowed, but `a.b.c.d.e` isn't allowed.

+description: Learn how to troubleshoot problems in Oracle Database@Azure.

+# Troubleshoot problems in Oracle Database@Azure

+Get troubleshooting tips for problems you might have when you use Oracle Database@Azure.

+## A private DNS FQDN name can't contain more than four labels

+When you create an Oracle Exadata Database@Azure virtual machine (VM) cluster, if you select a private DNS zone that has a fully qualified domain name (FQDN) that has more than four labels, you might see the following message.

+### Message

+```output

+### Resolution

+Labels are delimited by a period (`.`). For example, `a.b.c.d` is allowed, but `a.b.c.d.e` isn't allowed.

+Rename the private DNS zone that caused the problem or select a private DNS zone that has an FQDN that has a maximum of four labels.

+## Not Authorized error when a private DNS with no tags is used

+When you create an Oracle Exadata Database@Azure VM cluster, if you select a private DNS zone that you created without any tags, the default tag `oracle-tags` is automatically generated for the VM cluster. The tags might cause the following error if the tag namespace isn't authorized in the tenancy.

+### Message

+```output

+### Resolution

+To resolve the problem, add the following policies to the tenancy:

+```output

+## Microsoft locks

+This section includes information about Microsoft locks and how they might affect Oracle Database@Azure deployments.

+### Terminations and Microsoft locks

+We recommend that you remove all Microsoft locks from an Oracle Database@Azure resource before you terminate the resource. If you have a policy to prevent the deletion of locked resources, the Oracle Database@Azure process to delete system resources fails because Oracle Database@Azure can't delete a locked resource. For example, if you're using a locked private endpoint with Oracle Database@Azure, confirm that the endpoint can be deleted, and then remove the lock before you delete the Oracle Database@Azure resource.

+## Networking

+This section includes information about networking and how it might affect Oracle Database@Azure.

+### IP address requirement differences between Oracle Database@Azure and Oracle Exadata in OCI

+Oracle Database@Azure has different IP address requirements than Oracle Exadata in Oracle Cloud Infrastructure (OCI). As described in [Requirements for IP address space](https://docs.oracle.com/iaas/exadatacloud/doc/ecs-network-setup.html#ECSCM-GUID-D5C577A1-BC11-470F-8A91-77609BBEF1EA), the following differences in IP address requirements for Oracle Database@Azure must be considered:

+- Oracle Database@Azure supports only Oracle Exadata X9M. All other shapes are unsupported.

+- Oracle Database@Azure reserves 13 IP addresses for the client subnet.

+### Automatic network ingress configuration

+You can connect an Azure VM to an Oracle Exadata Database@Azure VM cluster if both VMs are in the same virtual network (VNet). This functionality is automatic and requires no extra changes to network security group rules. If you need to connect a VM from a different VNet than the one used by the Oracle Exadata Database@Azure VM cluster, you must also configure network security group traffic rules to let the other VNet's traffic to flow to the Oracle Exadata Database@Azure VM cluster. For example, you have two VNets ("A" and "B"). VNet A serves the Azure VM and VNet B serves the Oracle Exadata Database@Azure VM cluster. For network ingress, you must add VNet A's Classless Inter-Domain Routing (CIDR) address to the network security group route table in OCI.

+#### Default client network security group rules

+| Direction | Source or destination | Protocol | Details | Description |

+|--|--|-||-|

+| **Direction**: Egress<br />**Stateless**: No | **Destination type**: CIDR<br />**Destination**: 0.0.0.0/0 | All protocols | **Allow**: All traffic for all ports | Default network security group egress rule |

+| **Direction**: Ingress<br />**Stateless**: No | **Source type**: CIDR<br />**Source**: Azure virtual network CIDR | TCP | **Source port range**: All<br />**Destination port range**: All<br />**Allow**: TCP traffic for all ports | Ingress for all TCP from an Azure virtual network |

+| **Direction**: Ingress<br />**Stateless**: No | **Source type**: CIDR<br />**Source**: Azure virtual network CIDR | ICMP | **Type**: All<br />**Code**: All<br />**Allow**: ICMP traffic for all | Ingress for all ICMP from an Azure virtual network |

+#### Default backup network security group rules

+| Direction | Source or destination | Protocol | Details | Description |

+| **Direction**: Egress<br />**Stateless**: No | **Destination type**: Service<br />**Destination**: Object storage | TCP |**Source port range**: All<br />**Destination port range**: 443<br />**Allow**: TCP traffic for port 443 HTTPS | Allows access to object storage |

+| **Direction**: Ingress<br />**Stateless**: No | **Source type**: CIDR<br />**Source**: 0.0.0.0/0 | ICMP | **Type**: 3<br />**Code**: 4<br />**Allow**: ICMP traffic for 3, 4 Destination Unreachable: Fragmentation needed and "Don't Fragment" was set | Allows path maximum transmission unit (MTU) discovery fragmentation messages |

+ Title: What's new in Oracle Database@Azure

+description: Learn about what's new in Oracle Database@Azure.

+Learn about new features in Oracle Database@Azure.

+| Support for multiple Azure subscriptions | Oracle Database@Azure now supports using multiple Azure subscriptions in the same Azure account. For more information, see [Link Oracle Database@Azure to multiple Azure subscriptions](link-oracle-database-multiple-subscription.md). |

+## Related content

+- [Support for Oracle Database@Azure](oracle-database-support.md)

+ Title: What's new in Oracle Autonomous Database@Azure

+description: Learn about what's new in Oracle Autonomous Database@Azure.

+# What's new in Oracle Autonomous Database@Azure

+Learn about product enhancements and fixes for Oracle Autonomous Database@Azure.

+The following table lists only changes made in Oracle Autonomous Database@Azure:

+| Month and year | Feature | Description |

+| July 2024 | Added a section for Terraform quickstart templates and modules. | This section will expand as templates and modules are revised and new content is added. |

+For information about changes to the Oracle Autonomous Database service, see the following Oracle links:

+* For new features that are added in the current year, see [What's new for Oracle Autonomous Database](https://docs.oracle.com/en/cloud/paas/autonomous-database/serverless/adbsb/whats-new-adwc.html).

+* For previous features that were added to Oracle Autonomous Database, see [the Oracle previous feature announcements](https://docs.oracle.com/en/cloud/paas/autonomous-database/serverless/adbsb/previous-feature-announcements.html).

+## Related content

+* [Provision and manage Oracle Database@Azure](provision-oracle-database.md)

+* [Support for Oracle Database@Azure](oracle-database-support.md)

+* [Network planning for Oracle Database@Azure](oracle-database-network-plan.md)

+* [Groups and roles for Oracle Database@Azure](oracle-database-groups-roles.md)

+| [MainOne](https://mainone.net/products-and-services/) | Africa |

+| Brazil South | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: |

+| Canada Central | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: |

+| West US 2 | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: |

+| West US 3 | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: |

+|**Europe** | | | | | | |

+| France Central | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: |

+| Germany West Central | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: |

+| West Europe | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: |

+| Norway East | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: |

+| South Africa North | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: |

+| Australia East | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: |

+| Japan East | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: |

+- [Reliability in Azure](./overview.md)

+> [!Note]

+> We will retire Azure HDInsight on AKS on January 31, 2025. Before January 31, 2025, you will need to migrate your workloads to [Microsoft Fabric](https://www.microsoft.com/microsoft-fabric) or an equivalent Azure product to avoid abrupt termination of your workloads. The remaining clusters on your subscription will be stopped and removed from the host.

+>

+> Only basic support will be available until the retirement date.

+> [!IMPORTANT]

+> This feature is currently in preview. The [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include more legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability. For information about this specific preview, see [Azure HDInsight on AKS preview information](/azure/hdinsight-aks/preview). For questions or feature suggestions, please submit a request on [AskHDInsight](https://aka.ms/askhdinsight) with the details and follow us for more updates on [Azure HDInsight Community](https://www.linkedin.com/groups/14313521/).

+In Azure Database for MySQL, a gateway redirects the connections to server instances. After the connection is established, the MySQL client displays the version of MySQL set in the gateway, not the actual version running on your MySQL server instance. To determine the version of your MySQL server instance, use the `SELECT VERSION();` command at the MySQL prompt. For more details, see [Supported Azure Database for MySQL server versions](/azure/mysql/flexible-server/concepts-supported-versions).

+We have over 30 years of partnership between SAP and Microsoft, which is a foundation to support common goals long-term, including a joint commitment by SAP and Microsoft to simplify and streamline customersΓÇÖ journeys to the cloud. For more information, see:

+| [Azure Integration Services](#azure-integration-services) | Connect your SAP workloads with your end users, business partners, and their systems with world-class integration services. Learn about codevelopment efforts that enable SAP Event Mesh to exchange cloud events with Azure Event Grid, understand how you can achieve high-availability for services like SAP Cloud Integration, automate your SAP invoice processing with Logic Apps and Azure AI services and more. |

+- [Consume OpenAI services (GPT) through CAP & SAP BTP, AI Core | GitHub repos](https://github.com/SAP-samples/azure-openai-aicore-cap-api)

+- [Simplify Supplier forecasting with SAP Integrated Business Planning, Ariba, and Microsoft Teams](https://blogs.sap.com/2022/10/03/using-microsoft-adaptive-cards-in-supply-chain-scenarios/)

+Unify all your security solutions for Microsoft 365, cloud-infrastructure, and SAP in one portal experience with [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender). Profit from the correlation of signals across the Microsoft ecosystem and connected third parties to detect and respond to threats in real-time.

+Learn more about identity focused integration capabilities that power the analysis on Defender and Microsoft Sentinel via the [Microsoft Entra ID section](#microsoft-entra-id-formerly-azure-ad).

+Use the [immutable vault for Azure Backup](/azure/backup/backup-azure-immutable-vault-concept) to protect your SAP data from ransomware attacks.

+Discover partner offerings for SAP security on the [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/consulting-services?search=Sentinel%20for%20SAP&page=1).

+Microsoft Sentinel integrates natively with Microsoft Defender XDR. See the integration in action with [Automatic attack disruption for SAP](../../sentinel/sap/deployment-attack-disrupt.md).

+- [Microsoft Sentinel solution for SAP applications](/azure/sentinel/sap/solution-overview)

+- [Microsoft Sentinel solution for SAP BTP](/azure/sentinel/sap/sap-btp-solution-overview)

+- [Automatically trigger reactivation of the SAP audit log on malicious deactivation](https://blogs.sap.com/2023/05/23/from-zero-to-hero-security-coverage-with-microsoft-sentinel-for-your-critical-sap-security-signals-part-3/)

+- [Automatically remediate Microsoft Sentinel SAP Collector Agent attack](https://blogs.sap.com/2023/07/06/from-zero-to-hero-security-coverage-with-microsoft-sentinel-for-your-critical-sap-security-signals-part-4/)

+See below video to experience the SAP security orchestration, automation, and response workflow with Microsoft Sentinel in action:

+- Defender XDR (integration with Microsoft Sentinel for SAP)

+See SAP's recommendation to use AntiVirus software for SAP hosts and systems on both Linux and Windows based platforms [here](https://wiki.scn.sap.com/wiki/display/Basis/Protecting+SAP+systems+using+antivirus+softwares). The threat landscape has evolved from file-based attacks to file-less attacks, and the protection approach has to evolve beyond pure AntiVirus capabilities too.

+ * [Active/Active (read-enabled): RHEL HA solution for SAP HANA scale out and system replication](https://access.redhat.com/articles/3004101).

+[sles-for-sap-bp]:https://documentation.suse.com/en-us/?tab=sbp

+The next step is to install the 42Crunch protection and log forwarder to protect your API. Both components are availabe as containers from the [42Crunch repository](https://hub.docker.com/u/42crunch). The exact installation depends on your environment, consult the [42Crunch protection documentation](https://docs.42crunch.com/latest/content/concepts/api_firewall_deployment_architecture.htm) for full details. Two common installation scenarios are described below:

+The sample application can be installed locally using a [Docker compose file](https://github.com/42Crunch/azure-sentinel-integration/blob/main/sample-deployment/docker-compose.yml) which installs the httpbin API server, the 42Crunch API protection, and the Microsoft Sentinel log forwarder. Set the environment variables as required using the values copied from step 2.

+Verfify the API protection is connected to the 42Crunch platform, and then exercise the API locally on the *localhost* at port 8080 using curl, or similar. You should see a mixture of passing and failing API calls.

+1. Open any API request tool.

+- **Exclude users**. Use the [**SAPUsersGetVIP**](sap/sap-solution-function-reference.md#sapusersgetvip) function to:

+## Related content

+ Title: Monitor the health of the connection between Microsoft Sentinel and your SAP system

+After you [deploy the SAP solution](sap/deployment-overview.md), you want to ensure proper functioning and performance of your SAP systems, and keep track of your system health, connectivity, and performance. This article describes how you can check the connectivity health manually on the data connector page and use a dedicated alert rule template to monitor the health of your SAP systems.

+For a video demonstration of the procedures in this article, watch the following video:

+<br><br>

+> [!VIDEO https://www.youtube.com/embed/FasuyBSIaQM?si=apdesRR29Lvq6aQM]

+## Prerequisites

+- Before you can perform the procedures in this article, you need to have a SAP data connector agent deployed and connected to your SAP system. SAP logs aren't displayed in the Microsoft Sentinel **Logs** page until your SAP system is connected and data starts streaming into Microsoft Sentinel.

+## Check your data connector's health and connectivity

+This procedure describes how to check your data connector's connection status from the **Microsoft Sentinel for SAP** data connector page.

+1. In Microsoft Sentinel, select **Data connectors** and search for *Microsoft Sentinel for SAP*.

+1. Select the **Microsoft Sentinel for SAP** connector and select **Open connector page**.

+1. In the **Configuration > 2. Configure an SAP system and assign it to a collector agent** area, view details about the health of your SAP systems.

+ For example:

+ :::image type="content" source="media/monitor-sap-system-health/health-status.png" alt-text="Screenshot of the Microsoft Sentinel for SAP applications health status table." lightbox="media/monitor-sap-system-health/health-status.png":::

+ The fields in the **Configure an SAP system and assign it to a collector agent** area are described as follows:

+ - **System display name**. The SAP system ID (SID) and its client number. Together, this value qualifies the connection to the SAP system and defines for SAP BASIS which system you're connecting to.

+ - **System role**. Indicates whether the system is production state or not, which also affects billing. For more information, see [Solution pricing](sap/solution-overview.md#solution-pricing). Values include:

+ |Value |Description |

+ |||

+ |**Production** | The system is defined by the SAP admin as a production system. |

+ |**Unknown (Production)** | Microsoft Sentinel couldn't retrieve the system status. Microsoft Sentinel regards this type of system as a production system for both security and billing purposes. <br><br>In such cases, we recommend that you check the Microsoft Sentinel role definitions and permissions on the SAP system, and validate that the system allows Microsoft Sentinel to read the content of the T000 table. Next, consider [updating the SAP connector](sap/update-sap-data-connector.md) to the latest version. |

+ |**Non production** | Indicates roles like developing, testing, and customizing. |

+ - **Agent name**. Unique ID of the installed data connector agent.

+ - **Health**. Indicates whether the SID is healthy. To troubleshoot health issues, [review the container execution logs](sap/sap-deploy-troubleshoot.md#view-all-container-execution-logs) and review other [troubleshooting steps](sap/sap-deploy-troubleshoot.md). Values include:

+ |Value |Description |

+ |||

+ | **System healthy** (green icon)| Indicates that Microsoft Sentinel identified both logs and a heartbeat from the system.|

+ | **System Connected ΓÇô unauthorized to collect role, production assumed** (yellow icon) | Microsoft Sentinel doesn't have sufficient permissions to define whether the system is a production system. In this case, Microsoft Sentinel defines the system as a production system. <br><br>In such cases, check the Microsoft Sentinel role definitions and permissions on the SAP system, and validate that the system allows Microsoft Sentinel to read the content of the T000 table. Next, consider [updating the SAP connector](sap/update-sap-data-connector.md) to the latest version. |

+ | **Connected with errors** (yellow icon) | Connection was successful but Microsoft Sentinel detected errors when fetching the system role and doesn't have the details of whether the system is or isn't a production system. |

+ | **System not connected** | Microsoft Sentinel was unable to connect to the SAP system, and cannot fetch the system role. In this case, Microsoft Sentinel doesn't have the details of whether the system is or isn't a production system. |

+ | Other statuses that reflect more details about connectivity issues | For example, **System unreachable for over 1 day**. |

+## View SAP logs streaming into Microsoft Sentinel

+In Microsoft Sentinel, select **General** > **Logs > Custom logs** to view the logs streaming in from the SAP system. For example:

+For more information, see [Microsoft Sentinel solution for SAP applications solution logs reference](sap-solution-log-reference.md).

+## Use an alert rule template to monitor the health of your SAP systems

+The Microsoft Sentinel for SAP solution includes an alert rule template designed to give you insight into the health of your SAP agent's data collection.

+The rule needs at least seven days of loading history to detect the different seasonality patterns. We recommend a value of 14 days for the alert rule **Look back** parameter to allow detection of weekly activity profiles.

+Once activated, the rule judges the recent telemetry and log volume observed on the workspace according to the history learned. The rule then alerts on potential issues, dynamically assigning severities according to the scope of the problem.

+To turn on the analytics rule in Microsoft Sentinel, select **Analytics > Rule templates**, and locate the *SAP - Data collection health check* alert rule.

+The analytics rule does the following:

+- Evaluates signals sent from the agent.

+- Evaluates telemetry data.

+- Evaluates alerts on log continuation and other system connectivity issues, if any are found.

+- Learns the log ingestion history, and therefore works better with time.

+The following screenshot shows an example of an alert generated by the *SAP - Data collection health check* alert rule:

+- Learn about [auditing and health monitoring](health-audit.md) in other areas of Microsoft Sentinel.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+Content in this article is intended for your **security**, **infrastructure**, and **SAP BASIS** teams.

+SAP HANA logs are sent over Syslog. Make sure that your Azure Monitor Agent is configured to collect Syslog files. For more information, see [Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent](../connect-cef-syslog-ama.md).

+ - [SAP HANA Audit Trail - Best Practice](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3ee5778bc2e4a089d3299b82ec762a7/35eb4e567d53456088755b8131b7ed1d.html)

+ - [Recommendations for Auditing](https://help.sap.com/docs/SAP_HANA_PLATFORM/742945a940f240f4a2a0e39f93d3e2d4/5c34ecd355e44aa9af3b3e6de4bbf5c1.html)

+ - [Actions Audited by Default Audit Policy](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3ee5778bc2e4a089d3299b82ec762a7/4f7cde1125084ea3b8206038530e96ce.html)

+For more information, see [Microsoft Sentinel solution for SAP applications: security content reference](sap-solution-security-content.md).

+Learn more about the Microsoft Sentinel solution for SAP applications:

+- [Deploy Microsoft Sentinel solution for SAP applications](deployment-overview.md)

+- [Deploy the Microsoft Sentinel solution for SAP BTP](deploy-sap-btp-solution.md)

+ Title: Integrate SAP across multiple workspaces

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+#Customer intent: As a security manager, I want to use Microsoft Sentinel for SAP applications across multiple workspaces so that I can ensure compliance with data residency requirements and facilitate collaboration between SOC and SAP teams.

+# Integrate SAP across multiple workspaces

+When working with SAP, your SAP and SOC teams might need to work in separate workspaces to maintain security boundaries. You might not want the SAP team to have visibility into all other security logs across your organization. However, the SAP BASIS team plays a critical role in successfully implementing and maintaining the Microsoft Sentinel solution for SAP applications. Their technical knowledge is essential for effectively monitoring SAP systems, configuring security settings, and ensuring that proper incident response procedures are in place. For this reason, the SAP BASIS team must have access to the Log Analytics workspace enabled for Microsoft Sentinel, allowing them to collaborate with the SOC team while focusing specifically on SAP-related security monitoring.

+This article discusses how to work with the Microsoft Sentinel solution for SAP applications in multiple workspaces, with improved flexibility for:

+## SAP and SOC data maintained in separate workspaces

+If your SAP and SOC teams have separate Log Analytics workspaces enabled for Microsoft Sentinel where team data is kept, we recommend that you provide some or all SOC team members with the **Sentinel Reader** role for the SAP BASIS team's workspace. This enables both teams to see SAP data by using cross-workspace queries.

+Maintaining separate workspaces for the SAP and SOC data has the following benefits:

+|Benefit |Description |

+|||

+|**Alerts** | Microsoft Sentinel can trigger alerts that include both SOC and SAP data, and it can run those alerts on the SOC workspace. |

+|**Data isolation** | The SAP BASIS team has its own workspace that includes all features except detections that include both SOC and SAP data. <br><br>The SOC can see and investigate SAP incidents. If the SAP BASIS team faces an event that it can't explain by using existing data, the team can assign the incident to the SOC. |

+|**Flexibility** | The SAP BASIS team can focus on the control of internal threats in its landscape, and the SOC can focus on external threats. |

+|**Pricing** | There's no extra charge for ingestion fees, because data is ingested only once into Microsoft Sentinel. However, each workspace has its own [pricing tier](../design-your-workspace-architecture.md#step-5-collecting-any-non-soc-data). |

+The following table maps data and feature access for SAP and SOC teams when they each maintain their own workspace:

+|Function |SOC team |SAP BASIS team |

+||||

+|SOC workspace access | &#x2705; | &#10060; |

+|SAP workspace data, analytics rules, functions, watchlists, and workbooks access | &#x2705; | &#x2705;^* |

+|SAP incident access and collaboration | &#x2705; | &#x2705;^* |

+^* The SOC team can see these functions in both workspaces. The SAP BASIS team can see these functions only in the SAP workspace.

+> [!NOTE]

+> Running cross-workspace queries across larger SAP landscapes can affect performance. For improved performance and cost optimizations, consider having both the SOC and SAP workspaces on the same dedicated cluster. For more information, see [Create and manage a dedicated cluster in Azure Monitor Logs](/azure/azure-monitor/logs/logs-dedicated-clusters?tabs=cli#cluster-pricing-model).

+## SAP and SOC data maintained in the same workspace

+You might want to keep all data in a single workspace and apply access controls to determine who on your team is able to access the data.

+To do this, use the following steps:

+- **Use Log Analytics in Azure Monitor to manage access to data by resource**. For more information, see [Manage access to Microsoft Sentinel data by resource](../resource-context-rbac.md).

+- **Associate SAP resources with an Azure resource ID**. Specify the required `azure_resource_id` field in the connector configuration section on the data collector that you use to ingest data from the SAP system into Microsoft Sentinel. For more information, see [Connector configuration](reference-systemconfig-json.md#connector-configuration).

+After the data collector agent is configured with the correct resource ID, the SAP BASIS team can access the specific SAP data in the SOC workspace by using a resource-scoped query. The SAP BASIS team can't read any of the other, non-SAP data types.

+There are no costs associated with this approach because the data is ingested only once into Microsoft Sentinel.

+When you manage access by resource, the SAP BASIS team sees only raw and unformatted data, accessible via Log Analytics or Power BI. The SAP BASIS team can't use any Microsoft Sentinel features.

+## Related content

+For more information, see [Deploy Microsoft Sentinel solution for SAP applications](deployment-overview.md).

+ Title: Connect your SAP system by deploying your data connector agent container from the command line | Microsoft Sentinel

+description: This article describes how to connect your SAP system to Microsoft Sentinel by deploying the container that that hosts the SAP data connector agent using the command line.

+#Customer intent: As a security, infrastructure, or SAP BASIS team member, I want to deploy and configure a containerized SAP data connector agent from the command line so that I can ingest SAP data into Microsoft Sentinel for enhanced monitoring and threat detection.

+# Deploy an SAP data connector agent from the command line

+This article provides command line options for deploying an SAP data connector agent. For typical deployments we recommend that you use the [portal](deploy-data-connector-agent-container.md#deploy-the-data-connector-agent-from-the-portal-preview) instead of the command line, as data connector agents installed via the command line can be managed only via the command line.

+However, if you're using a configuration file to store your credentials instead of Azure Key Vault, or if you're an advanced user who wants to deploy the data connector manually, such as in a Kubernetes cluster, use the procedures in this article instead.

+While you can run multiple data connector agents on a single machine, we recommend that you start with one only, monitor the performance, and then increase the number of connectors slowly. We also recommend that your **security** team perform this procedure with help from the **SAP BASIS** team.

+## Prerequisites

+- Before deploying your data connector, make sure to [create a virtual machine and configure access to your credentials](deploy-data-connector-agent-container.md#create-a-virtual-machine-and-configure-access-to-your-credentials).

+- If you're using SNC for secure connections, make sure that your SAP system is configured properly, and then [prepare the kickstart script for secure communication with SNC](#prepare-the-kickstart-script-for-secure-communication-with-snc) before deploying the data connector agent.

+ For more information, see the [SAP documentation](https://help.sap.com/docs/ABAP_PLATFORM_NEW/e73bba71770e4c0ca5fb2a3c17e8e229/e656f466e99a11d1a5b00000e835363f.html).

+## Deploy the data connector agent using a managed identity or registered application

+This procedure describes how to create a new agent and connect it to your SAP system via the command line, authenticating with a managed identity or a Microsoft Entra ID registered application.

+- If you're using SNC, make sure that you've completed [Prepare the kickstart script for secure communication with SNC](#prepare-the-kickstart-script-for-secure-communication-with-snc) first.

+- If you're using a configuration file to store your credentials, see [Deploy the data connector using a configuration file](#deploy-the-data-connector-using-a-configuration-file) instead.

+**To deploy your data connector agent**:

+1. Download and run the deployment kickstart script:

+ - **For a managed identity**, use one of the following command options:

+ - For the Azure public commercial cloud:

+ ```bash

+ wget -O sapcon-sentinel-kickstart.sh https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/sapcon-sentinel-kickstart.sh && bash ./sapcon-sentinel-kickstart.sh

+ ```

+ - For Microsoft Azure operated by 21Vianet, add `--cloud mooncake` to the end of the copied command.

+ - For Azure Government - US, add `--cloud fairfax` to the end of the copied command.

+ - **For a registered application**, use the following command to download the deployment kickstart script from the Microsoft Sentinel GitHub repository and mark it executable:

+ ```bash

+ wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/sapcon-sentinel-kickstart.sh

+ chmod +x ./sapcon-sentinel-kickstart.sh

+ ```

+ Run the script, specifying the application ID, secret (the "password"), tenant ID, and key vault name that you copied in the previous steps. For example:

+ ```bash

+ ./sapcon-sentinel-kickstart.sh --keymode kvsi --appid aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa --appsecret ssssssssssssssssssssssssssssssssss -tenantid bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb -kvaultname <key vault name>

+ ```

+ - **To configure secure SNC configuration**, specify the following base parameters:

+ - `--use-snc`

+ - `--cryptolib <path to sapcryptolib.so>`

+ - `--sapgenpse <path to sapgenpse>`

+ - `--server-cert <path to server certificate public key>`

+ If the client certificate is in *.crt* or *.key* format, use the following switches:

+ - `--client-cert <path to client certificate public key>`

+ - `--client-key <path to client certificate private key>`

+ If the client certificate is in *.pfx* or *.p12* format, use the following switches:

+ - `--client-pfx <pfx filename>`

+ - `--client-pfx-passwd <password>`

+ If the client certificate was issued by an enterprise CA, add the following switch for each CA in the trust chain:

+ - `--cacert <path to ca certificate>`

+ For example:

+ ```bash

+ wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/sapcon-sentinel-kickstart.sh

+ chmod +x ./sapcon-sentinel-kickstart.sh --use-snc --cryptolib /home/azureuser/libsapcrypto.so --sapgenpse /home/azureuser/sapgenpse --client-cert /home/azureuser/client.crt --client-key /home/azureuser/client.key --cacert /home/azureuser/issuingca.crt --cacert /home/azureuser/rootca.crt --server-cert /home/azureuser/server.crt

+ ```

+ The script updates the OS components, installs the Azure CLI and Docker software and other required utilities (jq, netcat, curl), and prompts you for configuration parameter values. Supply extra parameters to the script to minimize the number of prompts or to customize the container deployment. For more information on available command line options, see [Kickstart script reference](reference-kickstart.md).

+1. **Follow the on-screen instructions** to enter your SAP and key vault details and complete the deployment. When the deployment is complete, a confirmation message is displayed:

+ ```bash

+ The process has been successfully completed, thank you!

+ ```

+ Make a note of the Docker container name in the script output. To see the list of docker containers on your VM, run:

+ ```bash

+ docker ps -a

+ ```

+ You'll use the name of the docker container in the next step.

+1. Deploying the SAP data connector agent requires that you grant your agent's VM identity with specific permissions to the Log Analytics workspace enabled for Microsoft Sentinel, using the **Microsoft Sentinel Business Applications Agent Operator** and **Reader** roles.

+ To run the command in this step, you must be a resource group owner on the Log Analytics workspace enabled for Microsoft Sentinel. If you aren't a resource group owner on your workspace, this procedure can also be performed later on.

+ Assign the **Microsoft Sentinel Business Applications Agent Operator** and **Reader** roles to the VM's identity:

+ 1. <a name=agent-id-managed></a>Get the agent ID by running the following command, replacing the `<container_name>` placeholder with the name of the docker container that you'd created with the kickstart script:

+ ```bash

+ docker inspect <container_name> | grep -oP '"SENTINEL_AGENT_GUID=\K[^"]+

+ ```

+ For example, an agent ID returned might be `234fba02-3b34-4c55-8c0e-e6423ceb405b`.

+ 1. Assign the **Microsoft Sentinel Business Applications Agent Operator** and **Reader** roles by running the following commands:

+ ```bash

+ az role assignment create --assignee-object-id <Object_ID> --role --assignee-principal-type ServicePrincipal "Microsoft Sentinel Business Applications Agent Operator" --scope /subscriptions/<SUB_ID>/resourcegroups/<RESOURCE_GROUP_NAME>/providers/microsoft.operationalinsights/workspaces/<WS_NAME>/providers/Microsoft.SecurityInsights/BusinessApplicationAgents/<AGENT_IDENTIFIER>

+ az role assignment create --assignee-object-id <Object_ID> --role --assignee-principal-type ServicePrincipal "Reader" --scope /subscriptions/<SUB_ID>/resourcegroups/<RESOURCE_GROUP_NAME>/providers/microsoft.operationalinsights/workspaces/<WS_NAME>/providers/Microsoft.SecurityInsights/BusinessApplicationAgents/<AGENT_IDENTIFIER>

+ ```

+ Replace placeholder values as follows:

+ |Placeholder |Value |

+ |||

+ |`<OBJ_ID>` | Your VM identity object ID. <br><br> To find your VM identity object ID in Azure: <br>- **For a managed identity**, the object ID is listed on the VM's **Identity** page. <br>- **For a service principal**, go to **Enterprise application** in Azure. Select **All applications** and then select your VM. The object ID is displayed on the **Overview** page. |

+ |`<SUB_ID>` | The subscription ID for you Log Analytics workspace enabled for Microsoft Sentinel |

+ |`<RESOURCE_GROUP_NAME>` | The resource group name for your Log Analytics workspace enabled for Microsoft Sentinel |

+ |`<WS_NAME>` | The name of your Log Analytics workspace enabled for Microsoft Sentinel |

+ |`<AGENT_IDENTIFIER>` | The agent ID displayed after running the command in the [previous step](#agent-id-managed). |

+1. To configure the Docker container to start automatically, run the following command, replacing the `<container-name>` placeholder with the name of your container:

+ ```bash

+ docker update --restart unless-stopped <container-name>

+ ```

+The deployment procedure generates a **systemconfig.json** file that contains the configuration details for the SAP data connector agent. For more information, see [SAP data connector agent configuration file](deployment-overview.md#sap-data-connector-agent-configuration-file).

+## Deploy the data connector using a configuration file

+Azure Key Vault is the recommended method to store your authentication credentials and configuration data. If you're prevented from using Azure Key Vault, this procedure describes how you can deploy the data connector agent container using a configuration file instead.

+- If you're using SNC, make sure that you've completed [Prepare the kickstart script for secure communication with SNC](#prepare-the-kickstart-script-for-secure-communication-with-snc) first.

+- If you're using a managed identity or registered application, see [Deploy the data connector agent using a managed identity or registered application](#deploy-the-data-connector-agent-using-a-managed-identity-or-registered-application) instead.

+**To deploy your data connector agent**:

+1. Create a virtual machine on which to deploy the agent.

+1. Transfer the [SAP NetWeaver SDK](https://aka.ms/sap-sdk-download) to the machine on which you want to install the agent.

+1. Run the following commands to **download the deployment Kickstart script** from the Microsoft Sentinel GitHub repository and **mark it executable**:

+ ```bash

+ wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/sapcon-sentinel-kickstart.sh

+ chmod +x ./sapcon-sentinel-kickstart.sh

+ ```

+1. **Run the script**:

+ ```bash

+ ./sapcon-sentinel-kickstart.sh --keymode cfgf

+ ```

+ The script updates the OS components, installs the Azure CLI and Docker software and other required utilities (jq, netcat, curl), and prompts you for configuration parameter values. Supply extra parameters to the script as needed to minimize the number of prompts or to customize the container deployment. For more information, see the [Kickstart script reference](reference-kickstart.md).

+1. **Follow the on-screen instructions** to enter the requested details and complete the deployment. When the deployment is complete, a confirmation message is displayed:

+ ```bash

+ The process has been successfully completed, thank you!

+ ```

+ Make a note of the Docker container name in the script output. To see the list of docker containers on your VM, run:

+ ```bash

+ docker ps -a

+ ```

+ You'll use the name of the docker container in the next step.

+1. Deploying the SAP data connector agent requires that you grant your agent's VM identity with specific permissions to the Log Analytics workspace enabled for Microsoft Sentinel, using the **Microsoft Sentinel Business Applications Agent Operator** and **Reader** roles.

+ To run the commands in this step, you must be a resource group owner on your workspace. If you aren't a resource group owner on your workspace, this step can also be performed later on.

+ Assign the **Microsoft Sentinel Business Applications Agent Operator** and **Reader** roles to the VM's identity:

+ 1. <a name=agent-id-file></a>Get the agent ID by running the following command, replacing the `<container_name>` placeholder with the name of the docker container that you created with the Kickstart script:

+ ```bash

+ docker inspect <container_name> | grep -oP '"SENTINEL_AGENT_GUID=\K[^"]+'

+ ```

+ For example, an agent ID returned might be `234fba02-3b34-4c55-8c0e-e6423ceb405b`.

+ 1. Assign the **Microsoft Sentinel Business Applications Agent Operator** and **Reader** roles by running the following commands:

+ ```bash

+ az role assignment create --assignee-object-id <Object_ID> --role --assignee-principal-type ServicePrincipal "Microsoft Sentinel Business Applications Agent Operator" --scope /subscriptions/<SUB_ID>/resourcegroups/<RESOURCE_GROUP_NAME>/providers/microsoft.operationalinsights/workspaces/<WS_NAME>/providers/Microsoft.SecurityInsights/BusinessApplicationAgents/<AGENT_IDENTIFIER>

+ az role assignment create --assignee-object-id <Object_ID> --role --assignee-principal-type ServicePrincipal "Reader" --scope /subscriptions/<SUB_ID>/resourcegroups/<RESOURCE_GROUP_NAME>/providers/microsoft.operationalinsights/workspaces/<WS_NAME>/providers/Microsoft.SecurityInsights/BusinessApplicationAgents/<AGENT_IDENTIFIER>

+ ```

+ Replace placeholder values as follows:

+ |Placeholder |Value |

+ |||

+ |`<OBJ_ID>` | Your VM identity object ID. <br><br> To find your VM identity object ID in Azure: For a managed identity, the object ID is listed on the VM's **Identity** page. For a service principal, go to **Enterprise application** in Azure. Select **All applications** and then select your VM. The object ID is displayed on the **Overview** page. |

+ |`<SUB_ID>` | The subscription ID for your Log Analytics workspace enabled for Microsoft Sentinel |

+ |`<RESOURCE_GROUP_NAME>` | The resource group name for your Log Analytics workspace enabled for Microsoft Sentinel |

+ |`<WS_NAME>` | The name of your Log Analytics workspace enabled for Microsoft Sentinel |

+ |`<AGENT_IDENTIFIER>` | The agent ID displayed after running the command in the [previous step](#agent-id-file). |

+1. Run the following command to configure the Docker container to start automatically.

+ ```bash

+ docker update --restart unless-stopped <container-name>

+ ```

+The deployment procedure generates a **systemconfig.json** file that contains the configuration details for the SAP data connector agent. For more information, see [SAP data connector agent configuration file](deployment-overview.md#sap-data-connector-agent-configuration-file).

+## Prepare the kickstart script for secure communication with SNC

+This procedure describes how to prepare the deployment script to configure settings for secure communications with your SAP system using SNC. If you're using SNC, you must perform this procedure before deploying the data connector agent.

+**To configure the container for secure communication with SNC**:

+1. Transfer the *libsapcrypto.so* and *sapgenpse* files to the system where you're creating the container.

+1. Transfer the client certificate, including both private and public keys to the system where you're creating the container.

+ The client certificate and key can be in *.p12*, *.pfx*, or Base64 *.crt* and *.key* format.

+1. Transfer the server certificate (public key only) to the system where you're creating the container.

+ The server certificate must be in Base64 *.crt* format.

+1. If the client certificate was issued by an enterprise certification authority, transfer the issuing CA and root CA certificates to the system where you're creating the container.

+1. Get the kickstart script from the Microsoft Sentinel GitHub repository:

+ ```bash

+ wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/sapcon-sentinel-kickstart.sh

+ ```

+1. Change the script's permissions to make it executable:

+ ```bash

+ chmod +x ./sapcon-sentinel-kickstart.sh

+ ```

+For more information, see [Kickstart deployment script reference for the Microsoft Sentinel for SAP applications data connector agent](reference-kickstart.md).

+## Check connectivity and health

+After you deploy the SAP data connector agent, check your agent's health and connectivity. For more information, see [Monitor the health and role of your SAP systems](../monitor-sap-system-health.md).

+## Next step

+Once the connector is deployed, proceed to deploy Microsoft Sentinel solution for SAP applications content:

+> [!div class="nextstepaction"]

+> [Enable SAP detections and threat protection](deployment-solution-configuration.md)

+ Title: Connect your SAP system by deploying your data connector agent container | Microsoft Sentinel

+description: This article describes how to connect your SAP system to Microsoft Sentinel by deploying the container that that hosts the SAP data connector agent.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+#Customer intent: As a security, infrastructure, or SAP BASIS team member, I want to deploy and configure a containerized SAP data connector agent so that I can ingest SAP data into Microsoft Sentinel for enhanced monitoring and threat detection.

+# Connect your SAP system by deploying your data connector agent container

+This article describes how to deploy the container that hosts the SAP data connector agent and connect to your SAP system, and is the third step in deploying the Microsoft Sentinel solution for SAP applications. Make sure to perform the steps in this article in the order that they're presented.

+Content in this article is relevant for your **security**, **infrastructure**, and **SAP BASIS** teams.

+## Prerequisites

+Before you deploy the data connector agent:

+- Make sure that all of the deployment prerequisites are in place. For more information, see [Prerequisites for deploying Microsoft Sentinel solution for SAP applications](prerequisites-for-deploying-sap-continuous-threat-monitoring.md).

+- Make sure that you have the [Microsoft Sentinel solution for SAP applications](deploy-sap-security-content.md) installed in your Microsoft Sentinel workspace.

+- Make sure that your SAP system is fully [prepared for the deployment](preparing-sap.md). If you're deploying the data connector agent to communicate with Microsoft Sentinel over SNC, make sure that you completed [Configure your system to use SNC for secure connections](preparing-sap.md#configure-your-system-to-use-snc-for-secure-connections).

+## Watch a demo video

+Watch one of the following video demonstrations of the deployment process described in this article.

+A deep dive on the portal options:

+<br><br>

+> [!VIDEO https://www.youtube.com/embed/bg0vmUvcQ5Q?si=hugWYn1wjlq4seCR]

+Includes more details about using Azure KeyVault. No audio, demonstration only with captions:

+<br><br>

+> [!VIDEO https://www.youtube.com/embed/TXANRi88mqI?si=D_5TlOlswKW9OSee]

+We recommend creating a dedicated virtual machine for your data connector agent container to ensure optimal performance and avoid potential conflicts. For more information, see [System prerequisites](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#system-prerequisites).

+We recommend that you store your SAP and authentication secrets in an [Azure key vault](/azure/key-vault/general/authentication). How you access your key vault depends on where your virtual machine (VM) is deployed:

+|Deployment method |Access method |

+|||

+|**Container on an Azure VM** | We recommend using an Azure system-assigned managed identity to access Azure Key Vault. <br><br>If a system-assigned managed identity can't be used, the container can also authenticate to Azure Key Vault using a Microsoft Entra ID registered-application service principal, or, as a last resort, a configuration file. |

+|**A container on an on-premises VM**, or **a VM in a third-party cloud environment** | Authenticate to Azure Key Vault using a Microsoft Entra ID registered-application service principal. |

+If you can't use a registered application or a service principal, use a configuration file to manage your credentials, though this method isn't preferred. For more information, see [Deploy the data connector using a configuration file](deploy-command-line.md#deploy-the-data-connector-using-a-configuration-file).

+For more information, see:

+- [Authentication in Azure Key Vault](/azure/key-vault/general/authentication)

+- [What are manged identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)

+- [Application and service principal objects in Microsoft Entra ID](/entra/identity-platform/app-objects-and-service-principals?tabs=browser)

+Your virtual machine is typically created by your **infrastructure** team. Configuring access to credentials and managing key vaults is typically done by your **security** team.

+## [Managed identity](#tab/managed-identity)

+1. Run the following command to **Create a VM** in Azure, substituting actual names from your environment for the `<placeholders>`:

+ This command creates the VM resource, producing output that looks like this:

+## [Registered application](#tab/registered-application)

+ This command creates the application, producing output that looks like this:

+ For more information, see the [Azure CLI reference documentation](/cli/azure/ad/sp#az-ad-sp-create-for-rbac).

+1. Copy the **appId**, **tenant**, and **password** from the output. You need these for assigning the key vault access policy and running the deployment script in the coming steps.

+1. Before proceeding any further, create a virtual machine on which to deploy the agent. You can create this machine in Azure, in another cloud, or on-premises.

+This procedure describes how to create a key vault to store your agent configuration information, including your SAP authentication secrets. If you're using an existing key vault, skip directly to [step 2](#step2).

+ Use the options in the portal to assign the permissions, or run one of the following commands to assign key vault secrets permissions to your identity, substituting actual names for the `<placeholder>` values. Select the tab for the type of identity you created.

+ The policy specified in the commands allows the VM to list and read secrets from the key vault.

+ #### [Managed identity](#tab/managed-identity)

+ az role assignment create --assignee-object-id <ManagedIdentityId> --role "Key Vault Secrets User" --scope /subscriptions/<KeyVaultSubscriptionId>/resourceGroups/<KeyVaultResourceGroupName> /providers/Microsoft.KeyVault/vaults/<KeyVaultName>

+ #### [Registered application](#tab/registered-application)

+

+ #### [Managed identity](#tab/managed-identity)

+ ```Azure CLI

+ az keyvault set-policy -n <KeyVaultName> -g <KeyVaultResourceGroupName> --object-id <ManagedIdentityId> --secret-permissions get list

+ ```

+ #### [Registered application](#tab/registered-application)

+ To find the object ID of the app registration, go to the Microsoft Entra ID portal's **App registrations** page. Search for name of the app registration and copy the **Application (client) ID** value.

+

+## Deploy the data connector agent from the portal (Preview)

+Now that you created a VM and a Key Vault, your next step is to create a new agent and connect to one of your SAP systems. While you can run multiple data connector agents on a single machine, we recommend that you start with one only, monitor the performance, and then increase the number of connectors slowly.

+This procedure describes how to create a new agent and connect it to your SAP system using the Azure or Defender portals. We recommend that your **security** team perform this procedure with help from the **SAP BASIS** team.

+Deploying the data connector agent from the portal is supported from both the Azure portal, and the Defender portal if you onboarded your workspace to the unified security operations platform.

+While deployment is also supported from the command line, we recommend that you use the portal for typical deployments. Data connector agents deployed using the command line can be managed only via the command line, and not via the portal. For more information, see [Deploy a SAP data connector agent from the command line](deploy-command-line.md).

+> [!IMPORTANT]

+> Deploying the container and creating connections to SAP systems from the portal is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+**Prerequisites**:

+- To deploy your data connector agent via the portal, you need:

+ - Authentication via a managed identity or a registered application

+ - Credentials stored in an Azure Key Vault

+ If you don't have these prerequisites, [deploy the SAP data connector agent from the command line](deploy-command-line.md) instead.

+- To deploy the data connector agent, you also need sudo or root privileges on the data connector agent machine.

+- If you want to ingest Netweaver/ABAP logs over a secure connection using Secure Network Communications (SNC), you need:

+ - The path to the `sapgenpse` binary and `libsapcrypto.so` library

+ - The details of your client certificate

+ For more information, see [Configure your system to use SNC for secure connections](preparing-sap.md#configure-your-system-to-use-snc-for-secure-connections).

+**To deploy the data connector agent**:

+1. Sign in to the newly created VM on which you're installing the agent, as a user with sudo privileges.

+1. Download and/or transfer the [SAP NetWeaver SDK](https://aka.ms/sap-sdk-download) to the machine.

+1. In Microsoft Sentinel, select **Configuration > Data connectors**.

+1. In the search bar, enter *SAP*. Select **Microsoft Sentinel for SAP** from the search results and then **Open connector page**.

+1. In the **Create a collector agent** pane, enter the following agent details:

+ |**Agent name** | Enter a meaningful agent name for your organization. We don't recommend any specific naming convention, except that the name can include only the following types of characters: <ul><li> a-z<li> A-Z<li>0-9<li>_ (underscore)<li>. (period)<li>- (dash)</ul> |

+ |**Enable SNC connection support** |Select to ingest NetWeaver/ABAP logs over a [secure connection using SNC](preparing-sap.md#configure-your-system-to-use-snc-for-secure-connections). <br><br>If you select this option, enter the path that contains the `sapgenpse` binary and `libsapcrypto.so` library, under **SAP Cryptographic Library path on the agent VM**. <br><br>If you want to use an SNC connection, make sure to select **Enable SNC connection support** at this stage as you can't go back and enable an SNC connection after you finish deploying the agent. If you want to change this setting afterwards, we recommend that you create a new agent instead. |

+ |**Authentication to Azure Key Vault** | To authenticate to your key vault using a managed identity, leave the default **Managed Identity** option selected. To authenticate to your key vault using a registered application, select **Application Identity**. <br><br>You must have the managed identity or registered application set up ahead of time. For more information, see [Create a virtual machine and configure access to your credentials](#create-a-virtual-machine-and-configure-access-to-your-credentials). |

+ Under **Just a few more steps before we finish**, copy the *Role assignment commands* from step 1 and run them on your agent VM, replacing the `[Object_ID]` placeholder with your VM identity object ID. For example:

+ To find your VM identity object ID in Azure:

+ - For a managed identity, the object ID is listed on the VM's **Identity** page.

+ - For a service principal, go to **Enterprise application** in Azure. Select **All applications** and then select your VM. The object ID is displayed on the **Overview** page.

+ These commands assign the **Microsoft Sentinel Business Applications Agent Operator** and **Reader** Azure roles to your VM's managed or application identity, including only the scope of the specified agent's data in the workspace.

+1. Select **Copy** :::image type="content" source="media/deploy-data-connector-agent-container/copy-icon.png" alt-text="Screenshot of the Copy icon next to the Agent deployment command." border="false"::: next to the **Agent deployment command** in step 2. For example:

+1. Copy the command line to a separate location and then select **Close**.

+ > The table displays the agent name and health status for only those agents you deploy via the Azure portal. Agents deployed using the command line aren't displayed here. For more information, see the [**Command line** tab](deploy-data-connector-agent-container.md?tabs=command-line) instead.

+1. On the VM where you plan to install the agent, open a terminal and run the **Agent deployment command** that you copied in the previous step. This step requires sudo or root privileges on the data connector agent machine.

+ Supply extra parameters to the script as needed to customize the container deployment. For more information on available command line options, see [Kickstart script reference](reference-kickstart.md).

+ If you need to copy your command again, select **View** :::image type="content" source="media/deploy-data-connector-agent-container/view-icon.png" border="false" alt-text="Screenshot of the View icon next to the Health column."::: to the right of the **Health** column and copy the command next to **Agent deployment command** on the bottom right.

+1. In the Microsoft Sentinel solution for SAP application's data connector page, in the **Configuration** area, select **Add new system (Preview)** and enter the following details:

+ - Under **Select an agent**, select the agent you created earlier.

+ - Under **System identifier**, select the server type:

+ - **ABAP Server**

+ - **Message Server** to use a message server as part of an ABAP SAP Central Services (ASCS).

+ - Continue by defining related details for your server type:

+ - **For an ABAP server**, enter the ABAP Application server IP address/FQDN, the system ID and number, and the client ID.

+ - **For a message server**, enter the message server IP address/FQDN, the port number or service name, and the logon group

+ When you're done, select **Next: Authentication**.

+ :::image type="content" source="media/deploy-data-connector-agent-container/create-system.png" alt-text="Screenshot of the Add new system area's System settings tab.":::

+1. On the **Authentication** tab, enter the following details:

+ - For basic authentication, enter the user and password.

+ - If you selected an SNC connection [when you set up the agent](#deploy-the-data-connector-agent-from-the-portal-preview), select **SNC** and enter the certificate details.

+ When you're done, select **Next: Logs**.

+1. On the **Logs** tab, select the logs you want to ingest from SAP, and then select **Next: Review and create**. For example:

+ :::image type="content" source="media/deploy-data-connector-agent-container/logs-page.png" alt-text="Screenshot of the Logs tab in the Add new system side pane.":::

+The system configuration you defined is deployed into Azure Key Vault. You can now see the system details in the table under **Configure an SAP system and assign it to a collector agent**. This table displays the associated agent name, SAP System ID (SID), and health status for systems that you added via the portal or otherwise.

+At this stage, the system's **Health** status is **Pending**. If the agent is updated successfully, it pulls the configuration from Azure Key vault, and the status changes to **System healthy**. This update can take up to 10 minutes.

+The deployment procedure generates a **systemconfig.json** file that contains the configuration details for the SAP data connector agent. For more information, see [SAP data connector agent configuration file](deployment-overview.md#sap-data-connector-agent-configuration-file).

+## Check connectivity and health

+After you deploy the SAP data connector agent, check your agent's health and connectivity. For more information, see [Monitor the health and role of your SAP systems](../monitor-sap-system-health.md).

+## Next step

+Once the connector is deployed, proceed to configure the Microsoft Sentinel solution for SAP applications content. Specifically, configuring details in the watchlists is an essential step in enabling detections and threat protection.

+> [Enable SAP detections and threat protection](deployment-solution-configuration.md)

+ Title: Install the Microsoft Sentinel solution for SAP applications

+description: Learn how to install the Microsoft Sentinel solution for SAP applications from the content hub to your Log Analytics workspace enabled for Microsoft Sentinel.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+#Customer intent: As a security administrator, I want to deploy and configure security monitoring for SAP applications using Microsoft Sentinel so that I can enhance the security posture and threat detection capabilities of my SAP environment.

+# Install the Microsoft Sentinel solution for SAP applications

+The Microsoft Sentinel solution for SAP applications includes the SAP data connector, which collects logs from your SAP systems and sends them to your Log Analytics workspace enabled for Microsoft Sentinel, and out-of-the-box security content, which helps you gain insight into your organization's SAP environment and detect and respond to security threats. Installing your solution is a required step before you can configure your data connector agent container.

+Content in this article is relevant for your **security** team.

+- A Log Analytics workspace enabled for Microsoft Sentinel.

+- Read and write permissions to the workspace. For more information, see [Roles and permissions in Microsoft Sentinel](../roles.md).

+Make sure that you also review the [prerequisites for deploying Microsoft Sentinel solution for SAP applications](prerequisites-for-deploying-sap-continuous-threat-monitoring.md), especially [Azure prerequisites](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#azure-prerequisites).

+## Install the solution from the content hub

+Installing the Microsoft Sentinel solution for SAP applications makes the Microsoft Sentinel for SAP data connector available for you in as a Microsoft Sentinel data connector. The solution also deploys security content, such as the **SAP - System Applications and Products** workbook and SAP-related analytics rules.

+1. In the Microsoft Sentinel **Content hub**, search for the **SAP applications** solution and install it on your Log Analytics workspace enabled for Microsoft Sentinel.

+1. On the **Microsoft Sentinel solution for SAP applications** page, select **Create** to define deployment settings. For example:

+1. On the **Basics** tab, under **Project details**, select the **Subscription** and **Resource group** where you want to install the solution.

+1. Under **Instance details**, select the Log Analytics workspace enabled for Microsoft Sentinel where you want to install the solution.

+ If you're working with [the Microsoft Sentinel solution for SAP applications in multiple workspaces](cross-workspace.md), select **Some of the data is on a different workspace**, and then define your target workspace, your SOC workspace, and SAP workspace. For example:

+ For example:

+ :::image type="content" source="./media/deploy-sap-security-content/sap-multi-workspace.png" alt-text="Screenshot that shows how to configure the Microsoft Sentinel solution for SAP applications to work across multiple workspaces.":::

+1. Select **Review + create** or **Next** to browse through the solution components. When you're ready, select **Create**

+ The deployment process can take a few minutes. After the deployment is finished, you can view the deployed content in Microsoft Sentinel.

+> [!TIP]

+> If you want the SAP and SOC data to be kept on the same workspace with no additional access controls, do not select **Some of the data is on a different workspace**. In such cases, for more information, see [SAP and SOC data maintained in the same workspace](cross-workspace.md#sap-and-soc-data-maintained-in-the-same-workspace).

+For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](../sentinel-solutions-deploy.md).

+## View deployed content

+When the deployment is finished, display your new content by browsing again to the Microsoft Sentinel for SAP applications solution from the **Content hub**. Alternatively:

+- For the [built-in SAP workbooks](sap-solution-security-content.md#built-in-workbooks), in Microsoft Sentinel, go to **Threat Management** > **Workbooks** > **Templates**.

+- For a series of [SAP-related analytics rules](sap-solution-security-content.md#built-in-analytics-rules), go to **Configuration** > **Analytics** **Rule templates**.

+Your data connector doesn't appear as connected until you [configure your data connector agent container](deploy-data-connector-agent-container.md) to complete the connection.

+## Next step

+> [!div class="nextstepaction"]

+> [Configure your SAP system for the Microsoft Sentinel solution](preparing-sap.md)

+For more information, see [Microsoft Sentinel solution for SAP applications: security content reference](sap-solution-security-content.md).

+# Automatic attack disruption for SAP (Preview)

+For a video demonstration of attack disruption for SAP, watch the following video:

+<br><br>

+> [!VIDEO https://www.youtube.com/embed/-ijnGxRnwks?si=MPC2uNuLD8biqMVj]

+Content in this article is intended for your **security**, **infrastructure**, and **SAP BASIS** teams.

+For more information, see [Microsoft Sentinel in the Microsoft Defender portal (preview)](../microsoft-sentinel-defender-portal.md).

+ Title: Deploy the Microsoft Sentinel solution for SAP applications

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+# Microsoft Sentinel solution for SAP applications: Deployment overview

+Use the Microsoft Sentinel solution for SAP applications to monitor your SAP systems with Microsoft Sentinel, detecting sophisticated threats throughout the business logic and application layers of your SAP applications.

+This article introduces you to the Microsoft Sentinel solution for SAP applications deployment.

+## Solution components

+The Microsoft Sentinel solution for SAP applications includes a data connector, which collects logs from your SAP systems and sends them to your Microsoft Sentinel workspace, and out-of-the-box security content, which helps you gain insight into your organization's SAP environment and detect and respond to security threats.

+### Data connector

+The Microsoft Sentinel for SAP data connector is an agent installed as a container on a Linux virtual machine, physical server, or Kubernetes cluster. The agent collects application logs for all of your onboarded SAP SIDs from across the entire SAP system landscape, and then sends those logs to your Log Analytics workspace in Microsoft Sentinel.

+For example, the following image shows a multi-SID SAP landscape with a split between production and nonproduction systems, including the SAP Business Technology Platform. All the systems in this image are onboarded to Microsoft Sentinel for the SAP solution.

+The agent connects to your SAP system to pull logs and other data from it, then sends those logs to your Microsoft Sentinel workspace. To do this, the agent has to authenticate to your SAP system, using a user and role created specifically for this purpose.

+Microsoft Sentinel supports a few options for storing your agent configuration information, including the configuration for your SAP authentication secrets. The decision of which option might depend on where you deploy your VM and which SAP authentication mechanism you use. Supported options are as follows, listed in order of preference:

+- An **Azure Key Vault** accessed through an Azure **system-assigned managed identity**

+- An **Azure Key Vault** accessed through a Microsoft Entra ID **registered-application service principal**

+- A plaintext **configuration file**

+You can also authenticate using SAP's Secure Network Communication (SNC) and X.509 certificates. While using SNC provides a higher level of authentication security, it might not be practical for all scenarios.

+### Security content

+The Microsoft Sentinel solution for SAP applications includes the following types of security content to help you gain insight into your organization's SAP environment and detect and respond to security threats:

+- **Analytics rules** and **watchlists** for threat detection.

+- **Functions** for easy data access.

+- **Workbooks** to create interactive data visualization.

+- **Watchlists** for customization of the built-in solution parameters.

+- **Playbooks** that you can use to automate responses to threats.

+For more information, see [Microsoft Sentinel solution for SAP applications: security content reference](sap-solution-security-content.md).

+## Deployment flow and personas

+Deploying the Microsoft Sentinel solution for SAP applications involves several steps and requires collaboration across multiple teams, including the **security**, **infrastructure**, and **SAP BASIS** teams. The following image shows the steps in deploying the Microsoft Sentinel solution for SAP applications, with relevant teams indicated:

+We recommend that you involve all relevant teams when planning your deployment to ensure that effort is allocated and the deployment can move smoothly.

+**Deployment steps include**:

+1. [Review the prerequisites for deploying Microsoft Sentinel solution for SAP applications](prerequisites-for-deploying-sap-continuous-threat-monitoring.md). Some prerequisites require coordination with your infrastructure or SAP BASIS teams.

+1. The following steps can happen in parallel as they involve separate teams, and aren't dependent on each other:

+ 1. [Deploy the Microsoft Sentinel solution for SAP applications from the content hub](deploy-sap-security-content.md). This step is handled by the security team on the Azure portal.

+ 1. [Configure your SAP system for the Microsoft Sentinel solution](preparing-sap.md), including configuring SAP authorizations, configuring SAP auditing, and more. We recommend that these steps be done by your SAP BASIS team, and our documentation includes references to SAP documentation.

+1. [Connect your SAP system by deploying your data connector agent container](deploy-data-connector-agent-container.md). This step requires coordination between your security, infrastructure, and SAP BASIS teams.

+1. [Enable SAP detections and threat protection](deployment-solution-configuration.md). This step is handled by the security team on the Azure portal.

+**Extra options include:**

+- [Collect SAP HANA audit logs](collect-sap-hana-audit-logs.md)

+- [Deploy SAP connector manually](sap-solution-deploy-alternate.md)

+## SAP data connector agent configuration file

+The deployment procedure generates a **systemconfig.json** file that contains the configuration details for the SAP data connector agent. The file is located in the `/sapcon-app/sapcon/config/system` directory on your VM. You can use this file to update the configuration of your SAP data connector agent.

+Earlier versions of the deployment script, released before June 2023, generated a **systemconfig.ini** file instead. For more information, see:

+- [Systemconfig.json file reference](reference-systemconfig-json.md)

+- [Systemconfig.ini file reference](reference-systemconfig.md) (legacy)

+## Stop SAP data collection

+If you need to stop Microsoft Sentinel from collecting your SAP data, stop log ingestion and disable the connector. Then remove the extra user role and any optional CRs installed on your SAP system.

+For more information, see [Stop SAP data collection](stop-collection.md).

+## Related content

+For more information, see:

+- [About Microsoft Sentinel content and solutions](../sentinel-solutions.md).

+- [Monitor the health and role of your SAP systems](../monitor-sap-system-health.md)

+- [Update Microsoft Sentinel's SAP data connector agent](update-sap-data-connector.md)

+ Title: Enable SAP detections and threat protection with Microsoft Sentinel

+description: This article shows you how to configure initial security content for the Microsoft Sentinel solution for SAP applications in order to start enabling SAP detections and threat protection.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+#Customer intent: As a security analyst, I want to configure and monitor SAP systems using Microsoft Sentinel so that I can detect and respond to suspicious activities and threats effectively.

+# Enable SAP detections and threat protection

+While deploying the Microsoft Sentinel data collector agent and solution for SAP applications provides you with the ability to monitor SAP systems for suspicious activities and identify threats, extra configuration steps are required to ensure the solution is optimized for your SAP deployment. This article provides best practices for getting started with the security content delivered with the Microsoft Sentinel solution for SAP applications, and is the last step in deploying the SAP integration.

+Content in this article is relevant for your **security** team.

+> Some components of the Microsoft Sentinel solution for SAP applications are currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Prerequisites

+Before configuring the settings described in this article, you must have your data connector agent and solution content installed.

+For more information, see [Deploy the Microsoft Sentinel solution for SAP applications from the content hub](deploy-sap-security-content.md) and [Deploy Microsoft Sentinel solution for SAP applications](deployment-overview.md).

+## Start enabling analytics rules

+By default, all analytics rules in the Microsoft Sentinel solution for SAP applications are provided as [alert rule templates](../manage-analytics-rule-templates.md#manage-template-versions-for-your-scheduled-analytics-rules-in-microsoft-sentinel). We recommend a staged approach, where you use the templates to create a few rules at a time, allowing time for fine-tuning each scenario.

+We recommend starting with the following analytics rules, which are considered to be simpler to test:

+- [Change in Sensitive privileged user](sap-solution-security-content.md#suspicious-privileges-operations)

+- [Sensitive privileged user logged in](sap-solution-security-content.md#suspicious-privileges-operations)

+- [Sensitive privileged user makes a change in other user](sap-solution-security-content.md#suspicious-privileges-operations)

+- [Sensitive Users Password Change and Login](sap-solution-security-content.md#suspicious-privileges-operations)

+- [Client Configuration Change](sap-solution-security-content.md#attempts-to-bypass-sap-security-mechanisms)

+- [Function Module tested](sap-solution-security-content.md#persistency)

+For more information, see [Built-in analytics rules](sap-solution-security-content.md#built-in-analytics-rules) and [Threat detection in Microsoft Sentinel](../threat-detection.md).

+Configure your Microsoft Sentinel solution for SAP applications by providing customer-specific information in the following watchlists:

+|Watchlist name |Configuration details |

+|||

+|**SAP - Systems** | The **SAP - Systems** watchlist defines the SAP systems that are present in the monitored environment. <br><br>For every system, specify: <br>- The SID<br>- Whether it's a production system or a dev/test environment. Defining this in your watchlist doesn't affect billing, and only influences your analytics rule. For example, you might want to use a test system as a production system while testing.<br>- A meaningful description <br><br>Configured data is used by some analytics rules, which might react differently if relevant events appear in a development or a production system. |

+|**SAP - Networks** | The **SAP - Networks** watchlist outlines all networks used by the organization. It's primarily used to identify whether or not user sign-ins originate from within known segments of the network, or if a user's sign-in origin changes unexpectedly. <br><br>There are many approaches for documenting network topology. You could define a broad range of addresses, like *172.16.0.0/16*, and name it *Corporate Network*, which is good enough for tracking sign-ins from outside that range. However, a more segmented approach, allows you better visibility into potentially atypical activity. <br><br>For example, you might define the following segments and geographical locations: <br>- 192.168.10.0/23: Western Europe <br>- 10.15.0.0/16: Australia <br><br>In such cases, Microsoft Sentinel can differentiate a sign-in from *192.168.10.15* in the first segment from a sign-in from *10.15.2.1* in the second segment. Microsoft Sentinel alerts you if such behavior is identified as atypical. |

+|**SAP - Sensitive Function Modules** <br><br>**SAP - Sensitive Tables** <br><br>**SAP - Sensitive ABAP Programs**<br><br>**SAP - Sensitive Transactions** | **Sensitive content watchlists** identify sensitive actions or data that can be carried out or accessed by users. <br><br>While several well-known operations, tables, and authorizations are preconfigured in the watchlists, we recommend that you consult with your SAP BASIS team to identify the operations, transactions, authorizations and tables are considered to be sensitive in your SAP environment, and update the lists as needed. |

+|**SAP - Sensitive Profiles** <br><br>**SAP - Sensitive Roles**<br><br>**SAP - Privileged Users** <br><br>**SAP - Critical Authorizations** | The Microsoft Sentinel solution for SAP applications uses user data gathered in **user data watchlists** from SAP systems to identify which users, profiles, and roles should be considered sensitive. While sample data is included in the watchlists by default, we recommend that you consult with your SAP BASIS team to identify the sensitive users, roles, and profiles in your organization and update the lists as needed.|

+After the initial solution deployment, it might take some time until the watchlists are populated with data. If you open a watchlist for editing and find that it's empty, wait a few minutes and try again.

+For more information, see [Available watchlists](sap-solution-security-content.md#available-watchlists).

+## Use a workbook to check compliance for your SAP security controls

+The Microsoft Sentinel solution for SAP applications includes the **SAP - Security Audit Controls** workbook, which helps you check compliance for your SAP security controls. The workbook provides a comprehensive view of the security controls that are in place and the compliance status of each control.

+For more information, see [Check compliance for your SAP security controls with the SAP - Security Audit Controls workbook(Preview)](sap-audit-controls-workbook.md).

+## Next step

+There's a lot more content to discover for SAP with Microsoft Sentinel, including functions, playbooks, workbooks, and more. This article highlights some useful starting points, and you should continue to implement other content to get the most out of your SAP security monitoring.

+For more information, see:

+- [Microsoft Sentinel solution for SAP applications - functions reference](sap-solution-function-reference.md)

+- [Microsoft Sentinel solution for SAP applications: security content reference](sap-solution-security-content.md).

+## Related content

+For more information, see:

+- [Automatic attack disruption for SAP (Preview)](deployment-attack-disrupt.md)

+- [Update Microsoft Sentinel's SAP data connector agent](update-sap-data-connector.md)

+ Title: Configure your SAP system for the Microsoft Sentinel solution

+description: Learn about extra preparations required in your SAP system to install the SAP data connector agent and connect Microsoft Sentinel to your SAP system.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+# Configure your SAP system for the Microsoft Sentinel solution

+This article describes how to prepare your SAP environment for connecting to the SAP data connector agent. Preparation includes configuring required SAP authorizations and, optionally, deploying extra SAP change requests (CRs).

+This article is part of the second step in deploying the Microsoft Sentinel solution for SAP applications.

+The procedures in this article are typically performed by your **SAP BASIS** team.

+## Prerequisites

+- Before you start, make sure to review the [prerequisites for deploying the Microsoft Sentinel solution for SAP applications](prerequisites-for-deploying-sap-continuous-threat-monitoring.md).

+To allow the SAP data connector to connect to your SAP system, you must create an SAP system role specifically for this purpose.

+- **To include both log retrieval and [attack disruption response actions](https://aka.ms/attack-disrupt-defender)**, we recommend creating this role by loading role authorizations from the [**/MSFTSEN/SENTINEL_RESPONDER**](https://aka.ms/SAP_Sentinel_Responder_Role) file.

+- **To include log retrieval only**, we recommend creating this role by deploying the *NPLK900271* SAP change request (CR): [K900271.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/K900271.NPL) | [R900271.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/R900271.NPL)

+ Deploy the CRs on your SAP system as needed just as you'd deploy other CRs. We strongly recommend that deploying SAP CRs is done by an experienced SAP system administrator. For more information, see the [SAP documentation](https://help.sap.com/docs/ABAP_PLATFORM_NEW/4a368c163b08418890a406d413933ba7/e15d9acae75c11d2b451006094b9ea64.html?locale=en-US&version=LATEST).

+ Alternately, load the role authorizations from the [**MSFTSEN_SENTINEL_CONNECTOR**](https://aka.ms/SAP_Sentinel_Connector_Role) file, which includes all the basic permissions for the data connector to operate.

+ Experienced SAP administrators might choose to create the role manually and assign it the appropriate permissions. In such cases, create a role manually with the relevant authorizations required for the logs you want to ingest. For more information, see [Required ABAP authorizations](required-abap-authorizations.md). Examples in our documentation use the **/MSFTSEN/SENTINEL_RESPONDER** name.

+When configuring the role, we recommend that you:

+- Generate an active role profile for Microsoft Sentinel by running the **PFCG** transaction.

+- Use `/MSFTSEN/SENTINEL_RESPONDER` as the role name.

+ For more information, see the [SAP documentation](https://help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-US/48/e8eb38f94cb138e10000000a114084/frameset.htm) on creating roles.

+The Microsoft Sentinel solution for SAP applications requires a user account to connect to your SAP system. When creating your user:

+- Make sure to create a system user.

+- Assign the **/MSFTSEN/SENTINEL_RESPONDER** role to the user, which you'd created in the [previous step](#configure-the-microsoft-sentinel-role).

+For more information, see the [SAP documentation](https://help.sap.com/docs/ABAP_PLATFORM_NEW/ad77b44570314f6d8c3a8a807273084c/4cb5f7ac9cb33c94e10000000a42189c.html?version=LATEST).

+## Configure SAP auditing

+Some installations of SAP systems might not have audit logging enabled by default. For best results in evaluating the performance and efficacy of the Microsoft Sentinel solution for SAP applications, enable auditing of your SAP system and configure the audit parameters. If you want to ingest SAP HANA DB logs, make sure to also enable auditing for SAP HANA DB.

+We recommend that you configure auditing for all messages from the audit log, as this data is useful for Microsoft Sentinel detections and in post-compromise investigations and hunting.

+For more information, see the [SAP community](https://community.sap.com/t5/application-development-blog-posts/analysis-and-recommended-settings-of-the-security-audit-log-sm19-rsau/ba-p/13297094) and [Collect SAP HANA audit logs in Microsoft Sentinel](collect-sap-hana-audit-logs.md).

+## Configure support for extra data retrieval (recommended)

+While this step is optional, we recommend that you deploy extra CRs from the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP/CR) to enable the SAP data connector to retrieve the following content information from your SAP system:

+- **DB Table** and **Spool Output** logs

+- **Client IP address information** from the security audit logs (SAP BASIS version 7.5 SP12 and higher only)

+Deploy the relevant CRs according to your SAP version:

+| SAP BASIS versions | Recommended CR |

+| | | |

+| **750 and higher** | *NPLK900202*: [K900202.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/K900202.NPL), [R900202.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/R900202.NPL) <br><br>When deploying this CR any of the following SAP versions, also deploy [2641084 - Standardized read access to data of Security Audit Log](https://launchpad.support.sap.com/#/notes/2641084): <br>- 750 SP04 to SP12<br>- 751 SP00 to SP06<br>- 752 SP00 to SP02 |

+| **740** | *NPLK900201*: [K900201.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/K900201.NPL), [R900201.NPL](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/R900201.NPL) |

+Deploy the CRs on your SAP system as needed just as you'd deploy other CRs. We strongly recommend that deploying SAP CRs is done by an experienced SAP system administrator. For more information, see the [SAP documentation](https://help.sap.com/docs/ABAP_PLATFORM_NEW/4a368c163b08418890a406d413933ba7/e15d9acae75c11d2b451006094b9ea64.html?locale=en-US&version=LATEST).

+For more information, see the [SAP Community](https://community.sap.com/t5/application-development-blog-posts/analysis-and-recommended-settings-of-the-security-audit-log-sm19-rsau/ba-p/13297094) and the [SAP documentation](https://help.sap.com/docs/ABAP_PLATFORM_NEW/4a368c163b08418890a406d413933ba7/e15d9acae75c11d2b451006094b9ea64.html?locale=en-US&version=LATEST).

+## Verify that the PAHI table is updated at regular intervals

+The SAP PAHI table includes data on the history of the SAP system, the database, and SAP parameters. In some cases, the Microsoft Sentinel solution for SAP applications can't monitor the SAP PAHI table at regular intervals, due to missing or faulty configuration. It's important to update the PAHI table and to monitor it frequently, so that the Microsoft Sentinel solution for SAP applications can alert on suspicious actions that might happen at any time throughout the day. For more information, see:

+- [SAP note 12103](https://launchpad.support.sap.com/#/notes/12103)

+- [Monitoring the configuration of static SAP security parameters (Preview)](sap-solution-security-content.md#monitor-the-configuration-of-static-sap-security-parameters-preview)

+> [!TIP]

+> For optimal results, in the *systemconfig.json* file on your data connector agent machine, under the `[ABAP Table Selector](reference-systemconfig-json.md#abap-table-selector)` section, enable both the `PAHI_FULL` and the `PAHI_INCREMENTAL` parameters. For more information, see [Systemconfig.json file reference](reference-systemconfig-json.md#abap-table-selector).

+If the PAHI table is updated regularly, the `SAP_COLLECTOR_FOR_PERFMONITOR` job is scheduled and runs hourly. If the `SAP_COLLECTOR_FOR_PERFMONITOR` job doesn't exist, make sure to configure it as needed. For more information, see the SAP documentation: [Database Collector in Background Processing](https://help.sap.com/doc/saphelp_nw75/7.5.5/en-US/c4/3a735b505211d189550000e829fbbd/frameset.htm) and [Configuring the Data Collector](https://help.sap.com/docs/SAP_NETWEAVER_AS_ABAP_752/3364beced9d145a5ad185c89a1e04658/c43a818c505211d189550000e829fbbd.html)

+## Configure your system to use SNC for secure connections

+By default, the SAP data connector agent connects to an SAP server using a remote function call (RFC) connection and a username and password for authentication.

+However, you might need to make the connection on an encrypted channel or use client certificates for authentication. In these cases, use Smart Network Communications (SNC) from SAP to secure your data connections, as described in this section.

+In a production environment, we strongly recommend that your consult with SAP administrators to create a deployment plan for configuring SNC. For more information, see the [SAP documentation](https://help.sap.com/docs/ABAP_PLATFORM_NEW/e73bba71770e4c0ca5fb2a3c17e8e229/e656f466e99a11d1a5b00000e835363f.html).

+When configuring SNC:

+- If the client certificate was issued by an enterprise certification authority, transfer the issuing CA and root CA certificates to the system where you plan to create the data connector agent.

+- Make sure to also enter the relevant values and use the relevant procedures when [configuring the SAP data connector agent container](deploy-data-connector-agent-container.md).

+## Next step

+> [Connect your SAP system by deploying your data connector agent container](deploy-data-connector-agent-container.md)

+ Title: Prerequisites for deploying Microsoft Sentinel solution for SAP applications

+description: This article lists the prerequisites required for deployment of the Microsoft Sentinel solution for SAP applications.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+# Deployment prerequisites for the Microsoft Sentinel solution for SAP applications

+This article lists the prerequisites required for deployment of the Microsoft Sentinel solution for SAP applications. Reviewing and ensuring that you have or understand all the prerequisites is the first step in deploying the Microsoft Sentinel solution for SAP applications.

+Content in this article is relevant for your **security**, **infrastructure**, and **SAP BASIS** teams.

+## Azure prerequisites

+Typically, Azure prerequisites are managed by your **security** teams.

+| **Access to Microsoft Sentinel** | Make a note of your *workspace ID and *primary key* for your Log Analytics workspace enabled for Microsoft Sentinel.<br>You can find these details in Microsoft Sentinel: from the navigation menu, select **Settings** > **Workspace settings** > **Agents management**. Copy the *Workspace ID* and *Primary key* and paste them aside for use during the deployment process. |Required |

+| **Permissions to create Azure resources** | At a minimum, you must have the necessary permissions to deploy solutions from the Microsoft Sentinel content hub. For more information, see [Prerequisites for deploying Microsoft Sentinel solutions](../sentinel-solutions-deploy.md#prerequisites). |Required |

+| **Permissions to create an Azure key vault or access an existing one** | Use Azure Key Vault to store secrets required to connect to your SAP system. For more information, see [Assign key vault access permissions](deploy-data-connector-agent-container.md#assign-key-vault-access-permissions). |Required if you plan to store the SAP system credentials in Azure Key Vault. <br><br>Optional if you plan to store them in a configuration file. For more information, see [Create a virtual machine and configure access to your credentials](deploy-data-connector-agent-container.md#create-a-virtual-machine-and-configure-access-to-your-credentials).|

+| **Permissions to assign a privileged role to the SAP data connector agent** | Deploying the SAP data connector agent requires that you grant your agent's VM identity with specific permissions to the Microsoft Sentinel workspace, using the **Microsoft Sentinel Business Applications Agent Operator** role. To grant this role, you need **Owner** permissions on the resource group where your Microsoft Sentinel workspace resides. <br><br>For more information, see [Connect your SAP system by deploying your data connector agent container](deploy-data-connector-agent-container.md). | Required. <br> If you don't have **Owner** permissions on the resource group, the relevant step can also be performed by another user who does have the relevant permissions, separately after the agent is fully deployed.|

+## System prerequisites

+Typically, system prerequisites are managed by your **infrastructure** teams. The following system prerequisites are required for deploying the SAP data connector agent container:

+| **System architecture** | The data connector component of the SAP solution is deployed as a Docker container.<br>The container host can be either a physical machine or a virtual machine, can be located either on-premises or in any cloud. <br>The VM hosting the container ***does not*** have to be located in the same Azure subscription as your Microsoft Sentinel workspace, or even in the same Microsoft Entra tenant. |

+| **Supported Linux versions** | The SAP data connector agent is tested with the following Linux distributions:<br>- Ubuntu 18.04 or higher<br>- SLES version 15 or higher<br>- RHEL version 7.7 or higher<br><br>If you have a different operating system, you might need to deploy and configure the container manually. <br><br>For more information, see [Deploy the Microsoft Sentinel for SAP data connector agent container with expert options](sap-solution-deploy-alternate.md) or open a support ticket. |

+| **Managed identity or service principal** | The latest version of the SAP data connector agent requires a [managed identity](/entra/identity/managed-identities-azure-resources/) or [service principal](/entra/identity-platform/app-objects-and-service-principals?tabs=browser) to authenticate to Microsoft Sentinel. <br><br>Legacy agents are supported for updates to the latest version, and then must use a managed identity or service principal to continue updating to subsequent versions. |

+## SAP prerequisites

+We recommend that your **SAP BASIS** team verify and ensure SAP system prerequisites. We strongly recommend that any management of your SAP system is carried out by an experienced SAP system administrator.

+| **SAP system details** | Make a note of the following SAP system details: <br>- SAP system IP address and FQDN hostname<br>- SAP system number, such as `00`<br>- SAP System ID, from the SAP NetWeaver system (for example, `NPL`) <br>- SAP client ID, such as `001` |

+| **SAP NetWeaver instance access** | The SAP data connector agent uses one of the following mechanisms to authenticate to the SAP system: <br>- SAP ABAP user/password<br>- A user with an X.509 certificate. This option requires extra configuration steps. For more information, see [Configure your system to use SNC for secure connections](preparing-sap.md#configure-your-system-to-use-snc-for-secure-connections).|

+| **SAP role requirements** | To allow the SAP data connector to connect to your SAP system, you must create an SAP system role. We recommend creating the required system role by deploying the SAP *NPLK900271* change request (CR). For more information, see [Configure the Microsoft Sentinel role](preparing-sap.md#configure-the-microsoft-sentinel-role).|

+| **Recommended CRs for extra support** | Deploy recommended CRs on your SAP system to retrieve extra details, such as client IP address and extra logs. For more information, see [Configure support for extra data retrieval (recommended)](preparing-sap.md#configure-support-for-extra-data-retrieval-recommended). |

+## Plan your ingestion

+We recommend that you test your systems to determine the number of logs that each of your SAP systems sends to Microsoft Sentinel. Microsoft Sentinel billing depends on log ingestion size, which in turn depends on factors such as system usage, modules deployed, number of users, running use cases, network traffic, and log types.

+For more information, see:

+- [Solution pricing](solution-overview.md#solution-pricing)

+- [Plan costs and understand Microsoft Sentinel pricing and billing](../billing.md)

+- [Reduce costs for Microsoft Sentinel](../billing-reduce-costs.md)

+- [Manage and monitor costs for Microsoft Sentinel](../billing-monitor-costs.md)

+## Next step

+> [Install the Microsoft Sentinel solution for SAP applications](deploy-sap-security-content.md)

+ Title: Kickstart deployment script reference for the Microsoft Sentinel for SAP applications data connector agent

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+# Kickstart deployment script reference for the Microsoft Sentinel for SAP applications data connector agent

+This article provides a reference of the configurable parameters available in the kickstart script used to the deploy the Microsoft Sentinel for SAP applications data connector agent.

+For more information, see [Deploy and configure the container hosting the SAP data connector agent](deploy-data-connector-agent-container.md).

+Content in this article is intended for your **SAP BASIS** teams.

+## Secret storage location

+**Description:** Specifies whether secrets (username, password, log analytics ID, and shared key) should be stored in local configuration file, or in Azure Key Vault. Also controls whether authentication to Azure Key Vault is done using the VM's Azure system-assigned managed identity or a Microsoft Entra registered-application identity.

+## ABAP server connection mode

+**Description:** Defines whether the data collector agent should connect to the ABAP server directly, or through a message server. Use `abap` to have the agent connect directly to the ABAP server, whose name you can define using the `--abapserver` parameter. If you don't define the name ahead of time, the script prompts you for it. Use `mserv` to connect through a message server, in which case you **must** specify the `--messageserverhost`, `--messageserverport`, and `--logongroup` parameters.

+## Configuration folder location

+**Description:** By default kickstart initializes configuration file, metadata location to `/opt/sapcon/<SID>`. To set alternate location of configuration and metadata, use the `--configpath` parameter.

+## ABAP server address

+**Required:** No. If the parameter isn't specified and if the [ABAP server connection mode](#abap-server-connection-mode) parameter is set to `abap`, the script prompts you for the server hostname/IP address.

+**Description:** Used only if the connection mode is set to `abap`, this parameter contains the Fully Qualified Domain Name (FQDN), short name, or IP address of the ABAP server to connect to.

+## System instance number

+**Description:** Specifies the SAP system instance number to connect to.

+## System ID

+**Description:** Specifies the SAP system ID to connect to.

+## Client number

+**Description:** Specifies the client number to connect to.

+## Message Server Host

+**Description:** Specifies the hostname/ip address of the message server to connect to. Can **only** be used if [ABAP server connection mode](#abap-server-connection-mode) is set to `mserv`.

+## Message Server Port

+**Description:** Specifies the service name (port) of the message server to connect to. Can **only** be used if [ABAP server connection mode](#abap-server-connection-mode) is set to `mserv`.

+## Logon group

+**Description:** Specifies the sign-in group to use when connecting to a message server. Can be used **only** if [ABAP server connection mode](#abap-server-connection-mode) is set to `mserv`. If the logon group name contains spaces, they should be passed in double quotes, as in the example `--logongroup "my logon group"`.

+## Logon username

+**Description:** Username used to authenticate to ABAP server.

+## Logon password

+**Description:** Password used to authenticate to ABAP server.

+## NetWeaver SDK file location

+**Description:** NetWeaver SDK file path. A valid SDK is required for the data collector to operate. For more information, see [SAP prerequisites](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#sap-prerequisites).

+## Enterprise Application ID

+**Description:** When Azure Key Vault authentication mode is set to `kvsi`, authentication to key vault is done using an [enterprise application (service principal) identity](deploy-data-connector-agent-container.md?tabs=registered-application#create-a-virtual-machine-and-configure-access-to-your-credentials). This parameter specifies the application ID.

+## Enterprise Application secret

+**Description:** When Azure Key Vault authentication mode is set to `kvsi`, authentication to key vault is done using an [enterprise application (service principal) identity](deploy-data-connector-agent-container.md?tabs=registered-application#create-a-virtual-machine-and-configure-access-to-your-credentials). This parameter specifies the application secret.

+## Tenant ID

+**Description:** When Azure Key Vault authentication mode is set to `kvsi`, authentication to key vault is done using an [enterprise application (service principal) identity](deploy-data-connector-agent-container.md?tabs=registered-application#create-a-virtual-machine-and-configure-access-to-your-credentials). This parameter specifies the Microsoft Entra tenant ID.

+## Key Vault Name

+**Description:** If [Secret storage location](#secret-storage-location) is set to `kvsi` or `kvmi`, the key vault name (in FQDN format) should be entered here.

+## Log Analytics workspace ID

+**Description:** Log Analytics workspace ID where the data collector sends the data to. To locate the workspace ID, locate the Log Analytics workspace in the Azure portal: open Microsoft Sentinel, select **Settings** in the **Configuration** section, select **Workspace settings**, then select **Agents Management**.

+## Log Analytics key

+**Description:** Primary or secondary key of the Log Analytics workspace where the data collector sends the data to. To locate the workspace Primary or Secondary Key, locate the Log Analytics workspace in Azure portal: open Microsoft Sentinel, select **Settings** in the **Configuration** section, select **Workspace settings**, then select **Agents Management**.

+## Use X.509 (SNC) for authentication

+**Description:** Specifies that X.509 authentication is used to connect to ABAP server, rather than username/password authentication. For more information, see [Configure your system to use SNC for secure connections](preparing-sap.md#configure-your-system-to-use-snc-for-secure-connections).

+## SAP Cryptographic library path

+**Description:** Location and filename of SAP Cryptographic library (libsapcrypto.so).

+## SAPGENPSE tool path

+**Description:** Location and filename of the **sapgenpse** tool for creation and management of PSE-files and SSO-credentials.

+## Client certificate public key path

+**Description:** Location and filename of the base-64 client public certificate. If the client certificate is in .pfx format, use `--client-pfx` switch instead.

+## Client certificate private key path

+**Description:** Location and filename of the base-64 client private key. If the client certificate is in .pfx format, use `--client-pfx` switch instead.

+## Issuing/root Certification Authority certificates

+**Description:** If the certificate is self-signed, it has no issuing CA, so there's no trust chain that needs to be validated.

+If the certificate is issued by an enterprise CA, the issuing CA certificate and any higher-level CA certificates need to be validated. Use separate instances of the `--cacert` switch for each CA in the trust chain, and supply the full filenames of the public certificates of the enterprise certificate authorities.

+## Client PFX certificate path

+**Description:** Location and filename of the pfx client certificate.

+## Client PFX certificate password

+**Description:** PFX/P12 file password.

+## Server certificate

+**Description:** ABAP server certificate full path and name.

+## HTTP proxy server URL

+**Description:** Containers that can't establish a connection to Microsoft Azure services directly and require a connection via a proxy server, also require an `--http-proxy` switch to define the proxy URL for the container. The format for the proxy URL is `http://hostname:port`.

+## Host-based networking

+**Description:** If the `hostnetwork` switch is specified, the agent uses a host-based networking configuration. This can solve internal DNS resolution issues in some cases.

+## Confirm all prompts

+**Description:** If the `--confirm-all-prompts` switch is specified, the script doesn't pause for any user confirmations, and only prompts if user input is required. Use the `--confirm-all-prompts` switch for a zero-touch deployment.

+## Use preview build of the container

+**Description:** By default, the container deployment kickstart script deploys the container with the `:latest` tag. Public preview features are published to the `:latest-preview` tag. To have the container deployment script uses the public preview version of the container, specify the `--preview` switch.

+## Related content

+For more information, see:

+- [Troubleshoot your Microsoft Sentinel solution for SAP applications solution deployment](sap-deploy-troubleshoot.md)

+- [Systemconfig.json file reference](reference-systemconfig-json.md)

+ Title: Microsoft Sentinel solution for SAP applications systemconfig.json file reference

+description: Learn about the settings available in Microsoft Sentinel for SAP applications systemconfig.json file.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+# Microsoft Sentinel solution for SAP applications `systemconfig.json` file reference

+The *systemconfig.json* file is used to configure the behavior of the Microsoft Sentinel for SAP applications data connector agent. This article describes the options available in each section of the configuration file.

+Content in this article is intended for your **SAP BASIS** teams.

+> Microsoft Sentinel solution for SAP applications uses the *systemconfig.json* file for agent versions released on or after June 22, 2023. For previous agent versions, you must still use the *[systemconfig.ini file](reference-systemconfig.md)*.

+## Overall file structure

+The following code shows the overall structure of the `systemconfig.json` file:

+The following table describes each overall section in the `systemconfig.json` file:

+| [Secrets source](#secrets-source) | Defines where credentials are stored. |

+| [ABAP central instance](#abap-central-instance) | Defines general options of the SAP instance to connect to. |

+| [Azure credentials](#azure-credentials) | Defines credentials to connect to Azure Log Analytics. |

+| [File extraction ABAP](#file-extraction-abap) | Defines logs and credentials that are extracted from ABAP servers using the SAPControl interface. |

+| [File extraction JAVA](#file-extraction-java) | Defines logs and credentials that are extracted from JAVA servers using the SAPControl interface. |

+| [Logs activation status](#logs-activation-status) | Defines which logs are extracted from ABAP. |

+| [Connector configuration](#connector-configuration) | Defines miscellaneous connector options. |

+| [ABAP table selector](#abap-table-selector) | Defines which user master data logs get extracted from the ABAP system. |

+## Secrets source

+ # DOCKER_FIXED - store in systemconfig.json file. Requires user, passwd, loganalyticswsid and publickey options

+## ABAP central instance

+## Azure credentials

+## File extraction ABAP

+## File extraction JAVA

+## Logs activation status

+## Connector configuration

+## ABAP table selector

+ "PAHI_INCREMENTAL": "<True/False>",

+## Related content

+For more information, see:

+- [Deploy and configure the container hosting the SAP data connector agent](deploy-data-connector-agent-container.md)

+- [Troubleshoot your Microsoft Sentinel solution for SAP applications solution deployment](sap-deploy-troubleshoot.md)

+ Title: Microsoft Sentinel solution for SAP applications systemconfig.ini file reference

+description: Learn about the settings available in Microsoft Sentinel for SAP applications systemconfig.ini file.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+# Microsoft Sentinel solution for SAP applications `systemconfig.ini` file reference

+The *systemconfig.ini* file is used to configure the behavior of the Microsoft Sentinel for SAP applications data connector agent. This article describes the options available in each section of the configuration file.

+Content in this article is intended for your **SAP BASIS** teams.

+> Microsoft Sentinel solution for SAP applications uses the *[systemconfig.json file](reference-systemconfig-json.md)* for agent versions released on or after June 22, 2023. For previous agent versions, you must still use the *systemconfig.ini* file.

+> If you update the agent version, the configuration file is automatically migrated.

+The following table describes each overall section in the `systemconfig.ini` file:

+| [ABAP central instance](#abap-central-instance) | This section defines general options of the SAP instance to connect to. |

+| [ABAP table selector](#abap-table-selector) | This section defines which user master data logs get extracted from the ABAP system. |

+| [Azure credentials](#azure-credentials) | This section defines credentials to connect to Azure Log Analytics. |

+| [Connector configuration](#connector-configuration) | This section defines miscellaneous connector options. |

+| [File extraction ABAP](#file-extraction-abap) | This section defines logs and credentials that are extracted from ABAP server using SAPControl interface. |

+| [File extraction JAVA](#file-extraction-java) | This section defines logs and credentials that are extracted from JAVA server using SAPControl interface. |

+| [Logs activation status](#logs-activation-status) | This section defines which logs are extracted from ABAP. |

+| [Secrets source](#secrets-source) | This section defines where credentials are stored. |

+## ABAP central instance

+```ini

+## ABAP table selector

+```ini

+[ABAP Table Selector]

+# Specify True or False to configure whether table should be collected from the SAP system

+AGR_TCODES_FULL = <True/False>

+USR01_FULL = <True/False>

+USR02_FULL = <True/False>

+USR02_INCREMENTAL = <True/False>

+AGR_1251_FULL = <True/False>

+AGR_USERS_FULL = <True/False>

+AGR_USERS_INCREMENTAL = <True/False>

+AGR_PROF_FULL = <True/False>

+UST04_FULL = <True/False>

+USR21_FULL = <True/False>

+ADR6_FULL = <True/False>

+ADCP_FULL = <True/False>

+USR05_FULL = <True/False>

+USGRP_USER_FULL = <True/False>

+USER_ADDR_FULL = <True/False>

+DEVACCESS_FULL = <True/False>

+AGR_DEFINE_FULL = <True/False>

+AGR_DEFINE_INCREMENTAL = <True/False>

+PAHI_FULL = <True/False>

+AGR_AGRS_FULL = <True/False>

+USRSTAMP_FULL = <True/False>

+USRSTAMP_INCREMENTAL = <True/False>

+SNCSYSACL_FULL = <True/False> (Preview)

+USRACL_FULL = <True/False> (Preview)

+```

+## Azure credentials

+```ini

+## Connector configuration

+```ini

+extractuseremail = <True/False>

+apiretry = <True/False>

+auditlogforcexal = <True/False>

+auditlogforcelegacyfiles = <True/False>

+azure_resource_id = <Azure _ResourceId>

+# Used to force a specific resource group for the SAP tables in Log Analytics, useful for applying RBAC on SAP data

+# example - /subscriptions/1234568-qwer-qwer-qwer-123456789/resourcegroups/RESOURCE_GROUP_NAME/providers/microsoft.compute/virtualmachines/VIRTUAL_MACHINE_NAME

+# for more information - https://learn.microsoft.com/azure/azure-monitor/logs/log-standard-columns#_resourceid.

+timechunk = <value>

+# Default timechunk value is 60 (minutes). For certain tables, the data connector retrieves data from the ABAP server using timechunks (collecting all events that occurred within a certain timestamp). On busy systems this may result in large datasets, so to reduce memory and CPU utilization footprint, consider configuring to a smaller value.

+```

+## File extraction ABAP

+```ini

+## File extraction JAVA

+```ini

+## Logs activation status

+```ini

+## Secrets source

+```ini

+secrets=AZURE_KEY_VAULT|DOCKER_FIXED

+# Storage location of SAP credentials and Log Analytics workspace ID and key

+# AZURE_KEY_VAULT - store in an Azure Key Vault. Requires keyvault option and intprefix option

+# DOCKER_FIXED - store in systemconfig.ini file. Requires user, passwd, loganalyticswsid and publickey options

+keyvault=<vaultname>

+# Azure Keyvault name, in case secrets = AZURE_KEY_VAULT

+intprefix=<prefix>

+# intprefix - Prefix for variables created in Azure Key Vault

+```

+## Related content

+For more information, see:

+- [Deploy and configure the container hosting the SAP data connector agent](deploy-data-connector-agent-container.md)

+- [Troubleshoot your Microsoft Sentinel solution for SAP applications solution deployment](sap-deploy-troubleshoot.md)

+- [Systemconfig.json file reference](reference-systemconfig-json.md)

+ Title: Microsoft Sentinel solution for SAP applications data connector agent update file reference

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+# Microsoft Sentinel solution for SAP applications data connector agent update file reference

+The Microsoft Sentinel SAP data connector agent container users an [update script](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP) to simplify the update process.

+This article describes the configurable parameters available in the update script. For more information, see [Update the Microsoft Sentinel for SAP applications data connector agent](update-sap-data-connector.md).

+Content in this article is intended for your **SAP BASIS** teams.

+## Script process overview

+During a Microsoft Sentinel solution for SAP applications data connector agent update process, the update script takes the following actions:

+1. Identifies any containers running the SAP data collector agent.

+1. Downloads an updated container image from the Azure Container registry.

+1. Copies mounted directory settings and environment variables.

+1. Renames the existing container with an `-OLD` suffix.

+1. Creates a container using the updated image.

+1. Starts the container with an extra `--sapconinstanceupdate` switch that verifies that the updated container can start and connect to the SAP system properly.

+When the container reports a successful start, the script removes the old container. It then recreates the new container to run without the `--sapconinstanceupdate` switch in order to start in normal operation mode and continue to collect data from the SAP system.

+## Confirm all prompts

+**Parameter name:** `--confirm-all-prompts`

+**Explanation:** If the `--confirm-all-prompts` switch is specified, the script doesn't pause for any user confirmations. Use the `--confirm-all-prompts` switch for a zero-touch deployment.

+## Don't perform a container connectivity test

+**Explanation:** By default, the container update script performs a test run of the updated container to verify that it can successfully connect to the SAP system. To skip this test, specify a `--no-testrun` parameter. In such cases, the script recreates the containers using a new image, without validating that the containers can successfully start and connect to SAP.

+Use this switch with caution.

+## Force container update, even if version is the same

+**Explanation:** Update the container, even if the image version used for the existing container is the same as the image available from Microsoft.

+## Perform a selective update

+**Explanation:** By default, the update script updates all containers running Microsoft Sentinel solution for SAP applications.

+To update a single, or multiple containers, specify `--containername <containername>` switch. The switch can be specified multiple times, such as: `--containername sapcon-A4H --containername sapcon-QQ1 --containername sapcon-QAT`. In such cases, only the specified containers are updated. If the specified container name doesn't exist, it's skipped by the script.

+## Specify a custom SDK location

+**Parameter name:** `--sdk`

+**Parameter values:** `<SDK file full path>`

+**Required:** No

+**Explanation:** By default, the update script extracts SDK zip file from an existing container and copies it to the newly created container. If there's a need to update the version of the NetWeaver SDK used together with container update, specify the `--sdk` switch, specifying full path of the SDK.

+## Use the container's preview build

+**Parameter name:** `--preview`

+**Parameter values:** None

+**Required:** No

+**Explanation:** By default, the container update script deploys the container with `:latest` tag. Public preview features are published to `:latest-preview` tag. To have the container update script use the public preview version of the container, specify the `--preview` switch instead.

+## Related content

+For more information, see:

+- [Deploy and configure the container hosting the SAP data connector agent](deploy-data-connector-agent-container.md)

+- [Troubleshoot your Microsoft Sentinel solution for SAP applications solution deployment](sap-deploy-troubleshoot.md)

+- [Systemconfig.json file reference](reference-systemconfig-json.md)

+ Title: Required ABAP authorizations for the Microsoft Sentinel solution for SAP applications

+description: Understand the ABAP authorizations required if you want to manually define roles based on the SAP logs you want to ingest to Microsoft Sentinel and the activities you want to run.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+#Customer intent: As an SAP BASIS team member, I want to manually configure SAP authorizations based on the specific log files that I want to ingest to Microsoft Sentinel.

+# Required ABAP authorizations

+This article lists the ABAP authorizations required to ensure that the SAP user account used by Microsoft Sentinel's SAP data connector can correctly retrieve logs from the SAP systems and [run attack disruption response actions](/defender-xdr/automatic-attack-disruption).

+The required authorizations are listed here by their purpose. You only need the authorizations that are listed for the kinds of logs you want to bring into Microsoft Sentinel and the attack disruption response actions you want to apply.

+> [!TIP]

+> To create a role with all the required authorizations, load the role authorizations from the [**/MSFTSEN/SENTINEL_RESPONDER**](https://aka.ms/SAP_Sentinel_Responder_Role) file.

+>

+> Alternately, to enable only log retrieval, without attack disruption response actions, deploy the SAP *NPLK900271* CR on the SAP system to create the **/MSFTSEN/SENTINEL_CONNECTOR** role, or load the role authorizations from the [**/MSFTSEN/SENTINEL_CONNECTOR**](https://aka.ms/SAP_Sentinel_Connector_Role) file.

+If needed, you can [remove the user role and any optional CR installed on your ABAP system](stop-collection.md#remove-the-user-role-and-any-optional-cr-installed-on-your-abap-system).

+## ABAP application log

+| Authorization object | Field | Value |

+| -- | -- | -- |

+| S_RFC | RFC_NAME | BAPI_XBP_APPL_LOG_CONTENT_GET |

+| S_RFC | RFC_NAME | BAPI_XMI_LOGOFF |

+| S_RFC | RFC_NAME | BAPI_XMI_LOGON |

+| S_RFC | RFC_NAME | BAPI_XMI_SET_AUDITLEVEL |

+| S_TABU_NAM | TABLE | BALHDR |

+| S_XMI_PROD | EXTCOMPANY | Microsoft |

+| S_XMI_PROD | EXTPRODUCT | Azure Sentinel |

+| S_XMI_PROD | INTERFACE | XBP |

+| S_APPL_LOG | ALG_OBJECT | * |

+| S_APPL_LOG | ALG_SUBOBJ | * |

+| S_APPL_LOG | ACTVT | Display |

+## ABAP change documents log

+| Authorization object | Field | Value |

+| -- | -- | -- |

+| S_TABU_NAM | TABLE | CDHDR |

+| S_TABU_NAM | TABLE | CDPOS |

+## ABAP CR log

+| Authorization object | Field | Value |

+| -- | -- | -- |

+| S_RFC | RFC_NAME | CTS_API_READ_CHANGE_REQUEST |

+| S_TABU_NAM | TABLE | E070 |

+| S_TRANSPRT | TTYPE | * |

+| S_TRANSPRT | ACTVT | Display |

+## ABAP DB table data log

+| Authorization object | Field | Value |

+| -- | -- | -- |

+| S_TABU_NAM | TABLE | DBTABLOG |

+| S_TABU_NAM | TABLE | SACF_ALERT |

+| S_TABU_NAM | TABLE | SOUD |

+| S_TABU_NAM | TABLE | USR41 |

+| S_TABU_NAM | TABLE | TMSQAFILTER |

+## ABAP job log

+| Authorization object | Field | Value |

+| -- | -- | -- |

+| S_RFC | RFC_NAME | BAPI_XBP_JOB_JOBLOG_READ |

+| S_RFC | RFC_NAME | BAPI_XMI_LOGOFF |

+| S_RFC | RFC_NAME | BAPI_XMI_LOGON |

+| S_RFC | RFC_NAME | BAPI_XMI_SET_AUDITLEVEL |

+| S_TABU_NAM | TABLE | TBTCO |

+| S_XMI_PROD | EXTCOMPANY | Microsoft |

+| S_XMI_PROD | EXTPRODUCT | Azure Sentinel |

+| S_XMI_PROD | INTERFACE | XBP |

+## ABAP security audit log

+| Authorization object | Field | Value |

+| -- | -- | -- |

+| S_RFC | RFC_NAME | BAPI_USER_GET_DETAIL |

+| S_RFC | RFC_NAME | BAPI_XMI_LOGOFF |

+| S_RFC | RFC_NAME | BAPI_XMI_LOGON |

+| S_RFC | RFC_NAME | BAPI_XMI_SET_AUDITLEVEL |

+| S_RFC | RFC_NAME | BAPI_SYSTEM_MTE_GETMLHIS |

+| S_RFC | RFC_NAME | BAPI_SYSTEM_MTE_GETTREE |

+| S_RFC | RFC_NAME | BAPI_SYSTEM_MTE_GETTIDBYNAME |

+| S_RFC | RFC_NAME | BAPI_SYSTEM_MS_GETLIST |

+| S_RFC | RFC_NAME | BAPI_SYSTEM_MON_GETLIST |

+| S_RFC | RFC_NAME | BAPI_SYSTEM_MON_GETTREE |

+| S_RFC | RFC_NAME | BAPI_SYSTEM_MTE_GETPERFCURVAL |

+| S_RFC | RFC_NAME | BAPI_SYSTEM_MT_GETALERTDATA |

+| S_RFC | RFC_NAME | BAPI_SYSTEM_ALERT_ACKNOWLEDGE |

+| S_ADMI_FCD | S_ADMI_FCD | AUDD (Basis audit display auth.) |

+| S_SAL | SAL_ACTVT | SHOW_LOG (Evaluate the file-based log) |

+| S_USER_GRP | CLASS | SUPER |

+| S_USER_GRP | ACTVT | Display |

+| S_USER_GRP | CLASS | SUPER |

+| S_USER_GRP | ACTVT | Lock |

+| S_XMI_PROD | EXTCOMPANY | Microsoft |

+| S_XMI_PROD | EXTPRODUCT | Azure Sentinel |

+| S_XMI_PROD | INTERFACE | XAL |

+## ABAP spool logs

+| Authorization object | Field | Value |

+| -- | -- | -- |

+| S_TABU_NAM | TABLE | TSP01 |

+| S_ADMI_FCD | S_ADMI_FCD | SPOS (Use of Transaction SP01 (all systems)) |

+## ABAP workflow log

+| Authorization object | Field | Value |

+| -- | -- | -- |

+| S_TABU_NAM | TABLE | SWWLOGHIST |

+| S_TABU_NAM | TABLE | SWWWIHEAD |

+## All logs

+| Authorization object | Field | Value |

+| -- | -- | -- |

+| S_RFC | RFC_TYPE | Function Module |

+| S_RFC | RFC_NAME | /OSP/SYSTEM_TIMEZONE |

+| S_RFC | RFC_NAME | DDIF_FIELDINFO_GET |

+| S_RFC | RFC_NAME | RFCPING |

+| S_RFC | RFC_NAME | RFC_GET_FUNCTION_INTERFACE |

+| S_RFC | RFC_NAME | RFC_READ_TABLE |

+| S_RFC | RFC_NAME | RFC_SYSTEM_INFO |

+| S_RFC | RFC_NAME | SUSR_USER_AUTH_FOR_OBJ_GET |

+| S_RFC | RFC_NAME | TH_SERVER_LIST |

+| S_RFC | ACTVT | Execute |

+| S_TCODE | TCD | SM51 |

+| S_TABU_NAM | ACTVT | Display |

+| S_TABU_NAM | TABLE | T000 |

+## Attack disruption response actions

+<a name=attack-disrupt></a>

+| Authorization object | Field | Value |

+| -- | -- | -- |

+|S_RFC |RFC_TYPE |Function Module |

+|S_RFC |RFC_NAME |BAPI_USER_LOCK |

+|S_RFC |RFC_NAME |BAPI_USER_UNLOCK |

+|S_RFC |RFC_NAME |TH_DELETE_USER <br>In contrast to its name, this function doesn't delete users, but ends the active user session. |

+|S_USER_GRP |CLASS |* <br>We recommend replacing S_USER_GRP CLASS with the relevant classes in your organization that represent dialog users. |

+|S_USER_GRP |ACTVT |03 |

+|S_USER_GRP |ACTVT |05 |

+## Configuration history

+| Authorization object | Field | Value |

+| -- | -- | -- |

+| S_TABU_NAM | TABLE | PAHI |

+## Optional logs, if the Microsoft Sentinel solution CR is implemented

+| Authorization object | Field | Value |

+| -- | -- | -- |

+| S_RFC | RFC_NAME | /MSFTSEN/* |

+## SNC data

+| Authorization object | Field | Value |

+| -- | -- | -- |

+| S_TABU_NAM | TABLE | SNCSYSACL |

+| S_TABU_NAM | TABLE | USRACL |

+## User data

+| Authorization object | Field | Value |

+| -- | -- | -- |

+| S_TABU_NAM | TABLE | ADCP |

+| S_TABU_NAM | TABLE | ADR6 |

+| S_TABU_NAM | TABLE | AGR_1251 |

+| S_TABU_NAM | TABLE | AGR_AGRS |

+| S_TABU_NAM | TABLE | AGR_DEFINE |

+| S_TABU_NAM | TABLE | AGR_FLAGS |

+| S_TABU_NAM | TABLE | AGR_PROF |

+| S_TABU_NAM | TABLE | AGR_TCODES |

+| S_TABU_NAM | TABLE | AGR_USERS |

+| S_TABU_NAM | TABLE | DEVACCESS |

+| S_TABU_NAM | TABLE | USER_ADDR |

+| S_TABU_NAM | TABLE | USGRP_USER |

+| S_TABU_NAM | TABLE | USR01 |

+| S_TABU_NAM | TABLE | USR02 |

+| S_TABU_NAM | TABLE | USR05 |

+| S_TABU_NAM | TABLE | USR21 |

+| S_TABU_NAM | TABLE | USRSTAMP |

+| S_TABU_NAM | TABLE | UST04 |

+## Related content

+For more information, see [Configure your SAP system for the Microsoft Sentinel solution](preparing-sap.md).

+ Title: Check compliance for your SAP security controls with Microsoft Sentinel

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+# Check compliance for your SAP security controls with the SAP - Security Audit Controls workbook

+This article describes how you can use the *SAP - Security Audit Controls* workbook to monitor and track security control framework compliance across your SAP systems, including the following functionality:

+- See recommendations on which analytics rules to enable, and enable them in-place with proper preset configuration.

+- Associate your analytics rules to the SOX or NIST control framework, or apply your own custom control framework.

+- Review incidents and alerts summarized by control, according to the selected control framework.

+- Export relevant incidents for further analysis, for auditing and reporting purposes.

+For example:

+Content in this article is intended for your **security** team.

+## Prerequisites

+Before you can start using the **SAP - Security Audit log and Initial Access** workbook, you must have:

+- The Microsoft Sentinel solution for SAP applications solution installed and a data connector agent deployed. For more information, see [Deploy Microsoft Sentinel solution for SAP applications](deployment-overview.md).

+- The **SAP Audit Controls** workbook installed in your Log Analytics workspace enabled for Microsoft Sentinel. For more information, see and [Visualize and monitor your data by using workbooks in Microsoft Sentinel](../monitor-your-data.md).

+- At least one incident in your workspace, with at least one entry available in the `SecurityIncident` table. This doesn't need to be an SAP incident, and you can generate a demo incident using a basic analytics rule if you don't have another one.

+## View a demo

+View a demonstration of this workbook:

+<br>

+> [!VIDEO https://www.youtube.com/embed/8_2ji5afBqc?si=BfXfeYaJFEuJHZPC]

+For more information, see the [Microsoft Security Community YouTube channel](https://www.youtube.com/@MicrosoftSecurityCommunity):

+## Supported filters

+The **SAP Audit Controls** workbook supports the following filters to help you focus on the data you need:

+|Filter option |Description |

+|||

+|**Subscription** and **Workspace** | Select the workspace whose SAP systems' compliance you wish to audit. This can be a different workspace than where Microsoft Sentinel is deployed. |

+|**Incident creation time** | Select a range from the last four hours to the last 30 days, or a custom range that you determine. |

+|Other incident attributes, including **Status**, **Severity**, **Tactics**, **Owner** | For each of these, select from the available choices, which correspond to the values represented in the incidents in the selected time range. |

+|**System roles** | The SAP system roles, such as *Production*. |

+|**System usage** | The SAP system usage, such as *SAP ERP*. |

+|**Systems** |Select all SAP system IDs, a specific system ID, or multiple system IDs. |

+|**Control framework**, **Control families**, **Control IDs** | Select the control framework by which you want to evaluate your coverage, and the specific controls by which you want to filter the workbook data. |

+## Data retention recommendations

+The **SAP Audit Controls** dashboards provide an aggregated view of incidents and alerts based on the *SecurityAlert* and *SecurityIncident* tables, which, by default, retain 30 days of data.

+Consider extending the retention period for these tables to match your organization's compliance requirements. Regardless of the choice you make for the retention policy of these tables, the incident data is never deleted, though it might not show here. Alert data is kept according to the table's retention policy.

+The actual retention policy of the *SecurityAlert* and *SecurityIncident* tables might well be defined as something other than the default 30 days. See the notice on the blue-shaded background in the workbook, showing the actual time range of data in the tables according to their current retention policy.

+For more information, see [Configure a data retention policy for a table in a Log Analytics workspace](../configure-data-retention.md).

+## Configure tab - create analytics rules from yet-unused templates

+The **Templates ready to be used** table on the **Configure** tab shows the [analytics rule templates](../detect-threats-built-in.md) from the Microsoft Sentinel solution for SAP applications that haven't yet been implemented as active rules. You might need to create these rules to achieve compliance. For example:

+By default, this table is filtered for **SAP**, with **SAP** selected in the **Solution templates to configure** dropdown. Select any or all other solutions from this dropdown to populate the **Templates ready to be used** table further.

+For each row in the table, select **View** for more read-only details about rule configuration.

+The **Recommended configuration** column shows the purpose of the rule: is it meant to create [incidents](../incident-investigation.md) for investigation? Or only to create alerts to be held aside and added to other incidents to be used as evidence in their investigations?

+Select **Activate rule** in the side pane to create an analytics rule from the template, with the recommended configuration already built in. This functionality saves you the trouble of having to guess at the right configuration and [define it manually](../detect-threats-custom.md).

+## Configure tab - View or change security control assignments of your analytics rules

+The **Select a rule to configure** table on the **Configure** tab shows a list of activated analytics rules relevant to SAP. For example:

+In the table, check:

+- The count and graph lines generated by each rule in the **Incidents** and **Alerts** columns. Identical counts suggest that [alert grouping is disabled](../detect-threats-custom.md#alert-grouping).

+- The **Incidents** and **Source** column values to understand whether the rule is [set to create incidents](../detect-threats-custom.md#configure-the-incident-creation-settings) .

+- Whether the **Recommended configuration** for a rule is *As alert only*. If so, consider [turning off the incident creation setting](../detect-threats-custom.md#configure-the-incident-creation-settings) in the rule.

+Select a rule to view a details pane with more information. For example:

+- The upper part of this side panel has recommendations regarding enabling or disabling incident creation in the analytics rule configuration.

+- The next section of the side pane shows which security controls and control families the rule is identified with, for each of the available frameworks.

+ - For the SOX and NIST frameworks, customize the control assignment by choosing a different control or control family from the relevant drop-downs.

+ - For custom frameworks, enter in controls and control families of your choosing in the **MyOrg** text boxes. If you make any changes, select **Save changes**.

+ If a particular analytics rule hasn't been assigned a security control or control family for a given framework, you're prompted to set the controls manually. After you select the controls, select **Save changes**.

+ To see the rest of the details of the selected rule as currently defined, select **Rule overview**.

+The **Monitor** tab contains several graphical representations of various groupings of the incidents in your environment that match the filters at the top of the workbook:

+- A trend line graph, labeled **Incidents trend**, shows the numbers of incidents over time. These incidents are grouped, and represented by different colored lines and shadings, by default according to the control family represented by the rule that generated them. Select alternate groupings for these incidents from the **Detail incidents by** drop-down. For example:

+- The **Incidents hive** graph shows numbers of incidents grouped in two ways. The defaults for the SOX framework are first by **SOX Control family**, which is the *honeycomb* array of cells, and then by **System ID**, which is each cell in the honeycomb. Select different criteria by which to display the groupings, using the **Drill by** and **And then by** selectors.

+Zoom in to the hive graph to make the text large enough to read clearly, and zoom out to see all the groupings together. Drag the whole graph to see different parts of it. For example:

+The **Report** tab contains a list of all the incidents in your environment that match the filters at the top of the workbook.

+## Related content

+For more information, see [Deploy the Microsoft Sentinel solution for SAP applications from the content hub](deploy-sap-security-content.md) and [Microsoft Sentinel solution for SAP applications: security content reference](sap-solution-security-content.md).

+ Title: Microsoft Sentinel solution for SAP applications - SAP -Security Audit log and Initial Access workbook

+description: Learn about the SAP - Security Audit log and Initial Access workbook, used to monitor and track data across your SAP systems.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+# Monitor and track user audit activity across SAP systems

+This article describes the **SAP - Security Audit log and Initial Access** workbook, used for monitoring and tracking user audit activity across your SAP systems. Use the workbook to get a bird's eye view of user audit activity, better secure your SAP systems, and gain quick visibility into suspicious actions. Drill down into suspicious events as needed.

+Use the workbook either for ongoing monitoring of your SAP systems, or to review the systems following a security incident or other suspicious activity.

+For example:

+Content in this article is intended for your **security** team.

+## Prerequisites

+Before you can start using the **SAP - Security Audit log and Initial Access** workbook, you must have:

+- The Microsoft Sentinel solution for SAP applications solution installed and a data connector agent deployed. For more information, see [Deploy Microsoft Sentinel solution for SAP applications](deployment-overview.md).

+- The **SAP - Security Audit log and Initial Access** workbook installed in your Log Analytics workspace enabled for Microsoft Sentinel. For more information, see [Visualize and monitor your data by using workbooks in Microsoft Sentinel](../monitor-your-data.md).

+ > [!IMPORTANT]

+ > The **SAP - Security Audit log and Initial Access** workbook is hosted by the workspace where the Microsoft Sentinel solution for SAP applications were installed. By default, both the SAP and the SOC data is assumed to be on the workspace that hosts the workbook.

+ >

+ > If the SOC data is on a different workspace than the workspace hosting the workbook, make sure to include the subscription for that workspace, and select the SOC workspace from **Azure audit and activity workspace**.

+- At least one incident in your Microsoft Sentinel workspace, with at least one entry available in the `SecurityIncident` table. This doesn't need to be an SAP incident, and you can generate a demo incident using a basic analytics rule if you don't have another one.

+- If your Microsoft Entra data is in a different Log Analytics workspace, make sure you select the relevant subscriptions and workspaces at the top of the workbook, under **Azure audit and activities**.

+## Supported filters

+The **SAP - Security Audit log and Initial Access** workbook supports the following filters to help you focus on the data you need:

+- **Time Range**. From four hours to 90 days.

+- **System Roles**. The SAP system roles, for example: Development.

+- **System Usage**. For example: SAP GTS.

+- **SAP systems**. You can select all systems, a specific system, or select multiple systems.

+If you select systems that aren't configured in the [*SAP systems* watchlist](sap-solution-security-content.md#available-watchlists), the workbook shows an error, specifying the systems with issues. In this case, [configure the watchlist](deployment-solution-configuration.md#configure-watchlists) to correctly include these systems.

+## Logon analysis report data

+The **Logon analysis report** tab on the **SAP - Security Audit log and Initial Access** workbook shows data about sign-in failures, such as anomalous data, Microsoft Entra data, and more.

+The data is based on the [*SAP systems* watchlist](sap-solution-security-content.md#available-watchlists).

+The **Logon analysis report** tab includes the following areas:

+- [Logon analysis](#logon-analysis)

+- [Logon failures - anomaly detection](#logon-failuresanomaly-detection)

+- [Logon failures - trends](#logon-failurestrends)

+### Logon analysis

+The **Logon analysis** area shows regarding user sign-ins. For example:

+The following table describes each metric in the **Logon analysis** area:

+|Area |Description |

+|**Unique user logons per system** |Shows the number of unique signins for each SAP system, and a graph with the sign-in trends over the selected time for each system. <br><br>For example: the 012 system has 1.4-K unique logon attempts in the last 14 days, and in these 14 days the graph shows a relatively rising sign-in trend. |

+|**Logon types trend** |Shows a trend of the number of sign ins according to type, for example, login via dialog. <br><br>Hover over the graph to show the number of logons for different dates.|

+|**Logon failures Vs. success by unique users - trend** |Shows a trend of successful and failed sign ins in the selected period. <br><br>Hover over the graph to show the amount of successful and failed sign ins for different dates.|

+The areas under **Anomaly detection - filtering out noisy failed login attempts** show login failure data for SAP systems and users. To see only data flagged by, select **Anomalous only** next to **Failed logons** on the right.

+For more information, see [Monitor the SAP audit log](sap-solution-security-content.md#monitor-the-sap-audit-log).

+For example:

+The following table describes each metric in the **Anomaly detection** area:

+|Area |Description |

+|||

+| **Logon failure rate** > **Logon failure anomalies** > **Unique User failed logons per SAP system** | Shows the number of unique failed sign ins for each SAP system. |

+|**SAP and Active Directory are better together** | The **Anomalous login failures** table shows a combination of Microsoft Sentinel and Microsoft Entra data, listing users according to risk, with the most risky users at the top. <br><br>For each user, the table shows: <br>- A timeline of failed sign-in attempts<br>- A timeline showing at which point an anomalous failed attempt occurred<br>- The type of anomaly<br>- The user's email address<br>- The Microsoft Entra risk indicator<br>- The number of incidents and alerts in Microsoft Sentinel <br><br> Select a user's row to see a list of related alerts and incidents. Microsoft Entra risk events are listed under **Azure audit and signin risks for user**. |

+|**Logon failure rate per system** | Shows the selected SAP systems, grouped by type, with the number of failures in the selected period. <br><br>The system's color indicates the number of failed attempts: Green for a few suspicious sign-in attempts, and red for more.<br><br>Select a system to see a list of failed sign-ins, with details about the failures. |

+In the following screenshot, note the data shown when the first line is selected in the **Anomalous login failures** table. The specific alerts and incident URLs are shown in the **Incidents/alerts overview for user** table.

+In the following screenshot, the **Azure audit and signin risks for user** table shows data for the sign-in risk related to this user.

+In the following screenshot, note the **Login failure rate per system** area, where the **84e** system under the **Test** group is selected. The **Failed logons for system** area on the right shows failure events for this system.

+The **Logon failures trends** area shows the trends and number of failed sign-ins, grouped by different types of data. For example:

+The following table describes each metric in the **Logon failures trends** area:

+|**Login failure by cause** | Shows the trend of the number of sign-in failures according to failure cause, such as incorrect sign-in data. |

+|**Login failure by type** | Shows the trend of the number of sign-in failures according to type, such as *the sign-in triggered a background job*, or the *sign-in was via HTTP*. |

+|**Login failure by method** | Shows the trend of the number of sign-in failures according to method, such as *SNC* or a *sign-in ticket*. |

+The **Audit log alerts** tab shows data about the SAP Audit log events that the Microsoft Sentinel solution for SAP applications watches. The data is based on the [*SAP_Dynamic_Audit_Log_Monitor_Configuration* watchlist](sap-solution-security-content.md#available-watchlists).

+The **Audit log alerts** tab shows the severity and audit trends for each SAP system and user. All areas in this tab show data flagged by anomaly detection only. For all events, select **All** next to **Failed logons** on the right.

+For more information, see [Monitor the SAP audit log](sap-solution-security-content.md#monitor-the-sap-audit-log).

+For example:

+The following table describes each metric on the **Audit log alerts** tab:

+|Area |Description |

+|||

+|**Alert severity trends per system ID** |Shows a list of systems, with a graph of *Medium* and *High* severity event trends per system. <br><br>For example, the *012* system had many *High* severity events over the entire period, and a few *Medium* severity events, with a spike that shows more *Medium* severity events in the middle of the period. |

+|**Audit trend per user** |Shows a combination of Microsoft Sentinel and Microsoft Entra data, listing users according to risk, with the most risky users at the top. <br><br>For each user the workbook shows the following data: <br>- A timeline of *High* and *Medium* severity events<br>- The user's email address<br>- The Microsoft Entra risk indicator<br>- The number of incidents and alerts in Microsoft Sentinel <br><br> Select a row to see a list of alerts and incidents for that user under **Incidents/alerts overview for user**. <br><br>View Microsoft Entra risk events under **Azure audit and signin risks for user**. |

+|**Risk score per system** | Visually represents each system in a cell shape, showing the risk score for each system and grouping systems by type. <br><br>The system's color indicates the system's risk score: Green for a lower risk score and red for a higher risk score. <br><br>Select a system to see a list of SAP events per system.|

+|**Events by MITRE ATT&CK tactics** |Shows a list of SAP events grouped by MITRE ATT&CK tactics, like *Initial Access* or *Defense Evasion*. <br><br>Hover over the graph to show the number of sign-ins for different dates. |

+|**Events by category** |Shows a list of SAP event trends grouped by category, like *RFC Start* or *Logon*. <br><br>Hover over the graph to show the sign-in number for different dates. |

+|**Events by authorization group** |Shows a list of SAP event trends grouped by the SAP authorization group, like *USER* or *SUPER*.<br><br>Hover over the graph to show the number of sign-ins for different dates. |

+|**Events by user type** |Shows a list of SAP event trends grouped by the SAP user type, like *Dialog* or *System*. <br><br>Hover over the graph to show the number of sign-ins for different dates. |

+In the following screenshot, note the data shown when the first line is selected in the **Audit trends per user** table. The specific alerts and incident URLs are shown in the **Incidents/alerts overview for user** table.

+In the following screenshot, note the **Risk score per system** area, where the **cb7** system under the **UAT** group is selected. The **SAP events for system** area below the system visualization shows the SAP event for this system.

+In the following screenshot, note areas with events and event trends grouped by different types of data: MITRE ATT&CK tactics, SAP authorization group, and user type.

+## Related content

+For more information, see [Deploy the Microsoft Sentinel solution for SAP applications from the content hub](deploy-sap-security-content.md) and [Microsoft Sentinel solution for SAP applications: security content reference](sap-solution-security-content.md).

+ Title: Microsoft Sentinel solution for SAP applications deployment troubleshooting

+description: Learn how to troubleshoot specific issues that might occur in your Microsoft Sentinel solution for SAP applications deployment.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+# Troubleshooting your Microsoft Sentinel solution for SAP applications deployment

+This article includes troubleshooting steps to help you ensure accurate and timely data ingestion and monitoring for your SAP environment with Microsoft Sentinel.

+In this article, we refer to the [**systemconfig.json**](reference-systemconfig-json.md) file, which is used for agent versions released on or after June 22, 2023. If you're using an earlier version of the agent, refer to the [**systemconfig.ini**](reference-systemconfig.md) file instead.

+When troubleshooting your Microsoft Sentinel for SAP data connector, you might find the following commands useful:

+1. On your data collector agent container virtual machine, edit the [**/opt/sapcon/[SID]/systemconfig.json**](reference-systemconfig-json.md) file.

+1. Define the **General** section if it wasn't previously defined. In this section, define `logging_debug = True` to enable debug mode printing, or `logging_debug = False` to disable it.

+ ```json

+The change takes effect approximately two minutes after you save the file. You don't need to restart the Docker container.

+Connector execution logs for your Microsoft Sentinel solution for SAP applications data connector deployment are stored on your VM in **/opt/sapcon/[SID]/log/**. Log filename is **OmniLog.log**. A history of logfiles is kept, suffixed with *.[number]* such as **OmniLog.log.1**, **OmniLog.log.2**, and so on.

+## Review and update the Microsoft Sentinel for SAP agent connector configuration file

+If you [deployed your agent via the portal](deploy-data-connector-agent-container.md#deploy-the-data-connector-agent-from-the-portal-preview), you can continue to maintain and change configuration settings via the portal.

+If you deployed via the command line, or want to make manual updates directly to the configuration file, perform the following steps:

+1. On your VM, open the configuration file: **sapcon/[SID]/systemconfig.json**

+1. Update the configuration if needed, and save the file. For more information, see the [Microsoft Sentinel solution for SAP applications `systemconfig.json` file reference](reference-systemconfig-json.md).

+The change takes effect approximately two minutes after you save the file. You don't need to restart the Docker container.

+After having deployed both the Microsoft Sentinel for SAP data connector and security content, you might experience the following errors or issues:

+This error might occur when the connector fails to boot with PyRfc, or zip-related error messages are shown.

+1. Verify that you're the correct Linux 64-bit version, such as **nwrfc750P_8-70002752.zip**.

+docker cp nwrfc750P_8-70002752.zip /sapcon-app/inst/

+1. Edit the [**/opt/sapcon/[SID]/systemconfig.json**](reference-systemconfig-json.md) file and in the **Connector Configuration** section define `timechunk = 5`.

+ ```json

+1. Save the file.

+The change takes effect approximately two minutes after you save the file. You don't need to restart the Docker container.

+### Incorrect workspace ID or key in key vault

+If you realize that you entered an incorrect workspace ID or key in your deployment script, update the credentials stored in Azure key vault.

+### Incorrect SAP ABAP user credentials in a fixed configuration

+A fixed configuration is when the password is stored directly in the [**systemconfig.json**](reference-systemconfig-json.md) configuration file.

+If your credentials there are incorrect, verify your credentials.

+Use base64 encryption to encrypt the user and password. You can use online encryption tools to do encrypt your credentials, such as https://www.base64encode.org/.

+If you find that you're missing data in your Microsoft Sentinel workbooks or alerts, ensure that the **Auditlog** policy is properly enabled on the SAP side, with no errors in the container log file.

+For more information, see the [SAP documentation](https://community.sap.com/t5/application-development-blog-posts/analysis-and-recommended-settings-of-the-security-audit-log-sm19-rsau/ba-p/13297094) and [Collect SAP HANA audit logs in Microsoft Sentinel](collect-sap-hana-audit-logs.md).

+### Missing IP address or transaction code fields in the SAP audit log

+In SAP systems with versions for SAP BASIS 7.5 SP12 and above, Microsoft Sentinel can reflect extra fields in the `ABAPAuditLog_CL` and `SAPAuditLog` tables.

+If you're using SAP BASIS versions higher than 7.5 SP12 and are missing IP address or transaction code fields in the SAP audit log, verify that the SAP system from which you're extracting the data contains the relevant change requests (transports). For more information, see [Configure support for extra data retrieval (recommended)](preparing-sap.md#configure-support-for-extra-data-retrieval-recommended).

+If you see errors that you're missing a required SAP change request, make sure you've imported the correct SAP change request for your system. For more information, see [SAP prerequisites](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#sap-prerequisites) and [Configure your SAP system for the Microsoft Sentinel solution](preparing-sap.md).

+### No data is showing in the SAP table data log

+In SAP systems with versions for SAP BASIS 7.5 SP12 and above, Microsoft Sentinel can reflect table data log changes in the `ABAPTableDataLog_CL` table.

+If no data is showing in the `ABAPTableDataLog_CL` table, verify that the SAP system from which you're extracting the data contains the relevant change requests (transports). For more information, see [Configure support for extra data retrieval (recommended)](preparing-sap.md#configure-support-for-extra-data-retrieval-recommended).

+The data collector agent relies on time zone information to be correct. If you see that there are no records in the SAP audit and change logs, or if records are constantly a few hours behind, check whether the SAP *TZCUSTHELP* report presents any errors. For more information, see [SAP note 481835](<https://me.sap.com/notes/481835/E>).

+There might also be issues with the clock on the virtual machine where the data collector agent container is hosted, and any deviation from the clock on the VM from UTC impacts data collection. Even more importantly, the clocks on both the SAP system machines and the data collector agent machines must match.

+- Firewalls between the docker container and the SAP hosts might be blocking traffic. The SAP host receives communication via the following TCP ports, which must be open: **32xx**, **5xx13**, and **33xx**, where **xx** is the SAP instance number.

+- Outbound communication from your SAP agent host to Microsoft Container Registry or Azure requires proxy configuration. This typically impacts the installation and requires you to configure the `HTTP_PROXY` and `HTTPS_PROXY` environmental variables. You can also ingest environment variables into the docker container when you create the container, by adding the `-e` flag to the docker `create` / `run` command.

+If you attempt to retrieve an audit log without the [required configurations](preparing-sap.md#configure-sap-auditing) and the process fails with warnings, verify that the SAP Auditlog can be retrieved using one of the following methods:

+- Without any changes made for connecting to the Microsoft Sentinel data connector agent. For more information, see [Configure your SAP system for the Microsoft Sentinel solution](preparing-sap.md).

+While your system should automatically switch to compatibility mode if needed, you might need to switch it manually. To switch to compatibility mode manually:

+1. Edit the [**/opt/sapcon/[SID]/systemconfig.json**](reference-systemconfig-json.md) file.

+ ```json

+1. Save the file.

+The change takes effect approximately two minutes after you save the file. You don't need to restart the Docker container.

+If the SAP audit log data, visible in either the **RSAU_READ_LOAD** or **SM200** transactions, isn't ingested into Microsoft Sentinel past the initial load, you might have a misconfiguration of the SAP system and the SAP host operating system.

+1. Update the SAP system and the SAP host operating system so that they have matching settings, such as the same time zone. For more information, see the [SAP Community Wiki](https://wiki.scn.sap.com/wiki/display/Basis/Time+zone+settings%2C+SAP+vs.+OS+level).

+## Other unexpected issues

+If you have unexpected issues not listed in this article, try the following steps:

+- [Reset the connector and reload your logs](#reset-the-microsoft-sentinel-for-sap-data-connector)

+- [Upgrade the connector](update-sap-data-connector.md) to the latest version.

+> [!TIP]

+> Resetting your connector and ensuring that you have the latest upgrades are also recommended after any major configuration changes.

+## Related content

+Learn more about the Microsoft Sentinel solution for SAP applications:

+- [Deploy Microsoft Sentinel solution for SAP applications](deployment-overview.md)

+- [Prerequisites for deploying Microsoft Sentinel solution for SAP applications](prerequisites-for-deploying-sap-continuous-threat-monitoring.md)

+- [Configure your SAP system for the Microsoft Sentinel solution](preparing-sap.md)

+- [Connect your SAP system by deploying your data connector agent container](deploy-data-connector-agent-container.md)

+- [Microsoft Sentinel solution for SAP applications solution data reference](sap-solution-log-reference.md)

+- [Microsoft Sentinel solution for SAP applications solution: security content reference](sap-solution-security-content.md)

+- [Microsoft Sentinel solution for SAP applications `systemconfig.json` file reference](reference-systemconfig-json.md)

+ Title: Deploy the Microsoft Sentinel for SAP data connector agent container using expert configuration options | Microsoft Docs

+description: Learn how to deploy the Microsoft Sentinel for SAP data connector environments using expert configuration options, such as and on-premises machine and custom, manual configurations.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+# Deploy the Microsoft Sentinel for SAP data connector agent container with expert options

+This article provides procedures for deploying and configuring the Microsoft Sentinel for SAP data connector agent container using expert, custom, or manual configuration options. For typical deployments we recommend that you use the [portal](deploy-data-connector-agent-container.md#deploy-the-data-connector-agent-from-the-portal-preview) instead.

+Content in this article is intended for your **SAP BASIS** teams. For more information, see [Deploy a SAP data connector agent from the command line](deploy-command-line.md).

+- Make sure that your system complies with the prerequisites documented in the main [SAP data connector prerequisites document](prerequisites-for-deploying-sap-continuous-threat-monitoring.md) before you start.

+## Manually add SAP data connector agent Azure Key Vault secrets

+Use the following script to manually add SAP system secrets to your key vault. Make sure to replace the placeholders with your own system ID and the credentials you want to add:

+For more information, see the [Quickstart: Create a key vault using the Azure CLI](/azure/key-vault/general/quick-create-cli) and the [az keyvault secret](/cli/azure/keyvault/secret) CLI documentation.

+**Prerequisites:** Azure Key Vault is the recommended method to store your authentication credentials and configuration data. We recommend that you perform this procedure only after you have a key vault ready with your SAP credentials.

+1. Download the latest SAP NW RFC SDK from the [SAP Launchpad site](https://support.sap.com) > **SAP NW RFC SDK** > **SAP NW RFC SDK 7.50** > **nwrfc750X_X-xxxxxxx.zip**, and save it to your data connector agent machine.

+1. On your same machine, create a new folder with a meaningful name, and copy the SDK zip file into your new folder.

+1. Clone the Microsoft Sentinel solution GitHub repository onto your on-premises machine, and copy Microsoft Sentinel solution for SAP applications solution **systemconfig.json** file into your new folder.

+ wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/template/systemconfig.json

+1. Edit the **systemconfig.json** file as needed, using the embedded comments as a guide.

+ Define the following configurations using the instructions in the **systemconfig.json** file:

+ - The logs that you want to ingest into Microsoft Sentinel using the instructions in the **systemconfig.json** file.

+ For more information, see [Manually configure the Microsoft Sentinel for SAP data connector](#manually-configure-the-microsoft-sentinel-for-sap-data-connector) and [Define the SAP logs that are sent to Microsoft Sentinel](#define-the-sap-logs-that-are-sent-to-microsoft-sentinel).

+ To test your configuration, you might want to add the user and password directly to the **systemconfig.json** configuration file. While we recommend that you use Azure Key vault to store your credentials, you can also use an **env.list** file, [Docker secrets](#manually-configure-the-microsoft-sentinel-for-sap-data-connector), or you can add your credentials directly to the **systemconfig.json** file.

+1. Save your updated **systemconfig.json** file in the **sapcon** directory on your machine.

+ LOGWSID=<SET MICROSOFT SENTINEL WORKSPACE ID>

+ LOGWSPUBLICKEY=<SET MICROSOFT SENTINEL WORKSPACE KEY>

+1. Download and run the predefined Docker image with the SAP data connector installed. Run:

+1. Continue with deploying **Microsoft Sentinel solution for SAP applications**.

+ For more information, see [Deploy the Microsoft Sentinel solution for SAP applications from the content hub](deploy-sap-security-content.md).

+The Microsoft Sentinel for SAP data connector is configured in the **systemconfig.json** file, which you cloned to your SAP data connector machine as part of the [deployment procedure](#perform-an-expert--custom-installation). Use the content in this section to manually configure data connector settings.

+For more information, see [Systemconfig.json file reference](reference-systemconfig-json.md), or [Systemconfig.ini file reference](reference-systemconfig.md) for legacy systems.

+### Define the SAP logs that are sent to Microsoft Sentinel

+The default **systemconfig** file is configured to cover built-in analytics, the SAP user authorization master data tables, with users and privilege information, and the ability to track changes and activities on the SAP landscape. The default configuration provides more logging information to allow for post-breach investigations and extended hunting abilities.

+However you might want to customize your configuration over time, especially as business processes tend to be seasonal.

+Use the following sets of code to configure the **systemconfig.json** file to define the logs that are sent to Microsoft Sentinel.

+For more information, see [Microsoft Sentinel solution for SAP applications solution logs reference (public preview)](sap-solution-log-reference.md).

+#### Configure a default profile

+The following code configures a default configuration:

+#### Configure a detection-focused profile

+Use the following code to configure a detection-focused profile, which includes the core security logs of the SAP landscape required for the most of the analytics rules to perform well. Post-breach investigations and hunting capabilities are limited.

+```python

+##############################################################

+[Logs Activation Status]

+# ABAP RFC Logs - Retrieved by using RFC interface

+ABAPAuditLog = True

+ABAPJobLog = False

+ABAPSpoolLog = False

+ABAPSpoolOutputLog = False

+ABAPChangeDocsLog = True

+ABAPAppLog = False

+ABAPWorkflowLog = False

+ABAPCRLog = True

+ABAPTableDataLog = False

+# ABAP SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login

+ABAPFilesLogs = False

+SysLog = False

+ICM = False

+WP = False

+GW = False

+# Java SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login

+JAVAFilesLogs = False

+[ABAP Table Selector]

+AGR_TCODES_FULL = True

+USR01_FULL = True

+USR02_FULL = True

+USR02_INCREMENTAL = True

+AGR_1251_FULL = True

+AGR_USERS_FULL = True

+AGR_USERS_INCREMENTAL = True

+AGR_PROF_FULL = True

+UST04_FULL = True

+USR21_FULL = True

+ADR6_FULL = True

+ADCP_FULL = True

+USR05_FULL = True

+USGRP_USER_FULL = True

+USER_ADDR_FULL = True

+DEVACCESS_FULL = True

+AGR_DEFINE_FULL = True

+AGR_DEFINE_INCREMENTAL = True

+PAHI_FULL = False

+AGR_AGRS_FULL = True

+USRSTAMP_FULL = True

+USRSTAMP_INCREMENTAL = True

+AGR_FLAGS_FULL = True

+AGR_FLAGS_INCREMENTAL = True

+SNCSYSACL_FULL = False

+USRACL_FULL = False

+```

+Use the following code to configure a minimal profile, which includes the SAP Security Audit Log, which is the most important source of data that the Microsoft Sentinel solution for SAP applications uses to analyze activities on the SAP landscape. Enabling this log is the minimal requirement to provide any security coverage.

+```python

+[Logs Activation Status]

+# ABAP RFC Logs - Retrieved by using RFC interface

+ABAPAuditLog = True

+ABAPJobLog = False

+ABAPSpoolLog = False

+ABAPSpoolOutputLog = False

+ABAPChangeDocsLog = False

+ABAPAppLog = False

+ABAPWorkflowLog = False

+ABAPCRLog = False

+ABAPTableDataLog = False

+# ABAP SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login

+ABAPFilesLogs = False

+SysLog = False

+ICM = False

+WP = False

+GW = False

+# Java SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login

+JAVAFilesLogs = False

+[ABAP Table Selector]

+AGR_TCODES_FULL = False

+USR01_FULL = False

+USR02_FULL = False

+USR02_INCREMENTAL = False

+AGR_1251_FULL = False

+AGR_USERS_FULL = False

+AGR_USERS_INCREMENTAL = False

+AGR_PROF_FULL = False

+UST04_FULL = False

+USR21_FULL = False

+ADR6_FULL = False

+ADCP_FULL = False

+USR05_FULL = False

+USGRP_USER_FULL = False

+USER_ADDR_FULL = False

+DEVACCESS_FULL = False

+AGR_DEFINE_FULL = False

+AGR_DEFINE_INCREMENTAL = False

+PAHI_FULL = False

+AGR_AGRS_FULL = False

+USRSTAMP_FULL = False

+USRSTAMP_INCREMENTAL = False

+AGR_FLAGS_FULL = False

+AGR_FLAGS_INCREMENTAL = False

+SNCSYSACL_FULL = False

+USRACL_FULL = False

+```

+Add the following code to the Microsoft Sentinel for SAP data connector **systemconfig.json** file to define other settings for SAP logs ingested into Microsoft Sentinel.

+|**abapseverity** |Enter the lowest, inclusive, severity level for which you want to ingest ABAP logs into Microsoft Sentinel. Values include: <br><br>- **0** = All logs <br>- **1** = Warning <br>- **2** = Error |

+|**javaseverity** |Enter the lowest, inclusive, severity level for which you want to ingest Web Service logs into Microsoft Sentinel. Values include: <br><br>- **0** = All logs <br>- **1** = Warning <br>- **2** = Error |

+To ingest tables directly from your SAP system with details about your users and role authorizations, configure your **systemconfig.json** file with a `True`/`False` statement for each table.

+For more information, see [Reference of tables retrieved directly from SAP systems](sap-solution-log-reference.md#reference-of-tables-retrieved-directly-from-sap-systems).

+## Related content

+- [Deploy and configure the container hosting the SAP data connector agent](deploy-data-connector-agent-container.md)

+- [Troubleshooting your Microsoft Sentinel solution for SAP applications deployment](sap-deploy-troubleshoot.md)

+ Title: Microsoft Sentinel solution for SAP applications - function reference

+description: Learn about the functions available from the Microsoft Sentinel solution for SAP applications.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+#customer Intent: As a security analyst, I want to understand the functions available in the Microsoft Sentinel solution for SAP applications, so that I can use them in my Kusto queries.

+# Microsoft Sentinel solution for SAP applications - functions reference

+This article describes a selection of functions that are available in your workspace after you install the Microsoft Sentinel solution for SAP applications. Discover more functions by browsing in Microsoft Sentinel and loading the function code.

+Find functions as follows:

+- In the Azure portal, in the **General > Logs** page, on the **Functions** tab, and listed under **Workspace functions**.

+- In the Defender portal, in the **Investigation & response > Advanced hunting** page, on the **Functions** tab, and listed under **Sentinel workspace functions**.

+Content in this article is intended for your **security** teams.

+## Use functions in your queries instead of underlying logs or tables

+We *strongly recommend* that you use the functions listed in this article as the subjects of their analysis whenever possible, instead of the underlying [logs or tables](sap-solution-log-reference.md).

+These functions are intended to serve as the principal user interface to the data. They form the basis for all the built-in analytics rules and workbooks available to you out of the box. Using functions allows for changes to be made to the data infrastructure beneath the functions, without breaking user-created content.

+## SAPUsersAssignments

+The **SAPUsersAssignments** function gathers data from multiple SAP data sources and creates a user-centric view of the current user master data, including the roles and profiles currently assigned.

+This function summarizes the user assignments to roles and profiles, and returns the following data:

+| Field | Description | Data Source/Notes |

+| - | -- | -- |

+| User | SAP user ID | SAL only |

+| Email | SMTP address | USR21 (SMTP_ADDR) |

+| UserType | User type | USR02 (USTYP) |

+| Timezone | Time zone | USR02 (TZONE) |

+| LockedStatus | Lock status | USR02 (UFLAG) |

+| LastSeenDate | Last seen date | USR02 (TRDAT) |

+| LastSeenTime | Last seen time | USR02 (LTIME) |

+| UserGroupAuth | User group in user master maintenance | USR02 (CLASS) |

+| Profiles | Set of profiles (default maximum set size = 50) | `["Profile 1", "Profile 2",...,"profile 50"]` |

+| DirectRoles | Set of Directly assigned roles (default max set size = 50) | `["Role 1", "Role 2",...,"ΓÇ¥"Role 50"]` |

+| ChildRoles | Set of indirectly assigned roles (default max set size = 50) | `["Role 1", "Role 2",...,"ΓÇ¥"Role 50"]` |

+| Client | Client ID | |

+| SystemID | System ID | As defined in the connector |

+## SAPUsersGetPrivileged

+The **SAPUsersGetPrivileged** function returns a list of privileged users per client and system ID.

+Users are considered privileged when they match any of the following descriptions:

+- They're listed in the *SAP - Privileged Users* watchlist

+- They're assigned to a profile listed in *SAP - Sensitive Profiles* watchlist

+- They're added to a role listed in *SAP - Sensitive Roles* watchlist

+**Parameters:**

+|Name |Optional/Required |Default |Description |

+|||||

+| TimeAgo | Optional | Seven days | Determines that the function seeks user master data from the time defined by the `TimeAgo` value until the time defined by the `now()` value.|

+The **SAPUsersGetPrivileged** function returns the following data:

+| Field | Description |

+| -- | -- |

+| User | SAP user ID |

+| Client | Client ID |

+| SystemID | System ID |

+## SAPUsersAuthorizations

+The **SAPUsersAuthorizations** function brings together data from several tables to produce a user-centric view of the current roles and authorizations assigned. Only users with active role and authorization assignments are returned.

+**Parameters:**

+|Name |Optional/Required |Default |Description |

+|||||

+| TimeAgo | Optional | Seven days | Determines that the function seeks user master data from the time defined by the `TimeAgo` value until the time defined by the `now()` value. |

+The **SAPUsersAuthorizations** function returns the following data:

+| Field | Description | Notes |

+| -- | -- | -- |

+| User | SAP user ID | |

+| Roles | Set of roles (default max set size = 50) | `["Role 1", "Role 2",...,"Role 50"]` |

+| AuthorizationsDetails | Set of authorizations (default max set size = 100) | `{{AuthorizationsDeatils1}`,<br>`{AuthorizationsDeatils2}`, <br>...,<br>`{AuthorizationsDeatils100}}` |

+| Client | Client ID | |

+| SystemID | System ID | |

+## SAPConnectorHealth

+The **SAPConnectorHealth** function reflects the status of the agent's and the underlying SAP system's connectivity. Based on the heartbeat log *SAP_HeartBeat_CL* and other health indicators, it returns the following data:

+| Field | Description |

+| | -- |

+| Agent | Agent ID in agent's configuration (automatically generated) |

+| SystemID | SAP system ID |

+| Status | Overall connectivity status |

+| Details | Connectivity details |

+| ExtendedDetails | Connectivity extended details |

+| LastSeen | Timestamp of latest activity |

+| StatusCode | Code reflecting the system's status |

+## SAPConnectorOverview

+The **SAPConnectorOverview** function shows row counts of each SAP table per System ID. It returns a list of data records per system ID, and their time generated.

+**Parameters:**

+|Name |Optional/Required |Default |Description |

+|||||

+|TimeAgo | Optional | Seven days | Determines that the function seeks user master data from the time defined by the `TimeAgo` value until the time defined by the `now()` value. |

+The **SAPConnectorOverview** function returns the following data:

+| Field | Description |

+| | -- |

+| TimeGenerated | A datetime value of the timestamp of the record's generation |

+| SystemID_s | A string representing the SAP system ID |

+Use the following Kusto query to perform a daily trend analysis:

+```kusto

+SAPConnectorOverview(7d)

+| summarize count() by bin(TimeGenerated, 1d), SystemID_s

+```

+## SAPUsersEmail

+The **SAPUsersEmail** function allows for a performance oriented lookup of an SAP user's email address per SAP system and client, normally used to associate it with an active directory account.

+The **SAPUsersEmail** function uses data extracted from SAP tables USR21 (User Name/Address Key Assignment) and ADR6 (E-Mail Addresses) to look for an email address. In case no email address is found, the user ID is returned instead.

+This behavior ensures that SAP service accounts such as DDIC, which often aren't associated with an email addresses, are logged as pseudo AD accounts. This also opens up some UEBA features, aiding in the investigation of incidents and hunting activities.

+The **SAPUsersEmail** function returns the following data:

+| Field | Description |

+| | -- |

+| ClientID | The SAP client ID |

+| SystemID | The SAP system ID |

+| User | The SAP user ID |

+| Email | The email address of the SAP user |

+## SAPSystems

+The **SAPSystems** function is used to centrally present the per-system configuration made using the *SAP - Systems* watchlist.

+**Parameters:**

+|Name |Optional/Required |Default |Description |

+|||||

+| SelectedSystems | Optional | `All Systems` | Used to filter specific SAP systems |

+| SelectedSystemRoles | Optional | `All System Roles` | Determines the roles of the SAP Systems to be looked at, as defined in the *SAP - Systems* watchlist|

+The **SAPSystems** function returns the following data:

+| Field | Description | Data Source/Notes |

+| - | - | -|

+| SearchKey | Search key | Indexed field for SAP system ID |

+| SystemRole | The SAP system's role | Production, UAT |

+| SystemUsage | The main usage of the SAP system | ERP, CRM |

+| SystemID | The SAP system ID | |

+## SAPAuditLogConfiguration

+The **SAPAuditLogConfiguration** function returns the local configuration of the SAP audit log alerts to the Log Analytics workspace enabled for Microsoft Sentinel. This configuration is used for SAP audit log-related alerts.

+The **SAPAuditLogConfiguration** function joins the data in the *SAP Dynamic Audit Log Monitor Configuration* and *SAP - Systems* watchlists to provide a per-system configuration at a per-system-role effort.

+**Parameters:**

+|Name |Optional/Required |Default |Description |

+|||||

+|SelectedSystems |Optional | `All Systems`| Used to filter specific SAP systems to look at.|

+| SelectedSystemRoles| Optional|`All System Roles` |Determines the roles of the SAP Systems to be looked at (as defined in the *SAP - Systems* watchlist). |

+| SelectedSeverities|Optional |[`High`, `Medium`] |Used to determine events to be looked at in terms of their severities. Severities per SAP audit log message ID and system role are defined in the *SAP_Dynamic_Audit_Log_Monitor_Configuration* watchlist. |

+| SelectedRuleTypes| Optional| `All RuleTypes`|Determines which events are relevant for detecting the anomalies on. Rule types per SAP audit log message ID and system role are defined in the *SAP_Dynamic_Audit_Log_Monitor_Configuration* watchlist. |

+The **SAPAuditLogConfiguration** function returns the following data:

+| Field | Description | Data Source/Notes |

+| - | - | - |

+| CategoryName | SAP given event category | *SAP Dynamic Audit Log Monitor Configuration* watchlist |

+| DestinationEmail | Email address of the Assigned Team | *SAP Dynamic Audit Log Monitor Configuration* watchlist |

+| DetailedDescription | A markdown formatted text to be displayed on alerts | *SAP Dynamic Audit Log Monitor Configuration* watchlist |

+| MessageID | The SAP audit log message ID | *SAP Dynamic Audit Log Monitor Configuration* watchlist |

+| MessageText | A sample message text | *SAP Dynamic Audit Log Monitor Configuration* watchlist |

+| RolesTagsToExclude | an ABAP Role, Profile, or free text tag | *SAP Dynamic Audit Log Monitor Configuration* watchlist |

+| RuleType | Anomaly or deterministic | *SAP Dynamic Audit Log Monitor Configuration* watchlist |

+| Tactics | The MITRE ATTA&CK tactic | *SAP Dynamic Audit Log Monitor Configuration* watchlist |

+| TeamsChannelID | Teams Channel | *SAP Dynamic Audit Log Monitor Configuration* watchlist |

+| SystemID | The SAP system ID | *SAP - Systems* watchlist |

+| SystemRole | The SAP System's Role | *SAP - Systems* watchlist |

+| SystemUsage | The main usage of the SAP system | *SAP - Systems* watchlist |

+| IsProd | Production system flag | *SAP - Systems* watchlist |

+| Severity | The derived severity | Severity per system usage |

+| Threshold | The derived threshold | Event count per system usage |

+| BagOfDetails | Bag of Details | A dictionary detailing the event definition |

+For more information, see [Available watchlists](sap-solution-security-content.md#available-watchlists).

+## SAPAuditLogAnomalies

+The **SAPAuditLogAnomalies** function uses Microsoft Sentinel's underlying Kusto database's built-in machine learning capabilities to help detect anomalous events observed on the SAP audit log.

+The **SAPAuditLogAnomalies** function was developed for the *SAP - (Experimental) Dynamic Anomaly based Audit Log Monitor Alerts* analytics rule. While its original design is to alert on recent anomalies, it can also help to highlight historical anomalies. For more information, see [Sample uses](#sample).

+The **SAPAuditLogAnomalies** function learns the slice of the history defined by the different input parameters, at the following levels:

+- User

+- Network attributes

+- System

+- Seasonality

+- Activity levels

+The **SAPAuditLogAnomalies** function then judges events occurring within the last `DetectingTime` timespan according to what it learned, applying thresholds and other configurable exclusion criteria obtained from the SAP audit log configuration watchlist.

+Once a sliding window of user activity is deemed anomalous, a second query returns the entire user activity as evidence supporting the decision.

+**Parameters:**

+| Name | Optional/Required | Default | Description |

+| - | -- | - | -- |

+| LearningTime | Optional | 14 days | Determines the timespan used for the model learning. |

+| DetectingTime | Optional | One hour | Determines the timespan to be looked at for detecting anomalies. Calling this function with `DetectingTime = 0h` highlights anomalies across the entire `LearningTime` timespan. |

+| SelectedSystems | Optional | `All Systems` | Used to filter specific SAP systems to look at. |

+| SelectedSystemRoles | Optional | `All System Roles` | Determines the roles of the SAP Systems to be looked at, as defined in the *SAP - Systems* watchlist |

+| SelectedSeverities | Optional | [`High`, `Medium`] | Used to determine events to be looked at in terms of their severities. Severities per SAP audit log message ID and system role are defined in the *SAP_Dynamic_Audit_Log_Monitor_Configuration* watchlist. |

+| SelectedPrefixMask | Optional | 24 | Used to determine the subnet mask level used for learning and detecting. |

+| SelectedRuleTypes | Optional | `AnomaliesOnly` | Determines what events are relevant for detecting the anomalies on. Rule types per SAP audit log message ID and system role are defined in the *SAP_Dynamic_Audit_Log_Monitor_Configuration* watchlist. |

+The **SAPAuditLogAnomalies** function returns the following data:

+| Field | Description |

+| | -- |

+| **Multiple fields from SAPAuditLog** | Key fields from the SAP Audit log |

+| **Multiple fields from SAPAuditLogConfiguration** | Key fields from the Microsoft Sentinel for SAP audit log configuration |

+| DiscoveredOn | The rounded hour on which the anomaly was observed on |

+| EventCount | Number of events counted per row returned|

+| AnomalCount | Number of events observed within relevant sliding window|

+| MinTime | Time of first event observed |

+| MaxTime | Time of last event observed|

+| Score | the anomaly scores as produced by the anomaly model|

+**Recommendations**:

+As with any machine learning solution, the **SAPAuditLogAnomalies** function performs better with time, and can be adjusted as needed as time goes on.

+We recommend restricting the size of the learned database to be under 100 million records using the many available input parameters.

+<a name="sample"></a>**Sample uses include**:

+- To search for anomalies for events of high severity that occurred within the past hour on production systems for event types that are marked as *AnomaliesOnly* in the *SAP_Dynamic_Audit_Log_Monitor_Configuration* watchlist, run:

+ ```kusto

+ SAPAuditLogAnomalies(LearningTime = 14d, DetectingTime=1h, SelectedSystemRoles= dynamic(["Production"]),

+ SelectedSeverities= dynamic(["High"]), SelectedRuleTypes= dynamic(["AnomaliesOnly"]))

+ ```

+- To search for all anomalies in the last 14 days in the *BIP* system, run:

+ ```kusto

+ SAPAuditLogAnomalies(LearningTime = 14d, DetectingTime=0h, SelectedSystems= dynamic(["BIP"]))

+ ```

+For more information, see [Built-in SAP analytics rules for monitoring the SAP audit log](sap-solution-security-content.md#monitor-the-sap-audit-log) and [Anomaly detection on the SAP audit log using the Microsoft Sentinel for SAP solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/anomaly-detection-on-the-sap-audit-log-using-the-microsoft/ba-p/3418709) (blog).

+## SAPAuditLogConfigRecommend

+The **SAPAuditLogConfigRecommend** is a helper function designed to offer recommendations for the configuration of the [SAP - Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW)](sap-solution-security-content.md#monitor-the-sap-audit-log) analytics rule.

+For more information, see [Monitor the SAP audit log](sap-solution-security-content.md#monitor-the-sap-audit-log).

+## SAPUsersGetVIP

+The [Microsoft Sentinel solution for SAP applications](solution-overview.md) uses a concept of central user tagging and explicit exclusions, designed to help you lower false positives with minimal effort.

+Use the **SAPUsersGetVIP** function to exclude users from triggering alerts by specifying SAP user roles, SAP user functions, or tags that represent those users. For more information, see [Handle false positives in Microsoft Sentinel](../false-positives.md#example-manage-exceptions-for-the-microsoft-sentinel-solution-for-sap-applications).

+Tags specified as input for the **SAPUsersGetVIP** function exclude all users with a tag listed in the *SAP_User_Config* watchlist. The same functionality is extended to work with wildcards, allowing you to assign a single tag to a group of users with the same naming syntax.

+1. Tag users in the *SAP_User_Config* watchlist as follows:

+ - Add multiple tags to each user in the *SAP_User_Config* watchlist, as needed to cover various scenarios. Each alert rule has its own relevant tags, if any, and you can add custom tags as needed.

+ - Use an asterisk (*) as a wildcard to include users with a specific naming syntax template.

+1. Add the **SAPUsersGetVIP** function in your analytics rules to request the lists of users you've defined to be excluded from alerts. In the function call, add an array with the tags, SAP roles, and SAP profiles that you'd like to exclude.

+For example, use the following KQL query in your analytics rule to exclude any users configured with the *RunObsoleteProgOK* tag in the *SAP_User_Config* watchlist, or any users with the sample *SAP_BASIS_ADMIN_ROLE* role or the sample *SAP_ADMIN_PROFILE* profile.

+When copying this sample function call, replace *SAP_BASIS_ADMIN_ROLE* role and *SAP_ADMIN_PROFILE* profile with your own SAP roles or profiles as needed.

+For example:

+```kusto

+// Execution of Obsolete/Insecure Program

+let ObsoletePrograms = _GetWatchlist("SAP - Obsolete Programs");

+// here you can exclude system users which are OK to run obsolete/ sensitive programs

+// by adding those users in the SAP_User_Config watchlist with a tag of 'RunObsoleteProgOK'

+// can also specify SAP roles or SAP profiles that group the users you would like to exclude

+let excludeUsersTagsRolesProfiles= dynamic(["RunObsoleteProgOK","SAP_BASIS_ADMIN_ROLE", "SAP_ADMIN_PROFILE"]);

+let excludedUsers= SAPUsersGetVIP(SearchForTags= excludeUsersTagsRolesProfiles)| summarize by User2Exclude=SAPUser;

+// Query logic

+SAPAuditLog

+| where MessageID == 'AUW'

+| where ABAPProgramName in (ObsoletePrograms) // The program is obsolete

+| join kind=leftantisemi excludedUsers on $left.User == $right.User2Exclude

+```

+The **SAPUsersGetVIP** function is commonly used in *Deterministic and Anomalous Audit Log Monitor* alerts. Associate a tag with an SAP audit log message ID, or extend the rule template to a custom rule that matches your organization's needs.

+> [!TIP]

+> We recommend that contacting your SAP system admin to understand which SAP users, roles, and profiles to include in your *SAP_User_Config* watchlist.

+>

+**Parameters:**

+|Name |Optional/Required |Default |Description |

+|||||

+|**SearchForTags** | Optional | `dynamic('All Tags')` | When `SearchForTags` equals `All Tags`, all users are returned along with their tags. <br><br>Otherwise, only users bearing the tags, SAP roles, or SAP profiles specified in `SearchForTags` are returned. `TagsIntersect` shows the tags that are found, and `IntersectionSize` holds the number of tags that are found. |

+|**SpecialFocusTags** | Optional | `Do not return any in-focus users` | Returns all users bearing the tags specified in `SpecialFocusTags`, and marked those with `specialFocusTagged = true`. |

+The **SAPUsersGetVIP** function returns the following output:

+| Source | Field | Description | Notes |

+| - | - | - | - |

+| The *SAP_User_Config* watchlist | `SearchKey` | Search key | |

+| The *SAP_User_Config* watchlist | `SAPUser` | The SAP user | OSS, DDIC |

+| The *SAP_User_Config* watchlist | `Tags` | String of tags assigned to user | `RunObsoleteProgOK` |

+| The *SAP_User_Config* watchlist | User's Microsoft Entra object ID | Microsoft Entra object ID | |

+| The *SAP_User_Config* watchlist | User identifier | Azure Directory user identifier | |

+| The *SAP_User_Config* watchlist | User on-premises SID | | |

+| The *SAP_User_Config* watchlist | User principal name | | |

+| The *SAP_User_Config* watchlist | `TagsList` | A list of tags assigned to user | `ChangeUserMasterDataOK`;`RunObsoleteProgOK` |

+| Logic | TagsIntersect | A set of tags that matched `SearchForTags` | ["ChangeUserMasterDataOK","RunObsoleteProgOK"] |

+| Logic | SpecialFocusTagged | Special focus indication | `True`, `False` |

+| Logic | IntersectionSize | The number of intersected tags | |

+## SAPUsersHeader

+The **SAPUsersHeader** function is designed to provide a high-level view of the SAP user. It uses data extracted from both the SAP user master data tables and recent activity on the SAP audit log to gather email and IP addresses. It then returns last known email and IP addresses along with primary email and IP addresses.

+**Parameters:**

+| Name | Optional/Required | Default | Description |

+| - | -- | - | -- |

+| SelectedSystems | Optional | `All Systems` | Used to filter specific SAP systems to look at |

+| SelectedSystemRoles | Optional | `All System Roles` | Determines the roles of the SAP Systems to be looked at, as defined in the *SAP - Systems* watchlist. |

+| SelectedUsers | Optional | `All Users` | Can input lists of users. |

+| SelectedUser | Optional | `All Users` | Accepts a single user only. |

+For example:

+```kusto

+SelectedSystemRoles:dynamic = dynamic(["All System Roles"]) SelectedSystems:dynamic = dynamic(["All Systems"]) SelectedUsers:dynamic = dynamic(["All Users"]) SelectedUser:string = "All Users"

+```

+> [!TIP]

+> For performance considerations, only a few days of audit activity are considered.

+> For a full history of user activity, run a custom KQL query against the *SAPAuditLog* function.

+>

+The **SAPUsersHeader** function returns the following output:

+| Source | Field | Description | Notes |

+| - | - | - | - |

+| | User | The SAP user | |

+| SAP tables ADR6 and USR21 | Email | Taken from user's master data | OSS, DDIC |

+| SAP table USR02 | UserType | String of tags assigned to user | `RunObsoleteProgOK` |

+| SAP table USR02 | Timezone | Microsoft Entra object ID | |

+| SAP table USR02 | LockedStatus | Azure Directory user identifier | |

+| SAP audit log | LastSeen | A timestamp | Last audit event observed for the user |

+| SAP audit log | LastSeenDaysAgo | Days passed since `LastSeen` | |

+| SAP audit log | PrimaryIP | Most frequently used IP address | `ChangeUserMasterDataOK`;`RunObsoleteProgOK` |

+| SAP audit log | LastKnownIP | Most recently used IP address | ["ChangeUserMasterDataOK","RunObsoleteProgOK"] |

+| SAP audit log | PrimaryEmail | Most frequently used email address | `True`, `False` |

+| SAP audit log | KnownIPs | List of known IP addresses | Sorted by most frequent first |

+| SAP audit log | KnownEmails | List of known email addresses | Sorted by most frequent first |

+| | Client | The SAP client ID | |

+| | SystemID | The SAP system ID | |

+| | SystemRole | The SAP system's role | Production, UAT |

+| | SystemUsage | The main usage of the SAP system | ERP, CRM |

+## Related content

+For more information, see:

+- [Functions in Azure Monitor log queries](/azure/azure-monitor/logs/functions)

+- [Log and table reference for the Microsoft Sentinel solution for SAP applications](sap-solution-log-reference.md)

+ Title: Log and table reference for the Microsoft Sentinel solution for SAP applications

+description: Learn about the SAP logs, tables, and functions available from the Microsoft Sentinel solution for SAP applications.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+# Log and table reference for the Microsoft Sentinel solution for SAP applications

+This article describes the logs and tables available as part of the Microsoft Sentinel solution for SAP applications and its data connector.

+Some logs, noted in this article, aren't sent to Microsoft Sentinel by default, but you can manually add them as needed. For more information, see [Define the SAP logs that are sent to Microsoft Sentinel](sap-solution-deploy-alternate.md#define-the-sap-logs-that-are-sent-to-microsoft-sentinel)

+Content in this article is intended for your **SAP BASIS** teams.

+> [!IMPORTANT]

+> Some components of the Microsoft Sentinel Threat Monitoring for SAP solution are currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+>

+## Use functions in your queries instead of underlying logs or tables

+We *strongly recommend* that you use available functions as the subjects of their analysis whenever possible, instead of the underlying logs or tables.

+[Functions](/azure/azure-monitor/logs/functions) provided with the Microsoft Sentinel solution for SAP applications are intended to serve as the principal user interface to the data. They form the basis for all the built-in analytics rules and workbooks available to you out of the box. Using functions allows for changes to be made to the data infrastructure beneath the functions, without breaking user-created content.

+For more information, see [Microsoft Sentinel solution for SAP applications - functions reference](sap-solution-function-reference.md) and [Functions in Azure Monitor log queries](/azure/azure-monitor/logs/functions).

+## Log coverage

+The Microsoft Sentinel solution for SAP applications collects logs from the application, OS, and data layers, providing comprehensive protection for your SAP system:

+- **Application layer**: Microsoft Sentinel monitors activities within the ABAP layer, which is the primary application layer in SAP systems, responsible for executing business logic and processing transactions. For example, Microsoft Sentinel collects logs that include user actions like sign-ins, password changes, and access to reports or files.

+ In addition to security monitoring, logs collected at the application layer can also be used for compliance and auditing purposes.

+- **OS layer**: Microsoft Sentinel gathers logs from the operating system to provide insights into OS-level activities, such as from the ABAP server and the virtual machines on which the SAP applications are running.

+ Use the Microsoft Sentinel solution for SAP applications together with security content and data connectors for your other services for comprehensive and central monitoring, correlating information across all your systems and enhancing your overall security posture.

+- **Database layer**: Ingest database logs into Microsoft Sentinel to monitor database activities, such as database administration activities and changes to table data. The Microsoft Sentinel solution for SAP applications is database-agnostic.

+All logs collected by the data connector agent are stored first on the data collector agent machine, at `/opt/sapcon/<sid>/log` folder in the container instance. The logs are then forwarded to your Log Analytics workspace, where you can view, audit, and query them from Microsoft Sentinel.

+Audit logs are collected and ingested every minute, while other logs might be ingested less frequently. Microsoft Sentinel also monitors the data connector agent heartbeat to ensure that logs are being collected and sent to the Log Analytics workspace.

+## Log reference

+The following sections describe the SAP logs available from the Microsoft Sentinel solution for SAP applications data connector, including the table names in Microsoft Sentinel, the log purposes, and detailed log schemas.

+Schema field descriptions are based on the field descriptions in the relevant [SAP documentation](https://help.sap.com/).

+To have this log sent to Microsoft Sentinel, you must [add it manually to the **systemconfig.json** file](sap-solution-deploy-alternate.md#define-the-sap-logs-that-are-sent-to-microsoft-sentinel).

+To have this log sent to Microsoft Sentinel, you must [add it manually to the **systemconfig.json** file](sap-solution-deploy-alternate.md#define-the-sap-logs-that-are-sent-to-microsoft-sentinel).

+- **Log purpose**: Monitors Gateway activities. Available by the SAP Control web service. This log is generated with data across all clients.

+#### ABAPOS_GW_CL log schema

+To have this log sent to Microsoft Sentinel, you must [add it manually to the **systemconfig.json** file](sap-solution-deploy-alternate.md#define-the-sap-logs-that-are-sent-to-microsoft-sentinel).

+ Available by the SAP Control web service. This log is generated with data across all clients.

+- **Log purpose**: Serves as the main log for SAP printing with the history of spool requests. (SP01).

+To have this log sent to Microsoft Sentinel, you must [add it manually to the **systemconfig.json** file](sap-solution-deploy-alternate.md#define-the-sap-logs-that-are-sent-to-microsoft-sentinel).

+ Available by the SAP Control web service. This log is generated with data across all clients.

+ For example, unmapped business processes might be simple release or approval procedures, or more complex business processes such as creating base material and then coordinating the associated departments.

+| SimpleContainer | Simple container, packed as a list of key-value entities for the work item |

+To have this log sent to Microsoft Sentinel, you must [add it manually to the **systemconfig.json** file](sap-solution-deploy-alternate.md#define-the-sap-logs-that-are-sent-to-microsoft-sentinel).

+ Available by the SAP Control web service. This log is generated with data across all clients.

+Collecting the HANA DB Audit Trail log is an example of how Microsoft Sentinel collects database layer activities. To have this log sent to Microsoft Sentinel, you must [deploy Azure Monitor Agent](../connect-cef-syslog-ama.md) to gather Syslog data from the machine running HANA DB.

+ Available by the Microsoft Sentinel Linux Agent for Syslog. This log is generated with data across all clients.

+To have this log sent to Microsoft Sentinel, you must [add it manually to the **systemconfig.json** file](sap-solution-deploy-alternate.md#define-the-sap-logs-that-are-sent-to-microsoft-sentinel).

+ Available by the SAP Control web service. This log is generated with data across all clients.

+| LogName | Java logName, such as: `Available`, `defaulttrace`, `dev*`, `security`, and so on |

+| system_id_s | Netweaver ABAP System ID /<br>Netweaver SAPControl Host (preview) /<br>Java SAPControl host (preview) |

+## Reference of tables retrieved directly from SAP systems

+This section lists the data tables that are retrieved directly from the SAP system and ingested into Microsoft Sentinel exactly as they are.

+To have the data from these tables ingested into Microsoft Sentinel, configure the relevant settings in the **systemconfig.json** file. For more information, see [Configuring user master data collection](sap-solution-deploy-alternate.md#configuring-user-master-data-collection).

+For best results, refer to these tables using the name in the **Microsoft Sentinel function name** column in the following table:

+| Table name | Table description | Microsoft Sentinel function name |

+| USR02 | Sign-in data (kernel-side use) | SAP_USR02 |

+| USR21 | User name / Address key assignment | SAP_USR21 |

+| ADCP | Person / Address assignment (business address services) | SAP_ADCP |

+## Related content

+- [Deploy the Microsoft Sentinel solution for SAP applications](deployment-overview.md)

+- [Microsoft Sentinel solution for SAP applications: built-in security content](sap-solution-security-content.md)

+- [Troubleshooting your Microsoft Sentinel solution for SAP applications deployment](sap-deploy-troubleshoot.md)

+ Title: Microsoft Sentinel solution for SAP applications - security content reference

+description: Learn about the built-in security content provided by the Microsoft Sentinel solution for SAP applications.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+# Microsoft Sentinel solution for SAP applications: security content reference

+> While the Microsoft Sentinel solution for SAP applications is in GA, some specific components remain in PREVIEW. This article indicates the components that are in preview in the relevant sections below. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+Content in this article is intended for your **security** team.

+Use the following built-in workbooks to visualize and monitor data ingested via the SAP data connector. After you deploy the SAP solution, you can find SAP workbooks in the **Templates** tab.

+| <a name="sapsystem-applications-and-products-workbook"></a>**[SAP - Audit Log Browser](sap-audit-log-workbook.md)** | Displays data such as: <br><br>- General system health, including user sign-ins over time, events ingested by the system, message classes and IDs, and ABAP programs run <br>-Severities of events occurring in your system <br>- Authentication and authorization events occurring in your system |Uses data from the following log: <br><br>[ABAPAuditLog_CL](sap-solution-log-reference.md#abap-security-audit-log) |

+For more information, see [Tutorial: Visualize and monitor your data](../monitor-your-data.md) and [Deploy Microsoft Sentinel solution for SAP applications](deployment-overview.md).

+This section describes a selection of [built-in analytics rules](deploy-sap-security-content.md) provided together with the Microsoft Sentinel solution for SAP applications. For the most recent updates, check the Microsoft Sentinel content hub for new and updated rules.

+### Monitor the configuration of static SAP security parameters (Preview)

+To secure the SAP system, SAP has identified security-related parameters that need to be monitored for changes. With the "SAP - (Preview) Sensitive Static Parameter has Changed" rule, the Microsoft Sentinel solution for SAP applications tracks [over 52 static security-related parameters](sap-suspicious-configuration-security-parameters.md) in the SAP system, which are built into Microsoft Sentinel.

+> For the Microsoft Sentinel solution for SAP applications to successfully monitor the SAP security parameters, the solution needs to successfully monitor the SAP PAHI table at regular intervals. For more information, see [Verify that the PAHI table is updated at regular intervals](preparing-sap.md#verify-that-the-pahi-table-is-updated-at-regular-intervals).

+To understand parameter changes in the system, the Microsoft Sentinel solution for SAP applications uses the parameter history table, which records changes made to system parameters every hour.

+The parameters are also reflected in the [SAPSystemParameters watchlist](#systemparameters). This watchlist allows users to add new parameters, disable existing parameters, and modify the values and severities per parameter and system role in production or nonproduction environments.

+Review the [list of parameters](sap-suspicious-configuration-security-parameters.md) that this rule monitors.

+### Monitor the SAP audit log

+Many of the analytics rules in the Microsoft Sentinel solution for SAP applications use SAP audit log data. Some analytics rules look for specific events in the log, while others correlate indications from several logs to create high-fidelity alerts and incidents.

+Use the following analytics rules to either monitor all audit log events on your SAP system or trigger alerts only when anomalies are detected:

+|Rule name |Description |

+|||

+|**SAP - Missing configuration in the Dynamic Security Audit Log Monitor** | By default, runs daily to provide configuration recommendations for the SAP audit log module. Use the rule template to create and customize a rule for your workspace. |

+|**SAP - Dynamic Deterministic Audit Log Monitor (PREVIEW)** | By default, runs every 10 minutes and focuses on the SAP audit log events marked as **Deterministic**. Use the rule template to create and customize a rule for your workspace, such as for a lower false positive rate. <br><br>This rule requires deterministic alert thresholds and user exclusion rules. |

+|**SAP - Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW)** | By default, runs hourly and focuses on SAP events marked as **AnomaliesOnly**, alerting on SAP audit log events when anomalies are detected. <br><br>This rule applies extra machine learning algorithms to filter out background noise in an unsupervised manner. |

+By default, most event types or SAP message IDs in the SAP audit log are sent to the anomaly based *Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW)* analytics rule, while the easier to define event types are sent to the deterministic *Dynamic Deterministic Audit Log Monitor (PREVIEW)* analytics rule. This setting, along with other related settings, can be further configured to suit any system conditions.

+The SAP audit log monitoring rules are delivered as part of the [Microsoft Sentinel for SAP solution security content](sap-solution-security-content.md#monitor-the-sap-audit-log), and allow for further fine tuning using the *SAP_Dynamic_Audit_Log_Monitor_Configuration* and *SAP_User_Config watchlists*.

+For example, the following table lists several examples of how you can use the *SAP_Dynamic_Audit_Log_Monitor_Configuration* watchlist to configure the types of events that produce incidents, reducing the number of incidents generated.

+|Option |Description |

+|||

+|**Set severities and disable unwanted events** |By default, both the deterministic rules and the rules based on anomalies create alerts for events marked with medium and high severities. <br><br>You might want to configure severities separately production and nonproduction environments. For example, you might set a debugging activity event as *high* severity in production systems, and turn off the same events entirely in nonproduction systems. |

+|**Exclude users by their SAP roles or SAP profiles** |Microsoft Sentinel for SAP ingests the SAP userΓÇÖs authorization profile, including direct and indirect role assignments, groups, and profiles, so that you can speak the SAP language in your SIEM.<br><br>You might want to configure an SAP event to exclude users based on their SAP roles and profiles. In the watchlist, add the roles or profiles that group your RFC interface users in the **RolesTagsToExclude** column, next to the **Generic table access by RFC** event. This configuration triggers alerts only for users that are missing these roles. |

+|**Exclude users by their SOC tags** |Use tags to create your own grouping, without relying on complicated SAP definitions or even without SAP authorization. This method is useful for SOC teams that want to create their own grouping for SAP users.<br><br>For example, if you don't want specific service accounts to be alerted for **Generic table access by RFC** events, but canΓÇÖt find an SAP role or an SAP profile that groups these users, use tags as follows: <br>1. Add the **GenTableRFCReadOK** tag next to the relevant event in the watchlist. <br>2. Go to the **SAP_User_Config** watchlist and assign the interface users the same tag. |

+|**Specify a frequency threshold per event type and system role** |Works like a speed limit. For example, you might configure **User Master Record Change** events to only trigger alerts if more than 12 activities are observed in an hour, by the same user in a production system. If a user exceeds the 12 per hour limitΓÇöfor example, 2 events in a 10-minute windowΓÇöan incident is triggered. |

+|**Determinism or anomalies** |If you know the eventΓÇÖs characteristics, use the deterministic capabilities. If you aren't sure how to correctly configure the event, allow the machine learning capabilities to decide to start, and then make subsequent updates as needed. |

+|**SOAR capabilities** |Use Microsoft Sentinel to further orchestrate, automate, and respond to incidents created by SAP audit log dynamic alerts. For more information, see [Automation in Microsoft Sentinel: Security orchestration, automation, and response (SOAR)](../automation/automation.md). |

+For more information, see [Available watchlists](sap-solution-security-content.md#available-watchlists) and [Microsoft Sentinel for SAP News - Dynamic SAP Security Audit Log Monitor feature available now! (blog)](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-sentinel-for-sap-news-dynamic-sap-security-audit-log/ba-p/3326842#feedback-success).

+| **SAP - Login from unexpected network** | Identifies a sign-in from an unexpected network. <br><br>Maintain networks in the [SAP - Networks](#networks) watchlist. | Sign in to the backend system from an IP address that isn't assigned to one of the networks. <br><br>**Data sources**: SAPcon - Audit Log | Initial Access |

+| **SAP - Dialog logon attempt from a privileged user** | Identifies dialog sign-in attempts, with the **AUM** type, by privileged users in an SAP system. For more information, see the [SAPUsersGetPrivileged](sap-solution-function-reference.md#sapusersgetprivileged). | Attempt to sign in from the same IP to several systems or clients within the scheduled time interval<br><br>**Data sources**: SAPcon - Audit Log | Impact, Lateral Movement |

+| **SAP - Brute force attacks** | Identifies brute force attacks on the SAP system using RFC logons | Attempt to sign in from the same IP to several systems/clients within the scheduled time interval using RFC<br><br>**Data sources**: SAPcon - Audit Log | Credential Access |

+| **SAP - Multiple Logons by User** | Identifies sign-ins of the same user from several terminals within scheduled time interval. <br><br>Available only via the Audit SAL method, for SAP versions 7.5 and higher. | Sign in using the same user, using different IP addresses. <br><br>**Data sources**: SAPcon - Audit Log | Pre-Attack, Credential Access, Initial Access, Collection <br><br>**Sub-use case**: [Persistency](#persistency) |

+| **SAP - FTP for non authorized servers** |Identifies an FTP connection for a nonauthorized server. | Create a new FTP connection, such as by using the FTP_CONNECT Function Module. <br><br>**Data sources**: SAPcon - Audit Log | Discovery, Initial Access, Command and Control |

+| **SAP - Insecure FTP servers configuration** |Identifies insecure FTP server configurations, such as when an FTP allowlist is empty or contains placeholders. | Don't maintain or maintain values that contain placeholders in the `SAPFTP_SERVERS` table, using the `SAPFTP_SERVERS_V` maintenance view. (SM30) <br><br>**Data sources**: SAPcon - Audit Log | Initial Access, Command and Control |

+| **SAP - Sensitive Tables Direct Access By RFC Logon** |Identifies a generic table access by RFC sign in. <br><br> Maintain tables in the [SAP - Sensitive Tables](#tables) watchlist.<br><br>Relevant for production systems only. | Open the table contents using SE11/SE16/SE16N.<br><br>**Data sources**: SAPcon - Audit Log | Collection, Exfiltration, Credential Access |

+| **SAP - Execution of Obsolete or Insecure Function Module** |Identifies the execution of an obsolete or insecure ABAP function module. <br><br>Maintain obsolete functions in the [SAP - Obsolete Function Modules](#modules) watchlist. Make sure to activate table logging changes for the `EUFUNC` table in the backend. (SE13)<br><br>Relevant for production systems only. | Run an obsolete or insecure function module directly using SE37. <br><br>**Data sources**: SAPcon - Table Data Log | Discovery, Command and Control |

+| **SAP - Execution of Obsolete/Insecure Program** |Identifies the execution of an obsolete or insecure ABAP program. <br><br> Maintain obsolete programs in the [SAP - Obsolete Programs](#programs) watchlist.<br><br>Relevant for production systems only. | Run a program directly using SE38/SA38/SE80, or by using a background job. <br><br>**Data sources**: SAPcon - Audit Log | Discovery, Command and Control |

+| **SAP - Execution of Sensitive Function Module** | Identifies the execution of a sensitive ABAP function module. <br><br>**Sub-use case**: [Persistency](#persistency)<br><br>Relevant for production systems only. <br><br>Maintain sensitive functions in the [SAP - Sensitive Function Modules](#modules) watchlist, and make sure to activate table logging changes in the backend for the EUFUNC table. (SE13) | Run a sensitive function module directly using SE37. <br><br>**Data sources**: SAPcon - Table Data Log | Discovery, Command and Control |

+| **SAP - User Creates and uses new user** | Identifies a user creating and using other users. <br><br>**Sub-use case**: [Persistency](#persistency) | Create a user using SU01, and then sign in, using the newly created user and the same IP address.<br><br>**Data sources**: SAPcon - Audit Log | Discovery, Pre-Attack, Initial Access |

+| **SAP - User Unlocks and uses other users** | Identifies a user being unlocked and used by other users. <br><br>**Sub-use case**: [Persistency](#persistency) | Unlock a user using SU01, and then sign in using the unlocked user and the same IP address.<br><br>**Data sources**: SAPcon - Audit Log, SAPcon - Change Documents Log | Discovery, Pre-Attack, Initial Access, Lateral Movement |

+The following table lists the [watchlists](deploy-sap-security-content.md) available for the Microsoft Sentinel solution for SAP applications, and the fields in each watchlist.

+These watchlists provide the configuration for the Microsoft Sentinel solution for SAP applications. The [SAP watchlists](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP/Analytics/Watchlists) are available in the Microsoft Sentinel GitHub repository.

+| <a name="objects"></a>**SAP - Critical Authorization Objects** | Critical Authorizations object, where assignments should be governed. <br><br>- **AuthorizationObject**: An SAP authorization object, such as `S_DEVELOP`, `S_TCODE`, or `Table TOBJ` <br>- **AuthorizationField**: An SAP authorization field, such as `OBJTYP` or `TCD` <br>- **AuthorizationValue**: An SAP authorization field value, such as `DEBUG` <br>- **ActivityField** : SAP activity field. For most cases, this value is `ACTVT`. For Authorizations objects without an **Activity**, or with only an **Activity** field, filled with `NOT_IN_USE`. <br>- **Activity**: SAP activity, according to the authorization object, such as: `01`: Create; `02`: Change; `03`: Display, and so on. <br>- **Description**: A meaningful Critical Authorization Object description. |

+| <a name="systems"></a>**SAP - Systems** | Describes the landscape of SAP systems according to role, usage, and configuration.<br><br>- **SystemID**: the SAP system ID (SYSID) <br>- **SystemRole**: the SAP system role, one of the following values: `Sandbox`, `Development`, `Quality Assurance`, `Training`, `Production` <br>- **SystemUsage**: The SAP system usage, one of the following values: `ERP`, `BW`, `Solman`, `Gateway`, `Enterprise Portal` <br>- **InterfaceAttributes**: an optional dynamic parameter for use in [playbooks](sap-solution-security-content.md#available-playbooks). |

+| <a name="systemparameters"></a>**SAPSystemParameters** | Parameters to watch for [suspicious configuration changes](#monitor-the-configuration-of-static-sap-security-parameters-preview). This watchlist is prefilled with recommended values (according to SAP best practice), and you can extend the watchlist to include more parameters. If you don't want to receive alerts for a parameter, set `EnableAlerts` to `false`.<br><br>- **ParameterName**: The name of the parameter.<br>- **Comment**: The SAP standard parameter description.<br>- **EnableAlerts**: Defines whether to enable alerts for this parameter. Values are `true` and `false`.<br>- **Option**: Defines in which case to trigger an alert: If the parameter value is greater or equal (`GE`), less or equal (`LE`), or equal (`EQ`)<br> For example, if the `login/fails_to_user_lock` SAP parameter is set to `LE` (less or equal), and a value of `5`, once Microsoft Sentinel detects a change to this specific parameter, it compares the newly reported value and the expected value. If the new value is `4`, Microsoft Sentinel doesn't trigger an alert. If the new value is `6`, Microsoft Sentinel triggers an alert.<br>- **ProductionSeverity**: The incident severity for production systems.<br>- **ProductionValues**: Permitted values for production systems.<br>- **NonProdSeverity**: The incident severity for nonproduction systems.<br>- **NonProdValues**: Permitted values for nonproduction systems. |

+| <a name="transactions"></a>**SAP - Transactions for ABAP Generations** | Transactions for ABAP generations whose execution should be governed. <br><br>- **TransactionCode**: Transaction Code, such as SE11. <br>- **Description**: A meaningful Transaction Code description |

+| <a name="servers"></a>**SAP - FTP Servers** | FTP Servers for identification of unauthorized connections. <br><br>- **Client**: such as 100. <br>- **FTP_Server_Name**: FTP server name, such as `http://contoso.com/` <br>-**FTP_Server_Port**:FTP server port, such as 22. <br>- **Description**A meaningful FTP Server description |

+| <a name="objects"></a>**SAP_Dynamic_Audit_Log_Monitor_Configuration** | Configure the SAP audit log alerts by assigning each message ID a severity level as required by you, per system role (production, nonproduction). This watchlist details all available SAP standard audit log message IDs. The watchlist can be extended to contain extra message IDs you might create on your own using ABAP enhancements on their SAP NetWeaver systems. This watchlist also allows for configuring a designated team to handle each of the event types, and excluding users by SAP roles, SAP profiles or by tags from the **SAP_User_Config** watchlist. This watchlist is one of the core components used for configuring the [built-in SAP analytics rules for monitoring the SAP audit log](#monitor-the-sap-audit-log). For more information, see [Monitor the SAP audit log](#monitor-the-sap-audit-log). <br><br>- **MessageID**: The SAP Message ID, or event type, such as `AUD` (User master record changes), or `AUB` (authorization changes). <br>- **DetailedDescription**: A markdown enabled description to be shown on the incident pane. <br>- **ProductionSeverity**: The desired severity for the incident to be created with for production systems `High`, `Medium`. Can be set as `Disabled`. <br>- **NonProdSeverity**: The desired severity for the incident to be created with for nonproduction systems `High`, `Medium`. Can be set as `Disabled`. <br>- **ProductionThreshold** The "Per hour" count of events to be considered as suspicious for production systems `60`. <br>- **NonProdThreshold** The "Per hour" count of events to be considered as suspicious for nonproduction systems `10`. <br>- **RolesTagsToExclude**: This field accepts SAP role name, SAP profile names or tags from the SAP_User_Config watchlist. These are then used to exclude the associated users from specific event types. See options for role tags at the end of this list. <br>- **RuleType**: Use `Deterministic` for the event type to be sent off to the *SAP - Dynamic Deterministic Audit Log Monitor* rule, or `AnomaliesOnly` to have this event covered by the SAP - Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW) rule. For more information, see [Monitor the SAP audit log](#monitor-the-sap-audit-log). <br>- **TeamsChannelID**: an optional dynamic parameter [for use in playbooks](sap-solution-security-content.md#available-playbooks).<br>- **DestinationEmail**: an optional dynamic parameter [for use in playbooks](sap-solution-security-content.md#available-playbooks).<br><br>For the **RolesTagsToExclude** field:<br>- If you list SAP roles or [SAP profiles](sap-solution-deploy-alternate.md#configuring-user-master-data-collection), this excludes any user with the listed roles or profiles from these event types for the same SAP system. For example, if you define the `BASIC_BO_USERS` ABAP role for the RFC related event types, Business Objects users won't trigger incidents when making massive RFC calls.<br>- Tagging an event type is similar to specifying SAP roles or profiles, but tags can be created in the workspace, so SOC teams can exclude users by activity without depending on the SAP BASIS team. For example, the audit message IDs AUB (authorization changes) and AUD (user master record changes) are assigned the `MassiveAuthChanges` tag. Users assigned this tag are excluded from the checks for these activities. Running the workspace `SAPAuditLogConfigRecommend` function produces a list of recommended tags to be assigned to users, such as `Add the tags ["GenericTablebyRFCOK"] to user SENTINEL_SRV using the SAP_User_Config watchlist`. |

+| <a name="objects"></a>**SAP_User_Config** | Allows for fine tuning alerts by excluding /including users in specific contexts and is also used for configuring the [built-in SAP analytics rules for monitoring the SAP audit log](#monitor-the-sap-audit-log). For more information, see [Monitor the SAP audit log](#monitor-the-sap-audit-log).<br><br> - **SAPUser**: The SAP user <br> - **Tags**: Tags are used to identify users against certain activity. For example Adding the tags ["GenericTablebyRFCOK"] to user SENTINEL_SRV will prevent RFC related incidents to be created for this specific user <br>**Other active directory user identifiers** <br>- AD User Identifier <br>- User On-Premises Sid <br>- User Principal Name |

+Playbooks provided by Microsoft Sentinel solution for SAP applications help you automate SAP incident response workloads, improving the efficiency and effectiveness of security operations.

+This section describes [built-in analytics playbooks](deploy-sap-security-content.md) provided together with the Microsoft Sentinel solution for SAP applications.

+The following sections describe sample uses cases for each of the provided playbooks, in a scenario where an incident warned you of suspicious activity in one of the SAP systems, where a user is trying to execute one of these highly sensitive transactions.

+During the incident triage phase, you decide to take action against this user, kicking it out of your SAP ERP or BTP systems or even from Microsoft Entra ID.

+For more information, see [Automate threat response with playbooks in Microsoft Sentinel](../automation/automate-responses-with-playbooks.md)

+The process for deploying Standard logic apps generally is more complex than it is for Consumption logic apps. We've created a series of shortcuts to help you deploy them quickly from the Microsoft Sentinel GitHub repository. For more information, see [Step-by-Step Installation Guide](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP/Playbooks/INSTALLATION.md).

+> [!TIP]

+> Watch the [SAP playbooks folder](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP/Playbooks) in the GitHub repository for more playbooks as they become available. There's also a [short introductory video (external link)](https://www.youtube.com/watch?v=b-AZnR-nQpg) there to help you get started.

+### Lock out a user from a single system

+Build an [automation rule](../automate-incident-handling-with-automation-rules.md) to invoke the **Lock user from Teams - Basic** playbook whenever a sensitive transaction execution by an unauthorized user is detected. This playbook uses Teams' adaptive cards feature to request approval before unilaterally blocking the user.

+For more information, see [From zero to hero security coverage with Microsoft Sentinel for your critical SAP security signals - YouΓÇÖre gonna hear me SOAR! Part 1](https://blogs.sap.com/2023/05/22/from-zero-to-hero-security-coverage-with-microsoft-sentinel-for-your-critical-sap-security-signals-youre-gonna-hear-me-soar-part-1/) (SAP blog post).

+The **Lock user from Teams - Basic** playbook is a Standard playbook, and Standard playbooks are generally more complex to deploy than Consumption playbooks.

+We've created a series of shortcuts to help you deploy them quickly from the Microsoft Sentinel GitHub repository. For more information, see [Step-by-Step Installation Guide](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP/Playbooks/INSTALLATION.md) and [Supported logic app types](../automation/logic-apps-playbooks.md#supported-logic-app-types).

+### Lock out a user from multiple systems

+The **Lock user from Teams - Advanced** playbook accomplishes the same objective, but is designed for more complex scenarios, allowing a single playbook to be used for multiple SAP systems, each with its own SAP SID.

+The **Lock user from Teams - Advanced** playbook seamlessly manages the connections to all of these systems, and their credentials, using the *InterfaceAttributes* optional dynamic parameter in the *SAP - Systems* watchlist and Azure Key Vault.

+The **Lock user from Teams - Advanced** playbook also allows you to communicate to the parties in the approval process using [Outlook actionable messages](/outlook/actionable-messages/get-started) together with Teams, using the *TeamsChannelID* and *DestinationEmail* parameters in the *SAP_Dynamic_Audit_Log_Monitor_Configuration* watchlist.

+For more information, see [From zero to hero security coverage with Microsoft Sentinel for your critical SAP security signals ΓÇô Part 2](https://blogs.sap.com/2023/05/23/from-zero-to-hero-security-coverage-with-microsoft-sentinel-for-your-critical-sap-security-signals-part-2/) (SAP blog post).

+### Prevent deactivation of audit logging

+You might also be concerned about the SAP audit log, which is one of your security data sources, being deactivated. We recommend that you build an automation rule based on the **SAP - Deactivation of Security Audit Log** analytics rule to invoke the **Reenable audit logging once deactivated** playbook to make sure the SAP audit log isn't deactivated.

+The **SAP - Deactivation of Security Audit Log** playbook also uses Teams, informing security personnel after the fact. The severity of the offense and the urgency of its mitigation indicate that immediate action can be taken with no approval required.

+Since the **SAP - Deactivation of Security Audit Log** playbook also uses Azure Key Vault to manage credentials, the playbook's configuration is similar to that of the **Lock user from Teams - Advanced** playbook. For more information, see [From zero to hero security coverage with Microsoft Sentinel for your critical SAP security signals ΓÇô Part 3](https://blogs.sap.com/2023/05/23/from-zero-to-hero-security-coverage-with-microsoft-sentinel-for-your-critical-sap-security-signals-part-3/) (SAP blog post).

+## Related content

+For more information, see [Deploying Microsoft Sentinel solution for SAP applications](deployment-overview.md).

+ Title: SAP security parameters monitored by the Microsoft Sentinel solution for SAP to detect suspicious configuration changes

+description: Learn about the security parameters in the SAP system that the Microsoft Sentinel solution for SAP applications monitors for suspicious configuration changes.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+This article lists the static security parameters in the SAP system that the Microsoft Sentinel solution for SAP applications monitors as part of the [*SAP - (Preview) Sensitive Static Parameter has Changed* analytics rule](sap-solution-security-content.md#monitor-the-configuration-of-static-sap-security-parameters-preview).

+The Microsoft Sentinel solution for SAP applications provides updates for this content according to SAP best practice changes. Add parameters to watch for by changing values according to your organization's needs, and turn off specific parameters in the [*SAPSystemParameters* watchlist](sap-solution-security-content.md#systemparameters).

+This article doesn't describe the parameters, and isn't a recommendation to configuring the parameters. For configuration considerations, consult your SAP admins. For parameter descriptions, see the SAP documentation.

+Content in this article is intended for your **SAP BASIS** teams.

+## Prerequisites

+For the Microsoft Sentinel solution for SAP applications to successfully monitor the SAP security parameters, the solution needs to successfully monitor the SAP PAHI table at regular intervals. For more information, see [Verify that the PAHI table is updated at regular intervals](preparing-sap.md#verify-that-the-pahi-table-is-updated-at-regular-intervals).

+### Authentication parameters

+| Parameter | Security value/considerations |

+| | |

+| auth/no_check_in_some_cases | While this parameter might improve performance, it can also pose a security risk by allowing users to perform actions they might not have permission for. |

+| auth/object_disabling_active | Can help improve security by reducing the number of inactive accounts with unnecessary permissions. |

+| auth/rfc_authority_check | High. Enabling this parameter helps prevent unauthorized access to sensitive data and functions via RFCs. |

+### Gateway parameters

+| Parameter | Security value/considerations |

+| | |

+| gw/accept_remote_trace_level | The parameter can be configured to restrict the trace level accepted from external systems. Setting a lower trace level might reduce the amount of information that external systems can obtain about the internal workings of the SAP system. |

+| gw/acl_mode | High. This parameter controls access to the gateway and helps prevent unauthorized access to the SAP system. |

+| gw/logging | High. This parameter can be used to monitor and detect suspicious activity or potential security breaches. |

+| gw/monitor | |

+| gw/sim_mode | Enabling this parameter can be useful for testing purposes and can help prevent any unintended changes to the target system. |

+### Internet Communication Manager (ICM) parameters

+| Parameter | Security value/considerations |

+| | |

+| icm/accept_remote_trace_level | Medium <br><br>Allowing remote trace level changes can provide valuable diagnostic information to attackers and potentially compromise system security. |

+### Sign-in parameters

+| Parameter | Security value/considerations |

+| | |

+| login/accept_sso2_ticket | Enabling SSO2 can provide a more streamlined and convenient user experience, but also introduces extra security risks. If an attacker gains access to a valid SSO2 ticket, they might be able to impersonate a legitimate user and gain unauthorized access to sensitive data or perform malicious actions. |

+| login/create_sso2_ticket | |

+| login/disable_multi_gui_login | This parameter can help improve security by ensuring that users are only logged in to one session at a time. |

+| login/failed_user_auto_unlock | |

+| login/fails_to_session_end | High. This parameter helps prevent brute-force attacks on user accounts. |

+| login/fails_to_user_lock | Helps prevent unauthorized access to the system and helps protect user accounts from being compromised. |

+| login/min_password_diff | High. Requiring a minimum number of character differences can help prevent users from choosing weak passwords that can easily be guessed. |

+| login/min_password_digits | High. This parameter increases the complexity of passwords and makes them harder to guess or crack. |

+| login/min_password_letters | Specifies the minimum number of letters that must be included in a user's password. Setting a higher value helps increase password strength and security. |

+| login/min_password_lng | Specifies the minimum length that a password can be. Setting a higher value for this parameter can improve security by ensuring that passwords aren't easily guessed. |

+| login/min_password_lowercase | |

+| login/min_password_specials | |

+| login/min_password_uppercase | |

+| login/multi_login_users | Enabling this parameter can help prevent unauthorized access to SAP systems by limiting the number of concurrent logins for a single user. When this parameter is set to `0`, only one login session is allowed per user, and other login attempts are rejected. This can help prevent unauthorized access to SAP systems in case a user's login credentials are compromised or shared with others. |

+| login/no_automatic_user_sapstar | High. This parameter helps prevent unauthorized access to the SAP system via the default SAP* account. |

+| login/password_change_for_SSO | High. Enforcing password changes can help prevent unauthorized access to the system by attackers who might have obtained valid credentials through phishing or other means. |

+| login/password_change_waittime | Setting an appropriate value for this parameter can help ensure that users change their passwords regularly enough to maintain the security of the SAP system. At the same time, setting the wait time too short can be counterproductive because users might be more likely to reuse passwords or choose weak passwords that are easier to remember. |

+| login/password_compliance_to_current_policy | High. Enabling this parameter can help ensure that users comply with the current password policy when changing passwords, which reduces the risk of unauthorized access to SAP systems. When this parameter is set to `1`, users are prompted to comply with the current password policy when changing their passwords. |

+| login/password_downwards_compatibility | |

+| login/password_expiration_time | Setting this parameter to a lower value can improve security by ensuring that passwords are changed frequently. |

+| login/password_history_size | This parameter prevents users from repeatedly using the same passwords, which can improve security. |

+| login/password_max_idle_initial | Setting a lower value for this parameter can improve security by ensuring that idle sessions aren't left open for extended periods of time. |

+| login/ticket_only_by_https | High. Using HTTPS for ticket transmission encrypts the data in transit, making it more secure. |

+### Remote dispatcher parameters

+| Parameter | Security value/considerations |

+| | |

+| rdisp/gui_auto_logout | High. automatically logging out inactive users can help prevent unauthorized access to the system by attackers who might have access to a user's workstation. |

+| rfc/ext_debugging | |

+| rfc/reject_expired_passwd | Enabling this parameter can be helpful when enforcing password policies and preventing unauthorized access to SAP systems. When this parameter is set to `1`, RFC connections are rejected if the user's password expired, and the user is prompted to change their password before they can connect. This helps ensure that only authorized users with valid passwords can access the system. |

+| rsau/enable | High. This Security Audit log can provide valuable information for detecting and investigating security incidents. |

+| rsau/max_diskspace/local | Setting an appropriate value for this parameter helps prevent the local audit logs from consuming too much disk space, which could lead to system performance issues or even denial of service attacks. On the other hand, setting a value that's too low might result in the loss of audit log data, which might be required for compliance and auditing. |

+| rsau/max_diskspace/per_day | |

+| rsau/max_diskspace/per_file | Setting an appropriate value helps manage the size of audit files and avoid storage issues. |

+| rsau/selection_slots | Helps ensure that audit files are retained for a longer period of time, which can be useful in a security breach. |

+| rspo/auth/pagelimit | This parameter doesn't directly affect the security of the SAP system, but can help to prevent unauthorized access to sensitive authorization data. By limiting the number of entries displayed per page, it can reduce the risk of unauthorized individuals viewing sensitive authorization information. |

+### Secure network communications (SNC) parameters

+| Parameter | Security value/considerations |

+| | |

+| snc/accept_insecure_cpic | Enabling this parameter can increase the risk of data interception or manipulation, because it accepts SNC-protected connections that don't meet the minimum security standards. Therefore, the recommended security value for this parameter is to set it to `0`, which means that only SNC connections that meet the minimum security requirements are accepted. |

+| snc/accept_insecure_gui | Setting the value of this parameter to `0` is recommended to ensure that SNC connections made through the SAP GUI are secure, and to reduce the risk of unauthorized access or interception of sensitive data. Allowing insecure SNC connections might increase the risk of unauthorized access to sensitive information or data interception, and should only be done when there's a specific need and the risks are properly assessed. |

+| snc/accept_insecure_r3int_rfc | Enabling this parameter can increase the risk of data interception or manipulation, because it accepts SNC-protected connections that don't meet the minimum security standards. Therefore, the recommended security value for this parameter is to set it to `0`, which means that only SNC connections that meet the minimum security requirements are accepted. |

+| snc/accept_insecure_rfc | Enabling this parameter can increase the risk of data interception or manipulation, because it accepts SNC-protected connections that don't meet the minimum security standards. Therefore, the recommended security value for this parameter is to set it to `0`, which means that only SNC connections that meet the minimum security requirements are accepted. |

+| snc/data_protection/max | Setting a high value for this parameter can increase the level of data protection and reduce the risk of data interception or manipulation. The recommended security value for this parameter depends on the organization's specific security requirements and risk management strategy. |

+| snc/data_protection/min | Setting an appropriate value for this parameter helps ensure that SNC-protected connections provide a minimum level of data protection. This setting helps prevent sensitive information from being intercepted or manipulated by attackers. The value of this parameter should be set based on the security requirements of the SAP system and the sensitivity of the data transmitted over SNC-protected connections. |

+| snc/data_protection/use | |

+| snc/enable | When enabled, SNC provides an extra layer of security by encrypting data transmitted between systems. |

+| snc/extid_login_diag | Enabling this parameter can be helpful for troubleshooting SNC-related issues, because it provides extra diagnostic information. However, the parameter might also expose sensitive information about the external security products used by the system, which could be a potential security risk if that information falls into the wrong hands. |

+| snc/extid_login_rfc | |

+### Web dispatcher parameters

+| Parameter | Security value/considerations |

+| | |

+| wdisp/ssl_encrypt | High. This parameter ensures that data transmitted over HTTP is encrypted, which helps prevent eavesdropping and data tampering. |

+## Related content

+- [Deploy and configure the container hosting the SAP data connector agent](deploy-data-connector-agent-container.md)

+- [Troubleshoot your Microsoft Sentinel solution for SAP applications solution deployment](sap-deploy-troubleshoot.md)

+- [Systemconfig.json file reference](reference-systemconfig-json.md)

+ Title: Microsoft Sentinel solution for SAP applications overview

+description: This article provides an overview of the Microsoft Sentinel solution for SAP applications and available support.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+#Customer intent: As a security operations team member, I want to monitor and protect SAP systems using Microsoft Sentinel so that I can detect, analyze, and respond to threats effectively across all layers of the SAP environment.

+# Microsoft Sentinel solutions for SAP applications

+SAP systems pose a unique security challenge, as they handle sensitive information, are a prime target for attackers, and traditionally provide little visibility for security operations teams.

+An SAP system breach could result in stolen files, exposed data, or a disrupted supply chain. Once an attacker is in the system, there are few controls to detect exfiltration or other bad acts. SAP activity needs to be correlated with other data across the organization for effective threat detection.

+To help close this gap, Microsoft Sentinel offers Microsoft Sentinel solutions for SAP applications, which use components at every level of Microsoft Sentinel to offer end-to-end detection, analysis, investigation, and response to threats in your SAP environment.

+## SIEM and SOAR features and sample architecture

+The Microsoft Sentinel solution for SAP applications continuously monitor SAP systems for threats at all layers - business logic, application, database, and OS. It allows you to:

+- **Security information and event management (SIEM)**: Correlate SAP monitoring with other signals across your organization. Use out-of-the-box and custom detections to monitor sensitive transactions and other business risks, such as privilege escalation, unapproved changes, and unauthorized access.

+- **Security orchestration, automation and response (SOAR)**: Build automated response processes that interact with your SAP systems to stop active security threats.

+For example, the following image shows a sample environment where the Microsoft Sentinel solution for SAP applications is deployed. This sample architecture uses a multi-SID SAP landscape with a split between productive and nonproductive systems. All of the systems in this image are onboarded to Microsoft Sentinel for the SAP solution.

+Microsoft Sentinel also provides the [Microsoft Sentinel solution for SAP BTP](sap-btp-solution-overview.md), which offers threat monitoring and detection for SAP Business Technology Platform (BTP).

+## Threat detection coverage

+The Microsoft Sentinel solution for SAP applications supports threat detections such as the following, and more:

+- **Suspicious privileges operations**, such as privileged user creation or usage of break-glass users

+- **Attempts to bypass SAP security mechanisms**, such as disabling audit logging, or execution of sensitive function modules

+- **Backdoor creation (persistency)**, such as creation of new internet facing interfaces (ICF) or directly accessing sensitive tables by remote-function-call

+- **Data exfiltration**, such as multiple file downloads or spool takeovers

+- **Initial Access**, such as brute force or multiple sign-ins from the same IP

+For more information, see [Built-in analytics rules](sap-solution-security-content.md#built-in-analytics-rules).

+## Investigation support

+Investigate SAP incidents just as you would any other incidents in Microsoft Sentinel and Microsoft Defender. For more information, see:

+- [Navigate and investigate incidents in Microsoft Sentinel](../investigate-incidents.md)

+- [Investigate and respond with Microsoft Defender XDR](/defender-xdr/incident-response-overview)

+Microsoft Sentinel solution for SAP applications is certified for SAP S/4HANA Cloud, Private Edition RISE with SAP, and SAP S/4 on-premises.

+- The integration scenarios include S/4-BC-XAL 1.0/S/4 EXTERNAL ALERT AND MONITORING 1.0 (for S/4).

+- Our certification includes S/4 and SAP Rise S/4 HANA Cloud Private Edition running in any cloud and on-premises.

+- We support hybrid deployments that can cover the entire customer estate.

+For more information, see the certification on the [SAP Certified Solutions Directory](https://www.sap.com/dmc/exp/2013_09_adpd/enEN/#/solutions?id=s:33db1376-91ae-4f36-a435-aafa892a88d8).

+## Solution pricing

+While the Microsoft Sentinel for SAP solutions are free to install, there's an extra hourly charge for activating and using the solution on production systems.

+- The extra hourly charge applies to connected, active production systems only. Inactive systems aren't subject to charges. If a system's status is unknown to Microsoft Sentinel, such as because of permission issues, it's counted as a production system.

+- Microsoft Sentinel identifies a production system by looking at the configuration on the SAP system.

+Microsoft Sentinel ingestion costs might vary and are influenced by the volume of SAP logs ingested. For more information, see:

+- [Plan costs and understand Microsoft Sentinel pricing and billing](../billing.md)

+- [Reduce costs for Microsoft Sentinel](../billing-reduce-costs.md)

+- [Manage and monitor costs for Microsoft Sentinel](../billing-monitor-costs.md)

+- [Microsoft Sentinel solution for SAP applications](https://azure.microsoft.com/pricing/offers/microsoft-sentinel-sap-promo/).

+## Related content

+For more information, see:

+- [Deploy Microsoft Sentinel solution for SAP applications](deployment-overview.md)

+- [Enable SAP detections and threat protection](deployment-solution-configuration.md)

+- [Microsoft Sentinel solution for SAP applications: security content reference](sap-solution-security-content.md)

+ Title: Stop SAP data collection

+description: Learn about how to stop Microsoft Sentinel from collecting data from your SAP applications.

+ai-usage: ai-assisted

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+#customerIntent: As an SAP admin, I want to stop Microsoft Sentinel from collecting data from our SAP applications.

+# Stop SAP data collection

+There might be instances where you need to halt the data collection from your SAP applications by Microsoft Sentinel, whether for maintenance, troubleshooting, or other administrative reasons.

+This article provides step-by-step instructions on how to stop the ingestion of SAP logs into Microsoft Sentinel and disable the data connector.

+## Prerequisites

+Before you stop the data collection from your SAP applications, ensure you have administrative access to:

+- The Log Analytics workspace that's enabled for Microsoft Sentinel. For more information, see [Roles and permissions in Microsoft Sentinel](../roles.md).

+- The SAP data connector agent machine or container.

+## Stop log ingestion and disable the connector

+To stop ingesting SAP logs into Microsoft and to stop the data stream from the Docker container, sign into your data connector agent machine and run:

+```bash

+docker stop sapcon-[SID/agent-name]

+```

+The Docker container stops and doesn't send any more SAP logs to Microsoft Sentinel. This stops both the ingestion and billing for the SAP system related to the connector.

+If you need to reenable the Docker container, sign into the data connector agent machine and run:

+```bash

+docker start sapcon-[SID]

+```

+To stop ingesting a specific SID for a multi-SID container, make sure that you also delete the SID from the connector page UI in Microsoft Sentinel. This option is relevant only if you [deployed the agent via the portal](deploy-data-connector-agent-container.md#deploy-the-data-connector-agent-from-the-portal-preview).

+1. In Microsoft Sentinel, select **Configuration > Data connectors** and search for **Microsoft Sentinel for SAP**.

+1. Select the data connector row and then select **Open connector page** in the side pane.

+1. In the **Configuration** area on the **Microsoft Sentinel for SAP** data connector page, locate the SID agent you want to remove and select **Delete**.

+## Remove the user role and any optional CR installed on your ABAP system

+If you're turning off the SAP data connector agent and stopping log ingestion from your SAP system, you might want to also remove the user role and optional CRs installed on your ABAP system.

+To do so, import the deletion CR *NPLK900259* into your ABAP system. For more information, see the [SAP documentation](https://help.sap.com/docs/ABAP_PLATFORM_NEW/4a368c163b08418890a406d413933ba7/e15d9acae75c11d2b451006094b9ea64.html?locale=en-US&version=LATEST).

+## Related content

+For more information, see:

+- [Configure your SAP system for the Microsoft Sentinel solution](preparing-sap.md)

+- [Connect your SAP system by deploying your data connector agent container](deploy-data-connector-agent-container.md)

+ Title: Update the Microsoft Sentinel for SAP applications data connector agent

+# Update the Microsoft Sentinel for SAP applications data connector agent

+This article shows you how to update an already existing Microsoft Sentinel for SAP data connector to its latest version so that you can use the latest features and improvements.

+During the data connector agent update process, there might be a brief downtime of approximately 10 seconds. To ensure data integrity, a database entry stores the timestamp of the last fetched log. After the update is complete, the data fetching process resumes from the last log fetched, preventing duplicates and ensuring a seamless data flow.

+The automatic or manual updates described in this article are relevant to the SAP connector agent only, and not to the Microsoft Sentinel solution for SAP applications. To successfully update the solution, your agent needs to be up to date. The solution is updated separately, as you would any other [Microsoft Sentinel solution](../sentinel-solutions-deploy.md#install-or-update-content).

+Content in this article is relevant for your **security**, **infrastructure**, and **SAP BASIS** teams.

+Before you start:

+- Make sure that you have all the prerequisites for deploying Microsoft Sentinel solution for SAP applications. For more information, see [Prerequisites for deploying Microsoft Sentinel solution for SAP applications](prerequisites-for-deploying-sap-continuous-threat-monitoring.md).

+- Make sure that you understand your SAP and Microsoft Sentinel environments and architecture, including the machines where your connector agents and collectors are [installed](deploy-data-connector-agent-container.md).

+## Configure automatic updates for the SAP data connector agent (Preview)

+Configure automatic updates for the connector agent, either for [all existing containers](#configure-automatic-updates-for-all-existing-containers) or a [specific container](#configure-automatic-updates-on-a-specific-container).

+The commands described in this section create a cron job that runs daily, checks for updates, and updates the agent to the latest GA version. Containers running a preview version of the agent that's newer than the latest GA version aren't updated. Log files for automatic updates are located on the collector machine, at */var/log/sapcon-sentinel-register-autoupdate.log*.

+After you configure automatic updates for an agent once, it's always configured for automatic updates.

+### Configure automatic updates for all existing containers

+To turn on automatic updates for all existing containers with a connected SAP agent, run the following command on the collector machine:

+```bash

+If you're working with multiple containers, the cron job updates the agent on all containers that existed at the time when you ran the original command. If you add containers after you create the initial cron job, the new containers aren't updated automatically. To update these containers, [run an extra command to add them](#configure-automatic-updates-on-a-specific-container).

+### Configure automatic updates on a specific container

+To configure automatic updates for a specific container or containers, such as if you added containers after running the [original automation command](#configure-automatic-updates-for-all-existing-containers), run the following command on the collector machine:

+```bash

+Alternately, in the */opt/sapcon/[SID or Agent GUID]/settings.json* file, define the `auto_update` parameter for each of the containers as `true`.

+### Turn off automatic updates

+To turn off automatic updates for a container or containers, open the */opt/sapcon/[SID or Agent GUID]/settings.json* file for editing and define the `auto_update` parameter for each of the containers as `false`.

+To manually update the connector agent, make sure that you have the most recent versions of the relevant deployment scripts from the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP).

+For more information, see [Microsoft Sentinel solution for SAP applications data connector agent update file reference](reference-update.md).

+**On the data connector agent machine, run**:

+```bash

+The SAP data connector Docker container on your machine is updated.

+Be sure to check for any other available updates, such as SAP change requests.

+- A Microsoft Sentinel SAP data connector agent, version 90847355 or higher. [Check your current agent version](#verify-your-current-data-connector-agent-version) and update it if you need to.

+- The following roles in Azure and SAP:

+ - **Azure role requirement**: The identity of your data connector agent VM must be assigned to the **Microsoft Sentinel Business Applications Agent Operator** Azure role. Verify this assignment and [assign this role manually](#assign-required-azure-roles-manually) if you need to.

+ - **SAP role requirement**: The **/MSFTSEN/SENTINEL_RESPONDER** SAP role must be applied to your SAP system and assigned to the SAP user account used by the data connector agent. Verify this assignment and [apply and assign the role](#apply-and-assign-the-sentinel_responder-sap-role-to-your-sap-system) if you need to.

+The following procedures describe how to fulfill these requirements if they aren't already met.

+Attack disruption for SAP requires that you grant your agent's VM identity with specific permissions to the Log Analytics workspace enabled for Microsoft Sentinel, using the **Microsoft Sentinel Business Applications Agent Operator** and **Reader** roles.

+To perform this procedure, you must be a resource group owner on your Log Analytics workspace enabled for Microsoft Sentinel.

+#### [Portal](#tab/portal)

+> If you must assign the roles [via the Azure portal](/azure/role-based-access-control/role-assignments-portal?tabs=delegate-condition), we recommend assigning the roles on a small scope, such as only on the Log Analytics workspace enabled for Microsoft Sentinel.

+ |`<SUB_ID>` | The subscription ID for your Log Analytics workspace enabled for Microsoft Sentinel |

+ |`<RESOURCE_GROUP_NAME>` | The resource group name for your Log Analytics workspace enabled for Microsoft Sentinel |

+ |`<WS_NAME>` | The name of your Log Analytics workspace enabled for Microsoft Sentinel |

+Apply **/MSFTSEN/SENTINEL_RESPONDER** SAP role to your SAP system and assign it to the SAP user account used by Microsoft Sentinel's SAP data connector agent.

+1. Assign the **/MSFTSEN/SENTINEL_RESPONDER** role to the SAP user account used by Microsoft Sentinel's SAP data connector agent. For more information, see [Configure your SAP system for the Microsoft Sentinel solution](preparing-sap.md).

+ Alternately, manually assign the following authorizations to the current role already assigned to the SAP user account used by Microsoft Sentinel's SAP data connector. These authorizations are included in the **/MSFTSEN/SENTINEL_RESPONDER** SAP role specifically for attack disruption response actions.

+ | Authorization object | Field | Value |

+ | -- | -- | -- |

+ |S_RFC |RFC_TYPE |Function Module |

+ |S_RFC |RFC_NAME |BAPI_USER_LOCK |

+ |S_RFC |RFC_NAME |BAPI_USER_UNLOCK |

+ |S_RFC |RFC_NAME |TH_DELETE_USER <br>In contrast to its name, this function doesn't delete users, but ends the active user session. |

+ |S_USER_GRP |CLASS |* <br>We recommend replacing S_USER_GRP CLASS with the relevant classes in your organization that represent dialog users. |

+ |S_USER_GRP |ACTVT |03 |

+ |S_USER_GRP |ACTVT |05 |

+ For more information, see [Required ABAP authorizations](required-abap-authorizations.md).

+## Related content

+For more information, see:

+- [Deploy Microsoft Sentinel solution for SAP applications](deployment-overview.md)

+- [Troubleshoot your Microsoft Sentinel solution for SAP applications deployment](sap-deploy-troubleshoot.md)

+> To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias **CiscoUCS**. Alternatively, directly load the [function code](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20UCS/Parsers/CiscoUCS.yaml). It might take about 15-minutes post-installation to update.

+> The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation. To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias **CitrixADCEvent**. Alternatively, you can directly load the [function code](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Citrix%20ADC/Parsers/CitrixADCEvent.yaml). It might take about 15 minutes post-installation to update.

+> To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias **Infoblox**. Alternatively, you can directly load the [function code](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20NIOS/Parsers/Infoblox.yaml). It might take about 15 minutes post-installation to update.

+> To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias **SymantecVIP**. Alternatively, directly load the [function code](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Symantec%20VIP/Parsers/SymantecVIP.yaml). It might take about 15 minutes post-installation to update.

+Azure Service Bus uses Kusto tables from Azure Monitor Logs. You can query these tables with Log Analytics.

+For more information about these properties, [Create or Update Private Endpoint Connections](/rest/api/servicebus/controlplane-preview/private-endpoint-connections/create-or-update).

+For more information about these properties, see [Create or Update Private Endpoint Connections](/rest/api/servicebus/controlplane-preview/private-endpoint-connections/create-or-update).

+> As of 28 February 2025, TLS 1.0 and TLS 1.1 will no longer be supported on Azure Service Bus. The minimum TLS version will be 1.2 for all Service Bus deployments.

+- Added support for V2A Modernized. Latest version won't support V2A Classic, and supports only V2A Modernized.

+| Configure the .NET Core runtime version. | Supports *Net6.0*, and *Net8.0*. <br> You can configure through a *runtimeconfig.json* or MSBuild Project file. <br> The default runtime is *6.0.\**. | N/A | N/A |

+| Specify the PHP version. | Configures the PHP version. Currently supported: PHP *8.1.\**, *8.2.\**, and *8.3.\**. The default value is *8.1.\** | `BP_PHP_VERSION` | `--build-env BP_PHP_VERSION=8.1.*` |

+|  |**Pure Storage**<br>Pure delivers a modern data experience that empowers organizations to run their operations as a true, automated, storage as-a-service model seamlessly across multiple clouds.|[Partner page](https://www.purestorage.com/company/technology-partners/microsoft.html)<br>[Solution Video](https://azure.microsoft.com/resources/videos/pure-storage-overview)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/purestoragemarketplaceadmin.pure_cloud_block_store_product_deployment?tab=overview)|

+1. Go to the predictive sentiment analytics model page in the Cortana Intelligence Gallery.

+> Read the hosted Azure Time Series Insights client SDK sample visualization to learn how to authenticate with the Azure Time Series Insights APIs programmatically using the [JavaScript Client SDK](https://github.com/microsoft/tsiclient/blob/master/docs/API.md) along with charts and graphs.

+1. Navigate to the TSI Sample Wind Farm Pusher. The site creates and runs simulated windmill devices.

+> Read hosted client SDK visualization samples

+If you're using packages on devices that aren't connected to the internet, you need to make sure the package licenses are installed on your device to successfully run the app. If your device is online, the required licenses should download automatically.

+# Update session hosts using session host update in Azure Virtual Desktop (preview)

+- Optimize drives (defrag)

+- Support for the [preview of graphics encoding with HEVC/H.265](whats-new.md#enabling-hevc-gpu-acceleration-for-azure-virtual-desktop-is-now-in-preview).

+- Addressed an issue when using a RemoteApp that could cause the text highlight color in the File Explorer's address bar to appear incorrectly.

+Routing Intent and Routing policies allow you to configure your Virtual WAN hub to send Internet-bound and Private (Point-to-site, Site-to-site, ExpressRoute, Network Virtual Appliances inside the Virtual WAN Hub and virtual network) Traffic via an Azure Firewall, Next-Generation Firewall NVA or software-as-a-service solution deployed in the Virtual WAN hub. There are two types of Routing Policies: Internet Traffic and Private Traffic Routing Policies. Each Virtual WAN hub can have, at most, one Internet Traffic Routing Policy and one Private Traffic Routing Policy, each with a Next Hop resource.

+While Private Traffic includes both branch and virtual network address prefixes, Routing Policies considers them as one entity within the Routing Intent concepts.

+* **Internet Traffic Routing Policy**: When an Internet Traffic Routing Policy is configured on a Virtual WAN hub, all branch (User VPN (Point-to-site VPN), Site-to-site VPN and ExpressRoute), and virtual network connections to that Virtual WAN hub will forward Internet-bound traffic to the Azure Firewall resource or a third-party security provider specified as part of the routing policy.

+* **Private Traffic Routing Policy**: When a Private Traffic Routing Policy is configured on a Virtual WAN hub, **all** branch and virtual network traffic in and out of the Virtual WAN hub including inter-hub traffic will be forwarded to the Next Hop Azure Firewall resource that was specified in the Private Traffic Routing Policy.

+For more information, see [How to configure Virtual WAN hub routing intent and routing policies](how-to-routing-policies.md).

+Each connection is associated to one route table. Associating a connection to a route table allows the traffic (from that connection) to be sent to the destination indicated as routes in the route table. The routing configuration of the connection shows the associated route table. Multiple connections can be associated to the same route table. All VPN, ExpressRoute, and User VPN connections are associated to the same (default) route table.

+By default, all connections are associated to a **Default route table** in a virtual hub. Each virtual hub has its own Default route table, which can be edited to add a static route or routes. Routes added statically take precedence over dynamically learned routes for the same prefixes.

+Labels provide a mechanism to logically group route tables. This is especially helpful during propagation of routes from connections to multiple route tables. For example, the **Default Route Table** has a built-in label called 'Default'. When users propagate connection routes to 'Default' label, it automatically applies to all the Default Route Tables across every hub in the virtual WAN.

+If no label is specified in the list of labels that a virtual network connection is propagating to, then the virtual network connection will automatically propagate to the 'Default' label.

+Configuring static routes provides a mechanism to steer traffic from the hub through a next hop IP, which could be of a Network Virtual Appliance (NVA) provisioned in a Spoke virtual network attached to a virtual hub. The static route is composed of a route name, list of destination prefixes, and a next hop IP.

+Route tables now have features for association and propagation. A pre-existing route table is a route table that doesn't have these features. If you have pre-existing routes in hub routing and would like to use the new capabilities, consider the following items:

+* **Standard virtual WAN with pre-existing routes in a virtual hub**:

+ If you have pre-existing routes in Routing section for the hub in the Azure portal, you need to first delete them, and then attempt to create new route tables (available in the Route Tables section for the hub in Azure portal).

+* **Basic virtual WAN with pre-existing routes in a virtual hub**:

+ If you have pre-existing routes in Routing section for the hub in Azure portal, you need to first delete them, then **upgrade** your Basic virtual WAN to a Standard virtual WAN. See [Upgrade a virtual WAN from Basic to Standard](upgrade-virtual-wan.md).

+Virtual hub **Reset** is available only in the Azure portal. Resetting provides you with a way to bring any failed resources such as route tables, hub router, or the virtual hub resource itself back to its rightful provisioning state. Consider resetting the hub before contacting Microsoft for support. This operation doesn't reset any of the gateways in a virtual hub.

+Consider the following items when configuring Virtual WAN routing:

+* All branch connections (Point-to-site, Site-to-site, and ExpressRoute) need to be associated to the Default route table. That way, all branches learn the same prefixes.

+* You can specify multiple next hop IP addresses on a single virtual network connection. However, a virtual network connection doesn't support ΓÇÿmultiple/uniqueΓÇÖ next hop IP to the ΓÇÿsameΓÇÖ network virtual appliance in a spoke virtual network 'if' one of the routes with next hop IP is indicated to be public IP address or 0.0.0.0/0 (internet)

+* While it's true that two hubs on the same virtual WAN announce routes to each other (as long as the propagation is enabled to the same labels), this only applies to dynamic routing. Once you define a static route, this isn't the case.

+* When configuring static routes, don't use the hub router IPs as the next hop.

+* For more information about Virtual WAN, see the [FAQ](virtual-wan-faq.md).