workflow
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
< 🏡home
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | SAP |
| Source | View on GitHub |
⚠️ Not listed in Solution JSON: This content item was discovered by scanning the solution folder but is not included in the official Solution JSON file. It may be a legacy item, under development, or excluded from the official solution package.
Logic App Connectors
This playbook uses 5 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuremonitorlogs |
Managed | 0 | 1 |
azuresentinel |
Managed | 0 | 2 |
azurevm |
Managed | 0 | 1 |
teams |
Managed | 0 | 6 |
http |
Built-in | 0 | 1 |
Action parameters (URLs, paths, function IDs)
azuremonitorlogs (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Run_SAPConnectorHealth_check | post | /queryData |
— |
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_SAP_SOC_comment_to_incident | post | /Incidents/Comment |
— |
| Add_comment_to_incident | post | /Incidents/Comment |
— |
azurevm (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Restart_Sentinel_Collector_virtual_machine | post | /subscriptions/@{encodeURIComponent(parameters('SentinelCollectorSubscriptionId'))}/resourcegroups/@{encodeURIComponent(parameters('SentinelCollectorResourceGroup'))}/providers/Microsoft.Compute/virtualMachines/@{encodeURIComponent(parameters('SentinelCollectorVMName'))}/restart |
— |
teams (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Reply_with_processed_message_in_a_channel | post | /v1.0/teams/conversation/replyWithMessage/poster/Flow bot/location/@{encodeURIComponent('Channel')} |
— |
| Reply_with_restart_error_message_in_a_channel | post | /v1.0/teams/conversation/replyWithMessage/poster/Flow bot/location/@{encodeURIComponent('Channel')} |
— |
| Reply_with_restart_success_message_in_a_channel | post | /v1.0/teams/conversation/replyWithMessage/poster/Flow bot/location/@{encodeURIComponent('Channel')} |
— |
| Post_adaptive_card_for_unlikely_attack_in_a_chat_or_channel | post | /v1.0/teams/conversation/adaptivecard/poster/Flow bot/location/@{encodeURIComponent('Channel')} |
— |
| Post_REST_API_error_message_in_a_chat_or_channel | post | /beta/teams/conversation/message/poster/Flow bot/location/@{encodeURIComponent('Channel')} |
— |
| Post_card_in_a_chat_or_channel_despite_ACSS_connection_error | post | /v1.0/teams/conversation/adaptivecard/poster/Flow bot/location/@{encodeURIComponent('Channel')} |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_SAP_virtual_instance_state_by_SID_from_ACSS_via_Azure_Resource_Graph | POST | https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01 |
— |
Additional Documentation
📄 Source: SAPCollectorRemediate-STD/readme.md
Remediate SAP Sentinel Collector Agent attack
< 🏡home
Sophisticated scenario distinguishing between SAP maintenance events and malicious deactivation of the audit log ingestion into Sentinel.
Used Sentinel alert rule [SAP - Data collection health check](https://learn.microsoft.com/azure/sentinel/monitor-sap-system-health#use-an-alert-rule-template)
Azure Center for SAP Solutions (ACSS) health info exposed via the Azure Resource Graph qualify the incident to drive better triage processes at the SAP Security Operations teams.
👨🏽🔧installation guide.
| Step | 🪂 |
|---|---|
| Logic Apps Infrastructure | |
| Logic Apps Connections | |
| Logic Apps Standard Connections configuration | 🔗link |
| Logic Apps Standard workflow | 🔗link |
| Logic Apps Standard workflow parameters | 🔗link |
Required Azure Roles
| Role Name | Resource Type Scope | Purpose |
|---|---|---|
| Microsoft Sentinel Responder | At least resource group where Sentinel lives | Required for Incident state update |
| Azure Center for SAP solutions reader | Subscription level | Required for Azure resource graph SAP Virtual Instance discovery by Sentinel known SAP SID |
| Virtual Machine Contributor | At least resource group/virtual machine where Sentinel Collector runs | Required for remediation option to restart the collector VM |
Learn more about Microsoft Sentinel built-in roles here and Azure built-in roles here.
Additional integration options with Azure Resource Graph query for ACSS
Azure Resource Graph Explorer🔗
This playbook uses below query (dynmic SID param coming from Sentinel). Get inspired from it to expand to your own scenarios.
Find the REST API docs for the resource graph here/resources/resources?tabs=HTTP).
POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01
BODY
// Global SAP ACSS details by SID
// Click the "Run query" command above to execute the query and see results.
resources
| where type =~ 'Microsoft.Workloads/sapVirtualInstances' //get all resources of type SAP Virtual Instance
| where name == 'P01' //get selected SAP SID
| project id,name,tenantId,resourceGroup,subscriptionId,properties.health,properties.status //get only required fields
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊