What Changed
Added new Consumption Logic App playbook for SAP user blocking that dynamically searches all alerts in an incident for SAP-specific Custom Details (SAP_User, SidGuid, AgentGuid), making it compatible with complex Defender XDR incidents.
Key Enhancements
- Dynamic alert parsing: Unlike the existing playbooks, which assume the SAP alert is always the first alert in the incident, this version filters all alerts in the incident and uses the one that carries the SAP Custom Details
- Defender XDR compatibility: Handles multi-alert incidents where the SAP alert may not be the alert that triggered the incident
- SAP Integration Suite: Uses OAuth2 client credentials for agentless SAP ERP user locking via a CPI iFlow
- Teams integration: Presents adaptive cards for analyst decision-making (block user or flag false positive)
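The filtering behaviour described above, as an added example that is not part of this PR or the playbook's ARM template. It models in Python what the Logic App's filter action does: walk every alert in the incident and take the first one whose Custom Details contain all three SAP fields, instead of reading Alerts[0]. The payload shape (object.properties.Alerts[].properties.additionalData.customDetails, each Custom Detail a list of strings) is assumed here to mirror what the Microsoft Sentinel incident trigger hands the Logic App, and the sample incident is constructed for the example, not real telemetry.

```python
"""Added example: pick the SAP alert out of a multi-alert Defender XDR incident.

Assumptions (not taken from the playbook itself): the incident payload follows
object.properties.Alerts[].properties.additionalData.customDetails, and each
Custom Detail is a list of strings, as the Sentinel incident trigger exposes it.
The sample incident below is constructed for this example.
"""
from typing import Any, Dict, List, Optional

# The three Custom Details the playbook needs before it can call the iFlow.
SAP_CUSTOM_DETAILS = ("SAP_User", "SidGuid", "AgentGuid")

# Constructed sample: alert 0 is a non-SAP alert that Defender XDR correlated
# into the incident; the SAP alert is second, so Alerts[0] is the wrong one.
SAMPLE_INCIDENT: Dict[str, Any] = {
    "object": {
        "properties": {
            "Alerts": [
                {
                    "properties": {
                        "alertDisplayName": "Suspicious PowerShell on workstation",
                        "additionalData": {"customDetails": {}},
                    }
                },
                {
                    "properties": {
                        "alertDisplayName": "SAP - Sensitive privileged user logon",
                        "additionalData": {
                            "customDetails": {
                                "SAP_User": ["JDOE"],
                                "SidGuid": ["00000000-0000-0000-0000-000000000000"],
                                "AgentGuid": ["11111111-1111-1111-1111-111111111111"],
                            }
                        },
                    }
                },
            ]
        }
    }
}


def custom_details(alert: Dict[str, Any]) -> Dict[str, List[str]]:
    """Return the alert's Custom Details map, or {} if absent (like ?[] in Logic Apps)."""
    return (
        alert.get("properties", {})
        .get("additionalData", {})
        .get("customDetails", {})
        or {}
    )


def is_sap_alert(alert: Dict[str, Any]) -> bool:
    """True only if every required SAP detail is present with a non-empty value."""
    details = custom_details(alert)
    return all(details.get(key) for key in SAP_CUSTOM_DETAILS)


def static_first_alert_sap_user(incident: Dict[str, Any]) -> Optional[str]:
    """The static-index pattern: Alerts[0] is assumed to be the SAP alert."""
    alerts = incident["object"]["properties"]["Alerts"]
    values = custom_details(alerts[0]).get("SAP_User") or []
    return values[0] if values else None


def find_sap_details(incident: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Filter all alerts for SAP details and return the first match's values.

    Returns None when no alert carries the full set, so the playbook can stop
    instead of calling the iFlow with empty SAP_User/SidGuid/AgentGuid values.
    """
    alerts = incident.get("object", {}).get("properties", {}).get("Alerts", [])
    for alert in filter(is_sap_alert, alerts):
        details = custom_details(alert)
        # Custom Details are lists; the lock request uses the first value of each.
        return {key: details[key][0] for key in SAP_CUSTOM_DETAILS}
    return None


if __name__ == "__main__":
    print("static Alerts[0] lookup:", static_first_alert_sap_user(SAMPLE_INCIDENT))
    print("dynamic filter:", find_sap_details(SAMPLE_INCIDENT))
```

Requiring all three details, rather than any one of them, matters: an alert that exposes only SAP_User would otherwise be selected and the iFlow called without the system identifiers it needs to target the right SAP system.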
Deployment Requirements
- SAP Integration Suite with community user lock/unlock iFlow deployed
- OAuth2 client credentials from SAP Process Integration runtime
- Microsoft Teams channel configured for incident notifications
- Microsoft Sentinel Responder role assigned to Logic App managed identity
Security Impact
This playbook addresses a critical gap in SAP incident response automation for environments using Microsoft Defender XDR. Previously, incidents containing multiple alerts could not reliably trigger SAP user blocking, because the playbooks read the SAP details from a fixed alert index and failed whenever the SAP alert was not first. This enhancement enables consistent automated response to SAP security events regardless of how many alerts the incident contains or in which order they were correlated.
Affected Files
Solutions/SAP/Playbooks/Basic-SAPLockUser/README.md
Solutions/SAP/Playbooks/Basic-SAPLockUser/azuredeploy.json
Solutions/SAP/Playbooks/README.md