Repository: https://github.com/MartinPankraz/Security-Insights-2-Action (GitHub, default branch `main`, license Apache-2.0)
Description: Content supporting the Microsoft hands-on at DSAG Technology Days March 2023
Topics: audit, azure, logic-apps, microsoft-sentinel, sap, security, sentinel
Homepage: https://dsagtechtage.plazz.net/?utm_campaign=technologietage#359
Created 2023-02-27, last pushed 2023-03-20; record synced from repos.ecosyste.ms on 2025-04-04.

# 🕵️ Security-Insights 2 Action with SOAR 🚀 - Automatic locking of users on suspicious activity in SAP systems

`Content supporting hands-on session 1 "Automatisches Sperren von Benutzern bei ungewöhnlichen Aktivitäten" (Automatic locking of users on unusual activity) @ DSAG Technology Days March 2023`

Security incidents **affect every company** at some point; given the threat landscape, it is **not** a question of **if but when**. According to [Statista 2022](https://www.statista.com/statistics/1275029/length-of-downtime-after-ransomware-attack/), the average downtime after a ransomware attack has grown year over year and currently sits at around 22 days. That is long enough for some companies to suffer considerable damage or even go out of business. **SAP systems are a prime target** for cyber attackers.

Detecting suspicious activity automatically and reacting to it in time is key to limiting the damage. This practice is called `Security Orchestration, Automation and Response (SOAR)`.

## 🔭 Introduction

In this hands-on session you will design automated workflows that are triggered by security incidents raised from SAP S/4HANA. You will learn how to use Microsoft Sentinel to detect suspicious activity and how to automate the locking of the affected users in SAP systems and Azure AD.

## 🧙🏾‍♀️ Epic Quests

Before you go: verify the [prerequisites](PREREQUISITES.md) are met (backpack, lunch box, good-bye kiss, haunted jewelry, etc.)

0. [The Journey](student/quest0.md) - Where will those quests take us
1. [Novice's path](student/quest1.md) - Raise an incident in Microsoft Sentinel and investigate the incident details
2. [Apprentice's curious road](student/quest2.md) - Understand the workflow and see the `SAP user blocking` in action
3. [Debutant's journey](student/quest3.md) - Adjust the workflow blueprint to add the transaction code to the Microsoft Teams message
4. [Master's trail](student/quest4.md) - Go all in and add Azure AD user locking

🏆 Finish the final quest, collect the pass phrase, and redeem it to [claim your badge](https://webhostingforconverter.z16.web.core.windows.net/claim-reward.html) 😎

Get the slide deck from [here](https://aka.ms/dsagtt23-sentinel-slides).

## ✨ Recommended courses and further learning

### Applied security science

- [Ransomware struck on-premises but Azure Cloud survived | a customer story](https://customers.microsoft.com/en-us/story/1512571257640211870-campari-group-consumer-goods-sap-on-azure)
- [Get started with SAP and Azure integration scenarios](https://learn.microsoft.com/azure/sap/workloads/integration-get-started)
- [Microsoft Sentinel solution for SAP® applications: security content reference](https://learn.microsoft.com/azure/sentinel/sap/sap-solution-security-content)

### Handy work

- [Adaptive Card Designer](https://adaptivecards.io/designer/), the [Schema explorer](https://adaptivecards.io/explorer/AdaptiveCard.html), and the [templating language](https://learn.microsoft.com/adaptive-cards/templating/language)
- Outlook [Actionable Messages](https://learn.microsoft.com/outlook/actionable-messages/) and [Debugger](https://appsource.microsoft.com/product/office/wa104381686?tab=overview&exp=ubp8)
- [Kusto Query Language Overview](https://learn.microsoft.com/azure/data-explorer/kusto/query/)
- [Kusto Query learning exercise - Data Detective](https://detective.kusto.io/)

### SAP legacy interfaces at their best

- [Connect to SAP RFCs/BAPIs from workflows in Azure Logic Apps](https://learn.microsoft.com/azure/logic-apps/logic-apps-using-sap-connector)

## 📢 Feedback

This repo welcomes contributions and feedback via [GitHub Issues](https://github.com/MartinPankraz/Security-Insights-2-Action/issues/new/choose).

## 🚸 Adventure Guides [🔗](mentor/quest1.md)

- [Holger Bruchelt - Microsoft Engineering](https://www.linkedin.com/in/holger-bruchelt/)
- [Martin Pankraz - Microsoft Engineering](https://www.linkedin.com/in/martin-pankraz/)
- [Ofer Inbar - Microsoft Sentinel Engineering](https://www.linkedin.com/in/ofer-inbar/)
- [Sebastian Ullrich - Microsoft Cloud Solution Architect](https://www.linkedin.com/in/sebastian-ullrich-677b36168/)
- [Martin Steiner - Microsoft Security Cloud Solution Architect](https://www.linkedin.com/in/martin-steiner-28312b141/)
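The quests above walk through one SOAR playbook end to end: a Sentinel incident raised on SAP activity triggers a workflow that posts a Teams message (with the transaction code, quest 3) and locks the user in SAP (quest 2) and in Azure AD (quest 4). The Python below is an added, offline model of that decision flow, not the repo's Logic App blueprint or any Microsoft code. The incident payload is constructed and deliberately simplified (a real Sentinel incident object nests entities and custom details deeper); the `PROTECTED_SAP_USERS` allow-list is an assumption worth copying, because a playbook that can lock `SAP*` or `DDIC` can lock the administrators out of the system. The Adaptive Card schema, the `BAPI_USER_LOCK` parameter name `USERNAME`, and the Graph `accountEnabled` patch are real; everything else is illustrative.

```python
"""Offline model of the hands-on playbook: Sentinel incident in, Teams card plus
SAP/Azure AD lock actions out. Added example with constructed data."""
from __future__ import annotations
import json
from dataclasses import dataclass

# Assumed allow-list of SAP technical / break-glass users the playbook must never
# auto-lock; locking SAP* or DDIC can leave nobody able to administer the system.
PROTECTED_SAP_USERS = {"SAP*", "DDIC", "SAPCPIC", "TMSADM"}
LOCK_SEVERITIES = {"Medium", "High"}  # assumed auto-lock threshold


@dataclass(frozen=True)
class Decision:
    incident_id: str
    severity: str
    sap_user: str | None
    aad_user_id: str | None
    transaction_code: str | None
    should_lock: bool
    reason: str


def decide(incident: dict) -> Decision:
    """Extract SAP user, Azure AD object id and transaction code from the
    (simplified, constructed) incident shape and decide whether to auto-lock."""
    props = incident["properties"]
    sap_user = aad_id = None
    for ent in props.get("relatedEntities", []):
        if ent.get("kind") == "Account":  # Sentinel Account entity
            sap_user = ent["properties"].get("accountName")
            aad_id = ent["properties"].get("aadUserId")
    tcode = props.get("customDetails", {}).get("TransactionCode")
    sev = props.get("severity", "Informational")

    if sap_user is None:
        lock, why = False, "no Account entity on the incident"
    elif sap_user.upper() in PROTECTED_SAP_USERS:
        lock, why = False, f"{sap_user} is a protected technical user; escalate to a human"
    elif sev not in LOCK_SEVERITIES:
        lock, why = False, f"severity {sev} is below the auto-lock threshold"
    else:
        lock, why = True, f"{sev} severity incident on {sap_user}"
    return Decision(incident["id"], sev, sap_user, aad_id, tcode, lock, why)


def teams_card(d: Decision) -> dict:
    """Adaptive Card (schema 1.4) for the Teams notification; the transaction
    code from quest 3 is shown as a fact next to the user."""
    facts = [
        {"title": "Incident", "value": d.incident_id},
        {"title": "Severity", "value": d.severity},
        {"title": "SAP user", "value": d.sap_user or "n/a"},
        {"title": "Transaction code", "value": d.transaction_code or "n/a"},
        {"title": "Auto-lock", "value": "yes" if d.should_lock else f"no ({d.reason})"},
    ]
    return {
        "type": "AdaptiveCard",
        "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
        "version": "1.4",
        "body": [
            {"type": "TextBlock", "size": "Medium", "weight": "Bolder",
             "text": "Suspicious SAP activity detected"},
            {"type": "FactSet", "facts": facts},
        ],
        "actions": [{"type": "Action.Submit", "title": "Unlock user",
                     "data": {"action": "unlock", "sapUser": d.sap_user}}],
    }


def sap_lock_request(d: Decision) -> dict | None:
    """Import parameters the Logic Apps SAP connector would pass to BAPI_USER_LOCK."""
    if not d.should_lock:
        return None
    return {"rfc": "BAPI_USER_LOCK", "import": {"USERNAME": d.sap_user}}


def aad_disable_request(d: Decision) -> dict | None:
    """Microsoft Graph call that blocks sign-in for the mapped Azure AD user (quest 4)."""
    if not d.should_lock or d.aad_user_id is None:
        return None
    return {"method": "PATCH",
            "url": f"https://graph.microsoft.com/v1.0/users/{d.aad_user_id}",
            "body": {"accountEnabled": False}}


def run_playbook(incident: dict) -> dict:
    d = decide(incident)
    return {"decision": d, "card": teams_card(d),
            "sap": sap_lock_request(d), "aad": aad_disable_request(d)}


# Constructed incidents: one ordinary user, one protected technical user.
SAMPLE_INCIDENT = {
    "id": "INC-1042",
    "properties": {
        "title": "SAP - sensitive transaction executed",
        "severity": "High",
        "customDetails": {"TransactionCode": "SE16"},
        "relatedEntities": [{"kind": "Account", "properties": {
            "accountName": "JDOE", "aadUserId": "2b5f0b1e-0000-4000-8000-000000000001"}}],
    },
}
PROTECTED_INCIDENT = {
    "id": "INC-1043",
    "properties": {
        "title": "SAP - sensitive transaction executed",
        "severity": "High",
        "customDetails": {"TransactionCode": "SE16"},
        "relatedEntities": [{"kind": "Account", "properties": {"accountName": "DDIC"}}],
    },
}

if __name__ == "__main__":
    for inc in (SAMPLE_INCIDENT, PROTECTED_INCIDENT):
        out = run_playbook(inc)
        print(json.dumps({"reason": out["decision"].reason, "sap": out["sap"],
                          "aad": out["aad"]}, indent=1))
```

In the real workflow the three outputs map to three Logic Apps actions: the card goes to the Teams connector, the `BAPI_USER_LOCK` parameters to the SAP connector (see the legacy-interfaces link above), and the Graph patch to an HTTP action with a managed identity holding `User.ReadWrite.All`. The protected-user branch is the one to keep: it still posts the card so a human sees the incident, but never fires the lock calls.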