add sap playbook for agentless and XDR

[MartinPankraz]

Change(s):

• playbook added supporting SAP Integration Suite for agentless for user blocking
• altered alert parsing logic compared to existing playbooks to cater for XDR correlated incidents rather than isolated SAP incidents in Sentinel only

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a new “Lock SAP User” consumption playbook that supports agentless user blocking via SAP Integration Suite and improves alert parsing to work with correlated Defender XDR incidents (multi-alert).

Changes:

• Added a new Consumption Logic App playbook with dynamic extraction of SAP Custom Details across all incident alerts.
• Updated the SAP Playbooks index to list both Consumption and Standard variants.
• Added documentation for deployment, parameters, and extension points of the new playbook.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

File	Description
Solutions/SAP/Playbooks/README.md	Updates playbook index to include the new Consumption variant alongside the existing Standard variant.
Solutions/SAP/Playbooks/Basic-SAPLockUser/azuredeploy.json	Introduces the new Consumption Logic App ARM template, including XDR-friendly alert filtering and Teams adaptive card workflow.
Solutions/SAP/Playbooks/Basic-SAPLockUser/README.md	Documents purpose, prerequisites, deployment parameters, and differences vs. STD.