ofer's comment

batamig · batamig · commit 1c1a3a794997 · 2024-01-15T13:20:31.000+02:00
diff --git a/articles/sentinel/false-positives.md b/articles/sentinel/false-positives.md
@@ -4,7 +4,7 @@ description: Learn how to resolve false positives in Microsoft Sentinel by creat
 author: batamig
 ms.author: bagol
 ms.topic: how-to
-ms.date: 01/11/2024
+ms.date: 01/15/2024
 ---
 
 # Handle false positives in Microsoft Sentinel
@@ -142,9 +142,12 @@ let subnets = _GetWatchlist('subnetallowlist');
 
 ### Example: Manage exceptions for the Microsoft Sentinel solution for SAP® applications
 
-The [Microsoft Sentinel solution for SAP® applications](sap/solution-overview.md) provides functions that call watchlists, where you can define excluded users or systems from triggering alerts.
+The [Microsoft Sentinel solution for SAP® applications](sap/solution-overview.md) provides functions you can use to exclude users or systems from triggering alerts.
 
-- Use the [**SAPUsersGetVIP**](sap/sap-solution-log-reference.md#sapusersgetvip) function to tag users and exclude them from triggering alerts. List specific users to exclude, or users with specific SAP roles or profiles. Use asterisks (*****) as wildcards when defining the user names to exclude all users with a specified syntax.
+- Use the [**SAPUsersGetVIP**](sap/sap-solution-log-reference.md#sapusersgetvip) function to:
+
+    - Call tags for users you want to exclude from triggering alerts. Tag users in the *SAP_User_Config* watchlist, using asterisks (*) as wildcards to tag all users with a specified naming syntax.
+    - List specific SAP roles and/or profiles you want to exclude from triggering alerts.
 
 - Use functions that support the *SelectedSystemRoles* parameter to determine that only specific types of systems trigger alerts, including only *Production* systems, only *UAT* systems, or both.
 
diff --git a/articles/sentinel/sap/sap-solution-log-reference.md b/articles/sentinel/sap/sap-solution-log-reference.md
@@ -341,14 +341,14 @@ The **SAPUsersGetVIP** function is commonly used in *Deterministic and Anomalous
 
 | Source | Field | Description | Notes  
 | ------------- | ------------- | ------------- | -------------  
-| The *SAP User Config* watchlist | SearchKey | Search Key |
-| The *SAP User Config* watchlist | SAPUser | The SAP User | OSS, DDIC  
-| The *SAP User Config* watchlist | Tags | String of tags assigned to user | RunObsoleteProgOK |  
-| The *SAP User Config* watchlist | User's Microsoft Entra Object ID | Microsoft Entra Object ID |   
-| The *SAP User Config* watchlist | User Identifier | AD User Identifier |
-| The *SAP User Config* watchlist | User on-premises Sid |  |
-| The *SAP User Config* watchlist | User Principal Name |  |
-| The *SAP User Config* watchlist | TagsList | A list of tags assigned to user | ChangeUserMasterDataOK;RunObsoleteProgOK |
+| The *SAP_User_Config* watchlist | SearchKey | Search Key |
+| The *SAP_User_Config* watchlist | SAPUser | The SAP User | OSS, DDIC  
+| The *SAP_User_Config* watchlist | Tags | String of tags assigned to user | RunObsoleteProgOK |  
+| The *SAP_User_Config* watchlist | User's Microsoft Entra Object ID | Microsoft Entra Object ID |   
+| The *SAP_User_Config* watchlist | User Identifier | AD User Identifier |
+| The *SAP_User_Config* watchlist | User on-premises Sid |  |
+| The *SAP_User_Config* watchlist | User Principal Name |  |
+| The *SAP_User_Config* watchlist | TagsList | A list of tags assigned to user | ChangeUserMasterDataOK;RunObsoleteProgOK |
 | Logic | TagsIntersect | A set of tags that matched SearchForTags | ["ChangeUserMasterDataOK","RunObsoleteProgOK"]  |
 | Logic | SpecialFocusTagged | Special focus indication | True, False  
 | Logic | IntersectionSize | The number of intersected Tags |
diff --git a/articles/sentinel/whats-new.md b/articles/sentinel/whats-new.md
@@ -29,7 +29,7 @@ Use analytics rules together with the [Microsoft Sentinel solution for SAP® app
 
 - The [**SAPUsersGetVIP**](sap/sap-solution-log-reference.md#sapusersgetvip) function now supports excluding users according to their SAP-given roles or profile.
 
-- The **SAP User Config** watchlist now supports using wildcards in the **SAPUser** field to exclude all users with a specific syntax.
+- The **SAP_User_Config** watchlist now supports using wildcards in the **SAPUser** field to exclude all users with a specific syntax.
 
 For more information, see [Microsoft Sentinel solution for SAP® applications data reference](sap/sap-solution-log-reference.md) and [Handle false positives in Microsoft Sentinel](false-positives.md).
 
