Merge pull request #197024 from MSFTandrelom/andrelom-docsv2.1

Edits to v2 docs

Author: Maggiemouse1

articles/sentinel/sap/configure-snc.md

@@ -134,25 +134,28 @@ This section explains how to import a certificate so that it's trusted by your A
     chmod +x ./sapcon-sentinel-kickstart.sh
     ```
 
-1. Run the script, specifying the following parameters:
+1. Run the script, specifying the following base parameters:
 
     ```bash
     ./sapcon-sentinel-kickstart.sh \
     --use-snc \
     --cryptolib <path to sapcryptolib.so> \
     --sapgenpse <path to sapgenpse> \
-    # CLIENT CERTIFICATE
-    # If client certificate is in .crt/.key format
+    --server-cert <path to server certificate public key> \
+    ```
+    If the client certificate is in .crt/.key format, use the following switches:
+    ```bash
     --client-cert <path to client certificate public key> \
     --client-key <path to client certificate private key> \
-    # If client certificate is in .pfx or .p12 format
+    ```
+    If client certificate is in .pfx or .p12 format
+    ```bash
     --client-pfx <pfx filename>
     --client-pfx-passwd <password>
-    # If client certificate issued by enterprise CA
-    --cacert <path to ca certificate> # for each CA in the trust chain
-    # SERVER CERTIFICATE
-    --server-cert <path to server certificate public key> \
-    
+    ```
+    If client certificate issued by enterprise CA, add the switch for **each** CA in the trust chain
+    ```bash
+    --cacert <path to ca certificate> # 
     ```
 
     For example:
@@ -162,17 +165,10 @@ This section explains how to import a certificate so that it's trusted by your A
     --use-snc \
     --cryptolib /home/azureuser/libsapcrypto.so \
     --sapgenpse /home/azureuser/sapgenpse \
-    # CLIENT CERTIFICATE
-    # If client certificate is in .crt/.key format
     --client-cert /home/azureuser/client.crt \
     --client-key /home/azureuser/client.key \
-    # If client certificate is in .pfx or .p12 format
-    --client-pfx /home/azureuser/client.pfx \
-    --client-pfx-passwd <password>
-    # If client certificate issued by enterprise CA
     --cacert /home/azureuser/issuingca.crt
     --cacert /home/azureuser/rootca.crt
-    # SERVER CERTIFICATE
     --server-cert /home/azureuser/server.crt \
     ```
 

articles/sentinel/sap/configure-transport.md

@@ -75,7 +75,7 @@ The following steps show the process for configuring the Transport Management Sy
 Now that you've configured the Transport Management System, you'll be able to successfully complete the `STMS_IMPORT` transaction and you can continue [preparing your SAP environment](preparing-sap.md) for deploying the Continuous Threat Monitoring solution for SAP in Microsoft Sentinel.
 
 > [!div class="nextstepaction"]
-> [Deploy SAP Change Requests and configure authorization](preparing-sap.md#set-up-the-applications)
+> [Deploy SAP Change Requests and configure authorization](preparing-sap.md#import-the-crs)
 
 Learn more about the Microsoft Sentinel SAP solutions:
 

articles/sentinel/sap/deploy-data-connector-agent-container.md

@@ -37,19 +37,19 @@ Deployment of the SAP continuous threat monitoring solution is divided into the
 
 ## Data connector agent deployment overview
 
-The Continuous Threat Monitoring solution for SAP is built on first getting all your SAP log data into Microsoft Sentinel, so that all the other components of the solution can do their jobs. To accomplish this, you need to deploy the SAP data connector agent.
+For the Continuous Threat Monitoring solution for SAP to operate correctly, data must first be ingested from SAP system into Microsoft Sentinel. To accomplish this, you need to deploy the Continuous Threat Monitoring solution for SAP data connector agent.
 
-The data connector agent runs as a container on a Linux virtual machine (VM). This VM can be hosted either in Azure, in other clouds, or on-premises. You install and configure this container using a *kickstart* script.
+The data connector agent runs as a container on a Linux virtual machine (VM). This VM can be hosted either in Azure, in a third-party cloud, or on-premises. The recommended way for you to install and configure this container is by using a *kickstart* script, however you can choose to deploy the container [manually](?tabs=deploy-manually)
 
-The agent connects to your SAP system to pull the logs from it, and then sends those logs to your Microsoft Sentinel workspace. To do this, the agent has to authenticate to your SAP system - that's why you created a user and a role for the agent in your SAP system in the previous step. 
+The agent connects to your SAP system to pull logs and other data from it, then sends those logs to your Microsoft Sentinel. To do this, the agent has to authenticate to your SAP system - that's why you created a user and a role for the agent in your SAP system in the previous step. 
 
 Your SAP authentication infrastructure, and where you deploy your VM, will determine how and where your agent configuration information, including your SAP authentication secrets, is stored. These are the options, in descending order of preference:
 
 - An Azure Key Vault, accessed through an Azure **system-assigned managed identity**
 - An Azure Key Vault, accessed through an Azure AD **registered-application service principal**
 - A plaintext **configuration file**
 
-If your **SAP authentication** infrastructure is based on **PKI**, using **X.509 certificates**, your only option is to use a configuration file. Select the **Configuration file** tab below for the instructions to deploy your agent container.
+If your **SAP authentication** infrastructure is based on **SNC**, using **X.509 certificates**, your only option is to use a configuration file. Select the **Configuration file** tab below for the instructions to deploy your agent container.
 
 If not, then your SAP configuration and authentication secrets can and should be stored in an [**Azure Key Vault**](../../key-vault/general/authentication.md). How you access your key vault depends on where your VM is deployed:
 
@@ -65,11 +65,18 @@ If not, then your SAP configuration and authentication secrets can and should be
 
 # [Managed identity](#tab/managed-identity)
 
+1. Transfer the [SAP NetWeaver SDK](https://aka.ms/sap-sdk-download) to the machine on which you want to install the agent.
+1. 
 1. Run the following command to **Create a VM** in Azure (substitute actual names for the `<placeholders>`):
 
     ```azurecli
     az vm create --resource-group <resource group name> --name <VM Name> --image Canonical:0001-com-ubuntu-server-focal:20_04-lts-gen2:latest --admin-username <azureuser> --public-ip-address "" --size  Standard_D2as_v5 --generate-ssh-keys --assign-identity
     ```
+    For more information, see [Quickstart: Create a Linux virtual machine with the Azure CLI](../../virtual-machines/linux/quick-create-cli.md).
+
+    > [!IMPORTANT]
+    > After the VM is created, be sure to apply any security requirements and hardening procedures applicable in your organization.
+    >
 
     The command above will create the VM resource, producing output that looks like this:
 
@@ -92,33 +99,21 @@ If not, then your SAP configuration and authentication secrets can and should be
     ```
 
 1. Copy the **systemAssignedIdentity** GUID, as it will be used in the coming steps.
-
-    For more information, see [Quickstart: Create a Linux virtual machine with the Azure CLI](../../virtual-machines/linux/quick-create-cli.md).
-
-    > [!IMPORTANT]
-    > After the VM is created, be sure to apply any security requirements and hardening procedures applicable in your organization.
-    >
-
-1. Run the following commands to **create a key vault** (substitute actual names for the `<placeholders>`):
+   
+1. Run the following commands to **create a key vault** (substitute actual names for the `<placeholders>`). If you'll be using an existing key vault, ignore this step:
 
     ```azurecli
-    kvgp=<KVResourceGroup>
-    kvname=<keyvaultname>
-
-    #Create a key vault
     az keyvault create \
-      --name $kvname \
-      --resource-group $kvgp
-    ```
-
-    If you'll be using an existing key vault, ignore this step.
+      --name <KeyVaultName> \
+      --resource-group <KeyVaultResourceGroupName>
+    ```    
 
 1. Copy the name of the (newly created or existing) key vault and the name of its resource group. You'll need these when you run the deployment script in the coming steps.
 
 1. Run the following command to **assign a key vault access policy** to the VM's system-assigned identity that you copied above (substitute actual names for the `<placeholders>`):
 
     ```azurecli
-    az keyvault set-policy -n <key vault name> -g <key vault resource group> --object-id <VM system-assigned identity> --secret-permissions get list set
+    az keyvault set-policy -n <KeyVaultName> -g <KeyVaultResourceGroupName> --object-id <VM system-assigned identity> --secret-permissions get list set
     ```
 
     This policy will allow the VM to list, read, and write secrets from/to the key vault.
@@ -133,7 +128,7 @@ If not, then your SAP configuration and authentication secrets can and should be
     wget -O sapcon-sentinel-kickstart.sh https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/sapcon-sentinel-kickstart.sh && bash ./sapcon-sentinel-kickstart.sh
     ```
 
-    The script updates the OS components and installs the Azure CLI and Docker software.
+    The script updates the OS components, installs the Azure CLI and Docker software and other required utilities (jq, netcat, curl), and prompts you for configuration parameter values. You can supply additional parameters to the script to minimize the amount of prompts, or to customize the container deployment. For more information on available command line options, see [Kickstart script reference](reference-kickstart.md)
 
 1. **Follow the on-screen instructions** to enter your SAP and key vault details and complete the deployment. When the deployment is complete, a confirmation message is displayed:
 
@@ -153,6 +148,8 @@ If not, then your SAP configuration and authentication secrets can and should be
 
 # [Registered application](#tab/registered-application)
 
+1. Transfer the [SAP NetWeaver SDK](https://aka.ms/sap-sdk-download) to the machine on which you want to install the agent.
+1. 
 1. Run the following command to **create and register an application**:
 
     ```azurecli
@@ -172,26 +169,19 @@ If not, then your SAP configuration and authentication secrets can and should be
 
 1. Copy the **appId**, **tenant**, and **password** from the output. You'll need these for assigning the key vault access policy and running the deployment script in the coming steps.
 
-1. Run the following commands to **create a key vault** (substitute actual names for the `<placeholders>`):
+1. Run the following commands to **create a key vault** (substitute actual names for the `<placeholders>`). If you'll be using an existing key vault, ignore this step :
 
     ```azurecli
-    kvgp=<KVResourceGroup>
-    kvname=<keyvaultname>
-
-    #Create a key vault
     az keyvault create \
-      --name $kvname \
-      --resource-group $kvgp
-    ```
-
-    If you'll be using an existing key vault, ignore this step.
-
+      --name <KeyVaultName> \
+      --resource-group <KeyVaultResourceGroupName>
+    ```    
 1. Copy the name of the (newly created or existing) key vault and the name of its resource group. You'll need these for assigning the key vault access policy and running the deployment script in the coming steps.
 
 1. Run the following command to **assign a key vault access policy** to the registered application ID that you copied above (substitute actual names or values for the `<placeholders>`):
 
     ```azurecli
-    az keyvault set-policy -n <key vault name> -g <key vault resource group> --spn <appid> --secret-permissions get list set
+    az keyvault set-policy -n <KeyVaultName> -g <KeyVaultResourceGroupName> --spn <appId> --secret-permissions get list set
     ```
 
     For example:
@@ -215,7 +205,7 @@ If not, then your SAP configuration and authentication secrets can and should be
     ./sapcon-sentinel-kickstart.sh --keymode kvsi --appid aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa --appsecret ssssssssssssssssssssssssssssssssss -tenantid bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb -kvaultname <key vault name>
     ```
 
-    The script updates the OS components, installs the Azure CLI and Docker software and other required utilities (jq, netcat, curl), and prompts you for configuration parameter values.
+    The script updates the OS components, installs the Azure CLI and Docker software and other required utilities (jq, netcat, curl), and prompts you for configuration parameter values. You can supply additional parameters to the script to minimize the amount of prompts, or to customize the container deployment. For more information on available command line options, see [Kickstart script reference](reference-kickstart.md)
 
 1. **Follow the on-screen instructions** to enter the requested details and complete the deployment. When the deployment is complete, a confirmation message is displayed:
 
@@ -235,6 +225,8 @@ If not, then your SAP configuration and authentication secrets can and should be
 
 # [Configuration file](#tab/config-file)
 
+1. Transfer the [SAP NetWeaver SDK](https://aka.ms/sap-sdk-download) to the machine on which you want to install the agent.
+1. 
 1. Run the following commands to **download the deployment Kickstart script** from the Microsoft Sentinel GitHub repository and **mark it executable**:
 
     ```bash
@@ -248,7 +240,7 @@ If not, then your SAP configuration and authentication secrets can and should be
     ./sapcon-sentinel-kickstart.sh --keymode cfgf
     ```
 
-    The script updates the OS components, installs the Azure CLI and Docker software and other required utilities (jq, netcat, curl), and prompts you for configuration parameter values.
+    The script updates the OS components, installs the Azure CLI and Docker software and other required utilities (jq, netcat, curl), and prompts you for configuration parameter values. You can supply additional parameters to the script to minimize the amount of prompts, or to customize the container deployment. For more information on available command line options, see [Kickstart script reference](reference-kickstart.md)
 
 1. **Follow the on-screen instructions** to enter the requested details and complete the deployment. When the deployment is complete, a confirmation message is displayed:
 
@@ -269,11 +261,11 @@ If not, then your SAP configuration and authentication secrets can and should be
 
 ---
 
-## Deploy the SAP data connector manually
+# [Manual Deployment](#tab/deploy-manually)
 
 1. Transfer the [SAP NetWeaver SDK](https://aka.ms/sap-sdk-download) to the machine on which you want to install the agent.
 
-1. Install [Docker](https://www.docker.com/)
+1. Install [Docker](https://www.docker.com/) on the VM, following [recommended deployment steps](https://docs.docker.com/engine/install/) for the chosen operating system
 
 1. Use the following commands (replacing <*SID*> with the name of the SAP instance) to create a folder to store the container configuration and metadata, and to download a sample systemconfig.ini file into that folder.
 
@@ -295,14 +287,20 @@ If not, then your SAP configuration and authentication secrets can and should be
    docker create -d --restart unless-stopped -v /opt/sapcon/$sid/:/sapcon-app/sapcon/config/system --name sapcon-$sid sapcon   
    ````
 
-1. Run the following command (replacing <*SID*> with the name of the SAP instance) to copy the SDK into the container.
+1. Run the following command (replacing <*SID*> with the name of the SAP instance and <*sdkfilename*> with full filename of the SAP NetWeaver SDK) to copy the SDK into the container.
 
    ````bash
    sdkfile=<sdkfilename> 
    sid=<SID>
    docker cp $sdkfile sapcon-$sid:/sapcon-app/inst/
    ````
 
+1. Run the following command (replacing <*SID*> with the name of the SAP instance) to start the container.
+   ````bash
+   sid=<SID>
+   docker start sapcon-$sid
+   ````
+
 ## Next steps
 
 Once connector is deployed, proceed to deploy Continuous Threat Monitoring for SAP solution content

articles/sentinel/sap/deploy-sap-security-content.md

@@ -41,8 +41,6 @@ Deploy the [SAP security content](sap-solution-security-content.md) from the Mic
 
 The **Microsoft Sentinel - Continuous Threat Monitoring for SAP** solution enables the SAP data connector to be displayed in the Microsoft Sentinel **Data connectors** area. The solution also deploys the **SAP - System Applications and Products** workbook and SAP-related analytics rules.
 
-Add SAP-related watchlists to your Microsoft Sentinel workspace manually.
-
 To deploy SAP solution security content, do the following:
 
 1. In Microsoft Sentinel, on the left pane, select **Content hub (Preview)**.
@@ -53,12 +51,10 @@ To deploy SAP solution security content, do the following:
 
     :::image type="content" source="./media/deploy-sap-security-content/sap-solution.png" alt-text="Screenshot of the 'Microsoft Sentinel - Continuous Threat Monitoring for SAP' solution pane." lightbox="media/deploy-sap-security-content/sap-solution.png":::
 
-1. To launch the solution deployment wizard, select **Create**, and then enter the details of the Azure subscription, resource group, and Log Analytics workspace where you want to deploy the solution.
+1. To launch the solution deployment wizard, select **Create**, and then enter the details of the Azure subscription, resource group, and Log Analytics workspace (the one which is used by Microsoft Sentinel) where you want to deploy the solution.
 
 1. Select **Next** to cycle through the **Data Connectors**, **Analytics**, and **Workbooks** tabs, where you can learn about the components that will be deployed with this solution.
 
-    The default name for the workbook is **SAP - System Applications and Products**. Change it in the workbooks tab as needed.
-
     For more information, see [Microsoft Sentinel SAP solution: security content reference (public preview)](sap-solution-security-content.md).
 
 1. On the **Review + create tab** pane, wait for the **Validation Passed** message, then select **Create** to deploy the solution.
@@ -73,16 +69,6 @@ To deploy SAP solution security content, do the following:
     - **Threat Management** > **Workbooks** > **My workbooks**, to find the [built-in SAP workbooks](sap-solution-security-content.md#built-in-workbooks).
     - **Configuration** > **Analytics** to find a series of [SAP-related analytics rules](sap-solution-security-content.md#built-in-analytics-rules).
 
-1. Add SAP-related watchlists to use in your search, detection rules, threat hunting, and response playbooks. These watchlists provide the configuration for the Microsoft Sentinel SAP Continuous Threat Monitoring solution. Do the following:
-
-    1. Download SAP watchlists from the Microsoft Sentinel GitHub repository at https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP/Analytics/Watchlists.
-    
-    1. In the Microsoft Sentinel **Watchlists** area, add the watchlists to your Microsoft Sentinel workspace. Use the downloaded CSV files as the sources, and then customize them as needed for your environment.  
-
-    [![SAP-related watchlists added to Microsoft Sentinel.](./media/deploy-sap-security-content/sap-watchlists.png)](./media/deploy-sap-security-content/sap-watchlists.png#lightbox)
-
-    For more information, see [Use Microsoft Sentinel watchlists](../watchlists.md) and [Available SAP watchlists](sap-solution-security-content.md#available-watchlists).
-
 1. In Microsoft Sentinel, go to the **Microsoft Sentinel Continuous Threat Monitoring for SAP** data connector to confirm the connection:
 
     [![Screenshot of the Microsoft Sentinel Continuous Threat Monitoring for SAP data connector page.](./media/deploy-sap-security-content/sap-data-connector.png)](./media/deploy-sap-security-content/sap-data-connector.png#lightbox)