File: articles/sentinel/sap/sap-risky-configuration-parameters.md (8 additions & 6 deletions)
@@ -13,9 +13,11 @@ This article details the security parameters in the SAP system that the Microsof
## Monitored SAP security parameters
+
This list includes the SAP security parameters that the Microsoft Sentinel solution for SAP® applications monitors to protect your SAP system. The list isn't a recommendation for configuring these parameters. For configuration considerations, consult your SAP admin and security team.
|gw/accept_remote_trace_level |Controls whether or not the Central Process Integration (CPI) and Remote Function Call (RFC) subsystems adopt the remote trace level. When this parameter is set to `1`, the CPI and RFC subsystems accept and adopt the remote trace levels. When set to `0`, remote trace levels aren't accepted and the local trace level is used instead.<br><br>The trace level is a setting that determines the level of detail recorded in the system log for a specific program or process. When the subsystems adopt the trace levels, you can set the trace level for a program or process from a remote system and not only from the local system. This setting can be useful in situations where remote debugging or troubleshooting is required. ||
+
|gw/accept_remote_trace_level |Controls whether or not the Central Process Integration (CPI) and Remote Function Call (RFC) subsystems adopt the remote trace level. When this parameter is set to `1`, the CPI and RFC subsystems accept and adopt the remote trace levels. When set to `0`, remote trace levels aren't accepted and the local trace level is used instead.<br><br>The trace level is a setting that determines the level of detail recorded in the system log for a specific program or process. When the subsystems adopt the trace levels, you can set the trace level for a program or process from a remote system and not only from the local system. This setting can be useful in situations where remote debugging or troubleshooting is required. |The parameter can be configured to restrict the trace level accepted from external systems. Setting a lower trace level may reduce the amount of information that external systems can obtain about the internal workings of the SAP system.|
|login/password_change_for_SSO |Controls how password changes are enforced in single sign-on situations. |High, because enforcing password changes can help prevent unauthorized access to the system by attackers who may have obtained valid credentials through phishing or other means. |
|icm/accept_remote_trace_level |Determines whether the Internet Communication Manager (ICM) accepts remote trace level changes from external systems. |Medium, because allowing remote trace level changes can provide valuable diagnostic information to attackers and potentially compromise system security. |
|rdisp/gui_auto_logout |Specifies the maximum idle time for SAP GUI connections before automatically logging out the user. | High, because automatically logging out inactive users can help prevent unauthorized access to the system by attackers who may have gained access to a user's workstation. |
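Review bot: the new risk cell for gw/accept_remote_trace_level (the `+` row in this hunk) says "Setting a lower trace level may reduce the amount of information", but the description in the same row states that this parameter is a `0`/`1` switch deciding whether remote trace levels are adopted at all, not a trace level itself; the cell should say that `0` keeps the local trace level and stops external systems from raising gateway tracing, which is the same point the icm/accept_remote_trace_level row in this hunk already makes. Two consistency issues in the same cell: it carries no severity, while every other filled row in this hunk opens with "High, because ..." or "Medium, because ..." (the ICM twin is rated Medium), and the expansion "Central Process Integration (CPI)" does not match the CPIC protocol named in the snc/accept_insecure_cpic row further down, which is the same gateway subsystem (CPI-C, Common Programming Interface for Communications). Suggested opening for the cell: "Medium, because when set to 1 an external system can raise the trace level of the gateway's CPIC and RFC subsystems and read more detail about the system's internals from the resulting trace."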
@@ -29,8 +31,8 @@ This article details the security parameters in the SAP system that the Microsof
|login/fails_to_session_end |Sets the number of invalid login attempts allowed before the user's session is terminated. |High, because the parameter helps prevent brute-force attacks on user accounts. |
|wdisp/ssl_encrypt |Sets the mode for SSL re-encryption of HTTP requests. |High, because this parameter ensures that data transmitted over HTTP is encrypted, which helps prevent eavesdropping and data tampering. |
|login/no_automatic_user_sapstar |Controls the automatic login of the SAP* user. |High, because this parameter helps prevent unauthorized access to the SAP system via the default SAP* account. |
-
|rsau/max_diskspace/local |Defines the maximum amount of disk space that can be used for local storage of audit logs. This security parameter helps to prevent the filling up of disk space and ensures that audit logs are available for investigation. ||
-
|snc/extid_login_diag |Enables or disables the logging of external ID in Secure Network Communication (SNC) logon errors. This security parameter can help identify attempts of unauthorized access to the system. ||
+
|rsau/max_diskspace/local |Defines the maximum amount of disk space that can be used for local storage of audit logs. This security parameter helps to prevent the filling up of disk space and ensures that audit logs are available for investigation. |Setting an appropriate value for this parameter helps prevent the local audit logs from consuming too much disk space, which could lead to system performance issues or even denial of service attacks. On the other hand, setting a value that's too low may result in the loss of audit log data, which may be required for compliance and auditing.|
+
|snc/extid_login_diag |Enables or disables the logging of external ID in Secure Network Communication (SNC) logon errors. This security parameter can help identify attempts of unauthorized access to the system. |Enabling this parameter can be helpful for troubleshooting SNC-related issues, because it provides additional diagnostic information. However, the parameter may also expose sensitive information about the external security products used by the system, which could be a potential security risk if that information falls into the wrong hands. |
|login/password_change_waittime |Defines the number of days a user must wait before changing their password again. This security parameter helps enforce password policies and ensure that users change their passwords periodically. ||
|snc/accept_insecure_cpic |Determines whether or not the system accepts insecure SNC connections using the CPIC protocol. This security parameter controls the level of security for SNC connections. ||
|snc/accept_insecure_r3int_rfc |Determines whether or not the system accepts insecure SNC connections for R/3 and RFC protocols. This security parameter controls the level of security for SNC connections. ||
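Review bot: the two rows this hunk fills (rsau/max_diskspace/local and snc/extid_login_diag) still lack the severity that the rows above them in the same hunk carry (login/fails_to_session_end, wdisp/ssl_encrypt and login/no_automatic_user_sapstar all open with "High, because ..."), so the third column now mixes rated and unrated entries. The snc/extid_login_diag cell also argues both ways (column two says it helps identify unauthorized access, column three says enabling it may expose information about external security products) without saying which value the rule treats as risky; state the expected value. The three context rows at the end of the hunk, login/password_change_waittime, snc/accept_insecure_cpic and snc/accept_insecure_r3int_rfc, keep empty `||` cells; the two snc/accept_insecure_* rows control whether insecure SNC connections are accepted, and on a page about risky parameters they are the rows in this region most in need of a risk statement.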
@@ -50,13 +52,13 @@ This article details the security parameters in the SAP system that the Microsof
|auth/object_disabling_active |Disables specific authorization objects for user accounts that have been inactive for a specified period of time. |Can help improve security by reducing the number of inactive accounts with unnecessary permissions. |
|login/disable_multi_gui_login |Prevents a user from being logged in to multiple GUI sessions simultaneously. |This parameter can help improve security by ensuring that users are only logged in to one session at a time. |
|login/min_password_lng |Specifies the minimum length that a password can be. |Setting a higher value for this parameter can improve security by ensuring that passwords aren't easily guessed. |
-
|rfc/reject_expired_passwd |Prevents the execution of RFCs when the user's password has expired. |Can help improve security by ensuring that only authenticated and authorized users are allowed to execute RFCs.|
+
|rfc/reject_expired_passwd |Prevents the execution of RFCs when the user's password has expired. |Enabling this parameter can be helpful when enforcing password policies and preventing unauthorized access to SAP systems. When this parameter is set to `1`, RFC connections are rejected if the user's password has expired, and the user is prompted to change their password before they can connect. This helps ensure that only authorized users with valid passwords can access the system. |
|rsau/max_diskspace/per_file |Sets the maximum size of an audit file that SAP system auditing can create. Setting a lower value helps prevent excessive growth of audit files and thus helps ensure adequate disk space. |Setting an appropriate value helps manage the size of audit files and avoid storage issues. |
|login/min_password_letters |Specifies the minimum number of letters that must be included in a user's password. Setting a higher value helps increase password strength and security. |Setting an appropriate value helps enforce password policies and improve password security. |
|rsau/selection_slots |Sets the number of selection slots that can be used for audit files. Setting a higher value can help to avoid overwriting of older audit files. |Helps ensure that audit files are retained for a longer period of time, which can be useful in a security breach. |
|gw/sim_mode |This parameter sets the gateway's simulation mode. When enabled, the gateway only simulates communication with the target system, and no actual communication takes place. |Enabling this parameter can be useful for testing purposes and can help prevent any unintended changes to the target system. |
|login/fails_to_user_lock |Sets the number of failed login attempts after which the user account gets locked. Setting a lower value helps prevent brute force attacks. |Helps prevent unauthorized access to the system and helps protect user accounts from being compromised. |
-
|login/password_compliance_to_current_policy |Enforces the compliance of new passwords with the current password policy of the system. Its value should be set to `1` to enable this feature. |High. |
+
|login/password_compliance_to_current_policy |Enforces the compliance of new passwords with the current password policy of the system. Its value should be set to `1` to enable this feature. |High. Enabling this parameter can help ensure that users comply with the current password policy when changing passwords, which reduces the risk of unauthorized access to SAP systems. When this parameter is set to `1`, users are prompted to comply with the current password policy when changing their passwords. |
|rfc/ext_debugging |Enables the RFC debugging mode for external RFC calls. Its value should be set to `0` to disable this feature. ||
|gw/monitor |Enables monitoring of gateway connections. Its value should be set to `1` to enable this feature. ||
|login/create_sso2_ticket |Enables the creation of SSO2 tickets for users. Its value should be set to `1` to enable this feature. ||
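Review bot: the new rfc/reject_expired_passwd cell contradicts itself: it says RFC connections "are rejected" when the password has expired and, in the same sentence, that "the user is prompted to change their password before they can connect"; a rejected RFC logon offers no prompt, so drop the prompt clause or say that the user has to change the password through a dialog logon first. The new login/password_compliance_to_current_policy cell only restates the description ("users are prompted to comply with the current password policy when changing their passwords"); the information a reader needs is what `1` does to passwords that already exist and no longer meet the policy, which the cell does not say. Two points on the context rows in this hunk: the gw/sim_mode risk cell presents simulation mode as purely helpful ("can help prevent any unintended changes"), which does not explain why the row is on a list of risky parameters, so the cell should say which gateway check is simulated rather than enforced while the mode is on; and rfc/ext_debugging, gw/monitor and login/create_sso2_ticket still end in empty `||` cells even though their descriptions already name the expected values (`0`, `1`, `1`).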
@@ -66,7 +68,7 @@ This article details the security parameters in the SAP system that the Microsof
|snc/extid_login_rfc |Enables the use of SNC for external RFC calls. Its value should be set to `1` to enable this feature. ||
|login/min_password_lowercase |Sets the minimum number of lowercase letters required in new passwords. Its value should be set to a positive integer.
|login/password_downwards_compatibility |Allows passwords to be set using old hashing algorithms for backwards compatibility with older systems. Its value should be set to `0` to disable this feature. ||
-
|snc/data_protection/min |Sets the minimum level of data protection that must be used for SNC-protected connections. Its value should be set to a positive integer. ||
+
|snc/data_protection/min |Sets the minimum level of data protection that must be used for SNC-protected connections. Its value should be set to a positive integer. |Setting an appropriate value for this parameter helps ensure that SNC-protected connections provide a minimum level of data protection. This setting helps prevent sensitive information from being intercepted or manipulated by attackers. The value of this parameter should be set based on the security requirements of the SAP system and the sensitivity of the data transmitted over SNC-protected connections.|
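Review bot: the new snc/data_protection/min cell says twice that an "appropriate value" should be chosen but never names the protection levels the integer selects, so a reader still cannot tell which value the rule flags as risky; name the levels and the minimum the rule expects. In the surrounding context lines, the login/min_password_lowercase row is missing its trailing `||` cells, which breaks the markdown table at that row, and the snc/extid_login_rfc description ("Enables the use of SNC for external RFC calls") does not match the meaning of extid_login given for its sibling snc/extid_login_diag (logon with an external ID), so one of the two descriptions is wrong and should be corrected in this file.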
File: articles/sentinel/sap/sap-solution-security-content.md (4 additions & 5 deletions)
@@ -33,24 +33,23 @@ For more information, see [Tutorial: Visualize and monitor your data](../monitor
## Built-in analytics rules
-
### Risky configuration manipulation
+
### Risky configuration of security parameters
-
To ensure the security of the SAP system, SAP has identified security-relevant parameters that need to be monitored for changes. With the TBD rule, the Microsoft Sentinel solution for SAP® applications tracks over 52 security-related parameters in the SAP system, and triggers an alert once these parameters are changed not according to the policy.
+
To ensure the security of the SAP system, SAP has identified security-relevant parameters that need to be monitored for changes. With the "Risky Configuration" rule, the Microsoft Sentinel solution for SAP® applications tracks over 52 security-related parameters in the SAP system, and triggers an alert once these parameters are changed not according to the policy.
To understand parameter changes in the system, the Microsoft Sentinel solution for SAP® applications uses the parameter history table, which records changes made to both static and dynamic parameters in the system every hour.
These parameters can have different severities for production and non-production systems, as well as different recommended values for each parameter. When a change is made to a security-related parameter, Microsoft Sentinel checks to see if the change is security-related and if the value is set according to the recommended values. If the change is suspected as outside the safe zone, Microsoft Sentinel creates an incident detailing the change, and identifies who made the change.
-
You can also add new configurations to create alerts for specific parameters and values.
-
Review the [list of parameters](sap-risky-configuration-parameters.md) that this rule monitors.
### Monitoring the SAP audit log
The SAP Audit log data is used across many of the analytics rules of the Microsoft Sentinel solution for SAP® applications. Some analytics rules look for specific events on the log, while others correlate indications from several logs to produce high fidelity alerts and incidents.
+
In addition, there are two analytics rules which are designed to accommodate the entire set of standard SAP audit log events (183 different events), and any other custom events you may choose to log using the SAP audit log.
-
Both SAP audit log monitoring analytics rules share the same data sources and the same configuration but differ in one critical aspect. While the “SAP - Dynamic Deterministic Audit Log Monitor” requires deterministic alert thresholds and user exclusion rules, the “SAP - Dynamic Anomaly-based Audit Log Monitor Alerts (PREVIEW)” applies additional machine learning algorithms to filter out background noise in an unsupervised manner. For this reason, by default, most event types (or SAP message IDs) of the SAP audit log are being sent to the "Anomaly based" analytics rule, while the easier to define event types are sent to the deterministic analytics rule. This setting, along with other related settings, can be further configured to suit any system conditions.
+
Both SAP audit log monitoring analytics rules share the same data sources and the same configuration but differ in one critical aspect. While the "SAP - Dynamic Deterministic Audit Log Monitor" rule requires deterministic alert thresholds and user exclusion rules, the "SAP - Dynamic Anomaly-based Audit Log Monitor Alerts (PREVIEW)" rule applies additional machine learning algorithms to filter out background noise in an unsupervised manner. For this reason, by default, most event types (or SAP message IDs) of the SAP audit log are being sent to the "Anomaly based" analytics rule, while the easier to define event types are sent to the deterministic analytics rule. This setting, along with other related settings, can be further configured to suit any system conditions.
#### SAP - Dynamic Deterministic Audit Log Monitor
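Review bot: replacing "the TBD rule" with "the "Risky Configuration" rule" removes the placeholder, but the quoted name should match the analytics rule as it is named in the solution, the way the two audit-log rules further down in this hunk are quoted in full ("SAP - Dynamic Deterministic Audit Log Monitor"), and it should agree with the new heading "Risky configuration of security parameters" so readers can find the rule. In the same sentence, "tracks over 52 security-related parameters" should give either the exact count or a round lower bound, and "changed not according to the policy" reads better as "changed to a value outside the policy". The hunk also deletes "You can also add new configurations to create alerts for specific parameters and values." without a replacement; if custom parameter watch lists are still supported, keep the sentence (or point to where they are configured) rather than silently dropping the capability from the documentation.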