
Commit 80e7d6b

Merge pull request #222740 from kobymymon/patch-2
add 5 new rules
2 parents 7e47112 + 9acfd32 commit 80e7d6b

File tree

1 file changed

+5
-0
lines changed


articles/sentinel/sap/sap-solution-security-content.md

Lines changed: 5 additions & 0 deletions
Original file line number / Diff line number / Diff line change
@@ -87,6 +87,11 @@ The following tables list the built-in [analytics rules](deploy-sap-security-con
8787
| **SAP - Spool Takeover** |Identifies a user printing a spool request that was created by someone else. | Create a spool request using one user, and then output it in using a different user. <br><br>**Data sources**: SAPcon - Spool Log, SAPcon - Spool Output Log, SAPcon - Audit Log | Collection, Exfiltration, Command and Control |
8888
| **SAP - Dynamic RFC Destination** | Identifies the execution of RFC using dynamic destinations. <br><br>**Sub-use case**: [Attempts to bypass SAP security mechanisms](#built-in-sap-analytics-rules-for-attempts-to-bypass-sap-security-mechanisms)| Execute an ABAP report that uses dynamic destinations (cl_dynamic_destination). For example, DEMO_RFC_DYNAMIC_DEST. <br><br>**Data sources**: SAPcon - Audit Log | Collection, Exfiltration |
8989
| **SAP - Sensitive Tables Direct Access By Dialog Logon** | Identifies generic table access via dialog sign-in. | Open table contents using `SE11`/`SE16`/`SE16N`. <br><br>**Data sources**: SAPcon - Audit Log | Discovery |
90+
| **SAP - (Preview) File Downloaded From a Malicious IP Address** | Identifies download of a file from an SAP system using an IP address known to be malicious. Malicious IP addresses are obtained from [threat intelligence services](../understand-threat-intelligence.md). | Download a file from a malicious IP. <br><br>**Data sources**: SAP security Audit log, Threat Intelligence | Exfiltration |
91+
| **SAP - (Preview) Data Exported from a Production System using a Transport** | Identifies data export from a production system using a transport. Transports are used in development systems and are similar to pull requests. This alert rule triggers incidents with medium severity when a transport that includes data from any table is released from a production system. The rule creates a high severity incident when the export includes data from a sensitive table. | Release a transport from a production system. <br><br>**Data sources**: SAP CR log, [SAP - Sensitive Tables](#tables) | Exfiltration |
92+
| **SAP - (Preview) Sensitive Data Saved into a USB Drive** | Identifies export of SAP data via files. The rule checks for data saved into a recently mounted USB drive in proximity to an execution of a sensitive transaction, a sensitive program, or direct access to a sensitive table. | Export SAP data via files and save into a USB drive. <br><br>**Data sources**: SAP Security Audit Log, DeviceFileEvents (Microsoft Defender for Endpoint), [SAP - Sensitive Tables](#tables), [SAP - Sensitive Transactions](#transactions), [SAP - Sensitive Programs](#programs) | Exfiltration |
93+
| **SAP - (Preview) Printing of Potentially Sensitive data** | Identifies a request or actual printing of potentially sensitive data. Data is considered sensitive if the user obtains the data as part of a sensitive transaction, execution of a sensitive program, or direct access to a sensitive table. | Print or request to print sensitive data. <br><br>**Data sources**: SAP Security Audit Log, SAP Spool logs, [SAP - Sensitive Tables](#tables), [SAP - Sensitive Programs](#programs) | Exfiltration |
94+
| **SAP - (Preview) High Volume of Potentially Sensitive Data Exported** | Identifies export of a high volume of data via files in proximity to an execution of a sensitive transaction, a sensitive program, or direct access to sensitive table. | Export high volume of data via files. <br><br>**Data sources**: SAP Security Audit Log, [SAP - Sensitive Tables](#tables), [SAP - Sensitive Transactions](#transactions), [SAP - Sensitive Programs](#programs) | Exfiltration |
9095

9196

9297
### Built-in SAP analytics rules for persistency
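Review bot: the source-action cell of the first added row ("SAP - (Preview) File Downloaded From a Malicious IP Address") reverses the direction of the detection. The description says the rule fires when a file is downloaded from the SAP system by a client whose IP address threat intelligence marks as malicious, but the action column reads "Download a file from a malicious IP", which suggests the SAP user is fetching a file from that address; suggest "Download a file from the SAP system from a client whose IP address appears in a threat intelligence feed". Two smaller points in the same hunk: the data-source names in the new rows ("SAP security Audit log", "SAP Security Audit Log", "SAP CR log", "SAP Spool logs") do not follow the "SAPcon - Audit Log" / "SAPcon - Spool Log" naming used by the existing rows above, so a reader cannot tell whether they are the same connector streams; and "in proximity to" (USB-drive and high-volume rows) and "high volume" are left unquantified, so either state the correlation window and the volume threshold or point the reader to where they are configured. Lastly, the transport row first says transports are used in development systems and then describes releasing one from a production system; one sentence on why a release from production is the suspicious event would make the rule's intent clear.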
