naomi's comments

Author: batamig

articles/sentinel/TOC.yml

@@ -196,10 +196,10 @@
             href: sap/sap-audit-controls-workbook.md
         - name: SAP solution content reference
           items:
-          - name: Monitored SAP security parameters
-            href: sap/sap-suspicious-configuration-security-parameters.md
           - name: SAP security content reference
             href: sap/sap-solution-security-content.md
+          - name: Monitored SAP security parameters
+            href: sap/sap-suspicious-configuration-security-parameters.md
           - name: SAP solution function reference
             href: sap/sap-solution-function-reference.md
           - name: SAP solution log and table reference

articles/sentinel/sap/reference-systemconfig-json.md

@@ -75,7 +75,7 @@ The following table describes each overall section in the `systemconfig.json` fi
   "secrets": "AZURE_KEY_VAULT|DOCKER_FIXED",
   # Storage location of SAP credentials and Log Analytics workspace ID and key
   # AZURE_KEY_VAULT - store in an Azure Key Vault. Requires keyvault option and intprefix option
-  # DOCKER_FIXED - store in systemconfig.ini file. Requires user, passwd, loganalyticswsid and publickey options
+  # DOCKER_FIXED - store in systemconfig.json file. Requires user, passwd, loganalyticswsid and publickey options
 
   "keyvault": "<vaultname>",
   # Azure Keyvault name, in case secrets = AZURE_KEY_VAULT

articles/sentinel/sap/reference-update.md

@@ -15,7 +15,7 @@ ms.collection: usx-security
 
 The Microsoft Sentinel SAP data connector agent container users an [update script](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP)) to simplify the update process. 
 
-This article describes the configurable parameters available in the update script.
+This article describes the configurable parameters available in the update script. For more information, see [Update the Microsoft Sentinel for SAP applications data connector agent](update-sap-data-connector.md).
 
 Content in this article is intended for your **SAP BASIS** teams.
 

articles/sentinel/sap/required-abap-authorizations.md

@@ -20,7 +20,7 @@ This article lists the ABAP authorizations required to ensure that the SAP user
 The required authorizations are listed here by their purpose. You only need the authorizations that are listed for the kinds of logs you want to bring into Microsoft Sentinel and the attack disruption response actions you want to apply.
 
 > [!TIP]
-> To create a role with all the required authorizations, load the role authorizations from the [**/MSFTSEN/SENTINEL_RESPONDER**](https://aka.ms/SAP_Sentinel_Responder_Role) file. <!--can we do this by CR?-->
+> To create a role with all the required authorizations, load the role authorizations from the [**/MSFTSEN/SENTINEL_RESPONDER**](https://aka.ms/SAP_Sentinel_Responder_Role) file.
 >
 > Alternately, to enable only log retrieval, without attack disruption response actions, deploy the SAP *NPLK900271* CR on the SAP system to create the **/MSFTSEN/SENTINEL_CONNECTOR** role, or load the role authorizations from the [**/MSFTSEN/SENTINEL_CONNECTOR**](https://aka.ms/SAP_Sentinel_Connector_Role) file.
 

articles/sentinel/sap/sap-solution-function-reference.md

@@ -14,7 +14,12 @@ ms.collection: usx-security
 
 # Microsoft Sentinel solution for SAP applications - functions reference
 
-This article describes the functions that are available in your workspace after you install the Microsoft Sentinel solution for SAP applications. Find these functions in the Microsoft Sentinel **Logs** page to use in your KQL queries, listed under **Workspace functions**.
+This article describes a selection of functions that are available in your workspace after you install the Microsoft Sentinel solution for SAP applications. Discover more functions by browsing in Microsoft Sentinel and loading the function code.
+
+Find functions as follows:
+
+- In the Azure portal, in the **General > Logs** page, on the **Functions** tab, and listed under **Workspace functions**.
+- In the Defender portal, in the **Investigation & response > Advanced hunting** page, on the **Functions** tab, and listed under **Sentinel workspace functions**.
 
 Content in this article is intended for your **security** teams.
 
@@ -205,6 +210,8 @@ For more information, see [Available watchlists](sap-solution-security-content.m
 
 ## SAPAuditLogAnomalies
 
+<!--ask ofer whether we're comfortable mentioning machine learning here-->
+
 The **SAPAuditLogAnomalies** function uses Microsoft Sentinel's underlying Kusto database's built-in machine learning capabilities to help detect anomalous events observed on the SAP audit log.
 
 The **SAPAuditLogAnomalies** function was developed for the *SAP - (Experimental) Dynamic Anomaly based Audit Log Monitor Alerts* analytics rule. While it's original design is to alert on recent anomalies, it can also help to highlight historical anomalies. For more information, see [Sample uses](#sample).

articles/sentinel/sap/sap-solution-log-reference.md

@@ -38,7 +38,7 @@ For more information, see [Microsoft Sentinel solution for SAP applications - fu
 
 The Microsoft Sentinel solution for SAP applications collects logs from the application, OS, and data layers, providing comprehsive protection for your SAP system:
 
-- **Application layer**: Microsoft Sentinel monitors activities within the ABAP layer, which is the primary application layer in SAP systems, responsible for executing business logic and processing transactions. For example, Microsoft Sentinel collects logs from this later that include user actions like sign-ins, password changes, and access to reports or files.
+- **Application layer**: Microsoft Sentinel monitors activities within the ABAP layer, which is the primary application layer in SAP systems, responsible for executing business logic and processing transactions. For example, Microsoft Sentinel collects logs that include user actions like sign-ins, password changes, and access to reports or files.
 
     In addition to security monitoring, logs collected at the application layer can also be used for compliance and auditing purposes.
 
@@ -577,7 +577,7 @@ To have this log sent to Microsoft Sentinel, you must [add it manually to the **
 
 ### HANA DB Audit Trail
 
-To have this log sent to Microsoft Sentinel, you must [deploy a Microsoft Management Agent](../connect-syslog.md) to gather Syslog data from the machine running HANA DB.
+The HANA DB Audit Trail is an example of a database level log collection. To have this log sent to Microsoft Sentinel, you must [deploy Azure Monitor Agent](../connect-cef-syslog-ama.md) to gather Syslog data from the machine running HANA DB.
 
 - **Microsoft Sentinel function for querying this log**: SAPSyslog
 

articles/sentinel/sap/sap-solution-security-content.md

@@ -27,18 +27,20 @@ Content in this article is intended for your **security** team.
 
 ## Built-in workbooks
 
-Use the following built-in workbooks to visualize and monitor data ingested via the SAP data connector. After you deploy the SAP solution, you can find SAP workbooks in the **My workbooks** tab.
+Use the following built-in workbooks to visualize and monitor data ingested via the SAP data connector. After you deploy the SAP solution, you can find SAP workbooks in the **Templates** tab.
 
 | Workbook name | Description | Logs |
 | --------- | --------- | --------- |
-| <a name="sap---system-applications-and-products-workbook"></a>**SAP - Audit Log Browser** | Displays data such as: <br><br>- General system health, including user sign-ins over time, events ingested by the system, message classes and IDs, and ABAP programs run <br>-Severities of events occurring in your system <br>- Authentication and authorization events occurring in your system |Uses data from the following log: <br><br>[ABAPAuditLog_CL](sap-solution-log-reference.md#abap-security-audit-log) |
+| <a name="sap---system-applications-and-products-workbook"></a>**[SAP - Audit Log Browser](sap-audit-log-workbook.md)** | Displays data such as: <br><br>- General system health, including user sign-ins over time, events ingested by the system, message classes and IDs, and ABAP programs run <br>-Severities of events occurring in your system <br>- Authentication and authorization events occurring in your system |Uses data from the following log: <br><br>[ABAPAuditLog_CL](sap-solution-log-reference.md#abap-security-audit-log) |
 | [**SAP Audit Controls**](sap-audit-controls-workbook.md) | Helps you check your SAP environment's security controls for compliance with your chosen control framework, using tools for you to do the following: <br><br>- Assign analytics rules in your environment to specific security controls and control families<br>- Monitor and categorize the incidents generated by the SAP solution-based analytics rules<br>- Report on your compliance | Uses data from the following tables: <br><br>- `SecurityAlert`<br>- `SecurityIncident`|
 
+<!--we're missing SAP -Monitors- Alerts and Performance. ask ofer-->
+
 For more information, see [Tutorial: Visualize and monitor your data](../monitor-your-data.md) and [Deploy Microsoft Sentinel solution for SAP applications](deployment-overview.md).
 
 ## Built-in analytics rules
 
-This section describes [built-in analytics rules](deploy-sap-security-content.md) provided together with the Microsoft Sentinel solution for SAP applications.
+This section describes a selection of [built-in analytics rules](deploy-sap-security-content.md) provided together with the Microsoft Sentinel solution for SAP applications. For the most recent updates, check the Microsoft Sentinel content hub for new and updated rules.
 
 ### Monitor the configuration of static SAP security parameters (Preview)
 

articles/sentinel/sap/stop-collection.md

@@ -5,7 +5,7 @@ description: Learn about how to stop Microsoft Sentinel from collecting data fro
 author: batamig
 ms.author: bagol
 ms.topic: how-to
-ms.date: 09/12/2024
+ms.date: 10/08/2024
 ai-usage: ai-assisted
 appliesto:
     - Microsoft Sentinel in the Azure portal
@@ -28,7 +28,7 @@ Before you stop the data collection from your SAP applications, ensure you have
 - The SAP data connector agent
 - The machine or container where the data connector agent is running
 
-We recommend that you back up your current configuration and logs before making any changes.
+We recommend that you back up your current configuration and logs before making any changes. <!--is this correct?-->
 
 
 ## Stop log ingestion and disable the connector
@@ -39,7 +39,7 @@ To stop ingesting SAP logs into the Microsoft Sentinel workspace, and to stop th
 docker stop sapcon-[SID/agent-name]
 ```
 
-To stop ingesting a specific SID for a multi-SID container, make sure that you also delete the SID from the connector page UI in Microsoft Sentinel:
+To stop ingesting a specific SID for a multi-SID container, make sure that you also delete the SID from the connector page UI in Microsoft Sentinel: This option is available only if you [deployed the agent via the portal](deploy-data-connector-agent-container.md#deploy-the-data-connector-agent-from-the-portal-preview).
 
 1. In Microsoft Sentinel, select **Configuration > Data connectors** and search for **Microsoft Sentinel for SAP**.
 1. Select the data connector row and then select **Open connector page** in the side pane.
@@ -55,7 +55,7 @@ docker start sapcon-[SID]
 
 ## Remove the user role and any optional CR installed on your ABAP system
 
-If you're turning off the SAP data connector agent and stopping log ingestion from your SAP system, we recommend that you also remove the user role and optional CRs installed on your ABAP system.
+If you're turning off the SAP data connector agent and stopping log ingestion from your SAP system, you might want to also remove the user role and optional CRs installed on your ABAP system.
 
 To do so, import the deletion CR *NPLK900259* into your ABAP system. For more information, see the [SAP documentation](https://help.sap.com/docs/ABAP_PLATFORM_NEW/4a368c163b08418890a406d413933ba7/e15d9acae75c11d2b451006094b9ea64.html?locale=en-US&version=LATEST).
 

articles/sentinel/sap/update-sap-data-connector.md

@@ -68,7 +68,9 @@ To turn off automatic updates for a container or containers, open the */opt/sapc
 
 To manually update the connector agent, make sure that you have the most recent versions of the relevant deployment scripts from the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP).
 
-On the data connector agent machine, run:
+For more information, see [Microsoft Sentinel solution for SAP applications data connector agent update file reference](reference-update.md).
+
+**On the data connector agent machine, run**:
 
 ```bash
 wget -O sapcon-instance-update.sh https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/sapcon-instance-update.sh && bash ./sapcon-instance-update.sh