changed alert rule documentation

oferInbar · web-flow · commit 8acb0ed87f37 · 2023-04-04T03:39:56.000-07:00
SAP - Unauthorized Remote Execution of a Sensitive Function Module
diff --git a/articles/sentinel/sap/sap-solution-security-content.md b/articles/sentinel/sap/sap-solution-security-content.md
@@ -132,7 +132,7 @@ The following tables list the built-in [analytics rules](deploy-sap-security-con
 | **SAP - Execution of Sensitive Function Module** | Identifies the execution of a sensitive ABAP function module. <br><br>**Sub-use case**: [Persistency](#persistency)<br><br>**Note**: Relevant for production systems only. <br><br>Maintain sensitive functions in the [SAP - Sensitive Function Modules](#modules) watchlist, and make sure to activate table logging changes in the backend for the EUFUNC table. (SE13) | Run a sensitive function module directly using SE37. <br><br>**Data sources**: SAPcon -  Table Data Log | Discovery, Command and Control 
 | **SAP - (PREVIEW) HANA DB -Audit Trail Policy Changes** | Identifies changes for HANA DB audit trail policies. | Create or update the existing audit policy in security definitions. <br> <br>**Data sources**: Linux Agent - Syslog | Lateral Movement, Defense Evasion, Persistence |
 | **SAP - (PREVIEW) HANA DB -Deactivation of Audit Trail** | Identifies the deactivation of the HANA DB audit log. | Deactivate the audit log in the HANA DB security definition. <br><br>**Data sources**: Linux Agent - Syslog | Persistence, Lateral Movement, Defense Evasion |
-| **SAP - RFC Execution of a Sensitive Function Module** | Sensitive function models to be used in relevant detections.    <br><br>Maintain function modules in the [SAP - Sensitive Function Modules](#module) watchlist. | Run a function module using RFC.  <br><br>**Data sources**: SAPcon - Audit Log | Execution, Lateral Movement, Discovery |
+| **SAP - Unauthorized Remote Execution of a Sensitive Function Module** | Detects unauthorized executions of sensitive FMs by comparing the activity with the user's authorization profile while disregarding recently changed authorizations. <br><br>Maintain function modules in the [SAP - Sensitive Function Modules](#module) watchlist. | Run a function module using RFC.  <br><br>**Data sources**: SAPcon - Audit Log | Execution, Lateral Movement, Discovery |
 | **SAP - System Configuration Change** | Identifies changes for system configuration. | Adapt system change options or software component modification using the `SE06` transaction code.<br><br>**Data sources**: SAPcon - Audit Log |Exfiltration, Defense Evasion, Persistence |
 | **SAP - Debugging Activities** | Identifies all debugging related activities. <br><br>**Sub-use case**: [Persistency](#persistency) |Activate Debug ("/h") in the system, debug an active process, add breakpoint to source code, and so on. <br><br>**Data sources**: SAPcon - Audit Log | Discovery |
 | **SAP - Security Audit Log Configuration Change** | Identifies changes in the configuration of the Security Audit Log | Change any Security Audit Log Configuration using `SM19`/`RSAU_CONFIG`, such as the filters, status, recording mode, and so on. <br><br>**Data sources**: SAPcon - Audit Log | Persistence, Exfiltration, Defense Evasion |
