Merge pull request #287644 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)

Author: Daidihuang

articles/app-service/configure-authentication-oauth-tokens.md

@@ -79,7 +79,7 @@ If a user revokes the permissions granted to your app, your call to `/.auth/me`
 
 ## Extend session token expiration grace period
 
-The authenticated session expires after 8 hours. After an authenticated session expires, there is a 72-hour grace period by default. Within this grace period, you're allowed to refresh the session token with App Service without reauthenticating the user. You can just call `/.auth/refresh` when your session token becomes invalid, and you don't need to track token expiration yourself. Once the 72-hour grace period is lapses, the user must sign in again to get a valid session token.
+The authenticated session expires after 8 hours. After an authenticated session expires, there is a 72-hour grace period by default. Within this grace period, you're allowed to refresh the session token with App Service without reauthenticating the user. You can just call `/.auth/refresh` when your session token becomes invalid, and you don't need to track token expiration yourself. Once the 72-hour grace period lapses, the user must sign in again to get a valid session token.
 
 If 72 hours isn't enough time for you, you can extend this expiration window. Extending the expiration over a long period could have significant security implications (such as when an authentication token is leaked or stolen). So you should leave it at the default 72 hours or set the extension period to the smallest value.
 

articles/frontdoor/front-door-route-matching.md

@@ -50,7 +50,7 @@ The decision of how to process the request depends on whether caching is enabled
 
 ## Route matching
 
-This section focuses on how Front Door matches to a routing rule. The basic concept is that Front Door always matches to the **most-specific request** looking only at the "left-hand side". Front Door first match based on protocol, then domain, and last the path.
+This section focuses on how Front Door matches to a routing rule. The basic concept is that Front Door always matches to the **most-specific request** looking only at the "left-hand side". Front Door first matches based on protocol, then domain, and last the path.
 
 ### Frontend host matching
 

articles/sentinel/sap/sap-solution-security-content.md

@@ -86,6 +86,8 @@ The following tables list the built-in [analytics rules](deploy-sap-security-con
 | **SAP - Multiple Logons from the same IP** | Identifies the sign-in of several users from same IP address within a scheduled time interval.   <br><br>**Sub-use case**: [Persistency](#persistency) | Sign in using several users through the same IP address. <br><br>**Data sources**: SAPcon - Audit Log | Initial Access |
 | **SAP - Multiple Logons by User** | Identifies sign-ins of the same user from several terminals within scheduled time interval.  <br><br>Available only via the Audit SAL method, for SAP versions 7.5 and higher. | Sign in using the same user, using different IP addresses.   <br><br>**Data sources**: SAPcon - Audit Log | PreAttack, Credential Access, Initial Access, Collection <br><br>**Sub-use case**: [Persistency](#persistency) |
 | **SAP - Informational - Lifecycle - SAP Notes were implemented in system** | Identifies SAP Note implementation in the system. | Implement an SAP Note using SNOTE/TCI. <br><br>**Data sources**: SAPcon -  Change Requests | - |
+| **SAP - (Preview) AS JAVA - Sensitive Privileged User Signed In** | Identifies a sign-in from an unexpected network. <br><br>Maintain privileged users in the [SAP - Privileged Users](#users) watchlist. | Sign in to the backend system using privileged users. <br><br>**Data sources**: SAPJAVAFilesLog | Initial Access |
+| **SAP - (Preview) AS JAVA - Sign-In from Unexpected Network** | Identifies sign-ins from an unexpected network. <br><br>Maintain privileged users in the [SAP - Networks](#networks) watchlist. |  Sign in to the backend system from an IP address that isn't assigned to one of the networks in the SAP - Networks watchlist <br><br>**Data sources**: SAPJAVAFilesLog | Initial Access, Defense Evasion |
 
 
 ### Data exfiltration
@@ -120,6 +122,7 @@ The following tables list the built-in [analytics rules](deploy-sap-security-con
 | **SAP - Execution of Obsolete or Insecure Function Module** |Identifies the execution of an obsolete or insecure ABAP function module. <br><br>Maintain obsolete functions in the [SAP - Obsolete Function Modules](#modules) watchlist. Make sure to activate table logging changes for the `EUFUNC` table in the backend. (SE13)<br><br> **Note**: Relevant for production systems only. | Run an obsolete or insecure function module directly using SE37. <br><br>**Data sources**: SAPcon -  Table Data Log | Discovery, Command and Control |
 | **SAP - Execution of Obsolete/Insecure Program** |Identifies the execution of an obsolete or insecure ABAP program. <br><br> Maintain obsolete programs in the [SAP - Obsolete Programs](#programs) watchlist.<br><br> **Note**: Relevant for production systems only. | Run a program directly using SE38/SA38/SE80, or by using a background job.  <br><br>**Data sources**: SAPcon -  Audit Log | Discovery, Command and Control |
 | **SAP - Multiple Password Changes by User** | Identifies multiple password changes by user. | Change user password <br><br>**Data sources**: SAPcon - Audit Log | Credential Access |
+| **SAP - (Preview) AS JAVA - User Creates and Uses New User** |  Identifies the creation or manipulation of users by admins within the SAP AS Java environment. | Sign in to the backend system using users that you have created or manipulated.<br><br>**Data sources**: SAPJAVAFilesLog | Persistence |
 
 ### Attempts to bypass SAP security mechanisms