ofer and martin's comments

Author: batamig

articles/sentinel/sap/deploy-data-connector-agent-container.md

@@ -298,8 +298,12 @@ While deployment is also supported from the command line, we recommend that you
 
     To find your VM identity object ID in Azure:
 
-    - For a managed identity, go to **Managed identities** in Azure and select your managed identity. For user-assigned identities, the object ID is displayed on the **Overview** page. For system-assigned managed identities, the object ID is displayed on the **Identity** page.
-    - For a service principal, go to **Enterprise application** in Azure. Select **All applications** and then select your VM. The object ID is displayed on the **Overview** page.<!--check this with Dvir-->
+    - For a managed identity, the object ID is listed on the VM's **Identity** page. Alternately:
+
+        1. Go to **Managed identities** select your managed identity. 
+        1. For user-assigned identities, the object ID is displayed on the **Overview** page. For system-assigned managed identities, the object ID is displayed on the **Identity** page.
+
+    - For a service principal, go to **Enterprise application** in Azure. Select **All applications** and then select your VM. The object ID is displayed on the **Overview** page.
 
     These commands assign the **Microsoft Sentinel Business Applications Agent Operator** and **Reader** Azure roles to your VM's managed or application identity, including only the scope of the specified agent's data in the workspace.
 
@@ -332,10 +336,18 @@ While deployment is also supported from the command line, we recommend that you
 
     If you need to copy your command again, select **View** :::image type="content" source="media/deploy-data-connector-agent-container/view-icon.png" border="false" alt-text="Screenshot of the View icon next to the Health column."::: to the right of the **Health** column and copy the command next to **Agent deployment command** on the bottom right.
 
-1. In the Microsoft Sentinel solution for SAP application's data connector page, in the **Configuration** area, select **Add new system (Preview)**, and then enter the following details: <!--From Naomi - It is not clear how to connect to an SAP system using ASCS. When selecting ABAP server, the solution will not connect to the SAP system, and there is no indication in the documentation what using the Message Server is, since this does not align to the SAP terminology. Update the documentation to align the terminology with SAP terms, and make it clearer what this configuration is used for - use scenarios and examples here.-->
+1. In the Microsoft Sentinel solution for SAP application's data connector page, in the **Configuration** area, select **Add new system (Preview)** and enter the following details:
 
     - Under **Select an agent**, select the agent you created earlier.
-    - Under **System identifier**, select the server type and provide the server details, including the ABAP Application server IP address/FQDN, the system ID and number, and the client ID.
+    - Under **System identifier**, select the server type:
+
+        - **ABAP Server**
+        - **Message Server** to use a message server as part of an ABAP SAP Central Services (ACSC).
+
+    - Continue by defining related details for your server type:
+
+        - **For an ABAP server**, enter the ABAP Application server IP address/FQDN, the system ID and number, and the client ID.
+        - **For a message server**, enter the message server IP address/FQDN, the port number or service name, and the logon group
 
     When you're done, select  **Next: Authentication**.
 

articles/sentinel/sap/preparing-sap.md

@@ -63,6 +63,8 @@ For more information, see the [SAP documentation](https://help.sap.com/docs/ABAP
 
 Some installations of SAP systems might not have audit logging enabled by default. For best results in evaluating the performance and efficacy of the Microsoft Sentinel solution for SAP applications, enable auditing of your SAP system and configure the audit parameters. If you want to ingest SAP HANA DB logs, make sure to also enable auditing for SAP HANA DB.
 
+We recommend that you configure auditing for all messages from the audit log, as this data is useful for Microsoft Sentinel detections and in post-compromise investigations and hunting. <!--add this to word-->
+
 For more information, see the [SAP documentation](https://community.sap.com/t5/application-development-blog-posts/analysis-and-recommended-settings-of-the-security-audit-log-sm19-rsau/ba-p/13297094) and [Collect SAP HANA audit logs in Microsoft Sentinel](collect-sap-hana-audit-logs.md).
 
 ## Configure support for extra data retrieval (recommended)

articles/sentinel/sap/sap-deploy-troubleshoot.md

@@ -191,11 +191,11 @@ If you get an error message similar to: **..Missing Backend RFC Authorization..*
 
 ### Missing data in your workbooks or alerts
 
-If you find that you're missing data in your Microsoft Sentinel workbooks or alerts, ensure that the **Auditlog** policy is properly enabled on the SAP side, with no errors in the log file.
+If you find that you're missing data in your Microsoft Sentinel workbooks or alerts, ensure that the **Auditlog** policy is properly enabled on the SAP side, with no errors in the container log file.
 
 Use the **RSAU_CONFIG_LOG** transaction for this step.
 
-<!--Can they also not check this somewhere in the logs/table first in sentinel?-->
+For more information, see the [SAP documentation](https://community.sap.com/t5/application-development-blog-posts/analysis-and-recommended-settings-of-the-security-audit-log-sm19-rsau/ba-p/13297094) and [Collect SAP HANA audit logs in Microsoft Sentinel](collect-sap-hana-audit-logs.md).
 
 ### Missing IP address or transaction code fields in the SAP audit log
 

articles/sentinel/sap/sap-solution-security-content.md

@@ -34,8 +34,6 @@ Use the following built-in workbooks to visualize and monitor data ingested via
 | <a name="sap---system-applications-and-products-workbook"></a>**[SAP - Audit Log Browser](sap-audit-log-workbook.md)** | Displays data such as: <br><br>- General system health, including user sign-ins over time, events ingested by the system, message classes and IDs, and ABAP programs run <br>-Severities of events occurring in your system <br>- Authentication and authorization events occurring in your system |Uses data from the following log: <br><br>[ABAPAuditLog_CL](sap-solution-log-reference.md#abap-security-audit-log) |
 | [**SAP Audit Controls**](sap-audit-controls-workbook.md) | Helps you check your SAP environment's security controls for compliance with your chosen control framework, using tools for you to do the following: <br><br>- Assign analytics rules in your environment to specific security controls and control families<br>- Monitor and categorize the incidents generated by the SAP solution-based analytics rules<br>- Report on your compliance | Uses data from the following tables: <br><br>- `SecurityAlert`<br>- `SecurityIncident`|
 
-<!--we're missing SAP -Monitors- Alerts and Performance. ask ofer-->
-
 For more information, see [Tutorial: Visualize and monitor your data](../monitor-your-data.md) and [Deploy Microsoft Sentinel solution for SAP applications](deployment-overview.md).
 
 ## Built-in analytics rules