Commit be55f85

Merge pull request #124528 from aghodsi/patch-2
Add Java preview detections
2 parents 1c3144b + a83480a commit be55f85

1 file changed

+3
-0
lines changed

articles/sentinel/sap/sap-solution-security-content.md

Lines changed: 3 additions & 0 deletions
@@ -86,6 +86,8 @@ The following tables list the built-in [analytics rules](deploy-sap-security-con
8686
| **SAP - Multiple Logons from the same IP** | Identifies the sign-in of several users from same IP address within a scheduled time interval. <br><br>**Sub-use case**: [Persistency](#persistency) | Sign in using several users through the same IP address. <br><br>**Data sources**: SAPcon - Audit Log | Initial Access |
8787
| **SAP - Multiple Logons by User** | Identifies sign-ins of the same user from several terminals within scheduled time interval. <br><br>Available only via the Audit SAL method, for SAP versions 7.5 and higher. | Sign in using the same user, using different IP addresses. <br><br>**Data sources**: SAPcon - Audit Log | PreAttack, Credential Access, Initial Access, Collection <br><br>**Sub-use case**: [Persistency](#persistency) |
8888
| **SAP - Informational - Lifecycle - SAP Notes were implemented in system** | Identifies SAP Note implementation in the system. | Implement an SAP Note using SNOTE/TCI. <br><br>**Data sources**: SAPcon - Change Requests | - |
89+
| **SAP - (Preview) AS JAVA - Sensitive Privileged User Signed In** | Identifies a sign-in from an unexpected network. <br><br>Maintain privileged users in the [SAP - Privileged Users](#users) watchlist. | Sign in to the backend system using privileged users. <br><br>**Data sources**: SAPJAVAFilesLog | Initial Access |
90+
| **SAP - (Preview) AS JAVA - Sign-In from Unexpected Network** | Identifies sign-ins from an unexpected network. <br><br>Maintain privileged users in the [SAP - Networks](#networks) watchlist. | Sign in to the backend system from an IP address that isn't assigned to one of the networks in the SAP - Networks watchlist <br><br>**Data sources**: SAPJAVAFilesLog | Initial Access, Defense Evasion |
8991

9092

9193
### Data exfiltration
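
Review bot: The description in the added "AS JAVA - Sensitive Privileged User Signed In" row reads "Identifies a sign-in from an unexpected network", which matches the next rule's description and never mentions privileged users, even though the same cell points to the SAP - Privileged Users watchlist. Please reword it to say what this rule matches on, so an analyst can tell the two alerts apart. The "Sign-In from Unexpected Network" row has the opposite slip: "Maintain privileged users in the [SAP - Networks](#networks) watchlist" should refer to networks, and its trigger sentence ends without a period. Both new rows also omit the **Sub-use case** line that the two logon rules directly above them carry; add it or confirm it is intentionally left out for the Java rules.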
@@ -120,6 +122,7 @@ The following tables list the built-in [analytics rules](deploy-sap-security-con
120122
| **SAP - Execution of Obsolete or Insecure Function Module** |Identifies the execution of an obsolete or insecure ABAP function module. <br><br>Maintain obsolete functions in the [SAP - Obsolete Function Modules](#modules) watchlist. Make sure to activate table logging changes for the `EUFUNC` table in the backend. (SE13)<br><br> **Note**: Relevant for production systems only. | Run an obsolete or insecure function module directly using SE37. <br><br>**Data sources**: SAPcon - Table Data Log | Discovery, Command and Control |
121123
| **SAP - Execution of Obsolete/Insecure Program** |Identifies the execution of an obsolete or insecure ABAP program. <br><br> Maintain obsolete programs in the [SAP - Obsolete Programs](#programs) watchlist.<br><br> **Note**: Relevant for production systems only. | Run a program directly using SE38/SA38/SE80, or by using a background job. <br><br>**Data sources**: SAPcon - Audit Log | Discovery, Command and Control |
122124
| **SAP - Multiple Password Changes by User** | Identifies multiple password changes by user. | Change user password <br><br>**Data sources**: SAPcon - Audit Log | Credential Access |
125+
| **SAP - (Preview) AS JAVA - User Creates and Uses New User** | Identifies the creation or manipulation of users by admins within the SAP AS Java environment. | Sign in to the backend system using users that you have created or manipulated.<br><br>**Data sources**: SAPJAVAFilesLog | Persistence |
123126

124127
### Attempts to bypass SAP security mechanisms
125128
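
Review bot: The description in the added "AS JAVA - User Creates and Uses New User" row covers only the first half of the rule's title: it says "Identifies the creation or manipulation of users by admins", while the sign-in with that user appears only in the trigger column. Suggest stating in the description that the alert concerns a user that was created or changed and then used to sign in, since account creation on its own is routine admin activity and the row is tagged Persistence. The data source is given as "SAPJAVAFilesLog", whereas the surrounding rows use the "SAPcon - ..." naming; please confirm this is the name readers will see and keep it consistent across the three new rows.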
