
Commit df9fd1a

Edits
1 parent 7d6675a commit df9fd1a

2 files changed

+13
-11
lines changed


articles/sentinel/sap/configure-audit-log-rules.md

Lines changed: 12 additions & 10 deletions
@@ -1,16 +1,18 @@
11
---
22
title: Configure SAP audit log monitoring rules
3-
description: Monitor the SAP audit logs and enable anomaly detection using a set of analytics rules.
3+
description: Monitor the SAP audit logs using Microsoft Sentinel built-in analytics rules, to easily manage your SAP logs, reducing noise with no compromise to security value.
44
author: limwainstein
55
ms.author: lwainstein
66
ms.topic: how-to
77
ms.date: 08/19/2022
8-
#Customer.intent: As a security operator, I want to monitor the SAP audit logs and enable anomaly detection using a set of analytics rules, so I can better analyze SAP data and protect my SAP systems.
8+
#Customer.intent: As a security operator, I want to monitor the SAP audit logs and easily manage the logs, so I can reduce noise without compromising security value.
99
---
1010

1111
# Configure SAP audit log monitoring rules
1212

13-
The SAP audit log records audit and security actions on SAP systems, such as failed logon attempts, suspicious actions such as debug and replace, and more. Microsoft Sentinel uses the SAP audit log data for further monitoring and analysis. This article describes how to monitor and analyze the SAP audit logs and enable anomaly detection using a set of analytics rules. With this additional layer of analysis, you can better analyze SAP data and protect your SAP systems.
13+
The SAP audit log records audit and security actions on SAP systems, like failed logon attempts or other suspicious actions. This article describes how to monitor the SAP audit logs using Microsoft Sentinel built-in analytics rules.
14+
15+
With these rules, you can monitor all audit log events, or get alerts only when anomalies are detected. This way, you can better manage your SAP logs, reducing noise with no compromise to your security value.
1416

1517
You use two analytics rules to monitor and analyze your SAP audit log data:
1618

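Review bot: `ms.date: 08/19/2022` is left unchanged on line 7 while the description, the Customer.intent line and the introduction are all rewritten; bump the date so the freshness metadata reflects this edit. Minor: the new description on line 3+ reads better without the comma before "to easily manage", and "reducing noise without compromising security value" would match the wording already used on line 8+.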
@@ -29,7 +31,7 @@ With the SAP Dynamic Deterministic Audit Log Monitor rule, you can choose:
2931

3032
Once Microsoft Sentinel marks an SAP audit log event type for anomaly detection, the alerting engine checks if the events recently streamed in from the SAP audit log seem normal, considering the history it has learned.
3133

32-
As an example flow:
34+
As a high level flow:
3335
1. Microsoft Sentinel checks an event or group of events for anomalies.
3436
1. It tries to match the event or group of events with previously seen activities of the same kind, at the user and system levels.
3537
1. The algorithm learns the network characteristics of the user at the subnet mask level. This is done according to seasonality.
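Review bot: "As a high level flow:" on line 34+ should be hyphenated as "As a high-level flow:", since "high-level" is a compound modifier here. The numbered steps below it are unchanged context, so no further change is needed in this hunk.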
@@ -40,13 +42,13 @@ With this ability, you can look for anomalies in previously quieted event types,
4042

4143
1. If your SAP audit log data is not already streaming into the Microsoft Sentinel workspace, learn how to [deploy the solution](deployment-overview.md).
4244
1. From the Microsoft Sentinel navigation menu, under **Content management**, select **Content hub (Preview)**.
43-
1. Check if your Continuous threat monitoring for SAP application has updates.
45+
1. Check if your **Continuous threat monitoring for SAP** application has updates.
4446
1. From the navigation menu, under **Analytics**, enable these 3 audit log alerts:
4547
- **SAP - Dynamic Deterministic Audit Log Monitor**. Runs every 10 minutes and focuses on the SAP audit log events marked as **Deterministic**.
4648
- **SAP - Dynamic Anomaly-based Audit Log Monitor**. Runs hourly and focuses on SAP events marked as **AnomaliesOnly**.
4749
- **SAP - Missing configuration in the Dynamic Security Audit Log Monitor**. Runs daily to provide configuration recommendations for the SAP audit log module.
4850

49-
Microsoft Sentinel now scans the entire SAP audit log is at regular intervals, for deterministic security events and anomalies. You can view the incidents this log generates in the **Incidents** blade.
51+
Microsoft Sentinel now scans the entire SAP audit log at regular intervals, for deterministic security events and anomalies. You can view the incidents this log generates in the **Incidents** blade.
5052

5153
As with every machine learning solution, it will perform better with time. Anomaly detection works best using an SAP audit log history of 7 days or more.
5254

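Review bot: line 51+ removes the stray "is" but still says "the incidents this log generates"; the audit log itself does not generate incidents, the analytics rules do, so "the incidents these rules generate" is more accurate. On the unchanged context line 46, "enable these 3 audit log alerts" should spell out "three" to match the usual style for numbers under ten in this docset.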
@@ -56,10 +58,10 @@ You can further configure event types that produce too many incidents using the
5658

5759
|Option |Description |
5860
|---------|---------|
59-
|Set severities and disable unwanted events |By default, both the deterministic and the anomaly-based SAP audit log analytics rules create alerts for events marked with medium and high severities. You can set these severeties specifically for production and non-production environments. For example, you can set a debugging activity event as high severity in production systems, and disable that events in non-production systems. |
60-
|Exclude users by their SAP roles or SAP profiles |Microsoft Sentinel for SAP ingests the SAP user’s master data profile, including direct and indirect role assignments, groups and profiles, so that you can speak the SAP language in your SIEM.<br><br>An SAP event can exclude users based on their SAP roles and profiles. To do this, in the watchlist, add the roles or profiles that group your RFC interface users in the RolesTagsToExclude column, next to the Generic table access by RFC event. From now on, you’ll get alerts only for users that are missing these roles. |
61-
|Exclude users by their SOC tags |This is a great way for SOC teams to come up with their own grouping, without relying on complicated SAP definitions or even without SAP authorization.<br><br>Conceptually, this works like name tags: you can set multiple events in the configuration with multiple tags. You don’t get alerts for a user with a tag associated with a specific event. For example, you don’t want specific service accounts to be alerted for Generic table access by RFC events, but can’t find an SAP role or an SAP profile that groups these users. In this case, you can add the **GenTableRFCReadOK** tag next to the relevant event in the watchlist list, and then go to the **SAP_User_Config** watchlist and assign the interface users the same tag. |
62-
|Specify a frequency threshold per event type and system role |This works like a speed limit. For example, you can decide that the noisy User Master Record Change events only trigger alerts if more than 12 activities are observed in an hour, by the same user in a production system. If a user exceeds the 12 per hour limit—for example, 2 events in a 10-minute window—an incident is triggered. |
61+
|Set severities and disable unwanted events |By default, both the deterministic and the anomaly-based SAP audit log analytics rules create alerts for events marked with medium and high severities. You can set these severeties specifically for production and non-production environments. For example, you can set a debugging activity event as high severity in production systems, and disable those events in non-production systems. |
62+
|Exclude users by their SAP roles or SAP profiles |Microsoft Sentinel for SAP ingests the SAP user’s master data profile, including direct and indirect role assignments, groups and profiles, so that you can speak the SAP language in your SIEM.<br><br>You can configure an SAP event to exclude users based on their SAP roles and profiles. To do this, in the watchlist, add the roles or profiles that group your RFC interface users in the **RolesTagsToExclude** column, next to the **Generic table access by RFC** event. From now on, you’ll get alerts only for users that are missing these roles. |
63+
|Exclude users by their SOC tags |This is a great way for SOC teams to come up with their own grouping, without relying on complicated SAP definitions or even without SAP authorization.<br><br>Conceptually, this works like name tags: you can set multiple events in the configuration with multiple tags. You don’t get alerts for a user with a tag associated with a specific event. For example, you don’t want specific service accounts to be alerted for **Generic table access by RFC** events, but can’t find an SAP role or an SAP profile that groups these users. In this case, you can add the **GenTableRFCReadOK** tag next to the relevant event in the watchlist, and then go to the **SAP_User_Config** watchlist and assign the interface users the same tag. |
64+
|Specify a frequency threshold per event type and system role |This works like a speed limit. For example, you can decide that the noisy **User Master Record Change** events only trigger alerts if more than 12 activities are observed in an hour, by the same user in a production system. If a user exceeds the 12 per hour limit—for example, 2 events in a 10-minute window—an incident is triggered. |
6365
|Determinism or anomalies |If you know the event’s characteristics, you can use the deterministic capabilities. If you aren't sure how to correctly configure the event, the machine learning capabilities can decide. |
6466
|SOAR capabilities |Microsoft Sentinel has additional capabilities intended to further orchestrate, automate and respond to incidents that can be applied to the SAP audit log dynamic alerts. Learn about [Security Orchestration, Automation, and Response (SOAR)](../automation.md). |
6567

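Review bot: the rewritten row on line 61+ keeps the misspelling "severeties" (twice in the old and new text); it should be "severities". The frequency-threshold example on line 64+ also does not clearly exceed the stated limit: 2 events in a 10-minute window is a rate of 12 per hour, not more than 12, so either raise the example count or reword it so the example unambiguously crosses the "more than 12 activities in an hour" threshold. The em-dashes in that sentence could be commas to match the rest of the article.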
articles/sentinel/sap/sap-solution-security-content.md

Lines changed: 1 addition & 1 deletion
@@ -168,7 +168,7 @@ These watchlists provide the configuration for the Microsoft Sentinel Solution f
168168
| <a name="programs"></a>**SAP - Obsolete Programs** | Obsolete ABAP programs (reports), whose execution should be governed. <br><br>- **ABAPProgram**:ABAP Program, such as TH_ RSPFLDOC <br>- **Description**: A meaningful ABAP program description |
169169
| <a name="transactions"></a>**SAP - Transactions for ABAP Generations** | Transactions for ABAP generations whose execution should be governed. <br><br>- **TransactionCode**:Transaction Code, such as SE11. <br>- **Description**: A meaningful Transaction Code description |
170170
| <a name="servers"></a>**SAP - FTP Servers** | FTP Servers for identification of unauthorized connections. <br><br>- **Client**:such as 100. <br>- **FTP_Server_Name**: FTP server name, such as http://contoso.com/ <br>-**FTP_Server_Port**:FTP server port, such as 22. <br>- **Description**A meaningful FTP Server description |
171-
| <a name="objects"></a>**SAP_Dynamic_Audit_Log_Monitor_Configuration** | Configure the SAP audit log alerts by assigning each message ID a severity level as required by you, per system role (production, non-production). This watchlist details all available SAP standard audit log message IDs and can be extended to contain additional message IDs you might create on your own using ABAP enhancements on their SAP NetWeaver systems. This watchlist also allows for configuring a designated team to handle each of the event types, and excluding users by SAP roles, SAP profiles or by tags from the SAP_User_Config watchlist. This watchlist is one of the core components used for [configuring](configure-audit-log-rules.md) the [built-in SAP analytics rules for monitoring the SAP audit log](#built-in-sap-analytics-rules-for-monitoring-the-sap-audit-log). <br><br>- **MessageID**: The SAP Message ID, or event type, such as `AUD` (User master record changes), or `AUB ` (authorization changes). <br>- **DetailedDescription**: A markdown enabled description to be shown on the incident pane. <br>- **ProductionSeverity**: The desired severity for the incident to be created with for production systems `High`, `Medium`. Can be set as `Disabled`. <br>- **NonProdSeverity**: The desired severity for the incident to be created with for non-production systems `High`, `Medium`. Can be set as `Disabled`. <br>- **ProductionThreshold** The "Per hour" count of events to be considered as suspicious for production systems `60`. <br>- **NonProdThreshold** The "Per hour" count of events to be considered as suspicious for non-production systems `10`. <br>- **RolesTagsToExclude**: This field accepts SAP role name, SAP profile names or tags from the SAP_User_Config watchlist. These are then used to exclude the associated users from specific event types. See options for role tags at the end of this list. 
<br>- **RuleType**: Use `Deterministic` for the event type to be sent off to the [SAP - Dynamic Deterministic Audit Log Monitor](#sap---dynamic-deterministic-audit-log-monitor), or `AnomaliesOnly` to have this event covered by the [SAP - Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW)](#sap---dynamic-anomaly-based-audit-log-monitor-alerts-preview).<br><br>For the **RolesTagsToExclude** field:<br>- If you list SAP roles or [SAP profiles](sap-solution-deploy-alternate.md#configuring-user-master-data-collection), this excludes any user with the listed roles or profiles from these event types for the same SAP system. For example, if you define the `BASIC_BO_USERS` ABAP role for the RFC related event types, Business Objects users won't trigger incidents when making massive RFC calls.<br>- Tagging an event type works is similar to specifying SAP roles or profiles, but tags can be created in the workspace, so SOC teams can exclude users by activity without depending on the SAP team. For example, the audit message IDs AUB (authorization changes) and AUD (user master record changes) are assigned the `MassiveAuthChanges` tag. Users assigned this tag are excluded from the checks for these activities. Running the workspace `SAPAuditLogConfigRecommend` function produces a list of recommended tags to be assigned to users, such as `Add the tags ["GenericTablebyRFCOK"] to user SENTINEL_SRV using the SAP_User_Config watchlist`.
171+
| <a name="objects"></a>**SAP_Dynamic_Audit_Log_Monitor_Configuration** | Configure the SAP audit log alerts by assigning each message ID a severity level as required by you, per system role (production, non-production). This watchlist details all available SAP standard audit log message IDs. The watchlist can be extended to contain additional message IDs you might create on your own using ABAP enhancements on their SAP NetWeaver systems. This watchlist also allows for configuring a designated team to handle each of the event types, and excluding users by SAP roles, SAP profiles or by tags from the **SAP_User_Config** watchlist. This watchlist is one of the core components used for [configuring](configure-audit-log-rules.md) the [built-in SAP analytics rules for monitoring the SAP audit log](#built-in-sap-analytics-rules-for-monitoring-the-sap-audit-log). <br><br>- **MessageID**: The SAP Message ID, or event type, such as `AUD` (User master record changes), or `AUB ` (authorization changes). <br>- **DetailedDescription**: A markdown enabled description to be shown on the incident pane. <br>- **ProductionSeverity**: The desired severity for the incident to be created with for production systems `High`, `Medium`. Can be set as `Disabled`. <br>- **NonProdSeverity**: The desired severity for the incident to be created with for non-production systems `High`, `Medium`. Can be set as `Disabled`. <br>- **ProductionThreshold** The "Per hour" count of events to be considered as suspicious for production systems `60`. <br>- **NonProdThreshold** The "Per hour" count of events to be considered as suspicious for non-production systems `10`. <br>- **RolesTagsToExclude**: This field accepts SAP role name, SAP profile names or tags from the SAP_User_Config watchlist. These are then used to exclude the associated users from specific event types. See options for role tags at the end of this list. 
<br>- **RuleType**: Use `Deterministic` for the event type to be sent off to the [SAP - Dynamic Deterministic Audit Log Monitor](#sap---dynamic-deterministic-audit-log-monitor), or `AnomaliesOnly` to have this event covered by the [SAP - Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW)](#sap---dynamic-anomaly-based-audit-log-monitor-alerts-preview).<br><br>For the **RolesTagsToExclude** field:<br>- If you list SAP roles or [SAP profiles](sap-solution-deploy-alternate.md#configuring-user-master-data-collection), this excludes any user with the listed roles or profiles from these event types for the same SAP system. For example, if you define the `BASIC_BO_USERS` ABAP role for the RFC related event types, Business Objects users won't trigger incidents when making massive RFC calls.<br>- Tagging an event type is similar to specifying SAP roles or profiles, but tags can be created in the workspace, so SOC teams can exclude users by activity without depending on the SAP team. For example, the audit message IDs AUB (authorization changes) and AUD (user master record changes) are assigned the `MassiveAuthChanges` tag. Users assigned this tag are excluded from the checks for these activities. Running the workspace `SAPAuditLogConfigRecommend` function produces a list of recommended tags to be assigned to users, such as `Add the tags ["GenericTablebyRFCOK"] to user SENTINEL_SRV using the SAP_User_Config watchlist`.
172172
| <a name="objects"></a>**SAP_User_Config** | Allows for fine tuning alerts by excluding /including users in specific contexts and is also used for for [configuring](configure-audit-log-rules.md) the [built-in SAP analytics rules for monitoring the SAP audit log](#built-in-sap-analytics-rules-for-monitoring-the-sap-audit-log). <br><br> - **SAPUser**: The SAP user <br> - **Tags**: Tags are used to identify users against certain activity. For example Adding the tags ["GenericTablebyRFCOK"] to user SENTINEL_SRV will prevent RFC related incidents to be created for this specific user <br>**Other active directory user identifiers** <br>- AD User Identifier <br>- User On-Premises Sid <br>- User Principal Name |
173173

174174
## Next steps

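Review bot: the row on line 171+ and the unchanged row on line 172 both use `<a name="objects"></a>`, so the two watchlists share a duplicate anchor and any in-page link to `#objects` resolves only to the first; since this row is being edited anyway, give it a unique anchor name. Smaller points in the same cell: `AUB ` carries a trailing space inside the backticks; "you might create on your own using ABAP enhancements on their SAP NetWeaver systems" mixes pronouns and should read "on your SAP NetWeaver systems"; and **SAP_User_Config** is now bolded at its first mention but stays unbolded in the later **RolesTagsToExclude** bullet ("tags from the SAP_User_Config watchlist"), so the two mentions should be made consistent.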