Commit e2c8b11

committed
gathering open issues
1 parent 78dac90 commit e2c8b11

8 files changed

+22
-16
lines changed

articles/sentinel/monitor-sap-system-health.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -47,7 +47,7 @@ This procedure describes how to check your data connector's connection status fr
4747

4848
The fields in the **Configure an SAP system and assign it to a collector agent** area are described as follows:
4949

50-
- **System display name**. The SAP system ID (SID) and its client number. Together, this value qualifies the connection to the SAP system and defines for SAP BASIS which system you're connecting to. <!--verify this w martin p-->
50+
- **System display name**. The SAP system ID (SID) and its client number. Together, this value qualifies the connection to the SAP system and defines for SAP BASIS which system you're connecting to.
5151

5252
- **System role**. Indicates whether the system is production state or not, which also affects billing. For more information, see [Solution pricing](sap/solution-overview.md#solution-pricing). Values include:
5353
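
Review bot: The `<!--verify this w martin p-->` marker on line 50 is removed while the sentence it flagged is unchanged, so the diff gives no record that the description was confirmed. Say in the commit message who verified it. The sentence also mixes a plural subject with a singular noun in "Together, this value qualifies"; "Together, these values identify the SAP system you're connecting to" reads cleaner.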

articles/sentinel/sap/deploy-data-connector-agent-container.md

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -274,10 +274,10 @@ While deployment is also supported from the command line, we recommend that you
274274
275275
|Name |Description |
276276
|---------|---------|
277-
|**Agent name** | Enter an agent name, including any of the following characters: <ul><li> a-z<li> A-Z<li>0-9<li>_ (underscore)<li>. (period)<li>- (dash)</ul> |
277+
|**Agent name** | Enter an meaningful agent name for your organization. We don't recommend any specific naming convention, except that the name can include only the following types of characters: <ul><li> a-z<li> A-Z<li>0-9<li>_ (underscore)<li>. (period)<li>- (dash)</ul> |
278278
|**Subscription** / **Key vault** | Select the **Subscription** and **Key vault** from their respective drop-downs. |
279279
|**NWRFC SDK zip file path on the agent VM** | Enter the path in your VM that contains the SAP NetWeaver Remote Function Call (RFC) Software Development Kit (SDK) archive (.zip file). <br><br>Make sure that this path includes the SDK version number in the following syntax: `<path>/NWRFC<version number>.zip`. For example: `/src/test/nwrfc750P_12-70002726.zip`. |
280-
|**Enable SNC connection support** |Select to ingest NetWeaver/ABAP logs over a [secure connection using SNC](preparing-sap.md#configure-your-system-to-use-snc-for-secure-connections). <br><br>If you select this option, enter the path that contains the `sapgenpse` binary and `libsapcrypto.so` library, under **SAP Cryptographic Library path on the agent VM**. <br><br>If you want to use an SNC connection, make sure to select **Enable SNC connection support** at this stage as you can't go back and enable an SNC connection after you finish deploying the agent. |
280+
|**Enable SNC connection support** |Select to ingest NetWeaver/ABAP logs over a [secure connection using SNC](preparing-sap.md#configure-your-system-to-use-snc-for-secure-connections). <br><br>If you select this option, enter the path that contains the `sapgenpse` binary and `libsapcrypto.so` library, under **SAP Cryptographic Library path on the agent VM**. <br><br>If you want to use an SNC connection, make sure to select **Enable SNC connection support** at this stage as you can't go back and enable an SNC connection after you finish deploying the agent. If you want to change this setting afterwards, we recommend that you create a new agent instead. |
281281
|**Authentication to Azure Key Vault** | To authenticate to your key vault using a managed identity, leave the default **Managed Identity** option selected. To authenticate to your key vault using a registered application, select **Application Identity**. <br><br>You must have the managed identity or registered application set up ahead of time. For more information, see [Create a virtual machine and configure access to your credentials](#create-a-virtual-machine-and-configure-access-to-your-credentials). |
282282
283283
For example:
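
Review bot: On added line 277, "Enter an meaningful agent name" should be "Enter a meaningful agent name". On added line 280, the new closing sentence sits awkwardly with the one before it: the text says you can't enable SNC after deployment, then says "we recommend that you create a new agent instead", which implies another option exists. If redeploying is the only way to switch, state it as a requirement, because a reader who skips this checkbox ends up ingesting NetWeaver/ABAP logs without the SNC-secured connection.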
@@ -296,7 +296,10 @@ While deployment is also supported from the command line, we recommend that you
296296
297297
:::image type="content" source="media/deploy-data-connector-agent-container/finish-agent-deployment-role.png" alt-text="Screenshot of the Copy icon for the command from step 1.":::
298298
299-
To find your VM identity object ID in Azure, go to **Enterprise application** > **All applications**, and select your VM or application name. Copy the value of the **Object ID** field to use with your copied command. <!--check this with Dvir-->
299+
To find your VM identity object ID in Azure:
300+
301+
- For a managed identity, go to **Managed identities** in Azure and select your managed identity. For user-assigned identities, the object ID is displayed on the **Overview** page. For system-assigned managed identities, the object ID is displayed on the **Identity** page.
302+
- For a service principal, go to **Enterprise application** in Azure. Select **All applications** and then select your VM. The object ID is displayed on the **Overview** page.<!--check this with Dvir-->
300303
301304
These commands assign the **Microsoft Sentinel Business Applications Agent Operator** and **Reader** Azure roles to your VM's managed or application identity, including only the scope of the specified agent's data in the workspace.
302305
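
Review bot: Added line 302 still carries `<!--check this with Dvir-->`, so the new navigation steps are published unverified; resolve that before merge, because the object ID found here is what the role-assignment commands on line 304 are run against. In the same bullet, the old text said to select "your VM or application name" and the new service principal bullet says only "select your VM"; for a registered application the entry to pick is the application, so keep "or application name". The lead-in "To find your VM identity object ID" could also say "VM or application identity" to match line 304.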

articles/sentinel/sap/reference-update.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ ms.collection: usx-security
1313

1414
# Microsoft Sentinel solution for SAP applications data connector agent update file reference
1515

16-
The Microsoft Sentinel SAP data connector agent container users an [update script](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP)) to simplify the update process.
16+
The Microsoft Sentinel SAP data connector agent container users an [update script](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP) to simplify the update process.
1717

1818
This article describes the configurable parameters available in the update script. For more information, see [Update the Microsoft Sentinel for SAP applications data connector agent](update-sap-data-connector.md).
1919
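
Review bot: Line 16 fixes the doubled closing parenthesis after the link but keeps the typo "agent container users an", which should be "agent container uses an"; fix both in the same change.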

articles/sentinel/sap/sap-deploy-troubleshoot.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -210,7 +210,7 @@ If you see errors that you're missing a required SAP change request, make sure y
210210

211211
### No data is showing in the SAP table data log
212212

213-
This solution allows SAP systems with versions for SAP BASIS 7.5 SP12 and above to reflect table data log changes in the `ABAPTableDataLog_CL` table.
213+
In SAP systems with versions for SAP BASIS 7.5 SP12 and above, Microsoft Sentinel can reflect table data log changes in the `ABAPTableDataLog_CL` table.
214214

215215
If no data is showing in the `ABAPTableDataLog_CL` table, verify that the SAP system from which you're extracting the data contains the relevant change requests (transports). For more information, see [Configure support for extra data retrieval (recommended)](preparing-sap.md#configure-support-for-extra-data-retrieval-recommended).
216216
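
Review bot: On added line 213, "SAP systems with versions for SAP BASIS 7.5 SP12 and above" is hard to parse; "SAP systems running SAP BASIS 7.5 SP12 or later" says the same thing. "can reflect table data log changes" is also soft for a troubleshooting section: if older versions never populate `ABAPTableDataLog_CL`, say so directly, so the reader can rule that out before checking the change requests described on line 215.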

articles/sentinel/sap/sap-solution-function-reference.md

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -210,8 +210,6 @@ For more information, see [Available watchlists](sap-solution-security-content.m
210210

211211
## SAPAuditLogAnomalies
212212

213-
<!--ask ofer whether we're comfortable mentioning machine learning here-->
214-
215213
The **SAPAuditLogAnomalies** function uses Microsoft Sentinel's underlying Kusto database's built-in machine learning capabilities to help detect anomalous events observed on the SAP audit log.
216214

217215
The **SAPAuditLogAnomalies** function was developed for the *SAP - (Experimental) Dynamic Anomaly based Audit Log Monitor Alerts* analytics rule. While it's original design is to alert on recent anomalies, it can also help to highlight historical anomalies. For more information, see [Sample uses](#sample).
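
Review bot: The comment removed at line 213 asked whether machine learning should be mentioned, and the sentence on new line 213 still mentions it; record in the commit message that the question was answered rather than dropped. While in this hunk, the context line that follows has "While it's original design", which should be "its".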
@@ -274,7 +272,7 @@ We recommend restricting the size of the learned database to be under 100 millio
274272
SAPAuditLogAnomalies(LearningTime = 14d, DetectingTime=0h, SelectedSystems= dynamic(["BIP"]))
275273
```
276274
277-
For more information, see [Built-in SAP analytics rules for monitoring the SAP audit log](sap-solution-security-content.md#monitor-the-sap-audit-log).
275+
For more information, see [Built-in SAP analytics rules for monitoring the SAP audit log](sap-solution-security-content.md#monitor-the-sap-audit-log) and [Anomaly detection on the SAP audit log using the Microsoft Sentinel for SAP solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/anomaly-detection-on-the-sap-audit-log-using-the-microsoft/ba-p/3418709) (blog).
278276
279277
## SAPAuditLogConfigRecommend
280278

articles/sentinel/sap/sap-solution-log-reference.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,7 @@ The Microsoft Sentinel solution for SAP applications collects logs from the appl
4242

4343
In addition to security monitoring, logs collected at the application layer can also be used for compliance and auditing purposes.
4444

45-
- **OS layer**: Microsoft Sentinel gathers logs from the operating system to provide insights into OS-level activities, such as from the ABAP server and the virtual machines on which the SAP applications are running.
45+
- **OS layer**: Microsoft Sentinel gathers logs from the operating system to provide insights into OS-level activities, such as from the ABAP server and the virtual machines on which the SAP applications are running.
4646

4747
Use the Microsoft Sentinel solution for SAP applications together with security content and data connectors for your other services for comprehensive and central monitoring, correlating information across all your systems and enhancing your overall security posture.
4848

@@ -577,7 +577,7 @@ To have this log sent to Microsoft Sentinel, you must [add it manually to the **
577577

578578
### HANA DB Audit Trail
579579

580-
The HANA DB Audit Trail is an example of a database level log collection. To have this log sent to Microsoft Sentinel, you must [deploy Azure Monitor Agent](../connect-cef-syslog-ama.md) to gather Syslog data from the machine running HANA DB.
580+
Collecting the HANA DB Audit Trail log is an example of how Microsoft Sentinel collects database layer activities. To have this log sent to Microsoft Sentinel, you must [deploy Azure Monitor Agent](../connect-cef-syslog-ama.md) to gather Syslog data from the machine running HANA DB.
581581

582582
- **Microsoft Sentinel function for querying this log**: SAPSyslog
583583

articles/sentinel/sap/stop-collection.md

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -24,9 +24,8 @@ This article provides step-by-step instructions on how to stop the ingestion of
2424

2525
Before you stop the data collection from your SAP applications, ensure you have administrative access to:
2626

27-
- The Microsoft Sentinel workspace
28-
- The SAP data connector agent
29-
- The machine or container where the data connector agent is running
27+
- The Log Analytics workspace that's enabled for Microsoft Sentinel. For more information, see [Roles and permissions in Microsoft Sentinel](../roles.md).
28+
- The SAP data connector agent machine or container.
3029

3130
We recommend that you back up your current configuration and logs before making any changes. <!--is this correct?-->
3231
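
Review bot: Added lines 27 and 28 keep the lead-in "administrative access" but don't name the role needed on the workspace; linking to `../roles.md` leaves the reader to pick one, and the easy choice is an over-privileged one. Name the minimum role required to stop collection. The old list had separate bullets for the agent and for the machine or container it runs on; if host access alone is sufficient, say so, otherwise the merged bullet loses a requirement. Context line 30 still carries `<!--is this correct?-->`, which belongs with the other open questions this commit is gathering.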

articles/sentinel/sap/update-sap-data-connector.md

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,8 @@ Configure automatic updates for the connector agent, either for [all existing co
3737

3838
The commands described in this section create a cron job that runs daily, checks for updates, and updates the agent to the lastest GA version. Containers running a preview version of the agent that's newer than the latest GA version aren't updated. Log files for automatic updates are located on the collector machine, at */var/log/sapcon-sentinel-register-autoupdate.log*.
3939

40+
After you configure automatic updates for an agent, any new, subsequent agents that you deploy are also configured for automatic updates. <!--is this true? dvir-->
41+
4042
> [!IMPORTANT]
4143
> Automatically updating the SAP data connector agent is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
4244
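
Review bot: Added line 40 ships with `<!--is this true? dvir-->`, so the claim that later agents inherit automatic updates is unverified. Confirm the behavior before publishing: a reader who relies on it may leave new agents without updates, or may get unattended updates on agents they meant to control by hand. "any new, subsequent agents" is redundant; "any agents that you deploy afterwards" is enough. Context line 38 also has "lastest".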
@@ -88,9 +90,13 @@ Automatic attack disruption for SAP is supported with the unified security opera
8890

8991
- A Microsoft Sentinel SAP data connector agent, version 90847355 or higher. [Check your current agent version](#verify-your-current-data-connector-agent-version) and update it if you need to.
9092

91-
- The identity of your data connector agent VM assigned to the **Microsoft Sentinel Business Applications Agent Operator** Azure role. If this role isn't assigned, make sure to [assign these roles manually](#assign-required-azure-roles-manually).
93+
- The following roles in Azure and SAP:
94+
95+
- **Azure role requirement**: The identity of your data connector agent VM must be assigned to the **Microsoft Sentinel Business Applications Agent Operator** Azure role. Verify this assignment and [assign this role manually](#assign-required-azure-roles-manually) if you need to.
96+
97+
- **SAP role requirement**: The **/MSFTSEN/SENTINEL_RESPONDER** SAP role must be applied to your SAP system and assigned to the SAP user account used by the data connector agent. Verify this assignment and [apply and assign the role](#apply-and-assign-the-sentinel_responder-sap-role-to-your-sap-system) if you need to.
9298

93-
- The **/MSFTSEN/SENTINEL_RESPONDER** SAP role [applied to your SAP system and assigned to the SAP user account](#apply-and-assign-the-sentinel_responder-sap-role-to-your-sap-system) used by Microsoft Sentinel's SAP data connector agent.
99+
The following procedures describe how to fulfill these requirements if they aren't already met.
94100

95101
### Verify your current data connector agent version
96102
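
Review bot: On added line 95, "must be assigned to the **Microsoft Sentinel Business Applications Agent Operator** Azure role" inverts the relationship; roles are assigned to identities, so write "must be assigned the ... Azure role". The link text "assign this role manually" is singular while its anchor is `#assign-required-azure-roles-manually`; make clear whether one role or several are required. On line 97, "Verify this assignment" would be more useful with a pointer to where the SAP role assignment can be checked, since the linked section only covers applying it.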
