Update mde-sap-custom-detection-rules.md

denisebmsft · denisebmsft · commit 2dac0aa19f85 · 2025-05-19T15:46:10.000-07:00
diff --git a/defender-endpoint/mde-sap-custom-detection-rules.md b/defender-endpoint/mde-sap-custom-detection-rules.md
@@ -78,7 +78,25 @@ The SAP BASIS Team and the Security team should co-develop the solution. The SAP
 
    ```
 
-6. 
+6. The security team creates a rule to detect suspicious commands, specifying the action "Restrict app execution." Suspicious commands could include: 
+
+   - `ncat`
+   - `netcat`
+   - `socat`
+   - `azcopy`
+   - `wget`
+   - `curl`
+   - `echo`
+   - `base64`
+   - `/dev/tcp`
+   - `pwd`
+   - `whoami`
+   - `chmod +x`
+
+
+
+   
+
 
 
 
