defender-endpoint/mde-sap-custom-detection-rules.md
10 additions & 11 deletions
@@ -25,7 +25,7 @@ audience: ITPro
25
25
- Microsoft Defender for Endpoint for servers
26
26
- Microsoft Defender for Servers Plan 1 or Plan 2
27
27
28
-
SAP Systems can execute OS level commands by using SAPXPG – Transaction Code SM49/SM69. This article describes how to use advanced hunting with Microsoft Defender for Endpoint to help safeguard the SAPXPG mechanism. The example illustrated in this article features SAP running on Linux; however, the procedure for SAP running on Windows 11 is similar.
28
+
SAP Systems can execute OS level commands by using `SAPXPG – Transaction Code SM49/SM69`. This article describes how to use advanced hunting with Microsoft Defender for Endpoint to help safeguard the SAPXPG mechanism to protect it from being exploited. The example illustrated in this article features SAP running on Linux; however, the procedure for SAP running on Windows 11 is similar.
29
29
30
30
## Before you begin
31
31
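Review bot: the added backticks on the introductory sentence wrap a prose phrase, `SAPXPG – Transaction Code SM49/SM69`, as though it were a single identifier; code-format only the actual identifiers, for example `SAPXPG` (transaction codes `SM49`/`SM69`), and leave the connecting words as prose. The appended "to protect it from being exploited" repeats the "help safeguard" earlier in the same sentence; one of the two is enough. While touching this line, note that it says "SAP running on Windows 11", whereas the deployment link later in the file is "Microsoft Defender for Endpoint on Windows Server with SAP"; confirm which Windows platform is meant so the two statements agree.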
@@ -34,37 +34,36 @@ Make sure to read the following articles before you begin:
-[SAP Documentation: Starting External Commands and ProgramsLocate this document in the navigation structure](https://help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-US/4b/2b2bed365474fee10000000a421937/frameset.htm)
36
36
37
-
The SAP BASIS Team and the Security team should codevelop the solution. The SAP BASIS team doesn't have access to the Microsoft Defender portal, and the Security team doesn't know the specifics of the SAP Batch Jobs and External Commands.
37
+
The SAP BASIS Team and the security team should codevelop the solution. The SAP BASIS team doesn't have access to the Microsoft Defender portal, and the security team doesn't know the specifics of the SAP Batch Jobs and External Commands. Both teams should work together.
38
38
39
39
## Recommended implementation sequence
40
40
41
41
1. The SAP BASIS team identifies and categorizes the external commands and scripts running on all SAP Environments (Dev, QA, PRD).
42
42
43
-
2. The Security team and the SAP BASIS team ensure that Defender for Endpoint is correctly deployed and configured on all SAP servers. For deployment guidance, see the following articles:
43
+
2. The security team and the SAP BASIS team ensure that Defender for Endpoint is correctly deployed and configured on all SAP servers. For deployment guidance, see the following articles:
44
44
45
45
-[Deployment guidance for Microsoft Defender for Endpoint on Linux for SAP](https://aka.ms/mde4sap-linux)
46
46
-[Microsoft Defender for Endpoint on Windows Server with SAP](https://aka.ms/mde4sap-windows)
47
47
48
-
3. The Security team identifies all the SAP servers and runs a query for `"InitiatingProcessName" == "sapxpg"`, noting which servers are starting SAPXPG.
48
+
3. The security team identifies all the SAP servers and runs a query for `"InitiatingProcessName" == "sapxpg"`, noting which servers are starting SAPXPG.
49
49
50
-
- It's recommended to limit the number of servers running SAPXPG to a minimum and to disallow SAPXPG on most SAP servers.
51
-
- The SAP BASIS team and Security team should limit access to the authorization objects and transaction codes for SAPXPG.
50
+
We recommended limiting the number of servers running SAPXPG to a minimum, and disallowing SAPXPG on most SAP servers. And, the SAP BASIS team and security team should limit access to the authorization objects and transaction codes for SAPXPG.
52
51
53
-
4. The SAP BASIS team briefs the Security team on any "allowed" utilities, such as `BRTOOLS` (for Oracle customers), `AzCopy` (if used) or other specific utilities for printing or archiving.
52
+
4. The SAP BASIS team briefs the security team on any "allowed" utilities, such as `BRTOOLS` (for Oracle customers), `AzCopy` (if used) or other specific utilities for printing or archiving.
54
53
55
-
5. The security team works with the SAP BASIS team to query SAPXPG commands and parameters. An example query to detect or block "wget" (which can be used to download malicious payloads) is as follows:
54
+
5. The security team works with the SAP BASIS team to query SAPXPG commands and parameters. An example query to detect or block `wget` (which can be used to download malicious payloads) is as follows:
56
55
57
56
```kusto
58
57
59
58
DeviceProcessEvents
60
59
| where Timestamp >= ago (1d)
61
60
| where (InitiatingProcessFileName == "sapxpg" or InitiatingProcessFileName =="sapxpg.exe") and FileName == "wget"
62
61
63
-
// Query will show SAPXPG commands that execute "wget"
62
+
// Query shows SAPXPG commands that execute "wget"
64
63
65
64
```
66
65
67
-
This query is designed to work on Linux (sapxpg) and Windows (sapxpg.exe).
66
+
This query is designed to work on Linux (`sapxpg`) and Windows (`sapxpg.exe`).
68
67
69
68
Another query/rule design logic is to block SAPXPG from executing any command other than specified allowed commands. In the following query, any command that is not in the set ("cp", "ls", "mkdir") can be alerted or blocked.
70
69
@@ -74,7 +73,7 @@ The SAP BASIS Team and the Security team should codevelop the solution. The SAP
74
73
| where Timestamp >= ago (1d)
75
74
| where (InitiatingProcessFileName == "sapxpg" or InitiatingProcessFileName =="sapxpg.exe") and FileName !in ("cp", "ls", "mkdir")
76
75
77
-
//Query will show SAPXPG commands that execute any command other than "cp" or "mv" or mkdir
76
+
//Query shows SAPXPG commands that execute any command other than "cp" or "mv" or mkdir
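Review bot: the trailing comment on the allow-list query, `//Query shows SAPXPG commands that execute any command other than "cp" or "mv" or mkdir`, still disagrees with the filter directly above it, `FileName !in ("cp", "ls", "mkdir")`: the comment says `mv`, the query says `ls`. This change only replaced "will show" with "shows", so the mismatch survives; make the comment list the same set as the query (`"cp"`, `"ls"`, `"mkdir"`) or change the set, and quote `mkdir` like the other two. Two further points in this hunk: step 3 keeps `"InitiatingProcessName" == "sapxpg"`, but both sample queries filter on `InitiatingProcessFileName`, and a quoted column name is not valid Kusto, so the step should read `InitiatingProcessFileName == "sapxpg"` (and also match `sapxpg.exe` for Windows, as the queries below do); and the rewritten recommendation reads "We recommended limiting the number of servers ...", which should be "We recommend limiting ...", with the sentence starting "And, the SAP BASIS team ..." either folded into the preceding sentence or kept as the separate bullet it was before this change.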