Merge pull request #3877 from MicrosoftDocs/main

denisebmsft · web-flow · commit 47891dfe1e99 · 2025-05-23T06:54:55.000-07:00
pushing updates live
diff --git a/defender-endpoint/TOC.yml b/defender-endpoint/TOC.yml
@@ -160,8 +160,6 @@
           items:
           - name: Onboard servers through Defender for Endpoint's experience
             href: onboard-server.md
-          - name: Defender for Endpoint on Windows Server with SAP
-            href: mde-sap-windows-server.md
           - name: Onboard Windows devices using Configuration Manager
             href: configure-endpoints-sccm.md
           - name: Onboard Windows devices using Group Policy
@@ -172,6 +170,12 @@
             href: configure-endpoints-vdi.md
           - name: Direct onboarding with Defender for Cloud
             href: /azure/defender-for-cloud/onboard-machines-with-defender-for-endpoint?toc=/defender-endpoint/toc.json&bc=/defender-endpoint/breadcrumb/toc.json
+          - name: Defender for Endpoint on Windows Server with SAP
+            href: mde-sap-windows-server.md
+          - name: Deployment guidance for Defender for Endpoint on Linux for SAP
+            href: mde-linux-deployment-on-sap.md
+          - name: Use custom detection rules to protect SAPXPG
+            href: mde-sap-custom-detection-rules.md
         - name: Defender for Endpoint on macOS
           items:
           - name: Deploy Defender for Endpoint on macOS
@@ -275,8 +279,6 @@
                 href: linux-install-manually.md
               - name: Direct onboarding with Defender for Cloud
                 href: /azure/defender-for-cloud/onboard-machines-with-defender-for-endpoint?toc=/defender-endpoint/toc.json&bc=/defender-endpoint/breadcrumb/toc.json
-              - name: Deployment guidance for Defender for Endpoint on Linux for SAP
-                href: mde-linux-deployment-on-sap.md
           - name: Configure Defender for Endpoint on Linux
             items:
             - name: Configure security policies and settings
diff --git a/defender-endpoint/mde-sap-custom-detection-rules.md b/defender-endpoint/mde-sap-custom-detection-rules.md
@@ -0,0 +1,105 @@
+---
+title: "Custom detection rules with advanced hunting: Protecting SAP external OS commands (SAPXPG)"
+description: Learn how to use advanced hunting with Defender for Endpoint to safeguard the SAPXPG mechanism with SAP systems.
+author: emmwalshh
+ms.author: ewalsh
+manager: deniseb
+ms.date: 05/20/2025
+ms.topic: overview
+ms.service: defender-endpoint
+ms.subservice: ngp
+ms.localizationpriority: medium
+ms.collection:
+ms.custom:
+- partner-contribution
+ms.reviewer: cgardin
+search.appverid: MET150
+f1.keywords: NOCSH
+audience: ITPro
+---
+
+# Custom detection rules with advanced hunting: Protecting SAP external OS commands (SAPXPG)
+
+**Applies to:**
+
+- Microsoft Defender for Endpoint for servers
+- Microsoft Defender for Servers Plan 1 or Plan 2
+
+SAP Systems can execute OS level commands by using `SAPXPG – Transaction Code SM49/SM69`. This article describes how to use advanced hunting with Microsoft Defender for Endpoint to help safeguard the SAPXPG mechanism to protect it from being exploited. The example illustrated in this article features SAP running on Linux; however, the procedure for SAP running on Windows Server is similar.
+
+## Before you begin
+
+Make sure to read the following articles before you begin:
+
+- [Create custom detection rules](/defender-xdr/custom-detection-rules)
+- [SAP Documentation: Starting External Commands and Programs](https://help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-US/4b/2b2bed365474fee10000000a421937/frameset.htm)
+
+The SAP BASIS Team and the security team should codevelop the solution. The SAP BASIS team doesn't have access to the [Microsoft Defender portal](/defender-xdr/microsoft-365-security-center-mde), and the security team doesn't know the specifics of the SAP Batch Jobs and External Commands. Both teams should work together.
+
+## Recommended implementation sequence
+
+1. The SAP BASIS team identifies and categorizes the external commands and scripts running on all SAP Environments (Dev, QA, PRD).
+
+2. The security team and the SAP BASIS team ensure that Defender for Endpoint is correctly deployed and configured on all SAP servers. For deployment guidance, see the following articles:
+
+   - [Deployment guidance for Microsoft Defender for Endpoint on Linux for SAP](https://aka.ms/mde4sap-linux)
+   - [Microsoft Defender for Endpoint on Windows Server with SAP](https://aka.ms/mde4sap-windows)
+
+3. The security team identifies all the SAP servers and runs a query for `"InitiatingProcessName" == "sapxpg"`, noting which servers are starting SAPXPG. 
+
+   We recommended limiting the number of servers running SAPXPG to a minimum, and disallowing SAPXPG on most SAP servers. And, the SAP BASIS team and security team should limit access to the authorization objects and transaction codes for SAPXPG. 
+
+4. The SAP BASIS team briefs the security team on any "allowed" utilities, such as `BRTOOLS` (for Oracle customers), `AzCopy` (if used) or other specific utilities for printing or archiving.
+
+5. The security team works with the SAP BASIS team to query SAPXPG commands and parameters. An example query to detect `wget` (which can be used to download malicious payloads) is as follows:
+
+   ```kusto
+
+   DeviceProcessEvents
+    | where Timestamp >= ago (1d)
+    | where (InitiatingProcessFileName == "sapxpg" or  InitiatingProcessFileName =="sapxpg.exe")  and FileName == "wget"
+
+   // Query shows SAPXPG commands that execute "wget"
+
+   ```
+
+   This query is designed to work on Linux (`sapxpg`) and Windows (`sapxpg.exe`).
+
+   Another query/rule design logic is to block SAPXPG from executing any command other than specified allowed commands. In the following query, any command that is not in the set ("cp", "ls", "mkdir") can be alerted or blocked. 
+
+   ```kusto
+   
+   DeviceProcessEvents
+    | where Timestamp >= ago (1d)
+    | where (InitiatingProcessFileName == "sapxpg" or  InitiatingProcessFileName =="sapxpg.exe")  and FileName !in ("cp", "ls", "mkdir")
+
+   //Query shows SAPXPG commands that execute any command other than "cp" or "mv" or mkdir
+
+   ```
+
+6. The security team [creates a custom detection rule](/defender-xdr/custom-detection-rules#2-create-new-rule-and-provide-alert-details) to detect suspicious commands. Suspicious commands could include: 
+
+   - `ncat`
+   - `netcat`
+   - `socat`
+   - `azcopy`
+   - `wget`
+   - `curl`
+   - `echo`
+   - `base64`
+   - `/dev/tcp`
+   - `pwd`
+   - `whoami`
+   - `chmod +x`
+
+7. The security team deploys the rule to non-production environments. The security team monitors detections, and the SAP BASIS team monitors jobs/interfaces for errors.
+
+8. The security team deploys the rule to production environments. The SAP BASIS team should monitor jobs and interfaces, and the security team should monitor any alerts that are generated.
+
+## Additional information
+
+- To trace SAPXPG using `sapxpg_trace`, see [SAP documentation: Analyzing Problems with External Commands and Programs](https://help.sap.com/doc/saphelp_snc700_ehp01/7.0.1/en-US/4b/272d0ed1341780e10000000a42189c/content.htm?no_cache=true).
+
+- To learn more about advanced hunting, see [Proactively hunt for threats with advanced hunting in Microsoft Defender](/defender-xdr/advanced-hunting-overview).
+
+- To learn more about custom rules, see [Create custom detection rules](/defender-xdr/custom-detection-rules#2-create-new-rule-and-provide-alert-details).
diff --git a/defender-endpoint/microsoft-defender-antivirus-updates.md b/defender-endpoint/microsoft-defender-antivirus-updates.md
@@ -3,7 +3,7 @@ title: Microsoft Defender Antivirus security intelligence and product updates
 description: Manage how Microsoft Defender Antivirus receives protection and product updates.
 ms.service: defender-endpoint
 ms.localizationpriority: high
-ms.date: 05/14/2025
+ms.date: 05/22/2025
 audience: ITPro
 ms.topic: reference
 author: emmwalshh
@@ -98,11 +98,11 @@ Updates contain:
 - Serviceability improvements
 - Integration improvements (Cloud, [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender))
 
-### April-2025 (Platform: TBD | Engine: 1.1.25040.1)
+### April-2025 (Platform: 4.18.25040.2 | Engine: 1.1.25040.1)
 
 - Security intelligence update version: **1.429.3.0**
-- Release date:  **May 14, 2025 (Engine)** / (Platform pending)
-- Platform: (*coming soon*)
+- Release date:  **May 14, 2025 (Engine)** / **May 22, 2025 (Platform)**
+- Platform: **4.18.25040.2**
 - Engine: **1.1.25040.1**
 - Support phase: **Security and Critical Updates**
 
@@ -155,32 +155,6 @@ Updates contain:
 - Increased [device control policy](device-control-policies.md) limits.
 - Improved security resilience for Defender update process.
 
-### January-2025 (Platform: 4.18.25010.11 | Engine: 1.1.25010.7)
-
-- Security intelligence update version: **1.423.21.0**
-- Release date: **February 20, 2025** (Engine) / **March 5, 2025** (Platform)
-- Platform: **4.18.25010.11**
-- Engine: **1.1.25010.7**
-- Support phase: **Security and Critical Updates**
-
-#### What's new
-
-- Improved handling of [attack surface reduction rule](attack-surface-reduction-rules-reference.md) exclusions.
-- Improved AMSI scan performance with changes to exclusion handling.
-- Fixed [Controlled Folder Access](controlled-folders.md) (CFA) protection for OneDrive when backup is enabled.
-- Fixed performance issues with [full scans](schedule-antivirus-scans.md) when initiated from the Microsoft Defender portal.
-- Fixed attack surface reduction warn mode processing for containerized objects (such as Office files) when the unblock option is selected.
-- Fixed attack surface reduction warn mode processing when exclusions are applied.
-- Fixed performance handling with file transfers having Mark of the Web (MoTW) set.
-- Implemented `AzureAd` cache to handle offline environments with [device control](device-control-overview.md).
-- Resolved an issue with `TrustLabelProtectionStatus` being reset after a Microsoft Defender platform update.
-- Resolved an issue with [tamper protection for exclusions](/defender-endpoint/manage-tamper-protection-intune#tamper-protection-for-antivirus-exclusions) where an exclusion policy was handled by System Center Configuration Manager.
-- Fixed issue with device control auditing of removable media.
-- Fixed issue with MDM policy management on Azure Virtual Desktop.
-- Added support for wildcards in [tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) trusted process.
-- Improved device control policy enforcement in offline environments.
-- Fixed issue in the `WDNisDrv.sys` driver that caused system hangs during shutdown.
-
 ### Previous version updates: Technical upgrade support only
 
 After a new package version is released, support for the previous two versions is reduced to technical support only. For more information about previous versions, see [Microsoft Defender Antivirus updates: Previous versions for technical upgrade support](msda-updates-previous-versions-technical-upgrade-support.md).
diff --git a/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md b/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md
@@ -6,7 +6,7 @@ ms.author: ewalsh
 author: emmwalshh
 ms.localizationpriority: medium
 ms.reviewer: pahuijbr
-ms.date: 04/07/2025
+ms.date: 05/21/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -29,6 +29,32 @@ Microsoft regularly releases [security intelligence updates and product updates
 
 ## Engine and platform updates
 
+### January-2025 (Platform: 4.18.25010.11 | Engine: 1.1.25010.7)
+
+- Security intelligence update version: **1.423.21.0**
+- Release date: **February 20, 2025** (Engine) / **March 5, 2025** (Platform)
+- Platform: **4.18.25010.11**
+- Engine: **1.1.25010.7**
+- Support phase: **Technical upgrade support (only)**
+
+#### What's new
+
+- Improved handling of [attack surface reduction rule](attack-surface-reduction-rules-reference.md) exclusions.
+- Improved AMSI scan performance with changes to exclusion handling.
+- Fixed [Controlled Folder Access](controlled-folders.md) (CFA) protection for OneDrive when backup is enabled.
+- Fixed performance issues with [full scans](schedule-antivirus-scans.md) when initiated from the Microsoft Defender portal.
+- Fixed attack surface reduction warn mode processing for containerized objects (such as Office files) when the unblock option is selected.
+- Fixed attack surface reduction warn mode processing when exclusions are applied.
+- Fixed performance handling with file transfers having Mark of the Web (MoTW) set.
+- Implemented `AzureAd` cache to handle offline environments with [device control](device-control-overview.md).
+- Resolved an issue with `TrustLabelProtectionStatus` being reset after a Microsoft Defender platform update.
+- Resolved an issue with [tamper protection for exclusions](/defender-endpoint/manage-tamper-protection-intune#tamper-protection-for-antivirus-exclusions) where an exclusion policy was handled by System Center Configuration Manager.
+- Fixed issue with device control auditing of removable media.
+- Fixed issue with MDM policy management on Azure Virtual Desktop.
+- Added support for wildcards in [tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) trusted process.
+- Improved device control policy enforcement in offline environments.
+- Fixed issue in the `WDNisDrv.sys` driver that caused system hangs during shutdown.
+
 ### September-2024 (Platform: 4.18.24090.11 | Engine 1.1.24090.11)
 
 - Security intelligence update version: **1.421.12.0**
