
Commit 92417fd

committed
Update mde-sap-custom-detection-rules.md
1 parent a693c95 commit 92417fd

File tree

1 file changed

+34
-0
lines changed


defender-endpoint/mde-sap-custom-detection-rules.md

Lines changed: 34 additions & 0 deletions
@@ -45,6 +45,40 @@ The SAP BASIS Team and the Security team should co-develop the solution. The SAP
4545
- [Deployment guidance for Microsoft Defender for Endpoint on Linux for SAP](https://aka.ms/mde4sap-linux)
4646
- [Microsoft Defender for Endpoint on Windows Server with SAP](https://aka.ms/mde4sap-windows)
4747

48+
3. The Security team identifies all the SAP servers and runs a query for "InitiatingProcessName" == "sapxpg", noting which servers are starting SAPXPG.
49+
50+
- It is recommended to limit the number of servers running SAPXPG to a minimum and to disallow SAPXPG on most SAP servers.
51+
- The SAP BASIS team and Security team should limit access to the authorization objects and transaction codes for SAPXPG.
52+
53+
4. The SAP BASIS team briefs the Security team on any "allowed" utilities, such as BRTOOLS (for Oracle customers), AzCopy (if used) or other specific utilities for printing or archiving.
54+
55+
5. The Security teams works with the SAP BASIS team to query SAPXPG commands and parameters. An example query to detect or block "wget" (which can be used to download malicious payloads) is as follows:
56+
57+
```kusto
58+
59+
DeviceProcessEvents
60+
| where Timestamp >= ago (1d)
61+
| where (InitiatingProcessFileName == "sapxpg" or InitiatingProcessFileName =="sapxpg.exe") and FileName == "wget"
62+
63+
// Query will show SAPXPG commands that execute "wget"
64+
65+
```
66+
67+
This query is designed to work on Linux (sapxpg) and Windows (sapxpg.exe).
68+
69+
Another query/rule design logic is to block SAPXPG from executing any command other than specified allowed commands. In the following query, any command that is not in the set ("cp", "ls", "mkdir") can be alerted or blocked.
70+
71+
```kusto
72+
73+
DeviceProcessEvents
74+
| where Timestamp >= ago (1d)
75+
| where (InitiatingProcessFileName == "sapxpg" or InitiatingProcessFileName =="sapxpg.exe") and FileName !in ("cp", "ls", "mkdir")
76+
77+
//Query will show SAPXPG commands that execute any command other than "cp" or "mv" or mkdir
78+
79+
```
80+
81+
6.
4882

4983

5084
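Review bot: the allow-list query in step 5 disagrees with its own comment: the filter is `FileName !in ("cp", "ls", "mkdir")` while the comment reads `any command other than "cp" or "mv" or mkdir`; pick one set and align the comment with the filter, since an analyst copying the rule will otherwise allow-list the wrong utility. In the same step, the wget query claims to work on Windows (`sapxpg.exe`) but only matches `FileName == "wget"`, which does not match `wget.exe`; use `FileName in ("wget", "wget.exe")` so the Windows side of the rule actually fires. Step 3 refers to the column as `"InitiatingProcessName"` while both queries use `InitiatingProcessFileName` on `DeviceProcessEvents`; the step should use the same column name as the queries. Minor: "The Security teams works" should read "The Security team works", and step 6 is added as a bare `6.` with no text, so either fill it in or drop it from this commit.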
