defender-endpoint/mde-sap-custom-detection-rules.md
Lines changed: 28 additions & 4 deletions
@@ -1,6 +1,6 @@
1
1
---
2
-
title: "Microsoft Defender Endpoint on Windows Server with SAP"
3
-
description: Understand how Microsoft Defender for Endpoint with EDR and other advanced security capabilities interacts with SAP applications.
2
+
title: "Custom Detection Rules - Advanced Hunting: Protecting SAP External OS Commands (SAPXPG)"
3
+
description: Learn how to use advanced hunting with Defender for Endpoint to safeguard the SAPXPG mechanism with SAP systems.
4
4
author: emmwalshh
5
5
ms.author: ewalsh
6
6
manager: deniseb
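Review bot: The new description line ends with "safeguard the SAPXPG mechanism with SAP systems", which reads as if SAP systems were doing the safeguarding; "on SAP systems" says what is meant. The removed description used the full product name "Microsoft Defender for Endpoint", while the new one shortens it to "Defender for Endpoint" on first mention; keep the full name in the metadata. The new title is also long for front matter and is repeated verbatim as the H1 in the next hunk, so a shorter form would be easier to maintain in both places.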
@@ -18,9 +18,33 @@ f1.keywords: NOCSH
18
18
audience: ITPro
19
19
---
20
20
21
-
# Microsoft Defender for Endpoint on Windows Server with SAP
21
+
# Custom Detection Rules - Advanced Hunting: Protecting SAP External OS Commands (SAPXPG)
22
22
23
23
**Applies to:**
24
24
25
25
- Microsoft Defender for Endpoint for servers
26
-
- Microsoft Defender for Servers Plan 1 or Plan 2
26
+
- Microsoft Defender for Servers Plan 1 or Plan 2
27
+
28
+
SAP Systems can execute OS level commands by using SAPXPG – Transaction Code SM49/SM69. This article describes how to use advanced hunting with Microsoft Defender for Endpoint to help safeguard the SAPXPG mechanism. The example illustrated in this article features SAP running on Linux; however, the procedure for SAP running on Windows 11 is similar.
29
+
30
+
## Before you begin
31
+
32
+
Make sure to read the following articles before you begin:
-[SAP Documentation: Starting External Commands and ProgramsLocate this document in the navigation structure](https://help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-US/4b/2b2bed365474fee10000000a421937/frameset.htm)
36
+
37
+
The SAP BASIS Team and the Security team should co-develop the solution. The SAP BASIS team doesn't have access to the Microsoft Defender portal, and the Security team won't know the specifics of the SAP Batch Jobs and External Commands.
38
+
39
+
## Recommended implementation sequence
40
+
41
+
1. The SAP BASIS team identifies and categorizes the external commands and scripts running on all SAP Environments (Dev, QA, PRD).
42
+
43
+
2. The Security team and the SAP BASIS team ensure that Defender for Endpoint is correctly deployed and configured on all SAP servers. For deployment guidance, see the following articles:
44
+
45
+
-[Deployment guidance for Microsoft Defender for Endpoint on Linux for SAP](https://aka.ms/mde4sap-linux)
46
+
-[Microsoft Defender for Endpoint on Windows Server with SAP](https://aka.ms/mde4sap-windows)
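Review bot: The added intro paragraph says the procedure "for SAP running on Windows 11 is similar", but the Applies to list directly above names Defender for Endpoint for servers and Defender for Servers, and the Windows link added under step 2 is titled "Microsoft Defender for Endpoint on Windows Server with SAP"; this should read Windows Server. In the same hunk, the SAP link text has page chrome pasted into it ("...ProgramsLocate this document in the navigation structure") and should be trimmed to "SAP Documentation: Starting External Commands and Programs". Check that the added list items have a space after the hyphen ("- [" rather than "-["), since without it they will not render as bullets. The paragraph about the two teams mixes "doesn't have access" with "won't know"; use the present tense for both. The removed and added "Microsoft Defender for Servers Plan 1 or Plan 2" lines look identical, so that pair is a whitespace-only change and can be dropped if unintended.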