SAP Enterprise Threat Detection Sample Event Message

Use these sample event messages to verify a successful integration with JSA. Replace the sample IP addresses and the other placeholder values (host names, user names, alert IDs) with your own content.

The following table provides sample event messages for the SAP Enterprise Threat Detection DSM.

Table 1: SAP Enterprise Threat Detection sample messages supported by the SAP Enterprise Threat Detection DSM

Event name: Blacklisted function modules
Low level category: Potential Misc. Exploit
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Blacklisted function modules (http://sap.com/secmon/basis)|devTime=2017-04-03T08:12:01.931Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Access to Critical Resource PatternId=55824E7FE1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=2888 sev=7 MinResultTimestamp=2017-04-03T08:10:05.000Z MaxResultTimestamp=2017-04-03T08:10:05.000Z Text=Measurement 1 reached threshold 1 for ('Event, Scenario Role Of Actor' = 'Server' / 'Network, Hostname, Initiator' = '<hostname>' / 'Network, IP Address, Initiator' = '<IP_address>' / 'Service, Function Name' = 'RFC_READ_TABLE' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<user name>') Measurement=1 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventScenarioRoleOfActor=Server NetworkHostnameInitiator=<hostname> NetworkIPAddressInitiator=192.0.2.* ServiceFunctionName=RFC_READ_TABLE SystemIdActor=<computer name> UserPseudonymActing=<username> usrName=<username>

Event name: Blacklisted transactions
Low level category: Potential Misc. Exploit
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Blacklisted transactions (http://sap.com/secmon/basis)|devTime=2017-04-06T12:39:01.834Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Access to Critical Resource PatternId=55824E81E1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=3387 sev=7 MinResultTimestamp=2017-04-06T12:38:04.000Z MaxResultTimestamp=2017-04-06T12:38:25.000Z Text=Measurement 4 exceeded threshold 1 for ('Network, Hostname, Initiator' = '<hostname>' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<username>') Measurement=4 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> NetworkHostnameInitiator=<hostname> SystemIdActor=<computer name> UserPseudonymActing=<username> usrName=<username>

Event name: Brute force attack
Low level category: Brute force attack
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Brute force attack (http://sap.com/secmon/basis)|devTime=2017-03-16T00:10:01.891Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Brute Force Attack PatternId=55827776E1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=1303 sev=4 MinResultTimestamp=2017-03-15T23:24:38.000Z MaxResultTimestamp=2017-03-16T00:08:47.000Z Text=Measurement 16 exceeded threshold 12 for 'Network, Hostname, Initiator' = 'null' Measurement=16 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> NetworkHostnameInitiator=null

Event name: Data Exchange by System ID with Third-Party Systems
Low level category: Suspicious Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Data Exchange by System Id with Third Party Systems (http://sap.com/secmon/basis)|devTime=2017-08-22T15:03:12.158Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=System PatternId=22610959E8B5F1499E4CFCCB1422C3D3 PatternType=ANOMALY AlertId=12279 sev=7 MinResultTimestamp=2017-08-22T13:00:00.000Z MaxResultTimestamp=2017-08-22T14:00:00.000Z Text=Anomaly score is 73 for ('System ID, Actor' = '<computer name>' / 'System Type, Actor' = '') Measurement=73 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<computer name> SystemTypeActor=ABAP

Event name: Data Exchange by Technical User
Low level category: Suspicious Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Data Exchange by Technical User (http://sap.com/secmon/basis)|devTime=2017-03-28T14:02:26.154Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Technical Users,Users PatternId=7CCB9FFD5249FC4AA2B83D4BC5C8EA06 PatternType=ANOMALY AlertId=2490 sev=10 MinResultTimestamp=2017-03-28T12:00:00.000Z MaxResultTimestamp=2017-03-28T13:00:00.000Z Text=Anomaly score is 100 for 'User Pseudonym, Acting' = '<username>' Measurement=100 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> UserPseudonymActing=<username> usrName=<username>

Event name: Failed logon by RFC/CPIC call
Low level category: User Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Failed logon by RFC/CPIC call (http://sap.com/secmon/basis)|devTime=2016-12-27T11:58:24.588Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Failed Logon PatternId=5582D941F02EFE2BE10000000A4CF109 PatternType=FLAB AlertId=177 sev=7 MinResultTimestamp=2016-12-27T11:54:42.000Z MaxResultTimestamp=2016-12-27T11:55:01.000Z Text=Measurement 3 reached threshold 3 for ('System ID, Actor' = '<computer name>' / 'User Pseudonym, Targeted' = 'null') Measurement=3 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<computer name> UserPseudonymTargeted=null

Event name: Failed logon with too many attempts
Low level category: User Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Failed logon with too many attempts (http://sap.com/secmon/basis)|devTime=2017-06-07T17:33:02.029Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Failed Logon PatternId=5582D942F02EFE2BE10000000A4CF109 PatternType=FLAB AlertId=6287 sev=7 MinResultTimestamp=2017-06-07T16:33:01.000Z MaxResultTimestamp=2017-06-07T17:32:59.000Z Text=Measurement 39193 exceeded threshold 3 for ('Event (Semantic)' = 'User, Logon, Failure' / 'System ID, Actor' = '<username>' / 'User Pseudonym, Targeted' = '<username>') Measurement=39193 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventSemantic=User, Logon, Failure SystemIdActor=<username> UserPseudonymTargeted=<username>

Event name: Generic access to critical database tables
Low level category: Database Exploit
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Generic access to critical database tables (http://sap.com/secmon/basis)|devTime=2017-03-29T15:50:10.291Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Data Manipulation PatternId=DF3F93F156DAAA408C1512168E16F2B0 PatternType=FLAB AlertId=2558 sev=7 MinResultTimestamp=2017-03-29T15:48:12.000Z MaxResultTimestamp=2017-03-29T15:48:12.000Z Text=Measurement 1 reached threshold 1 for ('Generic, Action' = '03' / 'Resource Name' = '<computer name>' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<username>') Measurement=1 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> GenericAction=03 ResourceName=<computer name> SystemIdActor=<computer name> UserPseudonymActing=<username> usrName=<username>

Event name: Log Volume by System Group
Low level category: Suspicious Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Log Volume by System Group (http://sap.com/secmon/basis)|devTime=2016-12-27T13:02:32.321Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=System,Test PatternId=7A8D37B77AF8CF4096B9EB49BA932ACD PatternType=ANOMALY AlertId=196 sev=10 MinResultTimestamp=2016-12-27T11:00:00.000Z MaxResultTimestamp=2016-12-27T12:00:00.000Z Text=Anomaly score is 100 for ('System Group, ID, Actor' = 'null' / 'System Group, Type, Actor' = 'null') Measurement=100 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemGroupIdActor=null SystemGroupTypeActor=null

Event name: Logon and Communication by System ID
Low level category: Suspicious Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Logon and Communication by System Id (http://sap.com/secmon/basis)|devTime=2017-06-08T14:03:13.156Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=System PatternId=B09BED65105D4D4C9EE82FBCCFAD6647 PatternType=ANOMALY AlertId=6634 sev=7 MinResultTimestamp=2017-06-08T12:00:00.000Z MaxResultTimestamp=2017-06-08T13:00:00.000Z Text=Anomaly score is 70 for ('System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP') Measurement=70 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<computer name> SystemTypeActor=ABAP

Event name: Logon success same user from different Terminal IDs
Low level category: User Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Logon success same user from different Terminal IDs (http://sap.com/secmon/basis)|devTime=2016-10-24T11:13:04.589Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Suspicious Logon PatternId=5582A320E1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=2 sev=7 MinResultTimestamp=2016-10-24T07:17:36.000Z MaxResultTimestamp=2016-10-24T08:40:34.000Z Text=Measurement 2 reached threshold 2 for ('System ID, Actor' = '<username>' / 'User Pseudonym, Targeted' = 'null') Measurement=2 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<username> UserPseudonymTargeted=null

Event name: Logon with SAP standard users
Low level category: User Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Logon with SAP standard users (http://sap.com/secmon/basis)|devTime=2017-03-13T21:05:01.494Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Suspicious Logon PatternId=5582A31CE1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=1000 sev=4 MinResultTimestamp=2017-03-13T13:32:04.000Z MaxResultTimestamp=2017-03-13T21:02:10.000Z Text=Measurement 1 reached threshold 1 for ('Event (Semantic)' = 'User, Logon' / 'Network, Hostname, Initiator' = 'null' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Targeted' = '<username>') Measurement=1 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventSemantic=User, Logon NetworkHostnameInitiator=null SystemIdActor=<computer name> UserPseudonymTargeted=<username>

Event name: New Service Calls by Technical Users
Low level category: Suspicious Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|New Service Calls by Technical Users (http://sap.com/secmon/basis)|devTime=2017-02-16T23:02:22.157Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Technical Users,Users PatternId=5F852070B8645C42907C90C27864E20D PatternType=ANOMALY AlertId=251 sev=7 MinResultTimestamp=2017-02-16T21:00:00.000Z MaxResultTimestamp=2017-02-16T22:00:00.000Z Text=Anomaly score is 74 for ('System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP' / 'User Pseudonym, Acting' = '<computer name>') Measurement=74 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<computer name> SystemTypeActor=ABAP UserPseudonymActing=<computer name> usrName=<computer name>

Event name: Security relevant configuration changes
Low level category: Suspicious Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Security relevant configuration changes (http://sap.com/secmon/basis)|devTime=2017-06-30T19:28:56.835Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Configuration PatternId=558292A9E1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=9273 sev=7 MinResultTimestamp=2017-06-30T19:26:34.000Z MaxResultTimestamp=2017-06-30T19:26:34.000Z Text=Measurement 1 reached threshold 1 for ('Event (Semantic)' = 'System Admin, Audit Policy, Alter' / 'Network, Hostname, Initiator' = 'null' / 'System ID, Actor' = '<username>' / 'System Type, Actor' = 'ABAP' / 'User Pseudonym, Acting' = 'null') Measurement=1 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventSemantic=System Admin, Audit Policy, Alter NetworkHostnameInitiator=null SystemIdActor=<username> SystemTypeActor=ABAP UserPseudonymActing=null usrName=null

Event name: Service Calls by System ID
Low level category: Suspicious Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Service Calls by System Id (http://sap.com/secmon/basis)|devTime=2017-03-22T13:03:40.160Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=System PatternId=8CF6323786DE674691BB716CAEA1111D PatternType=ANOMALY AlertId=1892 sev=10 MinResultTimestamp=2017-03-22T11:00:00.000Z MaxResultTimestamp=2017-03-22T12:00:00.000Z Text=Anomaly score is 99 for ('System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP') Measurement=99 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<computer name> SystemTypeActor=ABAP

Event name: User acts under created user
Low level category: User Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|User acts under created user (http://sap.com/secmon/basis)|devTime=2017-04-03T08:17:03.529Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=User Maintenance PatternId=76560A14DBEC9C4A9EA502EFD6EA3BCC PatternType=FLAB AlertId=2893 sev=7 MinResultTimestamp=2017-04-03T08:07:34.000Z MaxResultTimestamp=2017-04-03T08:10:05.000Z Text=Measurement 2 exceeded threshold 1 for ('Network, Hostname, Initiator' = '<hostname>' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Targeted' = '<username>') Measurement=2 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> NetworkHostnameInitiator=<hostname> SystemIdActor=<computer name> UserPseudonymTargeted=<username>

Event name: User role changed
Low level category: Suspicious Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|User role changed (http://sap.com/secmon/basis)|devTime=2017-04-06T12:40:42.056Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Authorization Critical Assignment PatternId=305166E4E6C11B4593B31CFBB6BABD44 PatternType=FLAB AlertId=3390 sev=4 MinResultTimestamp=2017-04-06T12:40:22.000Z MaxResultTimestamp=2017-04-06T12:40:22.000Z Text=Measurement 3 exceeded threshold 1 for ('Event (Semantic)' = 'User Admin, Role, Create' / 'Network, Hostname, Initiator' = 'null' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<username>') Measurement=3 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventSemantic=User Admin, Role, Create NetworkHostnameInitiator=null SystemIdActor=<computer name> UserPseudonymActing=<username> usrName=<username>
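Added example, not part of the JSA documentation or of SAP ETD: a small Python helper that parses one of the sample messages above, fills in the placeholders the page tells you to replace, and wraps the result in a syslog line for the JSA event collector. The embedded message is the Brute force attack sample with attribute pairs separated by single spaces and the `\?` unescaped; the collector host, the syslog priority 134 and the lab values `192.0.2.10` and `1303` are assumptions.

```python
import re
import socket
from datetime import datetime, timezone

# Constructed sample: the page's "Brute force attack" message, one space between
# attribute pairs, with the placeholders the page tells you to replace still in place.
SAMPLE = (
    "LEEF:1.0|SAP|ETD|1.0 SP5|Brute force attack (http://sap.com/secmon/basis)|"
    "devTime=2017-03-16T00:10:01.891Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX "
    "cat=Brute Force Attack PatternId=55827776E1B0FE2BE10000000A4CF109 "
    "PatternType=FLAB AlertId=1303 sev=4 MinResultTimestamp=2017-03-15T23:24:38.000Z "
    "MaxResultTimestamp=2017-03-16T00:08:47.000Z Text=Measurement 16 exceeded "
    "threshold 12 for 'Network, Hostname, Initiator' = 'null' Measurement=16 "
    "UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/"
    "FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad"
    "#AlertDetails-show?alert=<Alert Id> NetworkHostnameInitiator=null"
)

# A key is a bare word glued to '='. The "'X' = 'Y'" pairs inside the Text value and
# the "?siteId=" / "?alert=" parts of UiLink do not match, so they stay in their values.
KEY = re.compile(r"(?<!\S)([A-Za-z]+)=")

def parse_leef(msg):
    """Split a LEEF 1.0 line into its five header fields plus an attribute dict.
    Only the first five '|' are header separators, so the '|' inside UiLink survives."""
    version, vendor, product, prod_ver, event_id, attrs = msg.split("|", 5)
    hits = list(KEY.finditer(attrs))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(attrs)
        fields[m.group(1)] = attrs[m.end():end].strip()
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": prod_ver, "event_id": event_id, "fields": fields}

def fill_placeholders(msg, values):
    """Replace the page's placeholders (e.g. '<Alert Id>', '192.0.2.*') with lab values."""
    for placeholder, value in values.items():
        msg = msg.replace(placeholder, value)
    return msg

def to_syslog(msg, hostname="etd-test"):
    """Prefix the LEEF line with a minimal BSD syslog header (assumed PRI 134 = local0.info)."""
    stamp = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<134>{stamp} {hostname} {msg}"

def send_udp(line, collector, port=514):
    """Send one syslog line to the JSA event collector over UDP; collector is an assumed host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (collector, port))

if __name__ == "__main__":
    ready = fill_placeholders(SAMPLE, {"192.0.2.*": "192.0.2.10", "<Alert Id>": "1303"})
    print(parse_leef(ready)["fields"]["AlertId"], to_syslog(ready))
```

Check the parsed header and `fields` against the table entry before calling `send_udp`, so a mismatch shows up locally rather than as an unparsed event in JSA.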