SAP Enterprise Threat Detection Sample Event Message
Use these sample event messages to verify a successful integration with JSA. Replace the sample IP addresses, host names, user names and other placeholder values (shown in angle brackets, for example `<hostname>`) with your own content.
The following table provides sample event messages for the SAP Enterprise Threat Detection DSM.
| Event name | Low level category | Sample log message |
|---|---|---|
| Blacklisted function modules | Potential Misc. Exploit | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|Blacklisted function modules (http://sap.com/secmon/basis)\| devTime=2017-04-03T08:12:01.931Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=Access to Critical Resource PatternId=55824E7FE1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=2888 sev=7 MinResultTimestamp=2017-04-03T08:10:05.000Z MaxResultTimestamp=2017-04-03T08:10:05.000Z Text=Measurement 1 reached threshold 1 for ('Event, Scenario Role Of Actor' = 'Server' / 'Network, Hostname, Initiator' = '<hostname>' / 'Network, IP Address, Initiator' = '<IP_address>' / 'Service, Function Name' = 'RFC_READ_TABLE' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<username>') Measurement=1 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushellapp/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventScenarioRoleOfActor=Server NetworkHostnameInitiator=<hostname> NetworkIPAddressInitiator=192.0.2.* ServiceFunctionName=RFC_READ_TABLE SystemIdActor=<computer name> UserPseudonymActing=<username> usrName=<username>` |
| Blacklisted transactions | Potential Misc. Exploit | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|Blacklisted transactions (http://sap.com/secmon/basis)\| devTime=2017-04-06T12:39:01.834Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=Access to Critical Resource PatternId=55824E81E1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=3387 sev=7 MinResultTimestamp=2017-04-06T12:38:04.000Z MaxResultTimestamp=2017-04-06T12:38:25.000Z Text=Measurement 4 exceeded threshold 1 for ('Network, Hostname, Initiator' = '<hostname>' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<username>') Measurement=4 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushellapp/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> NetworkHostnameInitiator=<hostname> SystemIdActor=<computer name> UserPseudonymActing=<username> usrName=<username>` |
| Brute force attack | Brute force attack | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|Brute force attack (http://sap.com/secmon/basis)\| devTime=2017-03-16T00:10:01.891Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=Brute Force Attack PatternId=55827776E1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=1303 sev=4 MinResultTimestamp=2017-03-15T23:24:38.000Z MaxResultTimestamp=2017-03-16T00:08:47.000Z Text=Measurement 16 exceeded threshold 12 for 'Network, Hostname, Initiator' = 'null' Measurement=16 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushellapp/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> NetworkHostnameInitiator=null` |
| Data Exchange by System ID with Third-Party Systems | Suspicious Activity | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|Data Exchange by System Id with Third Party Systems (http://sap.com/secmon/basis)\| devTime=2017-08-22T15:03:12.158Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=System PatternId=22610959E8B5F1499E4CFCCB1422C3D3 PatternType=ANOMALY AlertId=12279 sev=7 MinResultTimestamp=2017-08-22T13:00:00.000Z MaxResultTimestamp=2017-08-22T14:00:00.000Z Text=Anomaly score is 73 for ('System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP') Measurement=73 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushellapp/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<computer name> SystemTypeActor=ABAP` |
| Data Exchange by Technical User | Suspicious Activity | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|Data Exchange by Technical User (http://sap.com/secmon/basis)\| devTime=2017-03-28T14:02:26.154Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=Technical Users,Users PatternId=7CCB9FFD5249FC4AA2B83D4BC5C8EA06 PatternType=ANOMALY AlertId=2490 sev=10 MinResultTimestamp=2017-03-28T12:00:00.000Z MaxResultTimestamp=2017-03-28T13:00:00.000Z Text=Anomaly score is 100 for 'User Pseudonym, Acting' = '<username>' Measurement=100 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> UserPseudonymActing=<username> usrName=<username>` |
| Debugging in systems assigned to critical roles | Suspicious Activity | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|Debugging in systems assigned to critical roles (http://sap.com/secmon/basis)\| devTime=2017-04-03T08:06:06.370Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=Debugging PatternId=937627F31E37524F837F9374804DE234 PatternType=FLAB AlertId=2880 sev=7 MinResultTimestamp=2017-04-03T08:06:04.752Z MaxResultTimestamp=2017-04-03T08:06:04.752Z Text=Measurement 1 reached threshold 1 for ('Network, Hostname, Initiator' = '<hostname>' / 'System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP' / 'User Pseudonym, Acting' = '<username>') Measurement=1 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushellapp/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> NetworkHostnameInitiator=<hostname> SystemIdActor=<computer name> SystemTypeActor=ABAP UserPseudonymActing=<username> usrName=<username>` |
| Failed logon by RFC/CPIC call | User Activity | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|Failed logon by RFC/CPIC call (http://sap.com/secmon/basis)\| devTime=2016-12-27T11:58:24.588Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=Failed Logon PatternId=5582D941F02EFE2BE10000000A4CF109 PatternType=FLAB AlertId=177 sev=7 MinResultTimestamp=2016-12-27T11:54:42.000Z MaxResultTimestamp=2016-12-27T11:55:01.000Z Text=Measurement 3 reached threshold 3 for ('System ID, Actor' = '<computer name>' / 'User Pseudonym, Targeted' = 'null') Measurement=3 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<computer name> UserPseudonymTargeted=null` |
| Failed logon with too many attempts | User Activity | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|Failed logon with too many attempts (http://sap.com/secmon/basis)\| devTime=2017-06-07T17:33:02.029Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=Failed Logon PatternId=5582D942F02EFE2BE10000000A4CF109 PatternType=FLAB AlertId=6287 sev=7 MinResultTimestamp=2017-06-07T16:33:01.000Z MaxResultTimestamp=2017-06-07T17:32:59.000Z Text=Measurement 39193 exceeded threshold 3 for ('Event (Semantic)' = 'User, Logon, Failure' / 'System ID, Actor' = '<username>' / 'User Pseudonym, Targeted' = '<username>') Measurement=39193 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushellapp/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventSemantic=User, Logon, Failure SystemIdActor=<username> UserPseudonymTargeted=<username>` |
| Generic access to critical database tables | Database Exploit | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|Generic access to critical database tables (http://sap.com/secmon/basis)\| devTime=2017-03-29T15:50:10.291Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=Data Manipulation PatternId=DF3F93F156DAAA408C1512168E16F2B0 PatternType=FLAB AlertId=2558 sev=7 MinResultTimestamp=2017-03-29T15:48:12.000Z MaxResultTimestamp=2017-03-29T15:48:12.000Z Text=Measurement 1 reached threshold 1 for ('Generic, Action' = '03' / 'Resource Name' = '<computer name>' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<username>') Measurement=1 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushellapp/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> GenericAction=03 ResourceName=<computer name> SystemIdActor=<computer name> UserPseudonymActing=<username> usrName=<username>` |
| Log Volume by System Group | Suspicious Activity | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|Log Volume by System Group (http://sap.com/secmon/basis)\| devTime=2016-12-27T13:02:32.321Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=System,Test PatternId=7A8D37B77AF8CF4096B9EB49BA932ACD PatternType=ANOMALY AlertId=196 sev=10 MinResultTimestamp=2016-12-27T11:00:00.000Z MaxResultTimestamp=2016-12-27T12:00:00.000Z Text=Anomaly score is 100 for ('System Group, ID, Actor' = 'null' / 'System Group, Type, Actor' = 'null') Measurement=100 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemGroupIdActor=null SystemGroupTypeActor=null` |
| Logon and Communication by System ID | Suspicious Activity | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|Logon and Communication by System Id (http://sap.com/secmon/basis)\| devTime=2017-06-08T14:03:13.156Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=System PatternId=B09BED65105D4D4C9EE82FBCCFAD6647 PatternType=ANOMALY AlertId=6634 sev=7 MinResultTimestamp=2017-06-08T12:00:00.000Z MaxResultTimestamp=2017-06-08T13:00:00.000Z Text=Anomaly score is 70 for ('System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP') Measurement=70 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<computer name> SystemTypeActor=ABAP` |
| Logon success same user from different Terminal IDs | User Activity | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|Logon success same user from different Terminal IDs (http://sap.com/secmon/basis)\| devTime=2016-10-24T11:13:04.589Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=Suspicious Logon PatternId=5582A320E1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=2 sev=7 MinResultTimestamp=2016-10-24T07:17:36.000Z MaxResultTimestamp=2016-10-24T08:40:34.000Z Text=Measurement 2 reached threshold 2 for ('System ID, Actor' = '<username>' / 'User Pseudonym, Targeted' = 'null') Measurement=2 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<username> UserPseudonymTargeted=null` |
| Logon with SAP standard users | User Activity | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|Logon with SAP standard users (http://sap.com/secmon/basis)\| devTime=2017-03-13T21:05:01.494Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=Suspicious Logon PatternId=5582A31CE1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=1000 sev=4 MinResultTimestamp=2017-03-13T13:32:04.000Z MaxResultTimestamp=2017-03-13T21:02:10.000Z Text=Measurement 1 reached threshold 1 for ('Event (Semantic)' = 'User, Logon' / 'Network, Hostname, Initiator' = 'null' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Targeted' = '<username>') Measurement=1 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushellapp/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventSemantic=User, Logon NetworkHostnameInitiator=null SystemIdActor=<computer name> UserPseudonymTargeted=<username>` |
| New Service Calls by Technical Users | Suspicious Activity | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|New Service Calls by Technical Users (http://sap.com/secmon/basis)\| devTime=2017-02-16T23:02:22.157Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=Technical Users,Users PatternId=5F852070B8645C42907C90C27864E20D PatternType=ANOMALY AlertId=251 sev=7 MinResultTimestamp=2017-02-16T21:00:00.000Z MaxResultTimestamp=2017-02-16T22:00:00.000Z Text=Anomaly score is 74 for ('System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP' / 'User Pseudonym, Acting' = '<computer name>') Measurement=74 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<computer name> SystemTypeActor=ABAP UserPseudonymActing=<computer name> usrName=<computer name>` |
| Security relevant configuration changes | Suspicious Activity | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|Security relevant configuration changes (http://sap.com/secmon/basis)\| devTime=2017-06-30T19:28:56.835Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=Configuration PatternId=558292A9E1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=9273 sev=7 MinResultTimestamp=2017-06-30T19:26:34.000Z MaxResultTimestamp=2017-06-30T19:26:34.000Z Text=Measurement 1 reached threshold 1 for ('Event (Semantic)' = 'System Admin, Audit Policy, Alter' / 'Network, Hostname, Initiator' = 'null' / 'System ID, Actor' = '<username>' / 'System Type, Actor' = 'ABAP' / 'User Pseudonym, Acting' = 'null') Measurement=1 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventSemantic=System Admin, Audit Policy, Alter NetworkHostnameInitiator=null SystemIdActor=<username> SystemTypeActor=ABAP UserPseudonymActing=null usrName=null` |
| Service Calls by System ID | Suspicious Activity | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|Service Calls by System Id (http://sap.com/secmon/basis)\| devTime=2017-03-22T13:03:40.160Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=System PatternId=8CF6323786DE674691BB716CAEA1111D PatternType=ANOMALY AlertId=1892 sev=10 MinResultTimestamp=2017-03-22T11:00:00.000Z MaxResultTimestamp=2017-03-22T12:00:00.000Z Text=Anomaly score is 99 for ('System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP') Measurement=99 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<computer name> SystemTypeActor=ABAP` |
| User acts under created user | User Activity | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|User acts under created user (http://sap.com/secmon/basis)\| devTime=2017-04-03T08:17:03.529Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=User Maintenance PatternId=76560A14DBEC9C4A9EA502EFD6EA3BCC PatternType=FLAB AlertId=2893 sev=7 MinResultTimestamp=2017-04-03T08:07:34.000Z MaxResultTimestamp=2017-04-03T08:10:05.000Z Text=Measurement 2 exceeded threshold 1 for ('Network, Hostname, Initiator' = '<hostname>' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Targeted' = '<username>') Measurement=2 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushellapp/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> NetworkHostnameInitiator=<hostname> SystemIdActor=<computer name> UserPseudonymTargeted=<username>` |
| User role changed | Suspicious Activity | `LEEF:1.0\|SAP\|ETD\|1.0 SP5\|User role changed (http://sap.com/secmon/basis)\| devTime=2017-04-06T12:40:42.056Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX cat=Authorization Critical Assignment PatternId=305166E4E6C11B4593B31CFBB6BABD44 PatternType=FLAB AlertId=3390 sev=4 MinResultTimestamp=2017-04-06T12:40:22.000Z MaxResultTimestamp=2017-04-06T12:40:22.000Z Text=Measurement 3 exceeded threshold 1 for ('Event (Semantic)' = 'User Admin, Role, Create' / 'Network, Hostname, Initiator' = 'null' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<username>') Measurement=3 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushellapp/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad\|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventSemantic=User Admin, Role, Create NetworkHostnameInitiator=null SystemIdActor=<computer name> UserPseudonymActing=<username> usrName=<username>` |
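When checking that these messages arrive and parse as expected, it helps to have an independent parser to compare against what JSA shows in the Log Activity view. The following Python snippet is an added example, not code from the JSA DSM or from SAP Enterprise Threat Detection. It splits the five-field LEEF 1.0 header (`LEEF:1.0|Vendor|Product|Version|EventID|`) and the `key=value` attributes. The LEEF specification separates attributes with a tab; the samples as printed in the table use spaces, so the parser splits on tabs when present and otherwise on whitespace that is immediately followed by the next `key=` token, which leaves spaces inside values such as `cat=Access to Critical Resource` and the `Text=` sentence intact. `null` values are mapped to `None`. The function names `parse_leef` and `alert_summary` are the example's own, and the embedded sample is the table's "Brute force attack" row with the `192.0.2.*` and `<Alert Id>` placeholders replaced by constructed values.

```python
"""Minimal LEEF 1.0 parser for SAP Enterprise Threat Detection alerts.

Added example (not JSA/QRadar or SAP code).  Splits the five-field LEEF
header and the key=value attribute block of the sample messages above.
"""
import re
from typing import Any, Dict

# Whitespace that is immediately followed by "identifier=" marks the start of
# the next attribute.  Spaces inside values ("cat=Brute Force Attack",
# "'Network, Hostname, Initiator' = 'null'") are not followed by "identifier="
# and therefore survive the split.  Query parameters inside the UiLink value
# ("?siteId=", "?alert=") are preceded by "?" rather than whitespace.
_ATTR_SPLIT = re.compile(r"\s+(?=[A-Za-z_][A-Za-z0-9_]*=)")

HEADER_FIELDS = ("leef_version", "vendor", "product", "product_version", "event_id")


def parse_leef(line: str) -> Dict[str, Any]:
    """Parse one LEEF 1.0 record into {"header": {...}, "attrs": {...}}.

    Raises ValueError when the line does not carry a LEEF 1.0 header.
    """
    # The header is exactly five "|"-delimited fields; everything after the
    # fifth "|" is the attribute block.  maxsplit=5 keeps any "|" that occurs
    # inside an attribute value (the UiLink value contains one).
    parts = line.strip().split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:1.0"):
        raise ValueError("not a LEEF 1.0 record")
    header = dict(zip(HEADER_FIELDS, parts[:5]))
    header["leef_version"] = header["leef_version"].split(":", 1)[1]

    attr_block = parts[5].strip()
    # Spec-conformant records use a tab delimiter; the printed samples use spaces.
    tokens = attr_block.split("\t") if "\t" in attr_block else _ATTR_SPLIT.split(attr_block)

    attrs: Dict[str, Any] = {}
    for tok in tokens:
        if "=" not in tok:
            continue  # tolerate a stray token instead of dropping the whole event
        key, value = tok.split("=", 1)
        attrs[key] = None if value == "null" else value
    return {"header": header, "attrs": attrs}


def alert_summary(line: str) -> Dict[str, Any]:
    """Return the fields an analyst triages on, with numeric typing applied."""
    rec = parse_leef(line)
    a = rec["attrs"]
    return {
        # Event ID carries a "(http://sap.com/secmon/...)" namespace suffix; drop it.
        "event": rec["header"]["event_id"].split(" (", 1)[0],
        "category": a.get("cat"),
        "pattern_type": a.get("PatternType"),
        "severity": int(a["sev"]) if a.get("sev") else None,
        "alert_id": int(a["AlertId"]) if a.get("AlertId") else None,
        "measurement": a.get("Measurement"),
        "actor": a.get("usrName"),
        "hostname": a.get("NetworkHostnameInitiator"),
    }


# Constructed from the "Brute force attack" row above; 192.0.2.1 and the
# alert id 1303 stand in for the page's "192.0.2.*" and "<Alert Id>" placeholders.
BRUTE_FORCE_SAMPLE = (
    "LEEF:1.0|SAP|ETD|1.0 SP5|Brute force attack (http://sap.com/secmon/basis)| "
    "devTime=2017-03-16T00:10:01.891Z devTimeFormat=YYYY-MMdd'T'HH:mm:ss.SSSX "
    "cat=Brute Force Attack PatternId=55827776E1B0FE2BE10000000A4CF109 PatternType=FLAB "
    "AlertId=1303 sev=4 MinResultTimestamp=2017-03-15T23:24:38.000Z "
    "MaxResultTimestamp=2017-03-16T00:08:47.000Z "
    "Text=Measurement 16 exceeded threshold 12 for 'Network, Hostname, Initiator' = 'null' "
    "Measurement=16 UiLink=http://192.0.2.1/sap/hana/uis/clients/ushell-app/shells/fiori/"
    "FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\\?"
    "alert=1303 NetworkHostnameInitiator=null"
)

if __name__ == "__main__":
    for key, value in alert_summary(BRUTE_FORCE_SAMPLE).items():
        print(f"{key:13} {value}")
```

Comparing `alert_summary()` output against the parsed event in JSA is a quick way to confirm that `sev`, `AlertId`, `cat` and the event ID were mapped and not truncated at the first space or at the `|` inside `UiLink`.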