Page Comparison

Initial or WellKnown PW

Alerts

RSUSR003

Detects when an account password is too common or has not yet been reset from its initial state.

Dialog User PW Expiration Violation

N/A

RSUSR200

Detects when an SAP Dialog user is violating the password expiration policy.

PW Reset NonDialog

N/A

RSUSR200

Detects password reset on a non-dialog user in SAP.

Static Profile Parameter Change

Change

RZ10_LOG

Detects changes to static profile parameters in SAP systems.

Client Open for Change

N/A

SCC4

Detects when an SAP client has been opened for a change.

New Client Created

N/A

SCC4

Detects a new client in SAP.

Namespace Open for Change

N/A

SE06

Detects when an SAP namespace is open for change.

Manual Function Module Execution

Data_Access

SE37_LOG

Indicates function modules that have been executed manually by users in an SAP system.

Many Accounts One Terminal

Network_Sessions

SM04

Detects multiples accounts logging in from a single terminal.

One Account Many Geos

N/A

SM04

Detects one account logging in from multiple geographies.

One Account Many Terminals

Network_Sessions

SM04

Detects one account logging in from multiple terminals.

Account High Transaction Failure

Authentication

SM20

Detects a high number of transaction failures in the set timeframe.

Account Multiple Login Failures

Authentication

SM20

Detects multiple login failures from a user account on an SAP system.

Audit Log Deletion

Authentication

SM20

Detects an audit log deletion.

File Downloads

Authentication

SM20

Detects

data downloads from SAP systems, indicating potential data theft.

Logical Path Access Failure

Authentication

SM20

Detects logical path access failure in an SAP system.

Privileged Account Login

Authentication

SM20

Detects login events for privileged SAP accounts SAP* and DDIC.

SM59 Destination Deletion

Alerts

SM21_LOG

Detects

deletion of SM59 destinations in SAP systems.

Dynamic Profile Parameter Change

Alerts

SM21_LOG

Detects changes in dynamic profile parameters.

IDOC Removal

Alerts

SM21_LOG

Detects removal of IDocs in SAP systems.

SM59 Destination Change

Alerts

SM21_LOG

Detects deletion of RFC destinations in SAP systems.

Debug Mode Execution

Alerts

SM21_LOG

Detects execution of debug mode on SAP systems.

OS Command Change

Change

SM69

Detects execution of an OS command.

Sensitive Transaction Execution

N/A

STAD

Detects execution of a set of predefined sensitive transactions. Uses the PowerConnect app's "sensitive_tcodes" lookup to define sensitive transactions.

Transport Added to Import Queue

Change

STMS_TPLOG

Detects when a user adds a transport to the import queue on an SAP system.

Transport Removed from Import Queue

Change

STMS_TPLOG

Detects when a user removes a transport to the import queue on an SAP system.

Certificate Expired

Certificates

STRUST

Detects expired SSL certificates.

Certificate Changes

Change

STRUST_HISTORY

Detects changes in SSL certificates.

Profile Change

Change

SUIM

Detects profile change in SAP systems.

User Change

Change

SUIM

Detects user changes in SAP. Does not conflict with correlation searches for admin profile assignments.

Admin Profile Assigned

Change

SUIM

Detects assignment of admin profile in SAP.

New User Created

Change

SUIM

Detects creation of a new user in SAP.

Sensitive Role Assigned

N/A

SUIM

Detects assignment of a sensitive user role in SAP. Uses the PowerConnect app's "sensitive_user_roles" lookup to define sensitive roles.

User Type Changed

Change

SUIM

Detects change in user type in SAP.

User Unlocked

Change

SUIM

Detects user unlocks in SAP.

Connectivity Object Change

Change

UCON_LOG

Detects connectivity object changes in SAP.