Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Data Description

The RUSR200 event is used in SAP to view the list of users by log-in date and password change information.

Potential Use Cases

This event could be used for the following scenarios:

  • Determine if there is abnormal log-in activity in the system.

  • Correlate the log-in data with other SAP Security system data to identify potential security threats.

  • Visualize inactive users in the system.

  • Understand if someone is attempting do a brute force log-in.

  • Identify which users need to change their passwords based on password aging.

Splunk Event

The event will look like this in Splunk:

SAP Navigation

Navigate to this data by using the RSUSR200 transaction code. Then enter the desired selection parameters and the Execute button.

The data displayed below will match with what you see in Splunk.

Field Mapping

The field mapping between the data from SAP and values in Splunk can be seen in the table below:

Field

Description

Unit of Measure

ANAME

Creator of the User Master Record

String

BCDA1

Date of Last Password Change

YYYYMMDD

BNAME

User Name in User Master Record

String

CLASS

User group in user master maintenance

String

CURRENT_TIMESTAMP

The date time stamp when the information was collected

YYYYMMDDHHMMSS

ERDAT

Creation Date of the User Master Record

YYYYMMDD

EVENT_SUBTYPE

String

EVENT_TYPE

RSUSR200

String

GLTGB

User valid to

YYYYMMDD

GLTGV

User valid from

YYYYMMDD

LOCK_REASON

Reason for the user lock

String

LOCK_STATE

Whether the user is locked

String

LOCNT

Number of failed logon attempts

Number (Count)

LTIME

Last Logon Time

HHMMSS

MANDT

Client

String

PWD_STATE

Password Change: Required / Allowed / Not Possible

String

TRDAT

Last Logon Date

YYYYMMDD

USTYP

User Type

String

USTYP_TEXT

User Type Description

String

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -

  • No labels