Data Description
The SECPOL_LOG event captures and logs all changes made to security policies, the user and authorization management entity in SAP.
Potential Use Cases
This event could be used in the following scenarios:
Determine which security policies, with their attributes, have been created in the SAP system(s) where you explicitly do not want the default values to apply
Monitor whether critical security policies and attributes are being changed
Identify and alert on security policy changes that could create compliance concerns
Splunk Event
The event will look like this in Splunk:
SAP Navigation
Log in to the SAP system and execute the transaction SECPOL_CHANGES. Select the display option “Show Raw Change Documents” and fill in the required selection fields.
Change documents/logs for the policies are displayed in the output screen as shown below.
Field Mapping
Field | Description | Unit of Measure |
---|---|---|
EVENT_TYPE | SECPOL_LOG | String |
EVENT_SUBTYPE | Not Applicable for this Event Type (always blank) | String |
CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
CHANGENUMBER_HEADER | Change Document Number | Numerical |
POLICY_NAME_HEADER | Security Policy Name | String |
POLICY_TEXT_HEADER | Security Policy Text | String |
ATTRIBUTE_KEY | Security Policy Attribute Name | String |
ATTRIBUTE_TEXT | Security Policy Attribute Text | String |
CHNGIND_HEADER | Policy Header (Name) Change Indicator | 1 Character Value: I for Insert, C for Change, D for Delete |
CHNGIND | Policy Attribute Change Indicator | 1 Character Value: I for Insert, C for Change, D for Delete |
CHANGEDATE_HEADER | Change Document Date (UTC) | YYYYMMDD |
CHANGETIME_HEADER | Change Document Time (UTC) | HHMMSS |
CHANGEUSER_HEADER | User ID | String |
CHANGETCODE_HEADER | Transaction code | String |
VALUE_OLD | Old Value | String |
VALUE_NEW | New Value | String |
UTCDIFF | The UTC offset, in HHMMSS, of the time zone in which the data was collected | HHMMSS |
UTCSIGN | The sign of the UTC offset. Positive (+) means add UTCDIFF to UTC to find the time zone of the data; negative (-) means subtract UTCDIFF to find the time zone adjusted date and time the data was collected in. | + or - |
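As an added example, not code from this page or from the product it documents, the following Python routine applies the field mapping above to constructed SECPOL_LOG events: it normalises CURRENT_TIMESTAMP to UTC from UTCDIFF and UTCSIGN, and flags policy deletions and changes to a watch-list of attributes, covering the monitoring and alerting use cases listed earlier. It assumes CURRENT_TIMESTAMP is expressed in the time zone at offset UTCSIGN UTCDIFF; the attribute names, user IDs and watch-list are illustrative placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed SECPOL_LOG events (not real data); field names follow the mapping
# above, attribute names and user IDs are illustrative placeholders.
SAMPLE_EVENTS = [
    {"CHANGENUMBER_HEADER": "0000000101", "POLICY_NAME_HEADER": "ADMIN_POLICY",
     "ATTRIBUTE_KEY": "MIN_PASSWORD_LENGTH", "CHNGIND_HEADER": "C", "CHNGIND": "C",
     "VALUE_OLD": "12", "VALUE_NEW": "6", "CHANGEUSER_HEADER": "ADMIN01",
     "CHANGETCODE_HEADER": "SECPOL", "CURRENT_TIMESTAMP": "20240105153500",
     "UTCDIFF": "010000", "UTCSIGN": "+"},
    {"CHANGENUMBER_HEADER": "0000000102", "POLICY_NAME_HEADER": "ADMIN_POLICY",
     "ATTRIBUTE_KEY": "", "CHNGIND_HEADER": "D", "CHNGIND": "",
     "VALUE_OLD": "", "VALUE_NEW": "", "CHANGEUSER_HEADER": "ADMIN02",
     "CHANGETCODE_HEADER": "SECPOL", "CURRENT_TIMESTAMP": "20240105093000",
     "UTCDIFF": "053000", "UTCSIGN": "-"},
    {"CHANGENUMBER_HEADER": "0000000103", "POLICY_NAME_HEADER": "SERVICE_POLICY",
     "ATTRIBUTE_KEY": "POLICY_TEXT", "CHNGIND_HEADER": "C", "CHNGIND": "C",
     "VALUE_OLD": "old text", "VALUE_NEW": "new text", "CHANGEUSER_HEADER": "ADMIN01",
     "CHANGETCODE_HEADER": "SECPOL", "CURRENT_TIMESTAMP": "20240105120000",
     "UTCDIFF": "000000", "UTCSIGN": "+"},
]

# Illustrative watch-list (assumption): attributes whose change should alert.
CRITICAL_ATTRIBUTES = {"MIN_PASSWORD_LENGTH", "MAX_FAILED_PASSWORD_LOGON_ATTEMPTS"}

def collected_at_utc(ev):
    """Convert CURRENT_TIMESTAMP (assumed to be in zone UTC<UTCSIGN><UTCDIFF>) to UTC."""
    d = ev["UTCDIFF"]
    offset = timedelta(hours=int(d[0:2]), minutes=int(d[2:4]), seconds=int(d[4:6]))
    if ev["UTCSIGN"] == "-":
        offset = -offset
    local = datetime.strptime(ev["CURRENT_TIMESTAMP"], "%Y%m%d%H%M%S")
    return local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)

def alert_reason(ev):
    """Return why the event should alert, or None if it is routine."""
    if ev["CHNGIND_HEADER"] == "D":          # whole policy removed
        return "security policy deleted"
    if ev["ATTRIBUTE_KEY"] in CRITICAL_ATTRIBUTES and ev["CHNGIND"] in ("C", "D"):
        return "critical attribute %s: %r -> %r" % (
            ev["ATTRIBUTE_KEY"], ev["VALUE_OLD"], ev["VALUE_NEW"])
    return None

def triage(events):
    """Return (change number, user, tcode, reason, UTC time) for alertable events."""
    out = []
    for ev in events:
        reason = alert_reason(ev)
        if reason:
            out.append((ev["CHANGENUMBER_HEADER"], ev["CHANGEUSER_HEADER"],
                        ev["CHANGETCODE_HEADER"], reason, collected_at_utc(ev).isoformat()))
    return out
```

Running `triage(SAMPLE_EVENTS)` yields two alert rows (the weakened minimum password length and the deleted policy) and ignores the routine text change.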