SM04 (Draft)

Data Description

The SM04 event is used in SAP to view users logged in.

Potential Use Cases

This event could be used in the following scenarios:

Identify potential security threats from user log-in events.
Trend user log-ins over time.

Splunk Event

The event will look like this in Splunk:

SAP Navigation

Log into the managed system and execute the SM04 transaction code. The data that is displayed will match the data that is extracted and sent to Splunk.

Field Mapping

Field	Description	Unit of Measure
ACT_PROGRAM	Name of Main Program	String
APPLICATION	Application	String
APPL_INFO	Application information	String
BNAME	User Name	String
CURRENT_TIMESTAMP	The date time stamp when the information was collected	YYYYMMDDHHMMSS
EVENT_SUBTYPE		String
EVENT_TYPE	SM04	String
EXTMODI	Task Handler: Number of External or Internal Modes	Number
EXT_STYPE		String
EXT_TIME		DD.MM.YYYY HH:MM:DD
EXT_TRACE		Boolean
EXT_TYPE		String
GUIVERSION	Version of SAPGUI	Number
HOSTADDR	IP Address	IP Address
INSTANCE_NAME	Application Server Instance	String
INTMODI	Task Handler: Number of External or Internal Modes	Number
LOCATION_INFO	Location information (terminal)	String
LOGON_HDL		Number
LOGON_ID	Logon ID	Number
LOGON_PRIVILEGE
MANDT	Client	Number
MASTER	Master
OPEN_TASKS	Open tasks	Number (Count)
PRIORITY	Priority	String
PROTOCOL	Logon Protocol of Plugin	Number
RFC_HDL		Number
RFC_TYPE	Type of RFC Logon	String
RFC_TYPE_LONG	Type of RFC Logon	String
SECURITY_CONTEXT	Security context index	YYYY-MM-DD HH:MM:SS
SERVER_NAME	Server name	String
SESSIONS	Number of sessions	Number (Count)
SESSION_HDL		Number
SESSION_KEY	Session key	String
SESSION_TYPE	Session Type	String
STAT	Status of System Logon	Number
TCODE	TCODE	String
TENANT	Client	Number
TERM	Terminal ID	String
TID	Terminal ID	Number
TOTAL_MEM_ABAP_KB	ABAP Memory	Number (kilobytes)
TOTAL_MEM_BRUTTO_KB		Number (kilobytes)
TOTAL_MEM_HEAP_KB	Heap Memory	Number (kilobytes)
TOTAL_MEM_HYPER_KB	Hyper Memory	Number (kilobytes)
TOTAL_MEM_KB	Total Memory	Number (kilobytes)
TRACE	User trace	Boolean
TYPE	Type of Logon	Number
USER_NAME	User Name	String
UTCDIFF	The UTC OFFSSET in HHMMSS that the data was collected in	HHMMSS
UTCSIGN	The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.	+ \| -
WEBSOCKET_HANDLE	Websocket Handle	String
ZEIT	Dialog time in SM04	HHMMSS