Data Description
The USH02 event is used in SAP to view change history for log-on data.
Potential Use Cases
This event could be used for the following scenarios:
Determine if user passwords are set to the initial value.
Understand modification to user accounts.
Correlate the data with other system activity to identify potential security threats.
Determine how user accounts are being modified.
Splunk Event
The event will look like this in Splunk:
SAP Navigation
Navigate to this data by using the SE16 transaction code. Then enter USH02 in the Table Name field and hit the Enter key on your keyboard.
Then enter the desired selection parameters, and the Execute button.
The data displayed below will match with what you see in Splunk.
Field Mapping
The field mapping between the data from SAP and values in Splunk can be seen in the table below:
Field | Description | Unit of Measure |
|---|---|---|
ACCNT | Account ID | String |
BNAME | User Name in User Master Record | String |
CLASS | User group in user master maintenance | String |
CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
EVENT_SUBTYPE | String | |
EVENT_TYPE | USH02 | String |
GLTGB | User valid to | YYYYMMDD |
GLTGV | User valid from | YYYYMMDD |
MODBE | Last changed by | String |
MODDA | Modification date | HHMMSS |
MODTI | Modification time | YYYYMMDD |
PWDINITIAL | Indicator: Password Is Initial | 0 | 1 |
REPID | ABAP Program Name | String |
TCODE | Transaction code used to modify account | String |
UFLAG | User Lock Status | String |
USTYP | User type | String |
UTCDIFF | The UTC OFFSSET in HHMMSS that the data was collected in | HHMMSS |
UTCSIGN | The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in. | + | - |