SAP Enterprise Threat Detection V1.0 SP6 sample event messages

Use these sample event messages as a way of verifying a successful integration with QRadar®. Replace the sample IP addresses and other placeholder values (<hostname>, <username>, <computer name>, <Alert Id>) with your own content.

The following table provides sample event messages for the SAP Enterprise Threat Detection DSM.

Table 1. SAP Enterprise Threat Detection V1.0 SP6 sample messages supported by the SAP Enterprise Threat Detection DSM
Each entry lists the event name, its QRadar low-level category, and the sample log message.

Event name: Blacklisted function modules
Low-level category: Potential Misc. Exploit
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Blacklisted function modules (http://sap.com/secmon/basis)|devTime=2017-04-03T08:12:01.931Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=Access to Critical Resource    PatternId=55824E7FE1B0FE2BE10000000A4CF109    PatternType=FLAB    AlertId=2888    sev=7    MinResultTimestamp=2017-04-03T08:10:05.000Z    MaxResultTimestamp=2017-04-03T08:10:05.000Z    Text=Measurement 1 reached threshold 1 for ('Event, Scenario Role Of Actor' = 'Server' / 'Network, Hostname, Initiator' = '<hostname>' / 'Network, IP Address, Initiator' = '<IP_address>' / 'Service, Function Name' = 'RFC_READ_TABLE' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<username>')    Measurement=1    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   EventScenarioRoleOfActor=Server    NetworkHostnameInitiator=<hostname>    NetworkIPAddressInitiator=192.0.2.*    ServiceFunctionName=RFC_READ_TABLE    SystemIdActor=<computer name>    UserPseudonymActing=<username>    usrName=<username>

Event name: Blacklisted transactions
Low-level category: Potential Misc. Exploit
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Blacklisted transactions (http://sap.com/secmon/basis)|devTime=2017-04-06T12:39:01.834Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=Access to Critical Resource    PatternId=55824E81E1B0FE2BE10000000A4CF109    PatternType=FLAB    AlertId=3387    sev=7    MinResultTimestamp=2017-04-06T12:38:04.000Z    MaxResultTimestamp=2017-04-06T12:38:25.000Z    Text=Measurement 4 exceeded threshold 1 for ('Network, Hostname, Initiator' = '<hostname>' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<username>')    Measurement=4    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   NetworkHostnameInitiator=<hostname>    SystemIdActor=<computer name>    UserPseudonymActing=<username>    usrName=<username>

Event name: Brute force attack
Low-level category: Brute force attack
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Brute force attack (http://sap.com/secmon/basis)|devTime=2017-03-16T00:10:01.891Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=Brute Force Attack    PatternId=55827776E1B0FE2BE10000000A4CF109    PatternType=FLAB    AlertId=1303    sev=4    MinResultTimestamp=2017-03-15T23:24:38.000Z    MaxResultTimestamp=2017-03-16T00:08:47.000Z    Text=Measurement 16 exceeded threshold 12 for 'Network, Hostname, Initiator' = 'null'    Measurement=16    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   NetworkHostnameInitiator=null

Event name: Data Exchange by System ID with Third-Party Systems
Low-level category: Suspicious Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Data Exchange by System Id with Third Party Systems (http://sap.com/secmon/basis)|devTime=2017-08-22T15:03:12.158Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=System    PatternId=22610959E8B5F1499E4CFCCB1422C3D3    PatternType=ANOMALY    AlertId=12279    sev=7    MinResultTimestamp=2017-08-22T13:00:00.000Z    MaxResultTimestamp=2017-08-22T14:00:00.000Z    Text=Anomaly score is 73 for ('System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP')    Measurement=73    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   SystemIdActor=<computer name>    SystemTypeActor=ABAP

Event name: Data Exchange by Technical User
Low-level category: Suspicious Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Data Exchange by Technical User (http://sap.com/secmon/basis)|devTime=2017-03-28T14:02:26.154Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=Technical Users,Users    PatternId=7CCB9FFD5249FC4AA2B83D4BC5C8EA06    PatternType=ANOMALY    AlertId=2490    sev=10    MinResultTimestamp=2017-03-28T12:00:00.000Z    MaxResultTimestamp=2017-03-28T13:00:00.000Z    Text=Anomaly score is 100 for 'User Pseudonym, Acting' = '<username>'    Measurement=100    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   UserPseudonymActing=<username>    usrName=<username>

Event name: Debugging in systems assigned to critical roles
Low-level category: Suspicious Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Debugging in systems assigned to critical roles (http://sap.com/secmon/basis)|devTime=2017-04-03T08:06:06.370Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=Debugging    PatternId=937627F31E37524F837F9374804DE234    PatternType=FLAB    AlertId=2880    sev=7    MinResultTimestamp=2017-04-03T08:06:04.752Z    MaxResultTimestamp=2017-04-03T08:06:04.752Z    Text=Measurement 1 reached threshold 1 for ('Network, Hostname, Initiator' = '<hostname>' / 'System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP' / 'User Pseudonym, Acting' = '<username>')    Measurement=1    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   NetworkHostnameInitiator=<hostname>    SystemIdActor=<computer name>    SystemTypeActor=ABAP    UserPseudonymActing=<username>    usrName=<username>

Event name: Failed logon by RFC/CPIC call
Low-level category: User Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Failed logon by RFC/CPIC call (http://sap.com/secmon/basis)|devTime=2016-12-27T11:58:24.588Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=Failed Logon    PatternId=5582D941F02EFE2BE10000000A4CF109    PatternType=FLAB    AlertId=177    sev=7    MinResultTimestamp=2016-12-27T11:54:42.000Z    MaxResultTimestamp=2016-12-27T11:55:01.000Z    Text=Measurement 3 reached threshold 3 for ('System ID, Actor' = '<computer name>' / 'User Pseudonym, Targeted' = 'null')    Measurement=3    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   SystemIdActor=<computer name>    UserPseudonymTargeted=null

Event name: Failed logon with too many attempts
Low-level category: User Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Failed logon with too many attempts (http://sap.com/secmon/basis)|devTime=2017-06-07T17:33:02.029Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=Failed Logon    PatternId=5582D942F02EFE2BE10000000A4CF109    PatternType=FLAB    AlertId=6287    sev=7    MinResultTimestamp=2017-06-07T16:33:01.000Z    MaxResultTimestamp=2017-06-07T17:32:59.000Z    Text=Measurement 39193 exceeded threshold 3 for ('Event (Semantic)' = 'User, Logon, Failure' / 'System ID, Actor' = '<username>' / 'User Pseudonym, Targeted' = '<username>')    Measurement=39193    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   EventSemantic=User, Logon, Failure    SystemIdActor=<username>    UserPseudonymTargeted=<username>

Event name: Generic access to critical database tables
Low-level category: Database Exploit
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Generic access to critical database tables (http://sap.com/secmon/basis)|devTime=2017-03-29T15:50:10.291Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=Data Manipulation    PatternId=DF3F93F156DAAA408C1512168E16F2B0    PatternType=FLAB    AlertId=2558    sev=7    MinResultTimestamp=2017-03-29T15:48:12.000Z    MaxResultTimestamp=2017-03-29T15:48:12.000Z    Text=Measurement 1 reached threshold 1 for ('Generic, Action' = '03' / 'Resource Name' = '<computer name>' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<username>')    Measurement=1    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   GenericAction=03    ResourceName=<computer name>    SystemIdActor=<computer name>    UserPseudonymActing=<username>    usrName=<username>

Event name: Log Volume by System Group
Low-level category: Suspicious Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Log Volume by System Group (http://sap.com/secmon/basis)|devTime=2016-12-27T13:02:32.321Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=System,Test    PatternId=7A8D37B77AF8CF4096B9EB49BA932ACD    PatternType=ANOMALY    AlertId=196    sev=10    MinResultTimestamp=2016-12-27T11:00:00.000Z    MaxResultTimestamp=2016-12-27T12:00:00.000Z    Text=Anomaly score is 100 for ('System Group, ID, Actor' = 'null' / 'System Group, Type, Actor' = 'null')    Measurement=100    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   SystemGroupIdActor=null    SystemGroupTypeActor=null

Event name: Logon and Communication by System ID
Low-level category: Suspicious Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Logon and Communication by System Id (http://sap.com/secmon/basis)|devTime=2017-06-08T14:03:13.156Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=System    PatternId=B09BED65105D4D4C9EE82FBCCFAD6647    PatternType=ANOMALY    AlertId=6634    sev=7    MinResultTimestamp=2017-06-08T12:00:00.000Z    MaxResultTimestamp=2017-06-08T13:00:00.000Z    Text=Anomaly score is 70 for ('System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP')    Measurement=70    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   SystemIdActor=<computer name>    SystemTypeActor=ABAP

Event name: Logon success same user from different Terminal IDs
Low-level category: User Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Logon success same user from different Terminal IDs (http://sap.com/secmon/basis)|devTime=2016-10-24T11:13:04.589Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=Suspicious Logon    PatternId=5582A320E1B0FE2BE10000000A4CF109    PatternType=FLAB    AlertId=2    sev=7    MinResultTimestamp=2016-10-24T07:17:36.000Z    MaxResultTimestamp=2016-10-24T08:40:34.000Z    Text=Measurement 2 reached threshold 2 for ('System ID, Actor' = '<username>' / 'User Pseudonym, Targeted' = 'null')    Measurement=2    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   SystemIdActor=<username>    UserPseudonymTargeted=null

Event name: Logon with SAP standard users
Low-level category: User Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Logon with SAP standard users (http://sap.com/secmon/basis)|devTime=2017-03-13T21:05:01.494Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=Suspicious Logon    PatternId=5582A31CE1B0FE2BE10000000A4CF109    PatternType=FLAB    AlertId=1000    sev=4    MinResultTimestamp=2017-03-13T13:32:04.000Z    MaxResultTimestamp=2017-03-13T21:02:10.000Z    Text=Measurement 1 reached threshold 1 for ('Event (Semantic)' = 'User, Logon' / 'Network, Hostname, Initiator' = 'null' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Targeted' = '<username>')    Measurement=1    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   EventSemantic=User, Logon    NetworkHostnameInitiator=null    SystemIdActor=<computer name>    UserPseudonymTargeted=<username>

Event name: New Service Calls by Technical Users
Low-level category: Suspicious Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|New Service Calls by Technical Users (http://sap.com/secmon/basis)|devTime=2017-02-16T23:02:22.157Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=Technical Users,Users    PatternId=5F852070B8645C42907C90C27864E20D    PatternType=ANOMALY    AlertId=251    sev=7    MinResultTimestamp=2017-02-16T21:00:00.000Z    MaxResultTimestamp=2017-02-16T22:00:00.000Z    Text=Anomaly score is 74 for ('System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP' / 'User Pseudonym, Acting' = '<computer name>')    Measurement=74    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   SystemIdActor=<computer name>    SystemTypeActor=ABAP    UserPseudonymActing=<computer name>    usrName=<computer name>

Event name: Security relevant configuration changes
Low-level category: Suspicious Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Security relevant configuration changes (http://sap.com/secmon/basis)|devTime=2017-06-30T19:28:56.835Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=Configuration    PatternId=558292A9E1B0FE2BE10000000A4CF109    PatternType=FLAB    AlertId=9273    sev=7    MinResultTimestamp=2017-06-30T19:26:34.000Z    MaxResultTimestamp=2017-06-30T19:26:34.000Z    Text=Measurement 1 reached threshold 1 for ('Event (Semantic)' = 'System Admin, Audit Policy, Alter' / 'Network, Hostname, Initiator' = 'null' / 'System ID, Actor' = '<username>' / 'System Type, Actor' = 'ABAP' / 'User Pseudonym, Acting' = 'null')    Measurement=1    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   EventSemantic=System Admin, Audit Policy, Alter    NetworkHostnameInitiator=null    SystemIdActor=<username>    SystemTypeActor=ABAP    UserPseudonymActing=null    usrName=null

Event name: Service Calls by System ID
Low-level category: Suspicious Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|Service Calls by System Id (http://sap.com/secmon/basis)|devTime=2017-03-22T13:03:40.160Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=System    PatternId=8CF6323786DE674691BB716CAEA1111D    PatternType=ANOMALY    AlertId=1892    sev=10    MinResultTimestamp=2017-03-22T11:00:00.000Z    MaxResultTimestamp=2017-03-22T12:00:00.000Z    Text=Anomaly score is 99 for ('System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP')    Measurement=99    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   SystemIdActor=<computer name>    SystemTypeActor=ABAP

Event name: User acts under created user
Low-level category: User Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|User acts under created user (http://sap.com/secmon/basis)|devTime=2017-04-03T08:17:03.529Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=User Maintenance    PatternId=76560A14DBEC9C4A9EA502EFD6EA3BCC    PatternType=FLAB    AlertId=2893    sev=7    MinResultTimestamp=2017-04-03T08:07:34.000Z    MaxResultTimestamp=2017-04-03T08:10:05.000Z    Text=Measurement 2 exceeded threshold 1 for ('Network, Hostname, Initiator' = '<hostname>' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Targeted' = '<username>')    Measurement=2    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   NetworkHostnameInitiator=<hostname>    SystemIdActor=<computer name>    UserPseudonymTargeted=<username>

Event name: User role changed
Low-level category: Suspicious Activity
Sample log message:
LEEF:1.0|SAP|ETD|1.0 SP5|User role changed (http://sap.com/secmon/basis)|devTime=2017-04-06T12:40:42.056Z    devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX    cat=Authorization Critical Assignment    PatternId=305166E4E6C11B4593B31CFBB6BABD44    PatternType=FLAB    AlertId=3390    sev=4    MinResultTimestamp=2017-04-06T12:40:22.000Z    MaxResultTimestamp=2017-04-06T12:40:22.000Z    Text=Measurement 3 exceeded threshold 1 for ('Event (Semantic)' = 'User Admin, Role, Create' / 'Network, Hostname, Initiator' = 'null' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<username>')    Measurement=3    UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id>   EventSemantic=User Admin, Role, Create    NetworkHostnameInitiator=null    SystemIdActor=<computer name>    UserPseudonymActing=<username>    usrName=<username>
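All of the sample messages above share one LEEF 1.0 layout: five pipe-delimited header fields, then tab-separated key=value attributes whose Text field carries either a threshold comparison (PatternType=FLAB) or an anomaly score (PatternType=ANOMALY). The following Python parser is an added example, not part of this IBM documentation or of the SAP DSM, that checks how such a record splits before it is sent to QRadar; the sample record is reconstructed from the Brute force attack row with an assumed host 192.0.2.10 and an assumed alert id inside UiLink, and parse_leef and summarize_alert are names chosen here.

```python
import re
# Constructed from the "Brute force attack" row on this page: the 192.0.2.10 host and the
# alert id inside UiLink are assumed, and attributes are tab-separated as LEEF 1.0 specifies.
SAMPLE = (
    "LEEF:1.0|SAP|ETD|1.0 SP5|Brute force attack (http://sap.com/secmon/basis)|"
    "devTime=2017-03-16T00:10:01.891Z\tdevTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX\t"
    "cat=Brute Force Attack\tPatternId=55827776E1B0FE2BE10000000A4CF109\tPatternType=FLAB\t"
    "AlertId=1303\tsev=4\tMinResultTimestamp=2017-03-15T23:24:38.000Z\t"
    "MaxResultTimestamp=2017-03-16T00:08:47.000Z\tMeasurement=16\t"
    "Text=Measurement 16 exceeded threshold 12 for 'Network, Hostname, Initiator' = 'null'\t"
    "UiLink=http://192.0.2.10/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html"
    "?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\\?alert=1303\t"
    "NetworkHostnameInitiator=null"
)
HEADER_FIELDS = ("version", "vendor", "product", "product_version", "event_id")
THRESHOLD_RE = re.compile(r"Measurement (\d+) (?:reached|exceeded) threshold (\d+)")

def parse_leef(line):
    """Split a LEEF 1.0 record into its five header fields and an attribute dict."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    # Only the first five '|' delimit the header; a later '|' (as inside UiLink) is data.
    parts = line[len("LEEF:"):].split("|", 5)
    if len(parts) != 6:
        raise ValueError("malformed LEEF header")
    block = parts[5]
    # LEEF 1.0 separates attributes with a tab; tolerate tabs collapsed to 2+ spaces.
    sep = "\t" if "\t" in block else r"\s{2,}"
    attrs = {}
    for token in re.split(sep, block):
        if "=" in token:
            key, value = token.split("=", 1)
            attrs[key.strip()] = value.strip()
    return dict(zip(HEADER_FIELDS, parts[:5])), attrs

def summarize_alert(line):
    """Normalise the ETD-specific fields an analyst triages on."""
    header, attrs = parse_leef(line)
    match = THRESHOLD_RE.search(attrs.get("Text", ""))
    return {
        "pattern": header["event_id"].split(" (")[0],  # drop the secmon namespace suffix
        # FLAB patterns count hits against a threshold; ANOMALY patterns carry a score.
        "pattern_type": attrs.get("PatternType"),
        "severity": int(attrs["sev"]),
        "measurement": int(attrs["Measurement"]),
        "threshold": int(match.group(2)) if match else None,
        # 'null' means ETD could not attribute the field (e.g. no initiator hostname).
        "null_fields": sorted(k for k, v in attrs.items() if v == "null"),
    }
```

Records whose null_fields list is not empty are worth a second look, because the initiator or target could not be attributed by ETD and QRadar will have no source or user to correlate on.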