Blacklisted function modules |
Potential Misc. Exploit |
LEEF:1.0|SAP|ETD|1.0 SP5|Blacklisted function modules (http://sap.com/secmon/basis)|devTime=2017-04-03T08:12:01.931Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Access to Critical Resource PatternId=55824E7FE1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=2888 sev=7 MinResultTimestamp=2017-04-03T08:10:05.000Z MaxResultTimestamp=2017-04-03T08:10:05.000Z Text=Measurement 1 reached threshold 1 for ('Event, Scenario Role Of Actor' = 'Server' / 'Network, Hostname, Initiator' = '<hostname>' / 'Network, IP Address, Initiator' = '<IP_address>' / 'Service, Function Name' = 'RFC_READ_TABLE' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<username>') Measurement=1 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventScenarioRoleOfActor=Server NetworkHostnameInitiator=<hostname> NetworkIPAddressInitiator=192.0.2.* ServiceFunctionName=RFC_READ_TABLE SystemIdActor=<computer name> UserPseudonymActing=<username> usrName=<username>
|
Blacklisted transactions |
Potential Misc. Exploit |
LEEF:1.0|SAP|ETD|1.0 SP5|Blacklisted transactions (http://sap.com/secmon/basis)|devTime=2017-04-06T12:39:01.834Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Access to Critical Resource PatternId=55824E81E1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=3387 sev=7 MinResultTimestamp=2017-04-06T12:38:04.000Z MaxResultTimestamp=2017-04-06T12:38:25.000Z Text=Measurement 4 exceeded threshold 1 for ('Network, Hostname, Initiator' = '<hostname>' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<username>') Measurement=4 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> NetworkHostnameInitiator=<hostname> SystemIdActor=<computer name> UserPseudonymActing=<username> usrName=<username>
|
Brute force attack |
Brute force attack |
LEEF:1.0|SAP|ETD|1.0 SP5|Brute force attack (http://sap.com/secmon/basis)|devTime=2017-03-16T00:10:01.891Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Brute Force Attack PatternId=55827776E1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=1303 sev=4 MinResultTimestamp=2017-03-15T23:24:38.000Z MaxResultTimestamp=2017-03-16T00:08:47.000Z Text=Measurement 16 exceeded threshold 12 for 'Network, Hostname, Initiator' = 'null' Measurement=16 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> NetworkHostnameInitiator=null
|
Data Exchange by System ID with Third-Party Systems |
Suspicious Activity |
LEEF:1.0|SAP|ETD|1.0 SP5|Data Exchange by System Id with Third Party Systems (http://sap.com/secmon/basis)|devTime=2017-08-22T15:03:12.158Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=System PatternId=22610959E8B5F1499E4CFCCB1422C3D3 PatternType=ANOMALY AlertId=12279 sev=7 MinResultTimestamp=2017-08-22T13:00:00.000Z MaxResultTimestamp=2017-08-22T14:00:00.000Z Text=Anomaly score is 73 for ('System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP') Measurement=73 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<computer name> SystemTypeActor=ABAP
|
Data Exchange by Technical User |
Suspicious Activity |
LEEF:1.0|SAP|ETD|1.0 SP5|Data Exchange by Technical User (http://sap.com/secmon/basis)|devTime=2017-03-28T14:02:26.154Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Technical Users,Users PatternId=7CCB9FFD5249FC4AA2B83D4BC5C8EA06 PatternType=ANOMALY AlertId=2490 sev=10 MinResultTimestamp=2017-03-28T12:00:00.000Z MaxResultTimestamp=2017-03-28T13:00:00.000Z Text=Anomaly score is 100 for 'User Pseudonym, Acting' = '<username>' Measurement=100 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> UserPseudonymActing=<username> usrName=<username>
|
Debugging in systems assigned to critical roles |
Suspicious Activity |
LEEF:1.0|SAP|ETD|1.0 SP5|Debugging in systems assigned to critical roles (http://sap.com/secmon/basis)|devTime=2017-04-03T08:06:06.370Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Debugging PatternId=937627F31E37524F837F9374804DE234 PatternType=FLAB AlertId=2880 sev=7 MinResultTimestamp=2017-04-03T08:06:04.752Z MaxResultTimestamp=2017-04-03T08:06:04.752Z Text=Measurement 1 reached threshold 1 for ('Network, Hostname, Initiator' = '<hostname>' / 'System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP' / 'User Pseudonym, Acting' = '<username>') Measurement=1 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> NetworkHostnameInitiator=<hostname> SystemIdActor=<computer name> SystemTypeActor=ABAP UserPseudonymActing=<username> usrName=<username>
|
Failed logon by RFC/CPIC call |
User Activity |
LEEF:1.0|SAP|ETD|1.0 SP5|Failed logon by RFC/CPIC call (http://sap.com/secmon/basis)|devTime=2016-12-27T11:58:24.588Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Failed Logon PatternId=5582D941F02EFE2BE10000000A4CF109 PatternType=FLAB AlertId=177 sev=7 MinResultTimestamp=2016-12-27T11:54:42.000Z MaxResultTimestamp=2016-12-27T11:55:01.000Z Text=Measurement 3 reached threshold 3 for ('System ID, Actor' = '<computer name>' / 'User Pseudonym, Targeted' = 'null') Measurement=3 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<computer name> UserPseudonymTargeted=null
|
Failed logon with too many attempts |
User Activity |
LEEF:1.0|SAP|ETD|1.0 SP5|Failed logon with too many attempts (http://sap.com/secmon/basis)|devTime=2017-06-07T17:33:02.029Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Failed Logon PatternId=5582D942F02EFE2BE10000000A4CF109 PatternType=FLAB AlertId=6287 sev=7 MinResultTimestamp=2017-06-07T16:33:01.000Z MaxResultTimestamp=2017-06-07T17:32:59.000Z Text=Measurement 39193 exceeded threshold 3 for ('Event (Semantic)' = 'User, Logon, Failure' / 'System ID, Actor' = '<username>' / 'User Pseudonym, Targeted' = '<username>') Measurement=39193 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventSemantic=User, Logon, Failure SystemIdActor=<username> UserPseudonymTargeted=<username>
|
Generic access to critical database tables |
Database Exploit |
LEEF:1.0|SAP|ETD|1.0 SP5|Generic access to critical database tables (http://sap.com/secmon/basis)|devTime=2017-03-29T15:50:10.291Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Data Manipulation PatternId=DF3F93F156DAAA408C1512168E16F2B0 PatternType=FLAB AlertId=2558 sev=7 MinResultTimestamp=2017-03-29T15:48:12.000Z MaxResultTimestamp=2017-03-29T15:48:12.000Z Text=Measurement 1 reached threshold 1 for ('Generic, Action' = '03' / 'Resource Name' = '<computer name>' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<username>') Measurement=1 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> GenericAction=03 ResourceName=<computer name> SystemIdActor=<computer name> UserPseudonymActing=<username> usrName=<username>
|
Log Volume by System Group |
Suspicious Activity |
LEEF:1.0|SAP|ETD|1.0 SP5|Log Volume by System Group (http://sap.com/secmon/basis)|devTime=2016-12-27T13:02:32.321Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=System,Test PatternId=7A8D37B77AF8CF4096B9EB49BA932ACD PatternType=ANOMALY AlertId=196 sev=10 MinResultTimestamp=2016-12-27T11:00:00.000Z MaxResultTimestamp=2016-12-27T12:00:00.000Z Text=Anomaly score is 100 for ('System Group, ID, Actor' = 'null' / 'System Group, Type, Actor' = 'null') Measurement=100 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemGroupIdActor=null SystemGroupTypeActor=null
|
Logon and Communication by System ID |
Suspicious Activity |
LEEF:1.0|SAP|ETD|1.0 SP5|Logon and Communication by System Id (http://sap.com/secmon/basis)|devTime=2017-06-08T14:03:13.156Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=System PatternId=B09BED65105D4D4C9EE82FBCCFAD6647 PatternType=ANOMALY AlertId=6634 sev=7 MinResultTimestamp=2017-06-08T12:00:00.000Z MaxResultTimestamp=2017-06-08T13:00:00.000Z Text=Anomaly score is 70 for ('System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP') Measurement=70 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<computer name> SystemTypeActor=ABAP
|
Logon success same user from different Terminal IDs |
User Activity |
LEEF:1.0|SAP|ETD|1.0 SP5|Logon success same user from different Terminal IDs (http://sap.com/secmon/basis)|devTime=2016-10-24T11:13:04.589Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Suspicious Logon PatternId=5582A320E1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=2 sev=7 MinResultTimestamp=2016-10-24T07:17:36.000Z MaxResultTimestamp=2016-10-24T08:40:34.000Z Text=Measurement 2 reached threshold 2 for ('System ID, Actor' = '<username>' / 'User Pseudonym, Targeted' = 'null') Measurement=2 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<username> UserPseudonymTargeted=null
|
Logon with SAP standard users |
User Activity |
LEEF:1.0|SAP|ETD|1.0 SP5|Logon with SAP standard users (http://sap.com/secmon/basis)|devTime=2017-03-13T21:05:01.494Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Suspicious Logon PatternId=5582A31CE1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=1000 sev=4 MinResultTimestamp=2017-03-13T13:32:04.000Z MaxResultTimestamp=2017-03-13T21:02:10.000Z Text=Measurement 1 reached threshold 1 for ('Event (Semantic)' = 'User, Logon' / 'Network, Hostname, Initiator' = 'null' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Targeted' = '<username>') Measurement=1 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventSemantic=User, Logon NetworkHostnameInitiator=null SystemIdActor=<computer name> UserPseudonymTargeted=<username>
|
New Service Calls by Technical Users |
Suspicious Activity |
LEEF:1.0|SAP|ETD|1.0 SP5|New Service Calls by Technical Users (http://sap.com/secmon/basis)|devTime=2017-02-16T23:02:22.157Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Technical Users,Users PatternId=5F852070B8645C42907C90C27864E20D PatternType=ANOMALY AlertId=251 sev=7 MinResultTimestamp=2017-02-16T21:00:00.000Z MaxResultTimestamp=2017-02-16T22:00:00.000Z Text=Anomaly score is 74 for ('System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP' / 'User Pseudonym, Acting' = '<computer name>') Measurement=74 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<computer name> SystemTypeActor=ABAP UserPseudonymActing=<computer name> usrName=<computer name>
|
Security relevant configuration changes |
Suspicious Activity |
LEEF:1.0|SAP|ETD|1.0 SP5|Security relevant configuration changes (http://sap.com/secmon/basis)|devTime=2017-06-30T19:28:56.835Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Configuration PatternId=558292A9E1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=9273 sev=7 MinResultTimestamp=2017-06-30T19:26:34.000Z MaxResultTimestamp=2017-06-30T19:26:34.000Z Text=Measurement 1 reached threshold 1 for ('Event (Semantic)' = 'System Admin, Audit Policy, Alter' / 'Network, Hostname, Initiator' = 'null' / 'System ID, Actor' = '<username>' / 'System Type, Actor' = 'ABAP' / 'User Pseudonym, Acting' = 'null') Measurement=1 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventSemantic=System Admin, Audit Policy, Alter NetworkHostnameInitiator=null SystemIdActor=<username> SystemTypeActor=ABAP UserPseudonymActing=null usrName=null
|
Service Calls by System ID |
Suspicious Activity |
LEEF:1.0|SAP|ETD|1.0 SP5|Service Calls by System Id (http://sap.com/secmon/basis)|devTime=2017-03-22T13:03:40.160Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=System PatternId=8CF6323786DE674691BB716CAEA1111D PatternType=ANOMALY AlertId=1892 sev=10 MinResultTimestamp=2017-03-22T11:00:00.000Z MaxResultTimestamp=2017-03-22T12:00:00.000Z Text=Anomaly score is 99 for ('System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABAP') Measurement=99 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> SystemIdActor=<computer name> SystemTypeActor=ABAP
|
User acts under created user |
User Activity |
LEEF:1.0|SAP|ETD|1.0 SP5|User acts under created user (http://sap.com/secmon/basis)|devTime=2017-04-03T08:17:03.529Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=User Maintenance PatternId=76560A14DBEC9C4A9EA502EFD6EA3BCC PatternType=FLAB AlertId=2893 sev=7 MinResultTimestamp=2017-04-03T08:07:34.000Z MaxResultTimestamp=2017-04-03T08:10:05.000Z Text=Measurement 2 exceeded threshold 1 for ('Network, Hostname, Initiator' = '<hostname>' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Targeted' = '<username>') Measurement=2 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> NetworkHostnameInitiator=<hostname> SystemIdActor=<computer name> UserPseudonymTargeted=<username>
|
User role changed |
Suspicious Activity |
LEEF:1.0|SAP|ETD|1.0 SP5|User role changed (http://sap.com/secmon/basis)|devTime=2017-04-06T12:40:42.056Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Authorization Critical Assignment PatternId=305166E4E6C11B4593B31CFBB6BABD44 PatternType=FLAB AlertId=3390 sev=4 MinResultTimestamp=2017-04-06T12:40:22.000Z MaxResultTimestamp=2017-04-06T12:40:22.000Z Text=Measurement 3 exceeded threshold 1 for ('Event (Semantic)' = 'User Admin, Role, Create' / 'Network, Hostname, Initiator' = 'null' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<username>') Measurement=3 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventSemantic=User Admin, Role, Create NetworkHostnameInitiator=null SystemIdActor=<computer name> UserPseudonymActing=<username> usrName=<username>
|
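The samples above are LEEF 1.0 with a five-field header followed by whitespace-separated key=value attributes, and three things visible in the table break a naive parser: the UiLink value contains a literal `|` (…launchpad|ETDLaunchpad…), the Text value contains spaces and quoted `'label' = 'value'` pairs, and UiLink also contains `\?alert=<Alert Id>`. The Python below is an added example, not SAP ETD or IBM QRadar code. It parses four lines copied from the table (placeholders left as printed), extracts the grouping attributes, the FLAB measurement and threshold or the ANOMALY score, and the result window, and flags alerts whose acting user or initiating host is `null`, since those cannot be attributed from the ETD alert alone. The names `parse_leef`, `normalize`, `triage`, `triage_samples` and `SAP_ETD_SAMPLES` are this example's own.

```python
"""Parse and triage SAP Enterprise Threat Detection (ETD) LEEF alerts.

Added example, not SAP or IBM QRadar code.  It assumes only what the sample
table shows: a five-field LEEF 1.0 header, then whitespace-separated
key=value attributes whose values may contain spaces, commas, '|' and '='.
"""
import re
from datetime import datetime
from typing import Any, Dict, List, Optional

# Four lines copied from the sample table above, documentation placeholders
# (<hostname>, <username>, <computer name>, <Alert Id>, 192.0.2.*) included.
SAP_ETD_SAMPLES: List[str] = [
    r"LEEF:1.0|SAP|ETD|1.0 SP5|Blacklisted function modules (http://sap.com/secmon/basis)|devTime=2017-04-03T08:12:01.931Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Access to Critical Resource PatternId=55824E7FE1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=2888 sev=7 MinResultTimestamp=2017-04-03T08:10:05.000Z MaxResultTimestamp=2017-04-03T08:10:05.000Z Text=Measurement 1 reached threshold 1 for ('Event, Scenario Role Of Actor' = 'Server' / 'Network, Hostname, Initiator' = '<hostname>' / 'Network, IP Address, Initiator' = '<IP_address>' / 'Service, Function Name' = 'RFC_READ_TABLE' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Acting' = '<username>') Measurement=1 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventScenarioRoleOfActor=Server NetworkHostnameInitiator=<hostname> NetworkIPAddressInitiator=192.0.2.* ServiceFunctionName=RFC_READ_TABLE SystemIdActor=<computer name> UserPseudonymActing=<username> usrName=<username>",
    r"LEEF:1.0|SAP|ETD|1.0 SP5|Failed logon with too many attempts (http://sap.com/secmon/basis)|devTime=2017-06-07T17:33:02.029Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Failed Logon PatternId=5582D942F02EFE2BE10000000A4CF109 PatternType=FLAB AlertId=6287 sev=7 MinResultTimestamp=2017-06-07T16:33:01.000Z MaxResultTimestamp=2017-06-07T17:32:59.000Z Text=Measurement 39193 exceeded threshold 3 for ('Event (Semantic)' = 'User, Logon, Failure' / 'System ID, Actor' = '<username>' / 'User Pseudonym, Targeted' = '<username>') Measurement=39193 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventSemantic=User, Logon, Failure SystemIdActor=<username> UserPseudonymTargeted=<username>",
    r"LEEF:1.0|SAP|ETD|1.0 SP5|Data Exchange by Technical User (http://sap.com/secmon/basis)|devTime=2017-03-28T14:02:26.154Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Technical Users,Users PatternId=7CCB9FFD5249FC4AA2B83D4BC5C8EA06 PatternType=ANOMALY AlertId=2490 sev=10 MinResultTimestamp=2017-03-28T12:00:00.000Z MaxResultTimestamp=2017-03-28T13:00:00.000Z Text=Anomaly score is 100 for 'User Pseudonym, Acting' = '<username>' Measurement=100 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> UserPseudonymActing=<username> usrName=<username>",
    r"LEEF:1.0|SAP|ETD|1.0 SP5|Security relevant configuration changes (http://sap.com/secmon/basis)|devTime=2017-06-30T19:28:56.835Z devTimeFormat=YYYY-MM-dd'T'HH:mm:ss.SSSX cat=Configuration PatternId=558292A9E1B0FE2BE10000000A4CF109 PatternType=FLAB AlertId=9273 sev=7 MinResultTimestamp=2017-06-30T19:26:34.000Z MaxResultTimestamp=2017-06-30T19:26:34.000Z Text=Measurement 1 reached threshold 1 for ('Event (Semantic)' = 'System Admin, Audit Policy, Alter' / 'Network, Hostname, Initiator' = 'null' / 'System ID, Actor' = '<username>' / 'System Type, Actor' = 'ABAP' / 'User Pseudonym, Acting' = 'null') Measurement=1 UiLink=http://192.0.2.*/sap/hana/uis/clients/ushell-app/shells/fiori/FioriLaunchpad.html?siteId=sap.secmon.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show\?alert=<Alert Id> EventSemantic=System Admin, Audit Policy, Alter NetworkHostnameInitiator=null SystemIdActor=<username> SystemTypeActor=ABAP UserPseudonymActing=null usrName=null",
]

# An attribute key is an identifier that follows whitespace (or the start of
# the attribute section) and is immediately followed by '='.  That keeps the
# "'label' = 'value'" pairs inside Text= and the "\?alert=<Alert Id>" inside
# UiLink= from being taken for new attributes.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")
# FLAB (threshold) patterns state measurement and threshold in Text=;
# ANOMALY patterns state only a 0-100 score, which is also in Measurement=.
_FLAB_RE = re.compile(r"Measurement (\d+) (?:reached|exceeded) threshold (\d+)")
# The grouping attributes of the alert, as printed inside Text=.
_GROUP_RE = re.compile(r"'([^']+)' = '([^']*)'")


def parse_leef(line: str) -> Dict[str, Any]:
    """Split one LEEF 1.x line into its header fields and an attribute dict.

    maxsplit=5 is essential: UiLink= carries a literal '|', so an unbounded
    split('|') would cut the attribute section in two.
    """
    parts = line.rstrip("\r\n").split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.x line: %r" % line[:40])
    leef, vendor, product, version, event_id, rest = parts
    keys = list(_KEY_RE.finditer(rest))
    attrs: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(rest)
        attrs[m.group(1)] = rest[m.end():end].strip()
    return {"leef_version": leef.split(":", 1)[1], "vendor": vendor,
            "product": product, "product_version": version,
            "event_id": event_id, "attrs": attrs}


def _ts(value: str) -> datetime:
    # devTimeFormat is a Java pattern (YYYY-MM-dd'T'HH:mm:ss.SSSX); the values
    # are ISO 8601 with a 'Z' suffix, which fromisoformat() accepts once the
    # 'Z' is spelled as an explicit UTC offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Pull the triage-relevant fields out of a parsed ETD alert."""
    a = alert["attrs"]
    text = a.get("Text", "")
    flab = _FLAB_RE.search(text)
    window = None
    if "MinResultTimestamp" in a and "MaxResultTimestamp" in a:
        window = (_ts(a["MaxResultTimestamp"]) - _ts(a["MinResultTimestamp"])).total_seconds()
    return {
        "event_id": alert["event_id"],
        "alert_id": a.get("AlertId"),
        "pattern_type": a.get("PatternType"),  # FLAB or ANOMALY
        "severity": int(a.get("sev", "0")),
        "category": a.get("cat"),
        "measurement": int(a["Measurement"]) if a.get("Measurement", "").isdigit() else None,
        "threshold": int(flab.group(2)) if flab else None,
        # ETD prints 'null' when a grouping attribute had no value.
        "groups": {k: (None if v == "null" else v) for k, v in _GROUP_RE.findall(text)},
        "window_seconds": window,
    }


def triage(norm: Dict[str, Any]) -> Dict[str, Any]:
    """Facts an analyst wants before opening the alert's UiLink.

    An alert whose acting user or initiating host is null cannot be attributed
    from the ETD alert alone; it has to be joined against the source system's
    own audit log before anyone is named.
    """
    unattributed = [k for k, v in norm["groups"].items() if v is None and
                    (k.startswith("User Pseudonym") or k.startswith("Network, Hostname"))]
    overshoot: Optional[float] = None
    if norm["pattern_type"] == "FLAB" and norm["threshold"] and norm["measurement"] is not None:
        overshoot = norm["measurement"] / norm["threshold"]
    return {"alert_id": norm["alert_id"], "event_id": norm["event_id"],
            "severity": norm["severity"], "overshoot": overshoot,
            "window_seconds": norm["window_seconds"], "unattributed": unattributed}


def triage_samples() -> List[Dict[str, Any]]:
    return [triage(normalize(parse_leef(s))) for s in SAP_ETD_SAMPLES]


if __name__ == "__main__":
    for r in triage_samples():
        print(r)
```

The key-locating regex is the part worth keeping even if the rest is replaced: a plain split on spaces or `=` silently produces wrong values for `cat`, `Text`, `EventSemantic` and `UiLink`, and a QRadar custom property built that way would index the wrong field.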