SAP Enterprise Threat Detection V2.0 SP5 sample event messages

Use these sample event messages to verify a successful integration with QRadar. Replace the sample IP addresses and other placeholder values with your own content.

The following table provides sample event messages for the SAP Enterprise Threat Detection DSM.

Table 1. SAP Enterprise Threat Detection V2.0 SP5 sample message supported by the SAP Enterprise Threat Detection DSM
Each entry lists the event name, the low-level category, and the sample log message.
Event name: Logon success same user from different Terminal IDs
Low-level category: Suspicious Logon
Sample log message:
LEEF:1.0|SAP|ETD|2.0 SP5|Logon success same user from different Terminal IDs (http://example.com/qradar/basis)|devTime=2023-06-01T13:10:15.119Z	devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSX	cat=Suspicious Logon	PatternId=10000000000000000123456789123456	PatternType=FLAB	AlertId=2382283	sev=7	MinResultTimestamp=2023-06-01T13:01:50.980Z	MaxResultTimestamp=2023-06-01T13:01:51.378Z	Text=Measurement 2 reached threshold 2 for ('System ID, Actor' = '<computer name>' / 'User Pseudonym, Target' = '<username>')	Measurement=2	UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id>	SystemIdActor=<computer name>	UserPseudonymTargeted=<username>

Event name: Calls between a non-productive and a productive system
Low-level category: Cross Communication
Sample log message:
LEEF:1.0|SAP|ETD|2.0 SP5|Calls between a non-productive and a productive system (http://example.com/qradar/basis)|devTime=2023-06-01T13:25:29.714Z	devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSX	cat=Cross Communication	PatternId=200000000000000001234567891234567	PatternType=FLAB	AlertId=2382291	sev=4	MinResultTimestamp=2023-06-01T13:16:08.000Z	MaxResultTimestamp=2023-06-01T13:25:08.120Z	Text=Measurement 228 exceeded threshold 1 for ('Correlation ID' = '<correlation Id>' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Actor' = '<username>')	Measurement=228	UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id>	CorrelationId=<correlation Id>	SystemIdActor=<computer name>	UserPseudonymActing=<username>	usrName=<username>

Event name: Logon success same Terminal ID with different users
Low-level category: Suspicious Logon V1
Sample log message:
LEEF:1.0|SAP|ETD|2.0 SP5|Logon success same Terminal ID with different users (http://demo)|devTime=2023-06-01T13:20:12.146Z	devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSX	cat=Suspicious Logon V1	PatternId=700000000000000001234567891234567	PatternType=FLAB	AlertId=2382287	sev=4	MinResultTimestamp=2023-06-01T12:51:06.000Z	MaxResultTimestamp=2023-06-01T13:20:06.941Z	Text=Measurement 2 reached threshold 2 for ('Network, Hostname, Initiator' = '<hostname>' / 'System ID, Actor' = '<computer name>')	Measurement=2	UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id>	NetworkHostnameInitiator=<hostname>	SystemIdActor=<computer name>

Event name: SAP HANA Partitioning unsuccessful Health Check
Low-level category: Health Checks
Sample log message:
LEEF:1.0|SAP|ETD|2.0 SP5|SAP HANA Partitioning unsuccessful Health Check (http://exm.com/qradar)|devTime=2023-05-30T12:05:50.176Z	devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSX	cat=Health Checks	PatternId=500000000000000001234567891234567	PatternType=FLAB	AlertId=2381877	sev=7	MinResultTimestamp=2023-05-30T12:05:28.000Z	MaxResultTimestamp=2023-05-30T12:05:28.000Z	Text=Measurement 5 exceeded threshold 1 for 'System ID' = 'ABC'	Measurement=5	UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id>	systemId=ABC

Event name: Security relevant policy changes
Low-level category: Security relevant policy changes
Sample log message:
LEEF:1.0|SAP|ETD|2.0 SP5|Security relevant policy changes (http://example.com/qradar/basis)|devTime=2023-05-30T12:11:30.015Z	devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSX	cat=Configuration	PatternId=300000000000000001234567891234567	PatternType=FLAB	AlertId=2381879	sev=7	MinResultTimestamp=2023-05-30T12:07:05.000Z	MaxResultTimestamp=2023-05-30T12:07:05.000Z	Text=Measurement 1 reached threshold 1 for ('Event (Semantic)' = 'System Admin, Audit Policy, Alter' / 'Network, Hostname, Initiator' = '<hostname>' / 'System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABCD')	Measurement=1	UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id>	EventSemantic=System Admin, Audit Policy, Alter	NetworkHostnameInitiator=<hostname>	SystemIdActor=<computer name>	SystemTypeActor=<computer name>

Event name: Audit Slot deactivated in critical system Roles
Low-level category: Audit Configuration Changes
Sample log message:
LEEF:1.0|SAP|ETD|2.0 SP5|Audit Slot deactivated in critical system Roles (http://demo)|devTime=2023-05-30T12:12:06.402Z	devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSX	cat=Audit Configuration Changes	PatternId=400000000000000001234567891234567	PatternType=FLAB	AlertId=2381889	sev=10	MinResultTimestamp=2023-05-30T12:07:05.000Z	MaxResultTimestamp=2023-05-30T12:07:05.000Z	Text=Measurement 1 reached threshold 1 for ('Network, Hostname, Initiator' = '<hostname>' / 'Network, IP Address, Initiator' = 'null' / 'Parameter Name' = 'Audit Slot' / 'Parameter Value, String' = '4' / 'System Group, Role, Actor' = 'Production' / 'System ID, Actor' = '<computer name>')	Measurement=1	UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id>	NetworkHostnameInitiator=<hostname>	NetworkIPAddressInitiator=null	ParameterName=Audit Slot	ParameterValueString=4	SystemGroupRoleActor=Production	SystemIdActor=<computer name>

Event name: Low Log Amount per system
Low-level category: Log Failure
Sample log message:
LEEF:1.0|SAP|ETD|2.0 SP5|Low Log Amount per system (http://demo)|devTime=2023-05-30T12:20:15.280Z	devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSX	cat=Log Failure	PatternId=92408893B4EED249A21219D645F55C77	PatternType=FLAB	AlertId=2381894	sev=4	MinResultTimestamp=2023-05-30T12:11:26.546Z	MaxResultTimestamp=2023-05-30T12:15:52.530Z	Text=Measurement 9 exceeded threshold 50 for ('Event, Log Type' = 'Indicator' / 'System ID, Actor' = '<computer name>')	Measurement=9	UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id>	EventLogType=Indicator	SystemIdActor=<computer name>

Event name: RFC calls from non-productive systems
Low-level category: Cross Communication
Sample log message:
LEEF:1.0|SAP|ETD|2.0 SP5|RFC calls from non-productive to productive systems (http://exm.com/qradar/basis)|devTime=2023-06-01T13:25:12.896Z	devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSX	cat=Cross Communication	PatternId=10000000000000000123456789123456	PatternType=FLAB	AlertId=2382290	sev=4	MinResultTimestamp=2023-06-01T13:16:08.000Z	MaxResultTimestamp=2023-06-01T13:23:08.000Z	Text=Measurement 8 exceeded threshold 1 for ('Service, Function Name' = 'SUSR_SUIM_API_NAME' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Actor' = '<username>')	Measurement=8	UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id>	ServiceFunctionName=SUSR_SUIM_API_NAME	SystemIdActor=<computer name>	UserPseudonymActing=<username>	usrName=<username>
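
The following parser is an added example and is not part of the IBM QRadar or SAP Enterprise Threat Detection documentation; it exists so that you can check, before sending the samples to QRadar, that the messages above are well-formed LEEF 1.0 records and that the fields a detection rule would key on (sev, cat, AlertId, the result-time window) come out as expected. It assumes only the structure visible in the samples: a header of five pipe-separated fields followed by tab-separated key=value attributes, with the UiLink value legitimately containing a '|' and the Text value containing '=' characters, which is why the header is split on at most five pipes and each attribute on its first '='. The two embedded messages are copied from the samples above (the Text attribute of the first is shortened); the helper names (parse_leef, alert_summary) are the example's own.

```python
"""Check SAP ETD sample messages as LEEF 1.0 records (added example, not vendor code)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict

# devTimeFormat the samples declare; 'X' renders a UTC offset as 'Z'.
EXPECTED_TIME_FORMAT = "yyyy-MM-dd'T'HH:mm:ss.SSSX"


@dataclass
class LeefEvent:
    leef_version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_leef(line: str) -> LeefEvent:
    """Parse one LEEF 1.0 line: LEEF:1.0|Vendor|Product|Version|EventID|attrs."""
    # Split on at most five pipes: the sixth field (attributes) may itself
    # contain '|' (the UiLink value in the SAP ETD samples does).
    parts = line.rstrip("\r\n").split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 record: wrong header field count")
    attrs: Dict[str, str] = {}
    for pair in parts[5].split("\t"):  # LEEF 1.0 attribute delimiter is a tab
        if not pair:
            continue
        # partition on the FIRST '=' so values such as Text=... ('x' = 'y') survive
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {pair!r}")
        attrs[key] = value
    return LeefEvent(parts[0][len("LEEF:"):], parts[1], parts[2], parts[3], parts[4], attrs)


def parse_etd_time(value: str) -> datetime:
    """Parse a timestamp written in EXPECTED_TIME_FORMAT (Java notation)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"   # fromisoformat() accepts an explicit offset
    return datetime.fromisoformat(value)


def alert_summary(line: str) -> dict:
    """Return the fields a QRadar rule would typically key on for one ETD alert."""
    ev = parse_leef(line)
    fmt = ev.attributes.get("devTimeFormat")
    if fmt is not None and fmt != EXPECTED_TIME_FORMAT:
        raise ValueError(f"unexpected devTimeFormat {fmt!r}")
    # The event ID is the pattern name followed by a URL in parentheses.
    name = ev.event_id
    if name.endswith(")") and " (" in name:
        name = name.rpartition(" (")[0]
    window = parse_etd_time(ev.attributes["MaxResultTimestamp"]) - parse_etd_time(
        ev.attributes["MinResultTimestamp"])
    return {
        "name": name,
        "category": ev.attributes.get("cat"),
        "severity": int(ev.attributes["sev"]),
        "alert_id": ev.attributes["AlertId"],
        "window_seconds": window.total_seconds(),
        "dev_time": parse_etd_time(ev.attributes["devTime"]),
    }


# Sample messages copied from the page (tabs written explicitly); Text is shortened.
SAMPLE_AUDIT_SLOT = "\t".join([
    "LEEF:1.0|SAP|ETD|2.0 SP5|Audit Slot deactivated in critical system Roles (http://demo)"
    "|devTime=2023-05-30T12:12:06.402Z",
    "devTimeFormat=" + EXPECTED_TIME_FORMAT, "cat=Audit Configuration Changes",
    "PatternId=400000000000000001234567891234567", "PatternType=FLAB", "AlertId=2381889",
    "sev=10", "MinResultTimestamp=2023-05-30T12:07:05.000Z",
    "MaxResultTimestamp=2023-05-30T12:07:05.000Z",
    "Text=Measurement 1 reached threshold 1 for ('Parameter Name' = 'Audit Slot' / "
    "'System Group, Role, Actor' = 'Production' / 'System ID, Actor' = '<computer name>')",
    "UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html"
    "?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id>",
    "ParameterName=Audit Slot", "ParameterValueString=4",
    "SystemGroupRoleActor=Production", "SystemIdActor=<computer name>",
])

SAMPLE_LOW_LOG = "\t".join([
    "LEEF:1.0|SAP|ETD|2.0 SP5|Low Log Amount per system (http://demo)"
    "|devTime=2023-05-30T12:20:15.280Z",
    "devTimeFormat=" + EXPECTED_TIME_FORMAT, "cat=Log Failure", "AlertId=2381894", "sev=4",
    "MinResultTimestamp=2023-05-30T12:11:26.546Z",
    "MaxResultTimestamp=2023-05-30T12:15:52.530Z",
    "Text=Measurement 9 exceeded threshold 50 for ('Event, Log Type' = 'Indicator')",
    "EventLogType=Indicator", "SystemIdActor=<computer name>",
])

if __name__ == "__main__":
    for sample in (SAMPLE_AUDIT_SLOT, SAMPLE_LOW_LOG):
        print(alert_summary(sample))
```

Running the module prints one summary per sample; the Audit Slot alert comes out with severity 10 and a zero-length result window, the Low Log Amount alert with severity 4 and a window of roughly 266 seconds. If a copied or edited sample fails in parse_leef, the most common causes are a tab that was converted to spaces when pasting and a pipe added inside the five header fields.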