Event name: Logon success same user from different Terminal IDs
Category: Suspicious Logon
Sample message: LEEF:1.0|SAP|ETD|2.0 SP5|Logon success same user from different Terminal IDs (http://example.com/qradar/basis)|devTime=2023-06-01T13:10:15.119Z devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSX cat=Suspicious Logon PatternId=10000000000000000123456789123456 PatternType=FLAB AlertId=2382283 sev=7 MinResultTimestamp=2023-06-01T13:01:50.980Z MaxResultTimestamp=2023-06-01T13:01:51.378Z Text=Measurement 2 reached threshold 2 for ('System ID, Actor' = '<computer name>' / 'User Pseudonym, Target' = '<username>') Measurement=2 UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id> SystemIdActor=<computer name> UserPseudonymTargeted=<username>

Event name: Calls between a non-productive and a productive system
Category: Cross Communication
Sample message: LEEF:1.0|SAP|ETD|2.0 SP5|Calls between a non-productive and a productive system (http://example.com/qradar/basis)|devTime=2023-06-01T13:25:29.714Z devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSX cat=Cross Communication PatternId=200000000000000001234567891234567 PatternType=FLAB AlertId=2382291 sev=4 MinResultTimestamp=2023-06-01T13:16:08.000Z MaxResultTimestamp=2023-06-01T13:25:08.120Z Text=Measurement 228 exceeded threshold 1 for ('Correlation ID' = '<correlation Id>' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Actor' = '<username>') Measurement=228 UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id> CorrelationId=<correlation Id> SystemIdActor=<computer name> UserPseudonymActing=<username> usrName=<username>

Event name: Logon success same Terminal ID with different users
Category: Suspicious Logon V1
Sample message: LEEF:1.0|SAP|ETD|2.0 SP5|Logon success same Terminal ID with different users (http://demo)|devTime=2023-06-01T13:20:12.146Z devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSX cat=Suspicious Logon V1 PatternId=700000000000000001234567891234567 PatternType=FLAB AlertId=2382287 sev=4 MinResultTimestamp=2023-06-01T12:51:06.000Z MaxResultTimestamp=2023-06-01T13:20:06.941Z Text=Measurement 2 reached threshold 2 for ('Network, Hostname, Initiator' = '<hostname>' / 'System ID, Actor' = '<computer name>') Measurement=2 UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id> NetworkHostnameInitiator=<hostname> SystemIdActor=<computer name>

Event name: SAP HANA Partitioning unsuccessful Health Check
Category: Health Checks
Sample message: LEEF:1.0|SAP|ETD|2.0 SP5|SAP HANA Partitioning unsuccessful Health Check (http://exm.com/qradar)|devTime=2023-05-30T12:05:50.176Z devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSX cat=Health Checks PatternId=500000000000000001234567891234567 PatternType=FLAB AlertId=2381877 sev=7 MinResultTimestamp=2023-05-30T12:05:28.000Z MaxResultTimestamp=2023-05-30T12:05:28.000Z Text=Measurement 5 exceeded threshold 1 for 'System ID' = 'ABC' Measurement=5 UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id> systemId=ABC

Event name: Security relevant policy changes
Category: Security relevant policy changes
Sample message: LEEF:1.0|SAP|ETD|2.0 SP5|Security relevant policy changes (http://example.com/qradar/basis)|devTime=2023-05-30T12:11:30.015Z devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSX cat=Configuration PatternId=300000000000000001234567891234567 PatternType=FLAB AlertId=2381879 sev=7 MinResultTimestamp=2023-05-30T12:07:05.000Z MaxResultTimestamp=2023-05-30T12:07:05.000Z Text=Measurement 1 reached threshold 1 for ('Event (Semantic)' = 'System Admin, Audit Policy, Alter' / 'Network, Hostname, Initiator' = '<hostname>' / 'System ID, Actor' = '<computer name>' / 'System Type, Actor' = 'ABCD') Measurement=1 UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id> EventSemantic=System Admin, Audit Policy, Alter NetworkHostnameInitiator=<hostname> SystemIdActor=<computer name> SystemTypeActor=<computer name>

Event name: Audit Slot deactivated in critical system Roles
Category: Audit Configuration Changes
Sample message: LEEF:1.0|SAP|ETD|2.0 SP5|Audit Slot deactivated in critical system Roles (http://demo)|devTime=2023-05-30T12:12:06.402Z devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSX cat=Audit Configuration Changes PatternId=400000000000000001234567891234567 PatternType=FLAB AlertId=2381889 sev=10 MinResultTimestamp=2023-05-30T12:07:05.000Z MaxResultTimestamp=2023-05-30T12:07:05.000Z Text=Measurement 1 reached threshold 1 for ('Network, Hostname, Initiator' = '<hostname>' / 'Network, IP Address, Initiator' = 'null' / 'Parameter Name' = 'Audit Slot' / 'Parameter Value, String' = '4' / 'System Group, Role, Actor' = 'Production' / 'System ID, Actor' = '<computer name>') Measurement=1 UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id> NetworkHostnameInitiator=<hostname> NetworkIPAddressInitiator=null ParameterName=Audit Slot ParameterValueString=4 SystemGroupRoleActor=Production SystemIdActor=<computer name>

Event name: Low Log Amount per system
Category: Log Failure
Sample message: LEEF:1.0|SAP|ETD|2.0 SP5|Low Log Amount per system (http://demo)|devTime=2023-05-30T12:20:15.280Z devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSX cat=Log Failure PatternId=92408893B4EED249A21219D645F55C77 PatternType=FLAB AlertId=2381894 sev=4 MinResultTimestamp=2023-05-30T12:11:26.546Z MaxResultTimestamp=2023-05-30T12:15:52.530Z Text=Measurement 9 exceeded threshold 50 for ('Event, Log Type' = 'Indicator' / 'System ID, Actor' = '<computer name>') Measurement=9 UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id> EventLogType=Indicator SystemIdActor=<computer name>

Event name: RFC calls from non-productive systems
Category: Cross Communication
Sample message: LEEF:1.0|SAP|ETD|2.0 SP5|RFC calls from non-productive to productive systems (http://exm.com/qradar/basis)|devTime=2023-06-01T13:25:12.896Z devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSX cat=Cross Communication PatternId=10000000000000000123456789123456 PatternType=FLAB AlertId=2382290 sev=4 MinResultTimestamp=2023-06-01T13:16:08.000Z MaxResultTimestamp=2023-06-01T13:23:08.000Z Text=Measurement 8 exceeded threshold 1 for ('Service, Function Name' = 'SUSR_SUIM_API_NAME' / 'System ID, Actor' = '<computer name>' / 'User Pseudonym, Actor' = '<username>') Measurement=8 UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id> ServiceFunctionName=SUSR_SUIM_API_NAME SystemIdActor=<computer name> UserPseudonymActing=<username> usrName=<username>
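As an added illustration (not SAP's, IBM's or QRadar's own code), a small Python parser for the ETD records above: it splits the five pipe-delimited LEEF header fields without tripping over the '|' inside UiLink, reads the space-separated attributes even though the Text and UiLink values themselves contain spaces and '=', and extracts the measurement/threshold pair from Text so alerts can be ranked by sev. The two embedded records are abridged copies of the Audit Slot and Low Log Amount samples from the table.

```python
import re
# Abridged copies of two sample messages from the table above (Audit Slot
# deactivated, sev 10; Low Log Amount, sev 4), embedded so the code runs offline.
SAMPLES = [
    "LEEF:1.0|SAP|ETD|2.0 SP5|Audit Slot deactivated in critical system Roles (http://demo)|"
    "devTime=2023-05-30T12:12:06.402Z devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSX "
    "cat=Audit Configuration Changes PatternType=FLAB AlertId=2381889 sev=10 "
    "Text=Measurement 1 reached threshold 1 for ('Parameter Name' = 'Audit Slot' / "
    "'System Group, Role, Actor' = 'Production' / 'System ID, Actor' = '<computer name>') "
    "Measurement=1 UiLink=null/sap/hana/uis/clients/ushell-app/shells/xxxx/xxxxLaunchpad.html"
    "?siteId=exp.com.ui.mobile.launchpad|ETDLaunchpad#AlertDetails-show?alert=<Alert Id> "
    "ParameterName=Audit Slot SystemGroupRoleActor=Production SystemIdActor=<computer name>",
    "LEEF:1.0|SAP|ETD|2.0 SP5|Low Log Amount per system (http://demo)|"
    "devTime=2023-05-30T12:20:15.280Z cat=Log Failure AlertId=2381894 sev=4 "
    "Text=Measurement 9 exceeded threshold 50 for ('Event, Log Type' = 'Indicator' / "
    "'System ID, Actor' = '<computer name>') Measurement=9 EventLogType=Indicator "
    "SystemIdActor=<computer name>",
]

HEADER_FIELDS = ("version", "vendor", "product", "product_version", "event_id")
# A value runs until the next " key=" token: these samples separate attributes with
# spaces although Text and UiLink values contain spaces, '=' and '|' of their own.
ATTR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
TEXT_RE = re.compile(r"Measurement (\d+) (?:reached|exceeded) threshold (\d+)")

def parse_leef(line):
    """Split one LEEF 1.0 record into its five header fields plus an attribute dict."""
    parts = line.strip().split("|", 5)  # only the first five '|' belong to the header
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError(f"not a LEEF record: {line[:40]!r}")
    event = dict(zip(HEADER_FIELDS, parts[:5]))
    event["version"] = event["version"][len("LEEF:"):]
    event["attrs"] = dict(ATTR_RE.findall(parts[5]))
    return event

def threshold_info(event):
    """Return (measurement, threshold) parsed from the free-text Text attribute, or None."""
    m = TEXT_RE.search(event["attrs"].get("Text", ""))
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(lines, min_sev=7):
    """(AlertId, event name, sev) for alerts at or above min_sev, highest sev first."""
    hits = []
    for line in lines:
        event = parse_leef(line)
        sev = int(event["attrs"].get("sev", 0))
        if sev >= min_sev:
            hits.append((event["attrs"]["AlertId"], event["event_id"], sev))
    return sorted(hits, key=lambda hit: -hit[2])
```

Calling `triage(SAMPLES)` returns only the sev 10 Audit Slot alert; lowering `min_sev` to 4 returns both records, highest severity first.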