Data Description

The RSUSR003 event is used in SAP to check the passwords of standard users in all clients.

Potential Use Cases

This event could be used for the following scenarios:

  • Do determine if the standard users still have their default passwords.

  • If the standard users have well-known passwords.

  • To determine if of the standard users is locked.

Splunk Event

The event will look like this in Splunk:

SAP Navigation

Navigate to this data by using the RSUSR003 t-code. THen enter the user selection parameters, and select the Execute button.

The data below will match the data that is sent to Splunk.

Field Mapping

The field mapping between the data from SAP and values in Splunk can be seen in the table below:

Field

Description

Unit of Measure

CURRENT_TIMESTAMP

The date time stamp when the information was collected

YYYYMMDDHHMMSS

EVENT_SUBTYPE

String

EVENT_TYPE

RSUSR003

String

LOCKED

Whether or not the user is locked

String

LOCKREASON

The reason why the user is locked

String

MANDT

Client

String

PWSTATUS

The user’s password status

String

UNSUCESSLOGINS

The number of unsuccessful logins for the user

Number (count)

USERNAME

User Name

String

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -

VALIDFRM

The date the user is valid from

YYYYMMDD

VALIDTO

The date the user is valid until

YYYYMMDD