The RSUSR200 event is used in SAP to view the list of users by log-in date and password change information.
Potential Use Cases
This event could be used for the following scenarios:
Determine if there is abnormal log-in activity in the system.
Correlate the log-in data with other SAP Security system data to identify potential security threats.
Visualize inactive users in the system.
Understand if someone is attempting do a brute force log-in.
Identify which users need to change their passwords based on password aging.
The event will look like this in Splunk:
Navigate to this data by using the RSUSR200 transaction code. Then enter the desired selection parameters and the Execute button.
The data displayed below will match with what you see in Splunk.
The field mapping between the data from SAP and values in Splunk can be seen in the table below:
Unit of Measure
Creator of the User Master Record
Date of Last Password Change
User Name in User Master Record
User group in user master maintenance
The date time stamp when the information was collected
Creation Date of the User Master Record
User valid to
User valid from
Reason for the user lock
Whether the user is locked
Number of failed logon attempts
Last Logon Time
Password Change: Required / Allowed / Not Possible
Last Logon Date
User Type Description
The UTC OFFSSET in HHMMSS that the data was collected in
The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.
+ | -