Data Description

The SM04 event captures the list of logged-in users that SAP displays in transaction SM04.

Potential Use Cases

This event could be used in the following scenarios:

  • Identify potential security threats from user log-in events.

  • Trend user log-ins over time.

Splunk Event

The event will look like this in Splunk:

SAP Navigation

Log into the managed system and execute the SM04 transaction code. The data that is displayed will match the data that is extracted and sent to Splunk.

Field Mapping

| Field | Description | Unit of Measure |
| --- | --- | --- |
| ACT_PROGRAM | Name of Main Program | String |
| APPLICATION | Application | String |
| APPL_INFO | Application information | String |
| BNAME | User Name | String |
| CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
| EVENT_SUBTYPE | | String |
| EVENT_TYPE | SM04 | String |
| EXTMODI | Task Handler: Number of External or Internal Modes | Number |
| EXT_STYPE | Session subtype | String |
| EXT_TIME | Last request time | DD.MM.YYYY HH:MM:DD |
| EXT_TRACE | Session trace state flag | Boolean |
| EXT_TYPE | Logon type description | String |
| GUIVERSION | Version of SAPGUI | Number |
| HOSTADDR | IP Address | IP Address |
| INSTANCE_NAME | Application Server Instance | String |
| INTMODI | Task Handler: Number of External or Internal Modes | Number |
| LOCATION_INFO | Location information (terminal) | String |
| LOGON_HDL | Logon Handle | Number |
| LOGON_ID | Logon ID | Number |
| LOGON_PRIVILEGE | Logon Privilege | String |
| MANDT | Client | Number |
| MASTER | Obsolete | String |
| OPEN_TASKS | Open tasks | Number (Count) |
| PRIORITY | Priority | String |
| PROTOCOL | Logon Protocol of Plugin | Number |
| RFC_HDL | RFC Handle | Number |
| RFC_TYPE | Type of RFC Logon | String |
| RFC_TYPE_LONG | Type of RFC Logon | String |
| SECURITY_CONTEXT | Security context index | YYYY-MM-DD HH:MM:SS |
| SERVER_NAME | Server name | String |
| SESSIONS | Number of sessions | Number (Count) |
| SESSION_HDL | RFC Handle | Number |
| SESSION_KEY | Session key | String |
| SESSION_TYPE | Session Type | String |
| STAT | Status of System Logon | Number |
| TCODE | TCODE | String |
| TENANT | Client | Number |
| TERM | Terminal ID | String |
| TID | Terminal ID | Number |
| TOTAL_MEM_ABAP_KB | ABAP Memory | Number (kilobytes) |
| TOTAL_MEM_BRUTTO_KB | Total amount of session memory | Number (kilobytes) |
| TOTAL_MEM_HEAP_KB | Heap Memory | Number (kilobytes) |
| TOTAL_MEM_HYPER_KB | Hyper Memory | Number (kilobytes) |
| TOTAL_MEM_KB | Total Memory | Number (kilobytes) |
| TRACE | User trace | Boolean |
| TYPE | Type of Logon | Number |
| USER_NAME | User Name | String |
| UTCDIFF | The UTC offset, in HHMMSS, that the data was collected in | HHMMSS |
| UTCSIGN | The UTC positive or negative offset indicator. Positive (+) means add UTCDIFF to find the time zone of the data; negative (-) means subtract UTCDIFF to find the time-zone-adjusted date time the data was collected in. | + or - |
| WEBSOCKET_HANDLE | Websocket Handle | String |
| ZEIT | Dialog time in SM04 | HHMMSS |
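As an added example (not part of the original documentation or the product's own code), the sketch below applies the first use case: it normalizes CURRENT_TIMESTAMP to UTC using UTCSIGN and UTCDIFF, then flags any user (MANDT, BNAME) seen from more than one HOSTADDR within a short window. It assumes events arrive as key-value records, that CURRENT_TIMESTAMP is in the local time described by UTCSIGN/UTCDIFF, and that a 5-minute window is appropriate; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data); only fields from the mapping table are used.
EVENTS = [
    {"EVENT_TYPE": "SM04", "MANDT": "100", "BNAME": "JDOE", "HOSTADDR": "10.0.4.17",
     "CURRENT_TIMESTAMP": "20240305143000", "UTCSIGN": "+", "UTCDIFF": "010000"},
    {"EVENT_TYPE": "SM04", "MANDT": "100", "BNAME": "JDOE", "HOSTADDR": "192.0.2.44",
     "CURRENT_TIMESTAMP": "20240305083000", "UTCSIGN": "-", "UTCDIFF": "050000"},
    {"EVENT_TYPE": "SM04", "MANDT": "100", "BNAME": "ASMITH", "HOSTADDR": "10.0.4.23",
     "CURRENT_TIMESTAMP": "20240305143000", "UTCSIGN": "+", "UTCDIFF": "010000"},
]

def to_utc(event):
    """Convert CURRENT_TIMESTAMP to UTC (assumption: it is local time, offset = UTCSIGN UTCDIFF)."""
    local = datetime.strptime(event["CURRENT_TIMESTAMP"], "%Y%m%d%H%M%S")
    d = event["UTCDIFF"]
    offset = timedelta(hours=int(d[0:2]), minutes=int(d[2:4]), seconds=int(d[4:6]))
    if event["UTCSIGN"] == "-":
        offset = -offset
    elif event["UTCSIGN"] != "+":
        raise ValueError(f"unexpected UTCSIGN: {event['UTCSIGN']!r}")
    # local = UTC + offset, so UTC = local - offset
    return (local - offset).replace(tzinfo=timezone.utc)

def multi_host_users(events, window=timedelta(minutes=5)):
    """Return {(MANDT, BNAME): [hosts]} for users seen from >1 HOSTADDR within `window`."""
    seen = defaultdict(list)
    for e in events:
        if e.get("EVENT_TYPE") != "SM04" or not e.get("HOSTADDR"):
            continue  # skip other event types and sessions without a client address
        seen[(e["MANDT"], e["BNAME"])].append((to_utc(e), e["HOSTADDR"]))
    flagged = {}
    for key, rows in seen.items():
        rows.sort()  # order by normalized UTC time
        hosts = set()
        for i, (t1, h1) in enumerate(rows):
            for t2, h2 in rows[i + 1:]:
                if t2 - t1 > window:
                    break
                if h1 != h2:
                    hosts.update((h1, h2))
        if hosts:
            flagged[key] = sorted(hosts)
    return flagged

if __name__ == "__main__":
    for (mandt, user), hosts in multi_host_users(EVENTS).items():
        print(f"client {mandt} user {user} active from {', '.join(hosts)}")
```

The two JDOE records carry different local timestamps but resolve to the same UTC instant, which is why the offset fields must be applied before correlating sessions across application servers.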