Data Description

The USH02 event is used in SAP to view change history for log-on data.

Potential Use Cases

This event could be used for the following scenarios:

  • Determine if user passwords are set to the initial value.

  • Understand modifications to user accounts.

  • Correlate the data with other system activity to identify potential security threats.

  • Determine how user accounts are being modified.

Splunk Event

The event will look like this in Splunk:

SAP Navigation

Navigate to this data by using the SE16 transaction code. Then enter USH02 in the Table Name field and hit the Enter key on your keyboard.

Then enter the desired selection parameters and click the Execute button.

The data displayed below will match what you see in Splunk.

Field Mapping

The field mapping between the data from SAP and values in Splunk can be seen in the table below:

| Field | Description | Unit of Measure |
| --- | --- | --- |
| ACCNT | Account ID | String |
| BNAME | User Name in User Master Record | String |
| CLASS | User group in user master maintenance | String |
| CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
| EVENT_SUBTYPE | | String |
| EVENT_TYPE | USH02 | String |
| GLTGB | User valid to | YYYYMMDD |
| GLTGV | User valid from | YYYYMMDD |
| MODBE | Last changed by | String |
| MODDA | Modification date | HHMMSS |
| MODTI | Modification time | YYYYMMDD |
| PWDINITIAL | Indicator: Password Is Initial | 0 \| 1 |
| REPID | ABAP Program Name | String |
| TCODE | Transaction code used to modify account | String |
| UFLAG | User Lock Status | String |
| USTYP | User type | String |
| UTCDIFF | The UTC offset in HHMMSS that the data was collected in | HHMMSS |
| UTCSIGN | The UTC positive or negative offset indicator. Positive (+) means add UTCDIFF to find the time zone of the data; negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in. | + \| - |
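
The following is an added example, not part of the original page or the product's own code. It applies two of the use cases above to USH02 events held as Python dicts keyed by the field names in the field mapping: it lists change records with PWDINITIAL set to 1 and counts changes per MODBE/TCODE pair. The sample events are constructed, and treating CURRENT_TIMESTAMP as the SAP system's local time is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events using the USH02 field names (not real data).
EVENTS = [
    {"BNAME": "JDOE", "MODBE": "ADMIN01", "TCODE": "SU01", "PWDINITIAL": "1",
     "CURRENT_TIMESTAMP": "20240305141500", "UTCDIFF": "010000", "UTCSIGN": "+"},
    {"BNAME": "JDOE", "MODBE": "JDOE", "TCODE": "SU3", "PWDINITIAL": "0",
     "CURRENT_TIMESTAMP": "20240305150000", "UTCDIFF": "010000", "UTCSIGN": "+"},
    {"BNAME": "SVC_RFC", "MODBE": "ADMIN01", "TCODE": "SU10", "PWDINITIAL": "1",
     "CURRENT_TIMESTAMP": "20240304233000", "UTCDIFF": "050000", "UTCSIGN": "-"},
]

def collected_utc(ev):
    """Convert CURRENT_TIMESTAMP to UTC with UTCSIGN/UTCDIFF.

    Assumption: CURRENT_TIMESTAMP is the SAP system's local time, so a '+'
    sign means local = UTC + UTCDIFF and the offset is subtracted here.
    """
    local = datetime.strptime(ev["CURRENT_TIMESTAMP"], "%Y%m%d%H%M%S")
    d = ev["UTCDIFF"]
    offset = timedelta(hours=int(d[0:2]), minutes=int(d[2:4]), seconds=int(d[4:6]))
    if ev["UTCSIGN"] == "-":
        offset = -offset
    return (local - offset).replace(tzinfo=timezone.utc)

def initial_password_changes(events):
    """Change records that left the account with an initial password."""
    findings = []
    for ev in events:
        if str(ev.get("PWDINITIAL", "0")) != "1":
            continue
        findings.append({
            "user": ev["BNAME"],
            "changed_by": ev["MODBE"],
            "tcode": ev.get("TCODE", ""),
            "changed_by_other": ev["MODBE"] != ev["BNAME"],  # not a self-service change
            "collected_utc": collected_utc(ev).isoformat(),
        })
    return sorted(findings, key=lambda f: f["collected_utc"])

def changes_by_actor(events):
    """Count change records per (MODBE, TCODE): who modifies accounts, and how."""
    return Counter((ev["MODBE"], ev.get("TCODE", "")) for ev in events)

if __name__ == "__main__":
    for finding in initial_password_changes(EVENTS):
        print(finding)
    print(changes_by_actor(EVENTS).most_common())
```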