
Release Notes: SAP PowerConnect Content Pack for Splunk Enterprise Security

1.3.0

Companion PowerConnect Splunk App Version

  • 8.3.0

New Correlation Searches

  • User with multiple composite roles

    • (SU01) Scans user security config to determine when a user has been assigned multiple composite roles.

  • Potential Duplicate Users

    • (SU01) Scans user security configuration data to detect accounts with identical first and last names.

Updates

  • All searches have now been provided with additional information to assist investigation of security incidents. This includes the saved search object’s description and the Next Steps prompt in notable events.

1.2.0

This is a bugfix for the SAP PowerConnect Content Pack for Splunk Enterprise Security. Default settings are provided for all content, and it is encouraged that each customer adapt this content to their implementation of Enterprise Security.

Companion PowerConnect Splunk App Version

  • 8.0.0

New Correlation Searches

  • Certificate Changes

    • (STRUST_HISTORY) Detects certificate object changes in SAP

1.1.1

This is a bugfix for the SAP PowerConnect Content Pack for Splunk Enterprise Security. Default settings are provided for all content, and it is encouraged that each customer adapt this content to their implementation of Enterprise Security.

Companion PowerConnect Splunk App Version

  • 7.3.0

Fixes

  • User Change correlation search corrected to intended default configuration.

1.1.0

Companion PowerConnect Splunk App Version

  • 7.3.0

New

  • Connectivity Object Change

    • (UCON_LOG) Detects connectivity object changes in SAP.

  • Dynamic Profile Parameter Change

    • (SM21_LOG) Detects changes in dynamic profile parameters.

  • IDOC Removal

    • (SM21_LOG) Detects removal of IDocs in SAP systems.

  • Manual Function Module Execution

    • (SE37_LOG) Indicates function modules that have been executed manually by users in an SAP system.

  • OS Command Change

    • (SM69) Detects execution of an OS command.

  • Profile Change

    • (SUIM) Detects profile change in SAP systems.

  • SM59 Destination Change

    • (SM21_LOG) Detects deletion of SM59 destinations in SAP systems.

  • SM59 Destination Deletion

    • (SM21_LOG) Detects deletion of SM59 destinations in SAP systems.

  • Static Profile Parameter Change

    • (RZ10_LOG) Detects changes to static profile parameters in SAP systems.

  • Transport Added to Import Queue

    • (STMS_TPLOG) Detects when a user adds a transport to the import queue on an SAP system.

  • Transport Removed from Import Queue

    • (STMS_TPLOG) Detects when a user removes a transport from the import queue on an SAP system.

  • User Change

    • (SUIM) Detects user changes in SAP. Does not conflict with correlation searches for admin profile assignments.

Fixes

  • CIM Mapping removed from this app. Mapping in core app modified to share globally.

1.0.1

This is a bugfix for the SAP PowerConnect Content Pack for Splunk Enterprise Security. Default settings are provided for all content, and it is encouraged that each customer adapt this content to their implementation of Enterprise Security.

Companion PowerConnect Splunk App Version

  • 7.1.0

Fixes

  • Resolved the orphaned-search issue that prevented the correlation searches from running and generating Notable Events. A workaround for this has been published for version 1.0.0.

  • Added EULA and README.

1.0.0

This is the original content release for the SAP PowerConnect Content Pack for Splunk Enterprise Security. Default settings are provided for all content, and it is encouraged that each customer adapt this content to their implementation of Enterprise Security.

Companion PowerConnect Splunk App Version

  • 7.1.0

New

  • Correlation Searches

    • Account High Transaction Failure

      • (SM20) Detects a high number of transaction failures in the set timeframe.

    • Account Multiple Login Failures

      • (SM20) Detects multiple login failures from a user account on an SAP system.

    • Admin Profile Assigned

      • (SUIM) Detects assignment of admin profile in SAP.

    • Audit Log Deletion

      • (SM20) Detects an audit log deletion.

    • Certificate Expired

      • (STRUST) Detects expired SSL certificates.

    • Client Open for Change

      • (SCC4) Detects when an SAP client has been opened for a change.

    • Debug Mode Execution

      • (SM21_LOG) Detects execution of debug mode on SAP systems.

    • Dialog User Password Expiration Violation

      • (RSUSR200) Detects when an SAP Dialog user is violating the password expiration policy.

    • File Downloads

      • (SM20) Detects data downloads from SAP systems, indicating potential data theft.

    • Initial or Well-Known Password

      • (RSUSR003) Detects when an account password is too common or has not yet been reset from its initial state.

    • Logical Path Access Failure

      • (SM20) Detects logical path access failure in an SAP system.

    • Many Accounts One Terminal

      • (SM04) Detects multiple accounts logging in from a single terminal.

    • Namespace Open for Change

      • (SE06) Detects when an SAP namespace is open for change.

    • New Client Created

      • (SCC4) Detects a new client in SAP.

    • New User Created

      • (SUIM) Detects creation of a new user in SAP.

    • One Account Many Geos

      • (SM04) Detects one account logging in from multiple geographies.

    • One Account Many Terminals

      • (SM04) Detects one account logging in from multiple terminals.

    • Privileged Account Login

      • (SM20) Detects login events for privileged SAP accounts SAP* and DDIC.

    • Password Reset for Non-Dialog Users

      • (RSUSR200) Detects password reset on a non-dialog user in SAP.

    • Sensitive Role Assigned

      • (SUIM) Detects assignment of a sensitive user role in SAP. Uses the PowerConnect app's "sensitive_user_roles" lookup to define sensitive roles.

    • Sensitive Transaction Execution

      • (STAD) Detects execution of a set of predefined sensitive transactions. Uses the PowerConnect app's "sensitive_tcodes" lookup to define sensitive transactions.

    • User Type Changed

      • (SUIM) Detects change in user type in SAP.

    • User Unlocked

      • (SUIM) Detects user unlocks in SAP.

  • CIM Mapping

Known Issues

  • A misconfiguration in the release has caused all correlation searches to be treated as orphaned searches. They will not run without being assigned to an owner. For more information on resolving this issue, see KB 174 - Orphaned Correlation Searches in ES Content Pack Not Generating Notable Events.

  • This is considered an in-development product. We have done our best to adhere to Splunk ES best practices, and we hope our PowerConnect customers will make use of this content in their Enterprise Security installations. We welcome customer feedback to optimize or improve the content pack.
