The SICFCHK event is used to get SICF Public Services as well as Services with Logon Data.
Potential Use Cases
This event could be used in the following scenarios:
To determine which services are activated and which are deactivated
To identify ICF security risks and which services should be deactivated
To correlate ADS connection failures with other system activities
To review the ICF services that do not require authentication
To compare ICF services against the SAP Security Baseline (the SAP Security Notes that recommend which services should be deactivated)
Extraction of inactive services as well as snapshot data can be activated or deactivated using the Metric Configuration. To do this, log into the managed system and execute the /n/BNWVS/MAIN transaction. Then, go to Administrator → Setup Metric → Metric Configuration.
Activate or deactivate the inactive services and snapshot data extraction in the screen below. If Snapshot is deactivated (blank), only the delta services are extracted, that is, the services that were added or changed within the extraction time range.
The event will look like this in Splunk:
Log into the managed system and execute the report RSICFCHK to check the SICF Services details.
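The snapshot/delta behaviour and the review use cases above can be combined into one check. The following is an added example, not part of the product or of the original page: the field names (TS, SERVICE_PATH, ACTIVE, PUBLIC, LOGON_USER, SNAPSHOT) are hypothetical stand-ins for the SICFCHK event fields, and both the events and the baseline entries are constructed samples.

```python
# Added example. Field names are hypothetical stand-ins for the SICFCHK event
# fields; the baseline holds sample entries only (take the real list from the
# SAP Security Notes your baseline references).
BASELINE_DEACTIVATE = {"/sap/bc/echo", "/sap/bc/soap/rfc", "/sap/public/info"}

def ev(ts, path, active, public=False, logon_user="", snapshot=False):
    """Build one constructed event."""
    return {"TS": ts, "SERVICE_PATH": path, "ACTIVE": active,
            "PUBLIC": public, "LOGON_USER": logon_user, "SNAPSHOT": snapshot}

# Constructed sample: one full snapshot, then a delta extraction a day later.
SAMPLE_EVENTS = [
    ev("2024-01-01T00:00", "/sap/public/info", True, public=True, snapshot=True),
    ev("2024-01-01T00:00", "/sap/bc/echo", True, snapshot=True),
    ev("2024-01-01T00:00", "/sap/bc/soap/rfc", False, snapshot=True),
    ev("2024-01-01T00:00", "/sap/bc/zcustom", True, logon_user="SVC_USER", snapshot=True),
    ev("2024-01-02T00:00", "/sap/bc/echo", False),     # deactivated since snapshot
    ev("2024-01-02T00:00", "/sap/bc/soap/rfc", True),  # activated since snapshot
]

def current_state(events):
    """Rebuild the latest record per service from snapshot and delta events."""
    state, last_snap = {}, None
    for e in sorted(events, key=lambda x: x["TS"]):
        if e["SNAPSHOT"] and e["TS"] != last_snap:
            state, last_snap = {}, e["TS"]  # a new full snapshot supersedes older data
        state[e["SERVICE_PATH"].lower()] = e  # a delta overwrites only what changed
    return state

def findings(events, baseline=BASELINE_DEACTIVATE):
    """Return (path, reasons) for every active service that needs review."""
    out = []
    for path, e in sorted(current_state(events).items()):
        if not e["ACTIVE"]:
            continue
        reasons = []
        if e["PUBLIC"]:
            reasons.append("public service")
        if e["LOGON_USER"]:
            reasons.append("stored logon data")
        if path in baseline:
            reasons.append("on deactivation baseline")
        if reasons:
            out.append((path, reasons))
    return out

if __name__ == "__main__":
    for path, reasons in findings(SAMPLE_EVENTS):
        print(path, "->", ", ".join(reasons))
```

With Snapshot deactivated, only delta events arrive, so the result covers just the services that changed in the extraction window and services that were already active before it are not reported.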