The USH02 event is used in SAP to view change history for log-on data.
Potential Use Cases
This event could be used for the following scenarios:
Determine if user passwords are set to the initial value.
Understand modification to user accounts.
Correlate the data with other system activity to identify potential security threats.
Determine how user accounts are being modified.
The event will look like this in Splunk:
Navigate to this data by using the SE16 transaction code. Then enter USH02 in the Table Name field and hit the Enter key on your keyboard.
Then enter the desired selection parameters, and the Execute button.
The data displayed below will match with what you see in Splunk.