The USH02 event is used in SAP to view change history for log-on data.
Potential Use Cases
This event could be used for the following scenarios:
Determine if user passwords are set to the initial value.
Understand modification to user accounts.
Correlate the data with other system activity to identify potential security threats.
Determine how user accounts are being modified.
Splunk Event
The event will look like this in Splunk:
SAP Navigation
Navigate to this data by using the SE16 transaction code. Then enter USH02 in the Table Name field and hit the Enter key on your keyboard.
Then enter the desired selection parameters, and the Execute button.
The data displayed below will match with what you see in Splunk.
Field Mapping
The field mapping between the data from SAP and values in Splunk can be seen in the table below:
Field
Description
Unit of Measure
ACCNT
Account ID
String
BNAME
User Name in User Master Record
String
CLASS
User group in user master maintenance
String
CURRENT_TIMESTAMP
The date time stamp when the information was collected
YYYYMMDDHHMMSS
EVENT_SUBTYPE
String
EVENT_TYPE
USH02
String
GLTGB
User valid to
YYYYMMDD
GLTGV
User valid from
YYYYMMDD
MODBE
Last changed by
String
MODDA
Modification date
HHMMSS
MODTI
Modification time
YYYYMMDD
PWDINITIAL
Indicator: Password Is Initial
0 | 1
REPID
ABAP Program Name
String
TCODE
Transaction code used to modify account
String
UFLAG
User Lock Status
String
USTYP
User type
String
UTCDIFF
The UTC OFFSSET in HHMMSS that the data was collected in
HHMMSS
UTCSIGN
The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.
+ | -
JavaScript errors detected
Please note, these errors can depend on your browser setup.
If this problem persists, please contact our support.
