This is the original content release for the SAP PowerConnect Content Pack for Splunk Enterprise Security. Default settings are provided for all content, and each customer is encouraged to adapt this content to their own implementation of Enterprise Security.
Companion PowerConnect Splunk App Version
Account High Transaction Failure
(SM20) Detects a high number of transaction failures by an account within the configured timeframe.
Account Multiple Login Failures
(SM20) Detects multiple login failures from a user account on an SAP system.
Admin Profile Assigned
(SUIM) Detects assignment of an administrative profile to a user in SAP.
Audit Log Deletion
(SM20) Detects an audit log deletion.
(STRUST) Detects expired SSL certificates.
Client Open for Change
(SCC4) Detects when an SAP client has been opened for changes.
Debug Mode Execution
(SM21_LOG) Detects execution of debug mode on SAP systems.
Dialog User Password Expiration Violation
(RSUSR200) Detects when an SAP Dialog user is violating the password expiration policy.
(SM20) Detects data downloads from SAP systems, a possible indicator of data exfiltration.
Initial or Well-Known Password
(RSUSR003) Detects when an account password is too common or has not yet been reset from its initial state.
Logical Path Access Failure
(SM20) Detects logical path access failure in an SAP system.
Many Accounts One Terminal
(SM04) Detects multiple accounts logging in from a single terminal.
Namespace Open for Change
(SE06) Detects when an SAP namespace is open for change.
New Client Created
(SCC4) Detects a new client in SAP.
New User Created
(SUIM) Detects creation of a new user in SAP.
One Account Many Geos
(SM04) Detects one account logging in from multiple geographies.
One Account Many Terminals
(SM04) Detects one account logging in from multiple terminals.
Privileged Account Login
(SM20) Detects login events for privileged SAP accounts SAP* and DDIC.
Password Reset for Non-Dialog Users
(RSUSR200) Detects password reset on a non-dialog user in SAP.
Sensitive Role Assigned
(SUIM) Detects assignment of a sensitive user role in SAP. Uses the PowerConnect app's "sensitive_user_roles" lookup to define sensitive roles.
Sensitive Transaction Execution
(STAD) Detects execution of a set of predefined sensitive transactions. Uses the PowerConnect app's "sensitive_tcodes" lookup to define sensitive transactions.
User Type Changed
(SUIM) Detects change in user type in SAP.
(SUIM) Detects user unlocks in SAP.
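The searches above ship as Splunk correlation searches (SPL over the PowerConnect sourcetypes), which this page does not reproduce. As an added example, not code from the content pack or from the PowerConnect app, the block below re-implements four of the listed detections in plain Python over constructed SM20-style audit events and SM04-style session records, so the sliding-window threshold (Account Multiple Login Failures), the fixed account list (Privileged Account Login) and the distinct-count grouping (Many Accounts One Terminal, One Account Many Terminals) can be inspected and run offline. The field names (ts, user, terminal, event, result), the sample data and the thresholds are all assumptions made for this example; the real searches use whatever field extractions the PowerConnect app provides.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Named on the page as the accounts the "Privileged Account Login" search watches.
PRIVILEGED_ACCOUNTS = {"SAP*", "DDIC"}

# Constructed SM20-style security audit events (sample data, not real PowerConnect output).
# Field names are assumptions made for this example.
SM20_EVENTS = [
    {"ts": "2024-03-01T08:00:00", "user": "JSMITH", "terminal": "WS-101", "event": "LOGIN", "result": "FAIL"},
    {"ts": "2024-03-01T08:01:00", "user": "JSMITH", "terminal": "WS-101", "event": "LOGIN", "result": "FAIL"},
    {"ts": "2024-03-01T08:02:00", "user": "JSMITH", "terminal": "WS-101", "event": "LOGIN", "result": "FAIL"},
    {"ts": "2024-03-01T08:09:00", "user": "JSMITH", "terminal": "WS-101", "event": "LOGIN", "result": "FAIL"},
    {"ts": "2024-03-01T08:12:00", "user": "JSMITH", "terminal": "WS-101", "event": "LOGIN", "result": "FAIL"},
    {"ts": "2024-03-01T08:13:00", "user": "JSMITH", "terminal": "WS-101", "event": "LOGIN", "result": "FAIL"},
    {"ts": "2024-03-01T08:00:00", "user": "ADOE", "terminal": "WS-102", "event": "LOGIN", "result": "FAIL"},
    {"ts": "2024-03-01T08:30:00", "user": "ADOE", "terminal": "WS-102", "event": "LOGIN", "result": "FAIL"},
    {"ts": "2024-03-01T08:31:00", "user": "ADOE", "terminal": "WS-102", "event": "LOGIN", "result": "SUCCESS"},
    {"ts": "2024-03-01T09:00:00", "user": "DDIC", "terminal": "WS-ADM", "event": "LOGIN", "result": "SUCCESS"},
    {"ts": "2024-03-01T09:05:00", "user": "SAP*", "terminal": "WS-ADM", "event": "LOGIN", "result": "FAIL"},
    {"ts": "2024-03-01T09:06:00", "user": "JSMITH", "terminal": "WS-101", "event": "TCODE", "result": "SUCCESS"},
]

# Constructed SM04-style active session records (sample data, assumed field names).
SM04_SESSIONS = [
    {"user": "JSMITH", "terminal": "WS-101"},
    {"user": "ADOE", "terminal": "WS-101"},
    {"user": "BKIM", "terminal": "WS-101"},
    {"user": "BKIM", "terminal": "WS-101"},      # second session for the same user; distinct counts ignore it
    {"user": "SVC_BATCH", "terminal": "WS-201"},
    {"user": "SVC_BATCH", "terminal": "WS-202"},
    {"user": "SVC_BATCH", "terminal": "WS-203"},
    {"user": "CLEE", "terminal": "WS-301"},
]


def multiple_login_failures(events, threshold=4, window=timedelta(minutes=10)):
    """Account Multiple Login Failures: for each account, the largest number of failed
    logins that fall inside any sliding window of `window` length. Returns only the
    accounts whose peak count reaches `threshold` (illustrative default)."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN" and e["result"] == "FAIL":
            failures[e["user"]].append(datetime.fromisoformat(e["ts"]))
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until the window spans at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def privileged_logins(events):
    """Privileged Account Login: every login event, successful or not, by SAP* or DDIC."""
    return [(e["ts"], e["user"], e["terminal"], e["result"])
            for e in events
            if e["event"] == "LOGIN" and e["user"] in PRIVILEGED_ACCOUNTS]


def many_accounts_one_terminal(sessions, min_accounts=3):
    """Many Accounts One Terminal: terminals with at least `min_accounts` distinct users."""
    users_by_terminal = defaultdict(set)
    for s in sessions:
        users_by_terminal[s["terminal"]].add(s["user"])
    return {t: sorted(u) for t, u in users_by_terminal.items() if len(u) >= min_accounts}


def one_account_many_terminals(sessions, min_terminals=3):
    """One Account Many Terminals: users with sessions on at least `min_terminals` distinct terminals."""
    terminals_by_user = defaultdict(set)
    for s in sessions:
        terminals_by_user[s["user"]].add(s["terminal"])
    return {u: sorted(t) for u, t in terminals_by_user.items() if len(t) >= min_terminals}


if __name__ == "__main__":
    print("multiple login failures:", multiple_login_failures(SM20_EVENTS))
    print("privileged logins:", privileged_logins(SM20_EVENTS))
    print("many accounts, one terminal:", many_accounts_one_terminal(SM04_SESSIONS))
    print("one account, many terminals:", one_account_many_terminals(SM04_SESSIONS))
```

Two points the sample data is built to show: JSMITH has six failures in total but never more than four inside any ten-minute window, so the count that matters is the peak per window, not the total over the search range; and BKIM's duplicate session on WS-101 must not be counted twice, which is why the terminal and account checks use distinct sets. When tuning the shipped searches, the threshold, the window and the sensitive-account list are the parameters to adapt per installation, as the release note at the top of this page recommends.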
A misconfiguration in this release causes all correlation searches to be treated as orphaned searches (searches whose owner does not exist or lacks the required permissions). They will not run until each search is reassigned to a valid owner. For more information on resolving this issue, see KB 174 (Splunk): Orphaned Correlation Searches in ES Content Pack Not Generating Notable Events.
This is an in-development product. We have done our best to adhere to Splunk ES best practices, and we hope our PowerConnect customers will make use of this content in their Enterprise Security installations. We welcome customer feedback to optimize or improve the content pack.