// Author:          Onapsis
// Version:         1.0
// Last Updated:    11/18/2020
//
// DESCRIPTION:
// This lookup table enriches incidents detected by the Onapsis platform by giving them a description and solution. This is used in the Onapsis Alarms Workbook to help Security Analysts understand what they need to do in response to an incident.
//
// USAGE:
// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window.
// 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter a Function Name.
//    Set the function alias to incident_lookup so this function can be used in the workbook.
//
// REFERENCES: 
// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions

let IncidentLookup = datatable(IncidentName:string, RootCause:string, Solution:string)
[
"Access to authenticated URL without credentials","This incident triggered because a vulnerable authenticated HANA URL was accessed without credentials. \n\nThe URI is vulnerable because it allows the corresponding (backend) SAP software component to be accessed without providing any credentials. This unauthenticated access provides an attacker with the privilege level of that functionality. The consequences will depend on the associated functionality, but they can range from reading or modifying sensitive data, access to administrative or other privileged functionality, or possibly even execution of arbitrary code.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Code Injection vulnerability in Visual Composer 04s iViews","This incident triggered because a URI vulnerable to code injection was accessed with malicious looking parameters. \n\nThe vulnerability allows attackers to inject malicious code into the back-end application by sending a web request by means of a specially crafted URL. By fooling end users to access this URL, unwanted applications could potentially be started on the client machine by an attacker, resulting in remote code execution.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Cross-Site Scripting (XSS) vulnerability in backup function of SAP HANA cockpit","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Dangerous Report Execution","This incident triggered because a vulnerable report was executed. \n\nAn SAP report is an executable program that reads data from the database and generates output based on the filter criteria selected by the end user. \n\nThe fact that a vulnerable report was run may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Dangerous RFC Execution","This incident triggered because a vulnerable Remote Function Call (RFC) was executed. \n\nA Remote Function Call (RFC) is the call or remote execution of a Remote Function Module in an external system. In the SAP system, these functions are provided by the RFC interface system. The RFC interface system enables function calls between two SAP systems. Communication between applications of different systems in the SAP environment includes connections between SAP systems as well as between SAP systems and non-SAP systems. \n\nThe fact that a vulnerable RFC was performed may indicate, but not necessarily confirm, that an attacker is abusing a vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Dangerous Transaction Execution","This incident triggered because a vulnerable transaction code was executed. \n\nEach function in the SAP system has a transaction code (t-code) associated with it. A transaction code consists of letters, numbers, or both. A transaction code is used to access functions or running programs in the SAP application more rapidly. By entering a t-code instead of using the menu, navigation and execution are combined into a single step. \n\nThe fact that a vulnerable transaction code was run may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Hardcoded Credential in Report","This incident triggered because a vulnerable report was called with a suspicious username. \n\nA report is a presentation of data in an organized structure. The report interface allows users to call reports from other SAP application components. \n\nIn this case the called report's program code contains a hard-coded credential. By calling the report with the hard-coded username, malicious users can be successfully authenticated and access parts of the systems not intended for them. \n\nThe fact that the report was called with a hard-coded username may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Host Header injection in SAP HANA","This incident triggered because an URI vulnerable to SQL injection was accessed. \n\nThe vulnerability concerns one of several vulnerabilities in the HANA User Self Service (USS) functionality. Through successful exploitation of these vulnerabilities, an unauthenticated attacker would be able to impersonate other users, even those of high privileged accounts. If exploited, these vulnerabilities allow an attacker, whether inside or outside the organization, to take full control of the SAP HANA platform remotely, without the need of a username and password. This level of access allows an attacker to take over business information and processes supported by HANA. This included creating, stealing, altering, and/or deleting sensitive information. If this risk is exploited, organizations may face severe business consequences. \n","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Information disclosure using the 'Download Snapshot' service of HANA cockpit for offline administration","This incident triggered because a vulnerable URI was accessed. \n\nBy accessing the URI in a specialized way, an attacker can discover information relating to the system. This information may be used by an attacker to specialize their attack and target security-relevant data. \n\nThe fact that a vulnerable URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"J2EE Invoker Servlet","This incident triggered because the Invoker Servlet was accessed. \n\nThe SAP Java 2 Platform Enterprise Edition (J2EE) Application Server has a wide set of built-in functionality, providing a comprehensive framework of libraries and services to support the development and deployment of Java applications. One of these functionalities is the Invoker Servlet, which is part of the standard J2EE specification of Sun (now Oracle). It was conceived as a rapid development instrument, allowing developers to test their custom Java applications very quickly. \n\nWhen enabled, this feature allows anyone to call specific applications without requiring authentication, which implies a security risk. The Invoker Servlet attack (sometimes referred to as the Invoker Servlet Detour) is the vulnerability caused by the previously mentioned feature and allows remote malicious hackers to bypass authentication mechanisms and perform unauthorized business activities via the vulnerable SAP applications. The potential impact of its exploitation is the complete compromise of the SAP system.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Missing XML Validation in Composite Application Framework Authorization Tool","This incident triggered because a vulnerable URI was accessed. \n\nThe vulnerable component which is accessed through the URI does not sufficiently validate an XML document coming from a possibly untrusted source. This programming error allows malicious users to submit XML files containing content that can cause harm to the system, for instance by disrupting service(s) or disclosing information that is is intended to remain private. \n\nThe fact that a vulnerable URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Missing XML Validation vulnerability in TranslationSupport application","This incident triggered because a vulnerable URI was accessed. \n\nThe vulnerable component which is accessed through the URI does not sufficiently validate an XML document coming from a possibly untrusted source. This programming error allows malicious users to submit XML files containing content that can cause harm to the system, for instance by disrupting service(s) or disclosing information that is is intended to remain private. \n\nThe fact that a vulnerable URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"OS Command Injection vulnerability in Report for Terminology Export","This incident triggered because a report vulnerable to OS command injection was accessed. \n\nThe system contains code that permits the execution of (possibly arbitrary) operating system commands of the user's choice. An attacker can therefore control the behavior of the system, or can potentially escalate privileges by executing malicious code, without having their own legitimate credentials.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Path traversal using the 'Download Snapshot' service of HANA cockpit for offline administration", "This incident triggered because a URI was accessed which is vulnerable to directory traversal. \n\nThe vulnerability allows an attacker to exploit the insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file access APIs. This allows a malicious user to potentially read, write and delete arbitrary files on the remote server, possibly disclosing confidential information, corrupting data or altering system behavior. \n","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Potential Directory Traversal in a UserAdmin Application","This incident triggered because a URI was accessed which is vulnerable to directory traversal. \n\nThe vulnerability allows an attacker to exploit the insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file access APIs. This allows a malicious user to potentially read, write and delete arbitrary files on the remote server, possibly disclosing confidential information, corrupting data or altering system behavior. \n","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Potential Directory Traversal or XML Validation vulnerability in Log Viewer","This incident triggered because a URI was accessed which is vulnerable to directory traversal. \n\nThe vulnerability allows an attacker to exploit the insufficient validation of path information provided by users, thus characters representing 'traverse to parent directory' are passed through to the file access APIs. This allows a malicious user to potentially read, write and delete arbitrary files on the remote server, possibly disclosing confidential information, corrupting data or altering system behavior. \n","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Potential execution of buffer overflow attack in EXECUTE_SEARCH_RULESET stored procedure","This incident triggered because a stored procedure containing a buffer overflow vulnerability was called. \n\nA stored procedure is prepared SQL code that can be called and therefore reused repeatedly on the system. A remote authenticated attacker could exploit a vulnerability existing in a stored procedure by overwriting the memory buffer out of its bounds, thereby rendering the SAP HANA Platform unavailable to other users until the next process restart.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Potential exploitation of Buffer overflow vulnerability with a long username to SAP HANA","This incident triggered because a vulnerable URI was accessed. \n\nBy accessing the URI in a specialized way, an attacker can overwrite the memory buffer of the system. By doing this, the attacker can access and/or manipulate parts of system that should be restricted. This can allow the attacker to execute malicious code or cause the system to crash. \n\nThe fact that a vulnerable URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Potential information disclosure relating to Real Time Collaboration Chat","This incident triggered because a vulnerable Web Dynpro URI was accessed. \n\nWeb Dynpro is the SAP standard UI technology for developing web applications in the ABAP environment. Certain components of Web Dynpro have been found to be vulnerable. By approaching Web Dynpro through certain URI's attackers can access information which should otherwise be restricted. \n\nThe fact that a vulnerable Web Dynpro URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Potential information disclosure relating to Transaction SCI (Code Inspector)","This incident triggered because a vulnerable URI was accessed. \n\nBy accessing the URI in a specialized way, an attacker can discover information relating to the system. This information may be used by an attacker to specialize their attack and target security-relevant data. \n\nThe fact that a vulnerable URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Potential log injection in SAP HANA","This incident triggered because an attempt to exploit a log injection vulnerability was detected. \n\nDuring an attempted user login an attacker can inject information into the system log. Inserting events into the log could disrupt (forensic) analysis of the log or otherwise cause confusion.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Potential Log injection in SAP HANA XS","This incident triggered because a vulnerable URI was accessed. \n\nBy accessing the URI in a specialized way, an attacker can inject information into the system log. Inserting events into the log could disrupt (forensic) analysis of the log or otherwise cause confusion. \n\nThe fact that a vulnerable URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Potential modif./disclosure of persisted data in BC-ESI-UDDI","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Potential XSRF attack","This incident triggered because a URI vulnerable to Cross-site Request Forgery (XSRF) was accessed. \n\nEnd users may be fooled by an attacker to access a specially crafted URL, consisting of the vulnerable URL with certain added parameters. If they do, certain system functions may be executed with the executing user's rights. \n","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Potential XSS attack","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Potential XSS attack in PI Message Display Tool","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"PotentialXXE vulnerability in SAP UDDI","This incident triggered because a URI with an XML eXternal Entity type vulnerability was accessed. \n\nUntrusted XML input parsing is possible in SAP UDDI (Universal Description, Discovery and Integration). The vulnerability allows a malicious user to send specially crafted XML content to perform a Denial of Service or retrieve data from the affected SAP System..","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Reflected File Download attempt in AFPServlet","This incident triggered because a URI vulnerable to Reflected File Download attacks was accessed with malicious looking parameters. \n\nThe vulnerability allows attackers to inject malicious code into a specially crafted URL. By fooling end users to access this URL, a seemingly trusted file is offered for download coming from a trusted domain. Once downloaded and opened by the client, unwanted applications could potentially be started on the client machine by an attacker, resulting in remote code execution.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"SAP HANA Daemon Execution of Administrative Method","This incident triggered because a vulnerable HANA daemon administrative method was executed. \n\nThe daemon service in a SAP HANA landscape is used to start, stop and restart all SAP HANA services. It was reported by SAP that communication encryption was not being enabled for the daemon service on unpatched systems. This means potential attackers could cause denial of service by stopping/restarting the instance if they either gain access to the operating system of the SAP HANA system with an authorized user or can access the network configured for SAP HANA internal network configuration. \n\nThe fact that a vulnerable HANA daemon administrative method was executed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"SAP HANA global.ini settings SQL Injection","This incident triggered because a URI was accessed which is vulnerable to an SQL-injection attack. \n\nThe vulnerability allows an attacker to execute crafted database queries, giving him the ability to execute admin level operations on database and thereby exposing the backend database. Some well-known effects of an SQL injection vulnerability are the ability to read, modify or delete sensitive data from the database. \n","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"SAP HANA User Self Service SQL Injection in ACTIVATE USER query","This incident triggered because an URI vulnerable to SQL injection was accessed. \n\nThe vulnerability concerns one of several vulnerabilities in the HANA User Self Service (USS) functionality. Through successful exploitation of these vulnerabilities, an unauthenticated attacker would be able to impersonate other users, even those of high privileged accounts. If exploited, these vulnerabilities allow an attacker, whether inside or outside the organization, to take full control of the SAP HANA platform remotely, without the need of a username and password. This level of access allows an attacker to take over business information and processes supported by HANA. This included creating, stealing, altering, and/or deleting sensitive information. If this risk is exploited, organizations may face severe business consequences. \n","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"SAP HANA User Self Service SQL Injection in SET PASSWORD query","This incident triggered because a URI was accessed which is vulnerable to an SQL-injection attack. \n\nThe vulnerability allows an attacker to execute crafted database queries, giving him the ability to execute admin level operations on database and thereby exposing the backend database. Some well-known effects of an SQL injection vulnerability are the ability to read, modify or delete sensitive data from the database. \n","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"SAP J2EE Verb tampering","This incident triggered because a vulnerable URI was accessed with an unexpected HTTP method. \n\nThe HTTP specification includes request methods other than the standard GET and POST requests. A standards compliant web server may respond to these alternative methods (verbs) in ways not anticipated by developers. An attacker may subsequently leverage these methods for malicious objectives, for example by obtaining unauthorized access to restricted resources from arbitrary network locations. \n\nCertain URI's have been found to be vulnerable to these verb tampering attacks.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Security vulnerabilities in an ICF service belonging to SAP ITS Mobile","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Successful login of EARLYWATCH user using default password","This incident triggered because a successful login of a privileged user with a default password was detected. \n\nCertain users in the system may be configured with a default well-known password. This situation allows a remote unauthorized party to access the SAP system with high privileges and perform sensitive business and technical operations.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Successful login with DDIC user using default password","This incident triggered because a successful login of a privileged user with a default password was detected. \n\nCertain users in the system may be configured with a default well-known password. This situation allows a remote unauthorized party to access the SAP system with high privileges and perform sensitive business and technical operations.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Successful login with SAPCPIC user using default password","This incident triggered because a successful login of a privileged user with a default password was detected. \n\nCertain users in the system may be configured with a default well-known password. This situation allows a remote unauthorized party to access the SAP system with high privileges and perform sensitive business and technical operations.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Successful login, via RFC, with TMSADM user using default password","This incident triggered because a successful login of a privileged user with a default password was detected. \n\nCertain users in the system may be configured with a default well-known password. This situation allows a remote unauthorized party to access the SAP system with high privileges and perform sensitive business and technical operations.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"System Landscape Directory Information Disclosure","This incident triggered because a vulnerable Web Dynpro URI was accessed. \n\nWeb Dynpro is the SAP standard UI technology for developing web applications in the ABAP environment. Certain components of Web Dynpro have been found to be vulnerable. By approaching Web Dynpro through certain URI's attackers can access information which should otherwise be restricted. \n\nThe fact that a vulnerable Web Dynpro URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"TrexNet Method Execution From Untrusted Host","This incident triggered because a TrexNet method was executed from a possibly untrusted host \n\nUsing the multiple methods available in the TrexNet protocol, a remote unauthenticated attacker could execute arbitrary operating system commands, python modules, read, write and delete files and directories, read environment information and also completely shut down the SAP HANA instance. Furthermore, the attacker could send TMS queries to the NameSever component, which could allow him to retrieve technical information about the remote system such as configuration files. \n\nAlthough OSP cannot determine if the host is malicious or not, it is important to validate its origin and purpose.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Web Dynpro JAVA Guided Procedures Information Disclosure","This incident triggered because a vulnerable Web Dynpro URI was accessed. \n\nWeb Dynpro is the SAP standard UI technology for developing web applications in the ABAP environment. Certain components of Web Dynpro have been found to be vulnerable. By approaching Web Dynpro through certain URI's attackers can access information which should otherwise be restricted. \n\nThe fact that a vulnerable Web Dynpro URI was accessed may indicate, but not necessarily confirm, that an attacker is abusing the vulnerability.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"XSS in Enterprise Portal - GenericSemanticTest component","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"XSS in LogPortalComponent","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"XSS in NavigationRequestSniffer","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"XSS in NavigationURLTester","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"XSS in Notification Topic Creation","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"XSS in PI Message Display Tool","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"XSS in SAP Java Web Application saml2_sp","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"XSS in SAP NetWeaver Central Technical Configuration","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"XSS in SAP NetWeaver Composite Application Framework and Business Warehouse Test Integration","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"XSS in SAP NetWeaver Java Archiving Framework","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"XSS in SAP Netweaver Portal Error section","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"XSS in UpdateVersionPortalComponent","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack. \n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Access to SOAP RFC service","This incident gets triggered when OSP detects users attempting to access the SOAP RFC service. The SOAP RFC service has been marked as dangerous by SAP and should be deactivated.","Disable the SOAP RFC service in transaction SICM if not required.",
"Assignment of S_DEVELOP authorization object to single role","This incident gets triggered when OSP detects the assignment of S_DEVELOP authorization object. Using this object, you can assign access authorizations for all the workbench components. This should never occur on production systems","1. Remove the S_DEVELOP privilege from the user. 2. Analyze SAP logs to verify that any actions performed by that user are legitimate. 3. Investigate who assigned that privilege to the user and why.",
"Assignment of SAP_ALL profile to user","This incident gets triggered when OSP detects the assignment of SAP_ALL profile to a user. This should happen only under extraordinary circumstances.","1. Remove the SAP_ALL privilege from the user. 2. Analyze SAP logs to verify that any actions performed by that user are legitimate. 3. Investigate who assigned that privilege to the user and why.",
"Dangerous execution of j2ee CTC servlet administrative method","This incident gets triggered when OSP detects potentially dangerous administrative requests being made to Central Technical Configuration servlet.","Work with the BASIS team to prioritize applying the applicable note.",
"Potential exploitation of Buffer overflow vulnerability with a long username","This incident gets triggered when OSP detects an attacker using HTTP buffer overrun authentication request that attempts to exploit a vulnerability in SAP HANA.","Work with the BASIS team to prioritize applying the applicable note.",
"Potential information disclosure trough SQL command IMPORT FROM","This incident gets triggered when OSP detects a SQL IMPORT FROM command that could result in being able to gain unauthorized access to data.","Work with the BASIS team to prioritize applying the applicable note.",
"Potential untrusted application server registered in the SAP Message Server","This incident gets triggered when OSP detects the registration of an unknown application server in the SAP Message Server. This should happen only under extraordinary circumstances.","Make sure your Message Server ACL is properly configured. The path of the ACL file can be found in profile parameter ms/acl info. Make sure the SAP Message Server internal port is only accessible from the corresponding sources.",
"Registering of Potential Dangerous RFC Server","This incident gets triggered when OSP detects the registration of sensitive programs in the SAP Gateway. These programs should never be accessed over RFC.","Make sure your reg info ACL is properly configured. The path of the ACL file can be found in profile parameter gw/reg_info. Make sure the registered server is only accessible from the corresponding sources.",
"Starting of Potentially dangerous RFCEXEC server from untrusted host","This incident gets triggered when OSP detects execution of RFCEXEC from a remote machine.","Make sure your sec_info ACL is properly configured. The path of the ACL file can be found in parameter gw/sec_info. Make sure the program can only be executed from the corresponding sources.",
"Starting of Potentially dangerous SAPXPG server from untrusted host","This incident gets triggered when OSP detects execution of SAPXGP from a remote machine.","Make sure your sec_info ACL is properly configured. The path of the ACL file can be found in parameter gw/sec_info Make sure the program can only be executed from the corresponding sources.",
"Successful login via RFC with SAP* user and default password","This incident gets triggered when OSP detects an RFClogin by the SAP* user using the default password. SAP* is a default user with SAP_ALL authorizations.","1. Create a super user with SAP_ALL and make sure it has a secret strong password. 2. Create user SAP* without any privileges, assign it to group SUPER. 3. Block the user SAP*. 4. Change parameter login/no_automatic_user_sapstar to 1.",
"Successful login with (SAP*:PASS) in a client with users already configured","This incident gets triggered when OSP detects a login by the SAP* user using the default password. SAP* is a default user with SAP_ALL authorizations.","1. Create a super user with SAP_ALL and make sure it has a secret strong password. 2. Create user SAP* without any privileges, assign it to group SUPER. 3. Block the user SAP*. 4. Change parameter login/no_automatic_user_sapstar to 1.",
"Successful login with (SAP*:PASS) in a client without users configured","This incident gets triggered when OSP detects a login by the SAP* user using the default password. SAP* is a default user with SAP_ALL authorizations.","1. Create a super user with SAP_ALL and make sure it has a secret strong password. 2. Create user SAP* without any privileges, assign it to group SUPER. 3. Block the user SAP*. 4. Change parameter login/no_automatic_user_sapstar to 1.",
"Successful login with SAP* user and a non-default password","This incident gets triggered when OSP detects a login by the SAP* user using a non-default password. SAP* is a default user with SAP_ALL authorizations.","1. Create a super user with SAP_ALL and make sure it has a secret strong password 2. Create user SAP* without any privileges, assign it to group SUPER. 3. Block the user SAP*. 4. Change parameter login/no_automatic_user_sapstar to 1.",
"Unlocking of User DDIC","This incident gets triggered when OSP detects the DDIC user account being unlocked. DDIC is a default user with high privilege authorizations.","1. Lock the DDIC user account. 2. Analyze SAP logs to verify that any actions performed by that user are legitimate.",
"Unlocking of User EARLYWATCH","This incident gets triggered when OSP detects the EARLYWATCH user account being unlocked. EARLYWATCH is a default user with high privileges.","1. Lock the EARLYWATCH user account. 2. Analyze SAP logs to verify that any actions performed by that user are legitimate.",
"Unlocking of User SAP*","This incident gets triggered when OSP detects the SAP* user account being unlocked. SAP* is a default user with SAP_ALL authorizations.","Block the SAP* user. If necessary, use the corresponding emergency super user.",
"User SAP* deleted and profile parameter login/no_automatic_sap_star set to 0","This incident gets triggered when OSP detects the SAP* deleted while a profile parameter preventing login with the default password is disabled. In this case, if the user master record of the user SAP* is deleted, it is possible to log on with SAP* using the default password.","1. Create an emergency super user with SAP_ALL and make sure it has a secret strong password. 2. Create user SAP* without any privileges, assign it to group SUPER. 3. Block the user SAP*. 4. Change parameter login/no_automatic_user_sapstar to 1.",
"10KBLAZE Public Exploit Used to Started SAPXPG server","This incident gets triggered when OSP detects execution of SAPXGP from a remote machine.","Make sure your sec_info ACL is properly configured. The path of the ACL file can be found in parameter gw/sec_info Make sure the program can only be executed from the corresponding sources.",
"Assignment of high privilege profile to user","This incident gets triggered when OSP detects the addition of high privileges to an SAP users. This is an unusual administrative activity that needs follow up","Follow up with the triggering user to understand the business intent of the change",
"Assignment of SAP_NEW profile to user","This incident gets triggered when OSP detects the addition of high privileges to an SAP users. This is an unusual administrative activity that needs follow up","Follow up with the triggering user to understand the business intent of the change",
"Attempt to disable authorization objects globally","This incident gets triggered when OSP detects an attempt to change a critical SAP parameter that could be used to elevate privileges. This is an unusual administrative activity that needs follow up","Follow up with the triggering user to understand the business intent of the change",
"Attempt to set insecure configuration blocked","This incident gets triggered when OSP detects a user trying to change a critical configuration that the organization is protecting using Onapsis Enforce and Protect","Follow up with the triggering user to understand the business intent of the change",
"Deactivation of Security Audit Log (SAL) in SAP system","This incident gets triggered when OSP detects an attempt to change a critical SAP parameter that could be used by an attacker to evade detection. This is an unusual administrative activity that needs follow up","Follow up with the triggering user to understand the business intent of the change",
"Debugging in non-production system by a non-developer user","This incident gets triggered when OSP detects a non developer SAP user activating debug - this could be used by an attacker as reconaissance for an attack. This is an unusual administrative activity that needs follow up","Follow up with the triggering user to understand the business intent of the change",
"Debugging in production system","This incident gets triggered when OSP detects an SAP user activating debug in a production system - this could be used by an attacker as reconaissance for an attack. This is an unusual developer activity that needs follow up","Follow up with the triggering user to understand the business intent of the change",
"Field content changed in debugging in production system","This incident gets triggered when OSP detects an SAP user activating debug in a production system - this could be used by an attacker as reconaissance for an attack. This is an unusual developer activity that needs follow up","Follow up with the triggering user to understand the business intent of the change",
"Jump to ABAP debugging in production system","This incident gets triggered when OSP detects an SAP user activating debug in a production system - this could be used by an attacker as reconaissance for an attack. This is an unusual developer activity that needs follow up","Follow up with the triggering user to understand the business intent of the change",
"Non existing users login failed","This inincdent gets triggered when OSP detects a new SAP user failing t logon to the system. This could be indicative of an attacker trying to take advantage of administrative process failures","Follow up with the triggering user to understand the business intent of the activity",
"OSP Unauthenticated Scan or Audit Started RFCEXEC server","This incident gets triggered when OSP detects execution of RFCEXEC as part of an Onapsis Security Platform unauthenticated scan","Make sure your sec_info ACL is properly configured. The path of the ACL file can be found in parameter gw/sec_info. Make sure the program can only be executed from the corresponding sources.",
"OSP Unauthenticated Scan or Audit Started SAPXPG server","This incident gets triggered when OSP detects execution of SAPXPG from as part of an Onapsis Security Platform unauthenticated scan.","Make sure your sec_info ACL is properly configured. The path of the ACL file can be found in parameter gw/sec_info. Make sure the program can only be executed from the corresponding sources.",
"Parameter set to an insecure configuration","This incident gets triggered when OSP detects a user changing a critical configuration that the organization is monitoring using Onapsis Enforce and Protect","Follow up with the triggering user to understand the business intent of the change",
"Parameter set to an insecure configuration approved by OSP User","This incident gets triggered when OSP detects an approved user changing a critical configuration that the organization is monitoring using Onapsis Enforce and Protect","Follow up with the triggering user to understand the business intent of the change",
"Removed standard user from SUPER group","This incident gets triggered when OSP detects the removal of a user from a highly privileged group. This is an unusual administrative activity that needs follow up","Follow up with the triggering user to understand the business intent of the change",
"Successful login of a Solution Manager default user with standard password","This incident gets triggered when OSP login to a crtiical SAP administrative function using a default user with a default password. This is an unusual administrative activity that needs follow up. Also review processes around disabling and changing default users and passwords","Follow up with the triggering user to understand the business intent of the activity",
"Successful login of a user with SAP_ALL profile in production client","This incident gets triggered when OSP login to an SAP production system by a highly privileged user. This is an unusual administrative activity that needs follow up. Also review processes around disabling and changing default users and passwords","Follow up with the triggering user to understand the business intent of the activity",
"XSS in Java Web Application tc~sec~saml~ssodemoapp","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack.\n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"XSS in SAP Netweaver Portal Download section","This incident triggered because a URI was accessed which is vulnerable to a Cross-Site Scripting (XSS) attack.\n\nCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. \n\nAn attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.","To protect the system, please refer to the SAP note(s) referenced. The note(s) will contain the prerequisites and instructions necessary to patch the system.",
"Onapsis OSP_Test for ACD (Authorization Change Documents) extractor validation","This is a test rule."," Take no action.",
"Onapsis OSP_Test for HANA - Audit Trail extractor validation","This is a test rule."," Take no action.",
"Onapsis OSP_Test for HANA - HTTP Access Log extractor validation","This is a test rule."," Take no action.",
"Onapsis OSP_Test for ICM Access Log extractor validation","This is a test rule."," Take no action.",
"Onapsis OSP_Test for JAVA_HTTP extractor validation","This is a test rule."," Take no action.",
"Onapsis OSP_Test for login extraction from SAL","This is a test rule."," Take no action.",
"Onapsis OSP_Test for Message Server (MsgServer) extractor validation","This is a test rule."," Take no action.",
"Onapsis OSP_Test for STAD extractor validation","This is a test rule."," Take no action.",
"Onapsis Zero Day Incident test rule","This is a test rule."," Take no action.",
"OP_Shipped_Sec_SAP_ALL / SAP_NEW assigned","This alarm, provided by Onapsis, alerts when SAP_ALL or SAP_NEW user is assigned. SAP_ALL/SAP_NEW are highly privileged roles within an SAP System and should be managed with the utmost care.","Follow up with the user specified in the alarm to understand the business intent behind this action.",
"OP_Shipped_Sec_ABAP T-Code Permission Denied","This alarm, provided by Onapsis, alerts when transaction SU01 has been denied. SU01 is an SAP transaction for managing users and profiles. Someone trying and failing to use this transaction could be indicative of an attacker trying to gain high privilege within the system.","Follow up with the user specified in the alarm to understand the business intent behind this action.",
"OP_Shipped_Sec_Attempt to Open Client","This alarm, provided by Onapsis, alerts when there was an attempt to open client. A client is an independent logical database that stores all the business database separately. Any major system change needs to be monitored carefully.","Follow up with the user specified in the alarm to understand the business intent behind this action.",
"OP_Shipped_Sec_Attempt to Close Client","This alarm, provided by Onapsis, alerts when there was an attempt to close client. A client is an independent logical database that stores all the business database separately. Any major system change needs to be monitored carefully.","Follow up with the user specified in the alarm to understand the business intent behind this action.",
"OP_Shipped_Sec_RFC Destination Deleted","This alarm, provided by Onapsis, alerts when an RFC Destination is deleted. RFC Destination is connectivity between SAP and an internal/external system. These systems are often sources of attacks, and changes should be monitored carefully.","Follow up with the user specified in the alarm to understand the business intent behind this action.",
"OP_Shipped_Sec_RFC Destination Created","This alarm, provided by Onapsis, alerts when an RFC Destination is created. RFC Destination is connectivity between SAP and an internal/external system. These systems are often sources of attacks, and changes should be monitored carefully.","Follow up with the user specified in the alarm to understand the business intent behind this action.",
"OP_Shipped_Sec_RFC Destination Changed","This alarm, provided by Onapsis, alerts when an RFC Destination is changed. RFC Destination is connectivity between SAP and an internal/external system. These systems are often sources of attacks, and changes should be monitored carefully.","Follow up with the user specified in the alarm to understand the business intent behind this action.",
"OP_Shipped_Sec_Deletion of a T-Code","This alarm, provided by Onapsis, alerts when a transaction code is deleted. Transaction code is a command, and each function in SAP has an associated transaction code. By cloning transaction codes, you can evade detection. These changes should be monitored carefully.","Follow up with the user specified in the alarm to understand the business intent behind this action.",
"OP_Shipped_ Sec_Changes/Creation_of_T-Code","This alarm, provided by Onapsis, alerts when a transaction code is changed. Transaction code is a command, and each function in SAP has an associated transaction code. By cloning transaction codes, you can evade detection. These changes should be monitored carefully.","Follow up with the user specified in the alarm to understand the business intent behind this action."
];
IncidentLookup