
Detect SAP default user logons 

21 February 2023 | March 30th, 2023

Highlighting an SAP Threat Detection use case    


Our recently launched SAP Threat Detection solution helps organisations protect their sensitive data from external and internal threats. SAP systems are widely used to manage critical business processes and data. However, these systems are also vulnerable to data breaches, as external attackers or internal actors can gain access to sensitive data by exploiting vulnerabilities, abusing overly broad privileges or stealing login credentials. To protect against these threats, organisations can use Protect4S Threat Detection to monitor and detect many types of behaviour and actions that pose a risk to the organisation, for example logons (and logon attempts) of SAP default users that exist in your SAP system.


SAP systems contain many default SAP users, for example the well-known users DDIC and SAP*, but also many others, such as the lesser-known default users that exist in SAP Solution Manager, as discovered by the Protect4S research team. Their existence raises the risk of unauthorised logons and logon attempts, hence the need for real-time detection. Typically, these users should not be used for day-to-day business operations for several reasons:

  • SAP default accounts are not named accounts, leading to compliance risks (who did what in the system?) 
  • SAP default accounts often have high privileges, like SAP_ALL, completely bypassing the authorisation concept 
  • SAP default accounts can have default passwords, leading to unauthorised access

Without active monitoring, SAP customers are sailing blind and won’t know about logon attempts to their systems. Existing monitoring solutions typically operate at the network level and don’t detect these activities. That is why there is a need for specific solutions at the SAP application level, like the Protect4S Threat Detection solution.

To monitor such activity, one of the use cases within the Protect4S Threat Detection solution actively monitors for logon (attempts) of default users. The use case is shipped with many default SAP users and can be modified and extended with custom users that customers create themselves. Exceptions can be made for specific clients, systems or hosts, to prevent false positives:  

image - Detect SAP default user logons 

If one of the monitored users logs on, the Protect4S Threat Detection solution creates a threat that can be sent to a SIEM solution for further processing. This helps the organisation to act quickly and respond to suspicious activities without going through too many irrelevant alerts. A threat alert contains all relevant information for further containment: details about the involved user, the hostname, the original event that triggered the threat, and references for more information. For example:


image - Detect SAP default user logons 
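
The logic of this use case, as an added Python example that is not Protect4S code: it matches logon events against a monitored-user list, applies client, system and host exceptions, and builds an alert carrying the user, host and original event. The event layout, the helper names and the sample records are assumptions constructed for illustration; AU1 and AU2 are the SAP Security Audit Log message IDs for successful and failed logons.

```python
# Added illustration, not Protect4S code. The event layout is an assumption.
# DDIC and SAP* are named in the article; the others are further well-known
# SAP default users added for this example.
DEFAULT_USERS = {"DDIC", "SAP*", "EARLYWATCH", "TMSADM", "SAPCPIC"}

# SAP Security Audit Log message IDs: AU1 = logon successful, AU2 = logon failed.
LOGON_EVENTS = {"AU1": "logon", "AU2": "failed logon attempt"}
FIELDS = ("user", "system", "client", "host")

def _match(pattern, value):
    # Only a bare "*" is a wildcard, so the user name "SAP*" stays a literal.
    return pattern == "*" or pattern.upper() == value.upper()

def is_excepted(event, exceptions):
    """True when some exception matches the event on every field it sets."""
    return any(all(_match(exc.get(f, "*"), event[f]) for f in FIELDS)
               for exc in exceptions)

def detect(events, exceptions=(), monitored=frozenset(DEFAULT_USERS)):
    """Return one alert per logon (attempt) of a monitored user."""
    alerts = []
    for ev in events:
        kind = LOGON_EVENTS.get(ev["msg_id"])
        user = ev["user"].upper()  # SAP stores user names in upper case
        if kind is None or user not in monitored or is_excepted(ev, exceptions):
            continue
        alerts.append({"title": f"Default user {kind}: {user}", "user": user,
                       "system": ev["system"], "client": ev["client"],
                       "host": ev["host"], "original_event": ev})
    return alerts

def _ev(user, msg_id, client, host, system="PRD"):
    return {"user": user, "msg_id": msg_id, "client": client, "host": host, "system": system}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    _ev("DDIC", "AU2", "100", "ws-0142"),        # failed attempt from a workstation
    _ev("DDIC", "AU1", "000", "sapprd-app1"),    # covered by the exception below
    _ev("JSMITH", "AU1", "100", "ws-0077"),      # named user, not monitored
    _ev("sap*", "AU1", "066", "ws-0142"),        # lower-case input still matches
    _ev("TMSADM", "AU3", "000", "sapprd-app1"),  # AU3 is not a logon event
]
# Hypothetical exception: DDIC in client 000 on the application server itself.
SAMPLE_EXCEPTIONS = [{"user": "DDIC", "system": "PRD", "client": "000", "host": "sapprd-app1"}]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, SAMPLE_EXCEPTIONS):
        print(alert["title"], "from", alert["host"], "client", alert["client"])
```

Keeping exceptions as narrow as the client, system and host combination that is actually expected means the same default user logging on from anywhere else still raises an alert.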



To summarise, logon attempts of default users are no longer a blind spot and detecting them at an early stage will prevent further risk to your SAP systems. Protect4S SAP Threat Detection is a powerful solution that helps organisations protect their sensitive data in SAP systems from unauthorised access. By using default best-practice values and additionally setting up custom rules, organisations can quickly detect and respond to suspicious activities and prevent compliance and security breaches which might lead to fraud, espionage or sabotage. 

Interested to learn more? We are happy to tell you more about our SAP Vulnerability Management and Threat Detection capabilities. For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!