Alerting on a rapid user count increase
Yesterday, we saw the user count on our production ECC system jump from 500 to over 2,000 within three minutes.
As the logons were via "/sap/bc/gui/sap/its/webgui", and from a single workstation, we're assuming browser-based
malware. Until we perform some forensic studies on the box we will not know for sure.
I am looking for a way, in real time, to get alerted to a rapid increase in user logons.
Does anyone know if this can be done, through CCMS or other methods?
Something like "alert on user count if rate of user-logon > 10% / minute" would be a good starting point.
Any tips, tricks, or advice will be greatly appreciated. I have started looking at CCMS but... nothing obvious as yet.
Best Regards to all,
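
The rule sketched in the question ("alert if the user count grows by more than 10% per minute"), together with a check for one workstation holding most of the sessions, as an added example that is not part of the original post and is not SAP or CCMS code. It assumes a monitoring job already exports periodic user-count samples and a list of (user, terminal) sessions; the function names, sample values and terminal names are constructed for illustration.

```python
from collections import Counter

def rate_alerts(samples, threshold_pct=10.0, min_users=50):
    """Return (timestamp, pct_per_minute) for every sample whose growth since
    the previous sample exceeds threshold_pct per minute.

    samples   : iterable of (epoch_seconds, logged_on_user_count), any order
    min_users : skip tiny baselines, where a handful of logons looks like a spike
    """
    alerts = []
    ordered = sorted(samples)
    for (t0, n0), (t1, n1) in zip(ordered, ordered[1:]):
        minutes = (t1 - t0) / 60.0
        if minutes <= 0 or n0 < min_users:
            continue  # duplicate timestamp, or baseline too small to judge
        # Normalise to "per minute" so irregular sampling intervals compare fairly.
        pct_per_min = (n1 - n0) / n0 * 100.0 / minutes
        if pct_per_min > threshold_pct:
            alerts.append((t1, round(pct_per_min, 1)))
    return alerts

def dominant_source(sessions, share=0.5):
    """Return the terminal that holds more than `share` of all sessions, else None."""
    counts = Counter(terminal for _user, terminal in sessions)
    if not counts:
        return None
    terminal, n = counts.most_common(1)[0]
    return terminal if n / sum(counts.values()) > share else None

# Constructed data shaped like the incident: about 500 users climbing past 2,000
# in three minutes, with most of the new sessions coming from one workstation.
SAMPLES = [(0, 500), (60, 510), (120, 1000), (180, 1600), (240, 2040)]
SESSIONS = (
    [("USER%04d" % i, "WS-EXAMPLE-01") for i in range(1540)]
    + [("USER%04d" % i, "WS-%03d" % (i % 400)) for i in range(1540, 2040)]
)

if __name__ == "__main__":
    for ts, pct in rate_alerts(SAMPLES):
        print("ALERT t=%ds: user count rising %.1f%%/min" % (ts, pct))
    src = dominant_source(SESSIONS)
    if src:
        print("Most sessions originate from a single terminal:", src)
```

The `min_users` floor and the per-minute normalisation matter in practice: without them, an overnight system with a handful of users, or a poller that occasionally samples twice in quick succession, produces false alerts.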