BROADCOM
About
Compliance Event Manager continuously monitors your mainframe environment for a wide range of security-related events. When Compliance Event Manager detects these events, it can take one or more actions, including real-time alerting and logging, to notify stakeholders of potential security threats. Compliance Event Manager collects and processes event information from your External Security Manager (ESM) and monitors security records, security configuration points, system data sets, and z/OS configuration controls. The product provides immediate notification of pertinent violations, access, and change activity affecting critical resources. Its monitoring also covers Partitioned Data Set (PDS) monitoring, which alerts on changes to critical mainframe configuration files that would otherwise go undetected and so surfaces potential insider-threat behavior. The product also generates advanced audit and compliance information that is not available in standard security reports.
Product Details
Vendor URL: BROADCOM
Product Type: Compliance Management
Product Tier: Tier III
Integration Method: Syslog
Integration URL: n/a
Log Guide: n/a
Parser Details
Log Format: Syslog, KV
Expected Normalization Rate: 95%
Data Label: BROADCOM_CEM
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
datetime | metadata.collected_timestamp |
access | security_result.summary |
account | principal.user.user_display_name |
class | principal.asset.labels.CLASS |
code1 | principal.asset.labels.CODE1 |
code2 | principal.asset.labels.CODE2 |
command | principal.process.command_line |
dataclass | principal.asset.labels.DATACLASS |
field | principal.asset.labels.FIELD |
entity | principal.asset.labels.ENTITY |
eventname | metadata.product_event_type |
objlabel | principal.asset.labels.OBJLABEL |
operation | security_result.summary |
permacid | principal.asset.attribute.roles |
permit | src.resource.attribute.permissions |
permtype | principal.asset.category |
privilege | principal.asset.attribute.roles |
program | principal.resource.name |
reason | security_result.summary |
sysid | principal.asset.labels.SYSID |
sysplex | principal.asset.labels.SYSPLEX |
use_case | security_result.summary |
userid | principal.user.userid |
Product Event Types
Product Event | Description | UDM Event |
---|---|---|
src/destIp | | NETWORK_CONNECTION |
Default | All other events | GENERIC_EVENT |
Log Sample
Dec 2 12:47:36 myco.com 1 DATE=02-Dec-2022 TIME=12:47:35 SYSID=CC36 SYSPLEX=PLEX33 CEMMSG [EVENT=OBJECTVIO USERID=IWUR JOBNAME=CICSP6TG SOURCE= CLASS=OTRAN ENTITY=RRNN ACCESS=EXECUTE DATACLASS= FACILITY=CICPPPSP OBJLABEL= PERMACID= PERMIT= PERMTYPE= PRIVILEGE=%PRIVILEGE% PROGRAM=DFHP--N1 REASON=%REASON% RULEKEY= RULELINE= RULENUM=0 RULETOD= {USE_CASE = Object Access Violation]
Sample Parsing
UDM Field | Value |
---|---|
metadata.event_timestamp | "2022-12-02T18:00:09.576182Z" |
metadata.event_type | "GENERIC_EVENT" |
metadata.vendor_name | "Broadcom" |
metadata.product_name | "CEM" |
metadata.product_event_type | "OBJECTVIO" |
metadata.ingested_timestamp | "2022-12-02T18:00:09.576182Z" |
principal.user.userid | "IWUR" |
principal.resource.name | "DFHP--N1" |
principal.asset.category | " " |
principal.asset.labels[0].key | "CLASS" |
principal.asset.labels[0].value | "OTRAN" |
principal.asset.labels[1].key | "FACILITY" |
principal.asset.labels[1].value | "CICPPPSP" |
principal.asset.labels[2].key | "ENTITY" |
principal.asset.labels[2].value | "RRNN" |
principal.asset.labels[3].key | "OBJLABEL" |
principal.asset.labels[3].value | " " |
principal.asset.labels[4].key | "SYSID" |
principal.asset.labels[4].value | "CC36" |
principal.asset.labels[5].key | "SYSPLEX" |
principal.asset.labels[5].value | "PLEX33" |
principal.asset.attribute.roles[0].name | " " |
principal.asset.attribute.roles[1].name | "%PRIVILEGE%" |
security_result[0].summary | "EXECUTE" |
security_result[1].summary | "%REASON%" |
security_result[2].summary | "Object Access Violation" |
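The following is an added reference example, not the vendor's parser or the product's own code, showing how the KV pairs in the Log Sample above are split out and mapped onto the UDM paths listed in the UDM Fields table. It assumes that the table's "eventname" and "datetime" entries correspond to the EVENT token and the DATE/TIME pair in the raw message, that the raw timestamp is UTC, and that empty values (SOURCE=, OBJLABEL=, PERMIT=, ...) are dropped rather than emitted as a blank string; FACILITY is mapped because it appears in the Sample Parsing output even though the field table omits it. It also handles the one irregular token, `{USE_CASE = ... ]`, whose spaces around `=`, multi-word value and stray brackets would defeat a naive `KEY=value` split.

```python
import re
from datetime import datetime, timezone

# Constructed test input: the Log Sample from this page, joined into one string.
SAMPLE = (
    "Dec 2 12:47:36 myco.com 1 DATE=02-Dec-2022 TIME=12:47:35 SYSID=CC36 SYSPLEX=PLEX33 "
    "CEMMSG [EVENT=OBJECTVIO USERID=IWUR JOBNAME=CICSP6TG SOURCE= CLASS=OTRAN ENTITY=RRNN "
    "ACCESS=EXECUTE DATACLASS= FACILITY=CICPPPSP OBJLABEL= PERMACID= PERMIT= PERMTYPE= "
    "PRIVILEGE=%PRIVILEGE% PROGRAM=DFHP--N1 REASON=%REASON% RULEKEY= RULELINE= RULENUM=0 "
    "RULETOD= {USE_CASE = Object Access Violation]"
)

# Raw CEM key -> UDM path, from the UDM Fields table. EVENT is assumed to be the
# table's "eventname"; FACILITY is taken from the Sample Parsing output (assumption).
FIELD_MAP = {
    "ACCESS": "security_result.summary",
    "ACCOUNT": "principal.user.user_display_name",
    "CLASS": "principal.asset.labels.CLASS",
    "CODE1": "principal.asset.labels.CODE1",
    "CODE2": "principal.asset.labels.CODE2",
    "COMMAND": "principal.process.command_line",
    "DATACLASS": "principal.asset.labels.DATACLASS",
    "FIELD": "principal.asset.labels.FIELD",
    "ENTITY": "principal.asset.labels.ENTITY",
    "EVENT": "metadata.product_event_type",
    "FACILITY": "principal.asset.labels.FACILITY",
    "OBJLABEL": "principal.asset.labels.OBJLABEL",
    "OPERATION": "security_result.summary",
    "PERMACID": "principal.asset.attribute.roles",
    "PERMIT": "src.resource.attribute.permissions",
    "PERMTYPE": "principal.asset.category",
    "PRIVILEGE": "principal.asset.attribute.roles",
    "PROGRAM": "principal.resource.name",
    "REASON": "security_result.summary",
    "SYSID": "principal.asset.labels.SYSID",
    "SYSPLEX": "principal.asset.labels.SYSPLEX",
    "USE_CASE": "security_result.summary",
    "USERID": "principal.user.userid",
}

# Regular KEY=value tokens: uppercase key, value runs to the next whitespace and may be empty.
KV_RE = re.compile(r"\b([A-Z0-9_]+)=(\S*)")
# USE_CASE is written unlike the other pairs: spaces around '=', a multi-word
# value, and an opening '{' / closing ']' that the sample does not balance.
USE_CASE_RE = re.compile(r"[{\[]?\s*USE_CASE\s*=\s*(.*?)\s*[\]}]?\s*$")


def tokenize(line: str) -> dict:
    """Split a CEM syslog line into its raw KEY=value pairs (empty values kept)."""
    fields = {}
    use_case = None
    m = USE_CASE_RE.search(line)
    if m:
        use_case = m.group(1)
        line = line[: m.start()]  # keep the odd token out of the regular scan
    for key, value in KV_RE.findall(line):
        fields[key] = value
    if use_case is not None:
        fields["USE_CASE"] = use_case  # appended last, matching the sample's ordering
    return fields


def _set(obj: dict, path: str, value) -> None:
    """Assign value at a dotted UDM path, creating intermediate dicts."""
    parts = path.split(".")
    for part in parts[:-1]:
        obj = obj.setdefault(part, {})
    obj[parts[-1]] = value


def to_udm(fields: dict) -> dict:
    """Map raw fields onto UDM; repeated paths become lists, empty values are dropped."""
    udm = {
        "metadata": {"vendor_name": "Broadcom", "product_name": "CEM",
                     "event_type": "GENERIC_EVENT"},  # Default row of Product Event Types
        "principal": {"asset": {"labels": [], "attribute": {"roles": []}}},
        "security_result": [],
    }
    # DATE + TIME -> metadata.collected_timestamp. The raw line carries no zone; UTC is assumed.
    if fields.get("DATE") and fields.get("TIME"):
        ts = datetime.strptime(f"{fields['DATE']} {fields['TIME']}", "%d-%b-%Y %H:%M:%S")
        udm["metadata"]["collected_timestamp"] = ts.replace(tzinfo=timezone.utc).isoformat()
    for key, value in fields.items():
        path = FIELD_MAP.get(key)
        if path is None or value == "":
            continue
        if path.startswith("principal.asset.labels."):
            udm["principal"]["asset"]["labels"].append(
                {"key": path.rsplit(".", 1)[1], "value": value})
        elif path == "principal.asset.attribute.roles":
            udm["principal"]["asset"]["attribute"]["roles"].append({"name": value})
        elif path == "security_result.summary":
            # %REASON% / %PRIVILEGE% are unexpanded placeholders in the source and pass through.
            udm["security_result"].append({"summary": value})
        else:
            _set(udm, path, value)
    return udm


def parse(line: str) -> dict:
    """Full pipeline: raw syslog line -> UDM-shaped dict."""
    return to_udm(tokenize(line))


if __name__ == "__main__":
    import json
    print(json.dumps(parse(SAMPLE), indent=2))
```

Comparing the output against the Sample Parsing table is a quick way to check a parser change: the three `security_result.summary` entries (EXECUTE, %REASON%, Object Access Violation) and the SYSID/SYSPLEX/CLASS/ENTITY/FACILITY labels should line up, while the blank-valued fields the table shows as `" "` are the ones this example drops.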
Parser Alerting
This product currently does not have any parser-based alerting.
Rules
Coming Soon