
IBM z/OS

About

IBM® z/OS® brings the computing power and resources of the IBM Z® platform to help you drive business transformation and accelerate innovation. Get the stable, secure environment your organization requires to improve performance for mission-critical workloads and meet future challenges.

Product Details

Vendor URL: IBM z/OS

Product Type: Mainframe

Product Tier: Tier III

Integration Method: Syslog

Log Guide: IBM Guardium - Log collector language

Parser Details

Log Format: SYSLOG CEF

Expected Normalization Rate: 90-95%

Data Label: IBM_ZOS

UDM Fields (list of all UDM fields leveraged in the Parser):

UDM Field    Log File Field(s)
about.group.product_object_id ALU_UTK_GRP_ID / CON_UTK_GRP_ID / ALG_UTK_GRP_ID / DELG_UTK_GRP_ID / PERM_UTK_GRP_ID / REM_UTK_GRP_ID / SETR_UTK_GRP_ID / RACD_UTK_GRP_ID
about.resource_ancestors
about.resource.name DELG_UTK_EXECNODE / PERM_UTK_EXECNODE / REM_UTK_EXECNODE / SETR_UTK_EXECNODE / RACD_UTK_EXECNODE / ALU_UTK_EXECNODE / CON_UTK_EXECNODE / ALG_UTK_EXECNODE / AG_UTK_EXECNODE
about.resource.resource_subtype ALU_UTK_SPCLASS / CON_UTK_SPCLASS / ALG_UTK_SPCLASS / AG_UTK_SPCLASS / DELG_UTK_SPCLASS / PERM_UTK_SPCLASS / REM_UTK_SPCLASS / SETR_UTK_SPCLASS / RACD_UTK_SPCLASS
about.user.userid ALU_OWN_ID / CON_OWN_ID / ALG_OWN_ID / AG_OWN_ID / DELG_OWN_ID / PERM_OWN_ID / REM_OWN_ID / ALU_UTK_USER_ID / CON_UTK_USER_ID
about.user.user_display_name ALU_USER_NAME / CON_USER_NAME / ALG_USER_NAME / AG_USER_NAME / DELG_USER_NAME / PERM_USER_NAME / REM_USER_NAME / SETR_USER_NAME / RACD_USER_NAME
extensions.auth.auth_details AUTH_NORMAL / AUTH_SPECIAL / AUTH_OPER / AUTH_AUDIT / AUTH_EXIT / AUTH_FAILSFT / AUTH_BYPASS / AUTH_TRUSTED
metadata.description desc_trx / ALU_UTK_SESSTYPE / CON_UTK_SESSTYPE / ALG_UTK_SESSTYPE / AG_UTK_SESSTYPE / DELG_UTK_SESSTYPE / PERM_UTK_SESSTYPE / REM_UTK_SESSTYPE / SETR_UTK_SESSTYPE / RACD_UTK_SESSTYPE / description / sum
metadata.event_type statically assigned
metadata.product_event_type dvchost / hm.sc_violation / ACCESS / mot / EVENT_TYPES / product_event_types / event_id / statically assigned
metadata.product_name z/OS
network.ip_protocol ip_protocol_out / statically assigned
observer.application accessor
principal.asset.platform_software.platform_version hm.version
principal.group.group_display_name EVT_GRP_ID
principal.ip host_ip / sipaddr / src
principal.namespace hm.module
principal.port DELG_UTK_SPOE / PERM_UTK_SPOE / REM_UTK_SPOE / SETR_UTK_SPOE / RACD_UTK_SPOE / sport / srcPort / ALU_UTK_SPOE / CON_UTK_SPOE / ALG_UTK_SPOE / AG_UTK_SPOE
principal.resource_ancestors statically assigned
principal.resource.attribute.creation_time TIMESTAMP_READ
principal.resource.attribute.permissions statically assigned
principal.resource.name hm.appliance / JOB_NAME
principal.resource.resource_subtype ALU_UTK_REMOTE / CON_UTK_REMOTE / ALG_UTK_REMOTE / AG_UTK_REMOTE / DELG_UTK_REMOTE / PERM_UTK_REMOTE / REM_UTK_REMOTE / SETR_UTK_REMOTE / RACD_UTK_REMOTE
principal.user.attribute.labels usr_secl
principal.user.user_authentication_status USER_NDFND
principal.user.user_display_name name / username
principal.user.userid UserID / SS_SAUserID / EVT_USER_ID / username / usrName
security_result.about.process.pid JobID
security_result.action_details Allow / sr_action / n_ex_fail
security_result.description access / backup / data1 / int_message
security_result.detection_fields statically assigned
security_result.outcomes log_omvsnprv / log_class / log_user / log_special / log_access / auth_omvssu / alu_utk_encr / alu_utk_pre19 / alu_utk_verprof / alu_utk_default / alu_utk_error / alu_noauth_clauth / alu_noauth_group / alu_noauth_prof / con_utk_encr / con_utk_pre19 / con_utk_verprof / con_utk_default / con_utk_error / alg_utk_encr / alg_utk_pre19 / alg_utk_verprof / alg_utk_default / alg_utk_error / ag_utk_encr / ag_utk_pre19 / ag_utk_verprof / ag_utk_default / ag_utk_error / delg_utk_encr / delg_utk_pre19 / delg_utk_verprof / delg_utk_default / delg_utk_error / perm_utk_encr / perm_utk_pre19 / perm_utk_verprof / perm_utk_default / perm_utk_error / rem_utk_encr / rem_utk_pre19 / rem_utk_verprof / rem_utk_default / rem_utk_error / setr_utk_encr / setr_utk_pre19 / setr_utk_verprof / setr_utk_default / setr_utk_error / racd_utk_encr / racd_utk_pre19 / setr_utk_verprof / racd_utk_default / racd_utk_error
security_result.priority_details priority
security_result.rule_version RACF_VERSION
security_result.severity hm.severity
security_result.summary ACCESS / dvchost / sr_summary / message2 / status
src.resource.attribute.permissions statically assigned
src.resource.name SETR_UTK_SNODE / RACD_UTK_SNODE / ALU_UTK_SNODE / CON_UTK_SNODE / ALG_UTK_SNODE / AG_UTK_SNODE / DELG_UTK_SNODE / PERM_UTK_SNODE / REM_UTK_SNODE
src.user.department department_in
src.user.employee_id perf_in
src.user.group_identifiers AG_UTK_SGRP_ID / DELG_UTK_SGRP_ID / PERM_UTK_SGRP_ID / REM_UTK_SGRP_ID / SETR_UTK_SGRP_ID / RACD_UTK_SGRP_ID / ALU_UTK_SGRP_ID / CON_UTK_SGRP_ID / ALG_UTK_SGRP_ID
src.user.termination_date timestamp_end
src.user.userid user_in / ALU_UTK_SUSER_ID / CON_UTK_SUSER_ID / ALG_UTK_SUSER_ID / AG_UTK_SUSER_ID / DELG_UTK_SUSER_ID / PERM_UTK_SUSER_ID / REM_UTK_SUSER_ID / SETR_UTK_SUSER_ID / RACD_UTK_SUSER_ID
target.resource.name type_trx / res / resource
target.resource.resource_type statically assigned
target.user.attribute.role roles / roles2 / roles3 / roles4 / roles5 / roles6
target.user.user_display_name name / name_out
target.user.department department
target.user.employee_id perf_out
target.user.group_identifiers ALU_UTK_TRUSTED / CON_UTK_TRUSTED / ALG_UTK_TRUSTED / ALG_GRP_ID / AG_UTK_TRUSTED / DELG_UTK_TRUSTED / DELG_GRP_ID / PERM_UTK_TRUSTED / REM_UTK_TRUSTED / SETR_UTK_TRUSTED / RACD_UTK_TRUSTED / Group
target.user.groupid division
target.user.office_address.name ug_out
target.user.userid user_out / ALU_USER_ID / CON_USER_ID

Product Event Types

Event Type
GENERIC_EVENT
ADDGROUP
ADDSD
ADDUSER
ALTGROUP
ALTUSER
CONNECT
Defender
DEFINE
DELDSD
DELGROUP
DELUSER
GROUP_CREATION
GROUP_DELETION
GROUP_MODIFICATION
MF_PROD_TSUTIL
PASSWORD
PERMIT
RACDCERT
RALTER
RDEFINE
RDELETE
REMOVE
SETROPTS
STATUS_UPDATE
Telnet Login
USER_CHANGE_PERMISSIONS
USER_LOGIN
USER_RESOURCE_ACCESS
USER_RESOURCE_DELETION
USER_UNCATEGORIZED

Log Sample

CEF:0|MyCo|MainFrame|||mf_prod_tssutil|Low| dvchost=mf_prod_tssutil start=1665072000000 SYSID=CS06 ACCESSOR=DWLMR FACILITY=74 MODE=FAIL DSNX9WLS OK PGM S983617  {"additional":[{"label":"smb_host","value":"svm37bc"},{"label":"smb_stage1","value":"860786"},{"label":"smb_uid","value":"0mPLGlK+OEPYJvg9U3J3iw86078630740445"},{"label":"smb_timezone","value":"EDT"},{"label":"source_country","value":""},{"label":"source_country_name","value":""}]}

Sample Parsing

metadata.event_timestamp "2022-10-07T10:34:04.497799Z"
metadata.collected_timestamp "2022-10-06T16:00:00Z"
metadata.event_type "GENERIC_EVENT"
metadata.vendor_name "IBM"
metadata.product_name "z/OS"
metadata.product_event_type "mf_prod_tssutil"
metadata.id "AAAAAEaKBjCIfPRcqEuY5AxYxeMAAAAAFAAAAFwBAAA="
additional.smb_stage1 "860786"
additional.smb_timezone "EDT"
additional.source_country ""
additional.smb_host "svm37bc"
additional.source_country_name ""
additional.smb_uid "0mPLGlK+OEPYJvg9U3J3iw166513786078630740445"
principal.resource.name "MainFrame"
observer.application "DWLMR"
security_result[0].summary "mf_prod_tssutil"
security_result[1].severity "LOW"
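The Log Sample and Sample Parsing above show one CEF line and the UDM fields it yields. The Python below is an added worked example, not the vendor's parser and not code from this page: it splits the CEF header, reads the extension key=value pairs (a CEF value runs until the next key, so the free text after MODE=FAIL stays attached to MODE rather than being lost), pulls out the JSON "additional" array this integration appends after the extension, and assigns the UDM fields the sample parse shows. The static vendor/product values, taking principal.resource.name from the CEF product header, and taking observer.application from the ACCESSOR key follow the sample; the sample line is reproduced here as constructed input, and anything else about the real parser's logic is an assumption.

```python
import json
import re
from datetime import datetime, timezone

# Constructed copy of the page's Log Sample line (used as the example input).
SAMPLE_LINE = (
    'CEF:0|MyCo|MainFrame|||mf_prod_tssutil|Low| dvchost=mf_prod_tssutil '
    'start=1665072000000 SYSID=CS06 ACCESSOR=DWLMR FACILITY=74 MODE=FAIL '
    'DSNX9WLS OK PGM S983617  {"additional":[{"label":"smb_host","value":"svm37bc"},'
    '{"label":"smb_stage1","value":"860786"},'
    '{"label":"smb_uid","value":"0mPLGlK+OEPYJvg9U3J3iw86078630740445"},'
    '{"label":"smb_timezone","value":"EDT"},{"label":"source_country","value":""},'
    '{"label":"source_country_name","value":""}]}'
)

# The seven pipe-delimited CEF header fields that follow "CEF:".
CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                     "signature_id", "name", "severity")


def _unescape(s):
    # CEF escapes '|' in the header and '=' in extensions with a backslash.
    return s.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")


def parse_cef(line):
    """Return (header dict, extension dict, trailing JSON dict) for one CEF line."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Split the header on unescaped pipes only; the 8th piece is the extension.
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    header = {k: _unescape(v) for k, v in zip(CEF_HEADER_FIELDS, parts[:7])}
    extension = parts[7].strip()

    # This source appends a JSON object after the key=value pairs (see Log Sample).
    trailing_json = {}
    brace = extension.find("{")
    if brace != -1:
        try:
            trailing_json = json.loads(extension[brace:])
            extension = extension[:brace].rstrip()
        except json.JSONDecodeError:
            pass  # not JSON: leave it as part of the last extension value

    # Extension values may contain spaces; each runs until the next "key=" token.
    ext = {}
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", extension))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        ext[m.group(1)] = _unescape(extension[m.end():end].strip())
    return header, ext, trailing_json


def to_udm(line):
    """Map one CEF line onto the UDM fields shown in the page's Sample Parsing."""
    header, ext, extra = parse_cef(line)
    udm = {
        # Vendor and product are statically assigned (the CEF device vendor, "MyCo"
        # in the sample, is not used); event_type defaults to GENERIC_EVENT.
        "metadata.vendor_name": "IBM",
        "metadata.product_name": "z/OS",
        "metadata.event_type": "GENERIC_EVENT",
        # The UDM table lists dvchost first for product_event_type; fall back to the
        # CEF "name" header field, which carries the same value in the sample.
        "metadata.product_event_type": ext.get("dvchost", header["name"]),
        "principal.resource.name": header["device_product"],
        "security_result.summary": header["name"],
        "security_result.severity": header["severity"].upper(),
    }
    # "start" is epoch milliseconds; the sample parse shows it as collected_timestamp.
    if ext.get("start", "").isdigit():
        ts = datetime.fromtimestamp(int(ext["start"]) / 1000, tz=timezone.utc)
        udm["metadata.collected_timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    if "ACCESSOR" in ext:
        udm["observer.application"] = ext["ACCESSOR"]
    # Each {"label": ..., "value": ...} entry becomes an additional.<label> field.
    for item in extra.get("additional", []):
        if "label" in item:
            udm["additional." + item["label"]] = item.get("value", "")
    return udm


if __name__ == "__main__":
    for field, value in to_udm(SAMPLE_LINE).items():
        print(f"{field:<32} {value!r}")
```

Running it prints the same field/value pairs as the Sample Parsing section for the fields this example covers (metadata.id and event_timestamp are assigned at ingestion and are not derivable from the line). The MODE value comes out as "FAIL DSNX9WLS OK PGM S983617", which is the right CEF reading of that tail; a parser that split the extension on whitespace would silently drop the program and job identifiers, which is the kind of gap that lowers the normalization rate quoted above.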

Parser Alerting

This product currently does not have any parser-based alerting.

Rules

Coming Soon