Question & Answer
Question
New custom properties are available for IBM Resource Access Control Facility (RACF). This tech note outlines the changes and provides installation instructions for administrators who are installing the extension (zip) or the content pack (RPM).
Answer
- The Content Pack RPM adds 1 custom event property, on top of the existing custom event properties shipped with QRadar.
- The Extension installation adds all 31 custom event properties listed on this page.
Custom Event Properties Added by the IBM RACF - Custom Property Pack
| Description | Regex for the custom event property | Version |
|---|---|---|
| Authenticator | authenticator=([^\t]+) | 1.0.0 |
| Access allowed | allow=([^\t]+) | 1.0.0 |
| Access intent | intent=([^\t]+) | 1.0.0 |
| Application name | appl=([^\t]+) | 1.0.0 |
| Command | cmd=([^\t]+) | 1.0.0 |
| Data set name | dsn=([^\t]+) | 1.0.0 |
| Descriptor | desc=([^\t]+) | 1.0.0 |
| Event summary | sum=([^\t]+) | 1.0.0 |
| Identity context name | ICTXname=([^\t]+) | 1.0.0 |
| Identity context registry | ICTXreg=([^\t]+) | 1.0.0 |
| Job name | job=[^\t]{29}([^\t]{8}) | 1.0.0 |
| Log string | logstr=([^\t]+) | 1.0.0 |
| Person name | name=([^\t]+) | 1.0.0 |
| Physical DASD box serial | box=([^\t]+) | 1.0.0 |
| Port of entry | poe=([^\t]+) | 1.0.0 |
| Private / owned data set | own=([^\t]+) | 1.0.0 |
| RACF authority used | auth=([^\t]+) | 1.0.0 |
| RACF profile | prof=([^\t]+) | 1.0.0 |
| Resource sensitivity | sens=([^\t]+) | 1.0.0 |
| SAF class | class=([^\t]+) | 1.0.0 |
| SAF resource name | res=([^\t]+) | 1.0.0 |
| SNA terminal name | terminal=([^\t]+) | 1.0.0 |
| Sensitive groups | usrGroups=([^\t]+) | 1.0.0 |
| Sensitive user privileges | usrPriv=([^\t]+) | 1.0.0 |
| Submitted by | submitby=([^\t]+) | 1.0.0 |
| System SMF id | job=([^\t]{4}) | 1.0.0 |
| System / job | job=([^\t]+) | 1.0.0 |
| UNIX path name | path=([^\t]+) | 1.0.0 |
| UNIX access origin | used=([^\t]+) | 1.0.0 |
| UNIX function | function=([^\t]+) | 1.0.0 |
| Volume serial | vol=([^\t]+) | 1.0.0 |
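The following Python script is an added example, not part of this IBM tech note or of the content pack itself. It applies the regexes from the table above to a constructed RACF payload so an administrator can see what each capture group returns before enabling the properties in QRadar. The tab-separated key=value layout is an assumption inferred from the `[^\t]` character classes in the patterns; every sample value (system id, job name, data set names, user names) is invented. The "Sensitive groups" pattern is used with the closing parenthesis that the printed table drops, and the `anchored` helper is this example's own variant of the `key=([^\t]+)` shape, not a QRadar feature.

```python
import re

# Regexes exactly as listed in the table above; the "Sensitive groups" pattern,
# printed there without its closing parenthesis, is used here in corrected form.
RACF_PROPERTIES = {
    "Authenticator": r"authenticator=([^\t]+)",
    "Access allowed": r"allow=([^\t]+)",
    "Access intent": r"intent=([^\t]+)",
    "Application name": r"appl=([^\t]+)",
    "Command": r"cmd=([^\t]+)",
    "Data set name": r"dsn=([^\t]+)",
    "Descriptor": r"desc=([^\t]+)",
    "Event summary": r"sum=([^\t]+)",
    "Identity context name": r"ICTXname=([^\t]+)",
    "Identity context registry": r"ICTXreg=([^\t]+)",
    "Job name": r"job=[^\t]{29}([^\t]{8})",
    "Log string": r"logstr=([^\t]+)",
    "Person name": r"name=([^\t]+)",
    "Physical DASD box serial": r"box=([^\t]+)",
    "Port of entry": r"poe=([^\t]+)",
    "Private / owned data set": r"own=([^\t]+)",
    "RACF authority used": r"auth=([^\t]+)",
    "RACF profile": r"prof=([^\t]+)",
    "Resource sensitivity": r"sens=([^\t]+)",
    "SAF class": r"class=([^\t]+)",
    "SAF resource name": r"res=([^\t]+)",
    "SNA terminal name": r"terminal=([^\t]+)",
    "Sensitive groups": r"usrGroups=([^\t]+)",
    "Sensitive user privileges": r"usrPriv=([^\t]+)",
    "Submitted by": r"submitby=([^\t]+)",
    "System SMF id": r"job=([^\t]{4})",
    "System / job": r"job=([^\t]+)",
    "UNIX path name": r"path=([^\t]+)",
    "UNIX access origin": r"used=([^\t]+)",
    "UNIX function": r"function=([^\t]+)",
    "Volume serial": r"vol=([^\t]+)",
}

# The "Sensitive groups" pattern as printed in the table, kept only to show
# what a validation pass over the regex list catches.
USRGROUPS_AS_PRINTED = r"usrGroups=([^\t]+"


def check_patterns(patterns):
    """Return the names whose regex does not compile or has no capture group."""
    bad = []
    for name, pattern in patterns.items():
        try:
            compiled = re.compile(pattern)
        except re.error:
            bad.append(name)
            continue
        if compiled.groups < 1:
            bad.append(name)
    return bad


def extract_properties(event, patterns=RACF_PROPERTIES):
    """Apply each regex to one payload; return property name -> first capture group."""
    found = {}
    for name, pattern in patterns.items():
        match = re.search(pattern, event)
        if match:
            found[name] = match.group(1)
    return found


def anchored(key):
    """Example-only variant that matches a key only at the start of a tab-separated field."""
    return r"(?:^|\t)" + re.escape(key) + r"=([^\t]+)"


# Constructed sample payload (assumed layout: tab-separated key=value fields).
# The 25 characters between the SMF id and the job name are filler; the job
# value is 37 characters long so that the "Job name" pattern can reach offset 29.
SAMPLE_EVENT = "\t".join([
    "sum=Access allowed to data set",
    "job=" + "SYS1" + "0" * 25 + "PAYROLL1",
    "class=DATASET",
    "res=PROD.PAYROLL.MASTER",
    "intent=UPDATE",
    "allow=YES",
    "auth=ALTER",
    "ICTXname=JDOE",
    "name=JANE DOE",
    "usrGroups=SYS1,PAYADM",
    "usrPriv=SPECIAL",
])


if __name__ == "__main__":
    print("invalid as printed:", check_patterns({"Sensitive groups": USRGROUPS_AS_PRINTED}))
    for name, value in sorted(extract_properties(SAMPLE_EVENT).items()):
        print(f"{name}: {value}")
    person = extract_properties(SAMPLE_EVENT, {"Person name": anchored("name")})
    print("Person name (anchored):", person["Person name"])
```

Running the script shows the three `job=` patterns splitting one field into the 4-character SMF id, the whole value, and the 8-character job name at offset 29. It also shows a check worth making with real payloads: because `name=` is a substring of `ICTXname=`, a first-match search on this sample returns the identity context name for "Person name" when that field appears earlier in the payload. Python's `re.search` is not a guarantee of how QRadar evaluates the same expression, so verify the affected properties against captured events in the custom property editor before relying on them in rules or reports.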
Where do I find more information?
If you have additional questions or some of this content is not clear, you can see the QRadar forum or contact customer support:
- Online QRadar Customer Forums
- Submit and manage your support tickets online 24x7 using IBM Service Request
- QRadar Downloads are available on IBM Fix Central
- IBM Security Support videos - YouTube channel
Procedure
- Download the IBM z/OS custom property content pack from the IBM Fix Central website for your QRadar version:
- For QRadar 7.1: Link to all QRadar 7.1 Security Content Packs
- For QRadar 7.2: Link to all QRadar 7.2 Security Content Packs
- Using SSH, log in to your Console as the root user.
- Copy the security content pack to the /tmp directory on the QRadar Console.
- To install the security content pack, type one of the following commands:
- For QRadar 7.1, type: rpm -Uvh ContentPackage-CustomProperties-IBMResourceAccessControlFacility-7.1-1462297044.x86_64.rpm
- For QRadar 7.2, type: yum install ContentPackage-CustomProperties-IBMResourceAccessControlFacility-7.2-1462297044.x86_64.rpm
- Log in to the QRadar Console as an administrator.
- Click the Admin tab.
- Click Advanced > Restart Web Server.
- Click OK to restart the QRadar user interface.
Note: If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
Before you continue: Restarting the web server will restart the user interface and load the new custom event properties. This action will log out existing users, stop reports in progress, and halt event exports in process. It is recommended that administrators restart the user interface during a maintenance window for the appliance.
Results
After the user interface restarts, the installation is complete. The administrator should review the Bit9 Security Platform custom event properties to determine if any of the values need to be enabled, disabled, or optimized in the QRadar interface.
Installing a QRadar Extension
The Extension Management window in QRadar is used to add applications to your deployment to improve the functionality or add customized content to QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards, or extensions can install applications that deliver specific new functionality to QRadar. The About tab of this article outlines the contents of the extension being added to QRadar.
NOTE: Installing or updating an extension uses the same process in the extension management user interface. The new extension prompts the administrator and overwrites any content that is in the enterprise template. Modified rules created by administrators are never touched during extension updates; only the core templates are updated.
Procedure
- Download the RACF custom property extension from the IBM X-Force App Exchange: https://exchange.xforce.ibmcloud.com/hub/extension/IBMQRadar:IBMResourceAccessControlFacilityCustomProperties
- Log in to the QRadar Console as an administrator.
- Click the Admin tab.
- Click the Extension Management icon.
- To upload an extension, click Add and select the extension to upload.
Note: The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console appliance.
- To install the extension immediately, select the Install immediately check box and then click Add. A preview of the application content is displayed. You can choose how existing content items are handled.
- To preview the contents of an extension after it is added and before it is installed, select it from the list of extensions, and click More Details.
Before the extension is installed, the content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data.
Results
After the extension is added, a yellow caution icon in the Status column indicates potential issues with the digital signature. Hover the mouse over the triangle for more information. Extensions that are unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility issues in your deployment.
If you are installing an updated version of an extension, administrators should review the change list to determine if they need to update any rules. When the extension is applied to QRadar, administrator or user rules are not modified by QRadar; instead, the base enterprise template is updated. If a rule change includes a new building block update, performance change, or new rule tests, then administrators should consider updating or recreating their existing rule from the rule template.
Document Information
Modified date:
10 May 2019
UID
swg21983337