IBM Support

QRadar Security Content Pack: IBM RACF Custom Event Properties

Question & Answer


Question

New custom properties are available for IBM Resource Access Control Facility (RACF). This tech note outlines the changes and provides installation instructions for administrators who are installing the extension (zip) or the content pack (RPM).

Answer



QRadar SIEM collects events from IBM RACF using IBM Security zSecure Audit for standard auditing, authorization, and security events. Events are provided to QRadar using Syslog in LEEF format. The installation of the extension for QRadar provides a number of default custom event properties, plus one new custom event property for 'Authenticator'. Custom event properties allow administrators to capture important fields from IBM RACF event payloads using regex, making this data usable in searches and reports in QRadar. This security content pack builds on the existing default list of custom event properties to add new values to the default list.

  • The Content Pack RPM adds 1 custom event property, on top of the existing custom event properties shipped with QRadar.
  • The Extension installation adds all 31 custom event properties listed on this page.

Custom Event Properties Added by the IBM RACF - Custom Property Pack

| Description | Regex for the custom event property | Version |
|---|---|---|
| Authenticator | authenticator=([^\t]+) | 1.0.0 |
| Access allowed | allow=([^\t]+) | 1.0.0 |
| Access intent | intent=([^\t]+) | 1.0.0 |
| Application name | appl=([^\t]+) | 1.0.0 |
| Command | cmd=([^\t]+) | 1.0.0 |
| Data set name | dsn=([^\t]+) | 1.0.0 |
| Descriptor | desc=([^\t]+) | 1.0.0 |
| Event summary | sum=([^\t]+) | 1.0.0 |
| Identity context name | ICTXname=([^\t]+) | 1.0.0 |
| Identity context registry | ICTXreg=([^\t]+) | 1.0.0 |
| Job name | job=[^\t]{29}([^\t]{8}) | 1.0.0 |
| Log string | logstr=([^\t]+) | 1.0.0 |
| Person name | name=([^\t]+) | 1.0.0 |
| Physical DASD box serial | box=([^\t]+) | 1.0.0 |
| Port of entry | poe=([^\t]+) | 1.0.0 |
| Private / owned data set | own=([^\t]+) | 1.0.0 |
| RACF authority used | auth=([^\t]+) | 1.0.0 |
| RACF profile | prof=([^\t]+) | 1.0.0 |
| Resource sensitivity | sens=([^\t]+) | 1.0.0 |
| SAF class | class=([^\t]+) | 1.0.0 |
| SAF resource name | res=([^\t]+) | 1.0.0 |
| SNA terminal name | terminal=([^\t]+) | 1.0.0 |
| Sensitive groups | usrGroups=([^\t]+) | 1.0.0 |
| Sensitive user privileges | usrPriv=([^\t]+) | 1.0.0 |
| Submitted by | submitby=([^\t]+) | 1.0.0 |
| System SMF id | job=([^\t]{4}) | 1.0.0 |
| System / job | job=([^\t]+) | 1.0.0 |
| UNIX path name | path=([^\t]+) | 1.0.0 |
| UNIX access origin | used=([^\t]+) | 1.0.0 |
| UNIX function | function=([^\t]+) | 1.0.0 |
| Volume serial | vol=([^\t]+) | 1.0.0 |
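As an added illustration (not part of this tech note or the content pack), the following Python applies a subset of the regexes above to a constructed tab-delimited LEEF payload, shows how the three job= patterns pull the SMF id, the job name and the whole field out of one attribute, and shows why a short key such as name= should be anchored to an attribute boundary, since unanchored it can match inside ICTXname= depending on attribute order. The sample event, its values, its attribute order and the assumed fixed-width layout of the job= value are constructed for this example.

```python
import re

# Regexes copied from the content pack table above (a subset). QRadar stores
# capture group 1 of each match as the custom event property value.
CEP_REGEX = {
    "Person name": r"name=([^\t]+)",
    "Identity context name": r"ICTXname=([^\t]+)",
    "Job name": r"job=[^\t]{29}([^\t]{8})",
    "System SMF id": r"job=([^\t]{4})",
    "System / job": r"job=([^\t]+)",
    "SAF class": r"class=([^\t]+)",
    "SAF resource name": r"res=([^\t]+)",
    "Access allowed": r"allow=([^\t]+)",
    "Sensitive groups": r"usrGroups=([^\t]+)",
}

def anchor_to_attribute(pattern: str) -> str:
    """Require the key to start an attribute: at the beginning of the payload,
    after the '|' that ends the LEEF header, or after the tab delimiter. This
    stops a short key such as name= from matching inside ICTXname=."""
    return r"(?:^|[\t|])" + pattern

def extract_properties(payload: str, anchored: bool = False) -> dict:
    """Apply every regex to the payload, as the CEP engine does, returning
    property name -> captured value for the ones that matched."""
    result = {}
    for name, pattern in CEP_REGEX.items():
        if anchored:
            pattern = anchor_to_attribute(pattern)
        match = re.search(pattern, payload)
        if match:
            result[name] = match.group(1)
    return result

# Constructed sample event (values, version and attribute order invented for
# this example, not real zSecure output). The job= value is laid out so that
# characters 1-4 carry the SMF system id and characters 30-37 the job name,
# which is what the two narrower job= regexes in the table assume.
JOB_FIELD = "SYS1" + " " * 25 + "PAYROLL1" + " JOB12345"
SAMPLE_EVENT = (
    "LEEF:1.0|IBM|zSecure Audit|0.0|ACCESS|"
    "usrName=ALICE01\tICTXname=CORPDIR\tname=Alice Example\tallow=NO\t"
    "class=DATASET\tres=PROD.PAYROLL.MASTER\tusrGroups=SYS1,PAYADM\t"
    "job=" + JOB_FIELD
)

if __name__ == "__main__":
    # Unanchored, "Person name" wrongly picks up the ICTXname= value.
    print(extract_properties(SAMPLE_EVENT)["Person name"])        # CORPDIR
    print(extract_properties(SAMPLE_EVENT, True)["Person name"])  # Alice Example
```

QRadar evaluates custom property regexes with Java's regex engine; the constructs used here (`[^\t]`, `{n}`, `(?:^|[\t|])`) behave the same there, so the anchored form can be pasted into the property editor when a tenant's events turn out to order attributes this way.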


Where do I find more information?

If you have additional questions or some of this content is not clear, you can visit the QRadar forum or contact customer support.

To install a security content pack, an administrator must download the RPM from IBM Fix Central, then install the content pack on the Console appliance. The Console replicates the changes from the install of the content pack to all managed hosts in the deployment.

Procedure

  1. Download the IBM z/OS custom property content pack from the IBM Fix Central website for your QRadar version.
  2. Using SSH, log in to your Console as the root user.
  3. Copy the security content pack to the /tmp directory on the QRadar Console.
     Note: If space in the /tmp directory is limited, copy the content pack to another location that has sufficient space.
  4. To install the security content pack, type one of the following commands:
     • For QRadar 7.1, type: rpm -Uvh ContentPackage-CustomProperties-IBMResourceAccessControlFacility-7.1-1462297044.x86_64.rpm
     • For QRadar 7.2, type: yum install ContentPackage-CustomProperties-IBMResourceAccessControlFacility-7.2-1462297044.x86_64.rpm
  5. Log in to the QRadar Console as an administrator.
  6. Click the Admin tab.
  7. Before you continue: Restarting the web server restarts the user interface and loads the new custom event properties. This action logs out existing users, stops reports in progress, and halts event exports in process. It is recommended that administrators restart the user interface during a maintenance window for the appliance.
  8. Click Advanced > Restart Web Server.
  9. Click OK to restart the QRadar user interface.


Results

After the user interface restarts, the installation is complete. The administrator should review the newly installed custom event properties to determine whether any of them need to be enabled, disabled, or optimized in the QRadar interface.



Installing a QRadar Extension

The Extension Management window in QRadar is used to add applications to your deployment to improve its functionality or to add customized content to QRadar. Extensions can contain content, such as rules, reports, searches, reference sets, and dashboards, or they can install applications that deliver specific new functionality to QRadar. The About tab of this article outlines the contents of the extension being added to QRadar.

NOTE: Installing or updating an extension uses the same process in the Extension Management user interface. The new extension prompts the administrator and overwrites any content that is in the enterprise template. Modified rules created by administrators are never touched during extension updates; only the core templates are updated.

Procedure

  1. Download the RACF custom property extension from the IBM X-Force App Exchange: https://exchange.xforce.ibmcloud.com/hub/extension/IBMQRadar:IBMResourceAccessControlFacilityCustomProperties
  2. Log in to the QRadar Console as an administrator.
  3. Click the Admin tab.
  4. Click the Extension Management icon.
  5. To upload an extension, click Add and select the extension to upload.
    Note: The extension (zip) must be downloaded to your local computer before it can be uploaded to the Console appliance.
  6. To install the extension immediately, select the Install immediately check box and then click Add. A preview of the application content is displayed. You can choose how existing content items are handled.
  7. To preview the contents of an extension after it is added and before it is installed, select it from the list of extensions, and click More Details.
    Before the extension is installed, the content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data.

Results

After the extension is added, a yellow caution icon in the Status column indicates potential issues with the digital signature. Hover the mouse over the triangle for more information. Extensions that are unsigned, or that are signed by the developer but not validated by your vendor, might cause compatibility issues in your deployment.

If you are installing an updated version of an extension, administrators should review the change list to determine whether they need to update any rules. When the extension is applied to QRadar, administrator or user rules are not modified by QRadar; instead, the base enterprise template is updated. If a rule change includes a new building block update, a performance change, or new rule tests, administrators should consider updating or recreating their existing rule from the rule template.




Document Information

Modified date:
10 May 2019

UID

swg21983337