IBM Security zSecure Adapters for QRadar SIEM
JeroenTiggelman 27000186A5 Visits (21861)
IBM QRadar SIEM consolidates log source event data from thousands of devices endpoints and applications distributed throughout a network. It normalizes information from many Log Sources through Device Support Modules (DSMs), which are pluggable components.
IBM Security zSecure Adapters for SIEM allows sending z/OS, RACF, ACF2, Top Secret, DB2, and CICS events from the System Management Facilities (SMF) log to QRadar SIEM enriched with information from the security database and system snapshot (CKFREEZE) information.
This integration is functionally equivalent with the inte
On the mainframe side, a job is provided to add to your job scheduling package. zSecure Adapters for SIEM is invoked to convert SMF (and other) data into Log Event Enhanced Format (LEEF). This is described in detail in section "Data preparation for QRadar SIEM" in the zSecure Installation and Deployment Guide.
The CARLa Auditing and Reporting Language (CARLa) is the common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, and zSecure Adapters for SIEM. The integration utilizes a CARLa script (CKQLEEF), which contains a number of exit points in the form of CARLa members that can specify global options, exclude certain events from being passed on, or add custom-defined events based on additional SMF records that the installation might write. This is parallel to the integration between zSecure Audit and QRadar SIEM, which uses a script C2ELEEF. Both scripts are available in the SCKRCARL sample library provided with any of the CARLa-based zSecure products.
QRadar SIEM provides 6 separate DSMs (z/OS, RACF, ACF2, Top Secret, DB2, and CICS). zSecure typically keeps enhancing the information sent each release. If you enable the autoupdate feature of QRadar SIEM, the DSMs will be updated to the latest levels to support additional events as soon as the QRadar SIEM support becomes available.
Like zSecure Audit, the new product has separate entitlement identifiers for RACF, ACF2, and Top Secret. The other types of events are included with any of these.
If you have any questions, please post them here or on the zSecure forum. You can also visit the zSecure community and wiki. The current zSecure for z/VM release at the time of original publication was 1.11.1; a newer release has now been announced. The I
Edit: Instead of the batched method using FTP polling described in this article, it is now also possible to use a near real-time interface in this product as described for zSecure 2.2.1.