IBM Security zSecure Audit integration with QRadar SIEM
JeroenTiggelman
Integration between IBM Security zSecure Audit 1.13.0 and QRadar SIEM 7.0 became generally available on July 31, 2012.
This integration allows sending z/OS, RACF, ACF2, Top Secret, DB2, and CICS events from the System Management Facilities (SMF) log to QRadar SIEM. zSecure Audit enriches the event data with information from the security database and the system snapshot (CKFREEZE).
QRadar SIEM is a next-generation Security Information and Event Management solution by Q1 Labs. It normalizes information from many Log Sources through Device Support Modules (DSMs), which are pluggable components.
From the QRadar point of view the new Log Source Types are obtained through the Log File protocol in Log Event Enhanced Format (LEEF), meaning that additional properties are available beyond the standard normalized set. The "Con
On the mainframe side, a job is provided to add to your job scheduling package. zSecure Audit is invoked to convert SMF (and other) data into LEEF. This is described in detail in section "Data preparation for QRadar SIEM" in the zSecure Installation and Deployment Guide.
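To show what "additional properties beyond the standard normalized set" means in a LEEF record, here is an added example (not code from zSecure or QRadar) that parses one LEEF 1.0 line and separates predefined attribute keys from custom ones. The sample record, vendor, product, event ID and custom key names are constructed placeholders, not actual zSecure Audit output.

```python
# Added example: minimal LEEF 1.0 parser. The sample record is constructed for
# illustration and is not actual zSecure Audit output.

# Subset of the attribute keys predefined by the LEEF specification.
PREDEFINED_KEYS = {"cat", "devTime", "devTimeFormat", "sev", "src", "dst",
                   "srcPort", "dstPort", "proto", "usrName"}


def parse_leef(line):
    """Split one LEEF 1.0 record into header, predefined and custom attributes."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    # Header: LEEF:version|vendor|product|product version|event ID|attributes
    # maxsplit=5 keeps any '|' inside attribute values intact.
    parts = line.rstrip("\r\n").split("|", 5)
    if len(parts) != 6:
        raise ValueError("incomplete LEEF header")
    version = parts[0][len("LEEF:"):]
    if version != "1.0":
        raise ValueError("unsupported LEEF version: " + version)
    header = dict(zip(("vendor", "product", "product_version", "event_id"),
                      parts[1:5]))
    header["leef_version"] = version
    predefined, custom = {}, {}
    # LEEF 1.0 attributes are key=value pairs separated by tab characters.
    for pair in parts[5].split("\t"):
        if not pair:
            continue
        key, sep, value = pair.partition("=")  # value may itself contain '='
        if not sep or not key:
            raise ValueError("malformed attribute: %r" % pair)
        (predefined if key in PREDEFINED_KEYS else custom)[key] = value
    return header, predefined, custom


# Constructed sample: hypothetical vendor, product, event ID and custom keys.
SAMPLE = ("LEEF:1.0|ExampleVendor|ExampleProduct|1.0|EXAMPLE_ACCESS_VIOLATION|"
          "devTime=2012-07-31T10:15:00\tusrName=EXUSER1\tsev=5\t"
          "exampleResource=EXAMPLE.DATA.SET\texampleIntent=UPDATE")

if __name__ == "__main__":
    hdr, std, extra = parse_leef(SAMPLE)
    print(hdr["event_id"], std, extra)
```

Keys that land in the custom dictionary are the ones that need a custom event property definition on the SIEM side before they can be searched or reported on.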
Adding custom events is supported in a way that is similar to sending events through Tivoli Compliance Insight Manager Enabler for z/OS to Tivoli Security Information and Event Manager (CARLa-based).
Custom event properties can be added to the QRadar SIEM reports as described in technical note "QRa
To benefit from this integration the following is required:
on the zSecure side:
on the QRadar side:
If you have any questions, please post them here or on the zSecure forum.
Edit: For the real-time integration between zSecure Alert and QRadar SIEM released in December 2012, look here.
Edit: For the real-time integration between zSecure Audit (or Adapters) and QRadar SIEM available in zSecure 2.2.1 (December 2016), look here.
Edit: Real-time integration can now be done without the need for SMF log streams, as announced here (May 2018).
For some of these log sources, prior (less extensive) support was already available in QRadar SIEM.