How it works

This topic describes the process of SMF data collection for IBM Threat Detection for z/OS (IBM TDz).

Figure 1 shows the architecture flow for the solution.

Figure 1. Flow of workload data to the IBM Threat Detection dashboard UI
In Figure 1, observe the following details:
  • Multiple systems in a sysplex collect SMF type 98, subtype 5 through 8, records through DFSMS and IBM z/OS Workload Interaction Correlator. Hardware instrumentation services (HIS) writes this data, in raw format, to a shared zFS file system.
  • IBM TDz runs as a cron job that processes this data at regular intervals. Each pass creates signatures and issues notifications as anomalies are identified.
  • At any time, your staff can use the z/OSMF plug-in to view data access activity and any anomalies that occur on the system. The plug-in includes a dashboard UI for viewing the context and details of any detected event. Use of the plug-in is optional: anomaly detection, with its associated console messages and SMF log output, runs independently of the plug-in.
  • The z/OSMF plug-in also includes functions for managing an exclusion list. The plug-in assesses historical data and identifies events that you can add to the exclusion list so that they are treated as normal.
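The following is an added, constructed illustration of the processing cycle described above: build per-user signatures from a historical window, scan a new batch of access events against them, suppress anything on the exclusion list, and propose recurring flagged events as exclusion candidates. It is not IBM TDz code, does not implement TDz's detection logic, and does not parse SMF type 98 records; the event fields, user IDs, data set names, message format and threshold are all assumptions made for the example.

```python
"""Toy pass of a signature-based anomaly detector with an exclusion list.

Constructed illustration; not IBM TDz code, not TDz's detection logic, and
not an SMF type 98 parser. Field names, sample users, data set names and
the exclusion threshold are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    """One data-access event as a scheduled pass would see it after ingestion.
    Field names are assumptions, not the SMF 98 record layout."""
    user: str
    dataset: str
    action: str  # e.g. READ, WRITE, DELETE


def build_signatures(history):
    """Baseline 'signature' per user: the set of (dataset, action) pairs
    that user produced during the historical window."""
    sigs = defaultdict(set)
    for ev in history:
        sigs[ev.user].add((ev.dataset, ev.action))
    return dict(sigs)


def detect_anomalies(signatures, batch, exclusions=frozenset()):
    """Return events in `batch` that fall outside the user's signature and
    are not on the exclusion list. An unknown user has an empty signature,
    so every access by that user is flagged."""
    flagged = []
    for ev in batch:
        if (ev.user, ev.dataset, ev.action) in exclusions:
            continue  # operator has declared this combination normal
        if (ev.dataset, ev.action) in signatures.get(ev.user, set()):
            continue  # matches established behaviour
        flagged.append(ev)
    return flagged


def suggest_exclusions(past_flagged, min_occurrences=3):
    """Review previously flagged events and propose recurring ones as
    exclusion candidates: an 'anomaly' seen this often is probably routine.
    The threshold of 3 is an assumption."""
    counts = Counter((ev.user, ev.dataset, ev.action) for ev in past_flagged)
    return sorted(k for k, n in counts.items() if n >= min_occurrences)


def format_notification(ev):
    """Console-message style text for a flagged event (format is assumed)."""
    return f"ANOMALY user={ev.user} dataset={ev.dataset} action={ev.action}"


# Constructed sample data standing in for what a pass would read from the
# shared zFS directory.
HISTORY = [
    AccessEvent("PAYROLL", "PROD.PAY.MASTER", "READ"),
    AccessEvent("PAYROLL", "PROD.PAY.MASTER", "WRITE"),
    AccessEvent("DBA01", "PROD.DB2.CATALOG", "READ"),
    AccessEvent("DBA01", "PROD.DB2.LOGS", "READ"),
]
BATCH = [
    AccessEvent("PAYROLL", "PROD.PAY.MASTER", "READ"),    # within signature
    AccessEvent("DBA01", "PROD.PAY.MASTER", "READ"),      # DBA reading payroll data
    AccessEvent("BATCH01", "PROD.PAY.MASTER", "DELETE"),  # unknown user, destructive
    AccessEvent("DBA01", "PROD.DB2.CATALOG", "WRITE"),    # covered by exclusion list
]
EXCLUSIONS = frozenset({("DBA01", "PROD.DB2.CATALOG", "WRITE")})


def run_cycle(history=HISTORY, batch=BATCH, exclusions=EXCLUSIONS):
    """One scheduled pass: build signatures, scan the new batch, and return
    the notifications that would be issued."""
    sigs = build_signatures(history)
    return [format_notification(ev)
            for ev in detect_anomalies(sigs, batch, exclusions)]


if __name__ == "__main__":
    for line in run_cycle():
        print(line)
    # Suppose the DB2 catalog write had been flagged on three earlier passes.
    repeated = [AccessEvent("DBA01", "PROD.DB2.CATALOG", "WRITE")] * 3
    print("exclusion candidates:", suggest_exclusions(repeated))
```

Running the example flags two of the four batch events: the DBA reading the payroll master, and a user with no history deleting it. The DB2 catalog write is suppressed only because it is on the exclusion list; remove that entry and it is flagged too, which is the trade-off an operator accepts when marking an event as normal.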