IBM z/OS
Use the IBM® QRadar® IBM z/OS® Custom Properties Content Extension to closely monitor your IBM z/OS deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs
up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled,
download the most recent version of the associated DSMs from IBM Fix Central
(https://www.ibm.com/support/fixcentral).
IBM Security QRadar IBM z/OS Custom Properties Content Extension
- IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.4
- IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.3
- IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.2
- IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.1
- IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.0
- IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.1
- IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.0
IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.4
The following table shows the custom properties that are new or updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.4.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Catalog | Yes | 1 | catalog=([^\t]+) |
| Command | Yes | 1 | cmd=([^\t]+) |
| Completion Code | Yes | 1 | compCode=([^\t]+) |
| Completion status | Yes | 1 | compStat=([^\t]+) |
| Data set name | Yes | 1 | dsn=([^\t]+) |
| DD name | Yes | 1 | dd=([^\t]+) |
| Descriptor | Yes | 1 | desc=([^\t]+) |
| Event Summary | Yes | 1 | sum=([^\t]+) |
| Function code | Yes | 1 | function=([^\t]+) |
| JES line | Yes | 1 | line=([^\t]+) |
| JES remote terminal name | Yes | 1 | line rmt=([^\t]+) |
| Job name | Yes | 1 | job=[^\t]{29}([^\t]{8}) |
| Job number | Yes | 1 | jobid=([^\t]+) |
| Member name | Yes | 1 | member=([^\t]+) |
| NJE node name | Yes | 1 | node=([^\t]+) |
| Old data set name | Yes | 1 | oldda=([^\t]+) |
| Person name | Yes | 1 | name=([^\t]+)) |
| Physical DASD box serial | Yes | 1 | box=([^\t]+) |
| Port of entry | Yes | 1 | poe=([^\t]+) |
| Private/owned data set | Yes | 1 | own=([^\t]+) |
| Program | Yes | 1 | program=([^\t]+) |
| RACF Profile | Yes | 1 | prof=([^\t]+) |
| Resource Sensitivity | Yes | 1 | sens=([^\t]+) |
| SAF Class | Yes | 1 | class=([^\t]+) |
| SAF Resource name | Yes | 1 | res=([^\t]+) |
| Sensitive Groups | Yes | 1 | usrGroups=([^\t]+ |
| Sensitive user privileges | Yes | 1 | usrPriv=([^\t]+) |
| SNA terminal name | Yes | 1 | terminal=([^\t]+) |
| Step name | Yes | 1 | stepname=([^\t]+) |
| Submitted by | Yes | 1 | submitby=([^\t]+) |
| Subsystem name | Yes | 1 | subsys=([^\t]+) |
| System SMF id | Yes | 1 | job=([^\t]{4}) |
| System/job | Yes | 1 | job=([^\t]+) |
| UNIX path name | Yes | 1 | path=([^\t]+) |
| Volume serial | Yes | 1 | vol=([^\t]+) |
IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.3
The following table shows the custom properties that are new or updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.3.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Data key label in ICSF | No | 1 | keypol=([^\t]+) |
| IKE Tunnel encryption chaining | No | 1 | ikechn=([^\t]+) |
| IKE Tunnel encryption family | No | 1 | ikealg=([^\t]+) |
| IKE Tunnel encryption key length | No | 1 | ikekeylen=([^\t]+) |
| IPSec Tunnel encryption chaining | No | 1 | ipsecchn=([^\t]+) |
| IPSec Tunnel encryption family | No | 1 | ipsecalg=([^\t]+) |
| IPSec Tunnel encryption key length | No | 1 | ipseckeylen=([^\t]+) |
| SA Active Connections Begin | No | 1 | activeBeg=([^\t]+) |
| SA Active Connections End | No | 1 | activeEnd=([^\t]+) |
| SA Connections Begin | No | 1 | connsBeg=([^\t]+) |
| SA Connections End | No | 1 | connsEnd=([^\t]+) |
| SA Partial Connections Begin | No | 1 | partialBeg=([^\t]+) |
| SA Partial Connections End | No | 1 | partialEnd=([^\t]+) |
| SA Short Connections Begin | No | 1 | shortBeg=([^\t]+) |
| SA Short Connections End | No | 1 | shortEnd=([^\t]+) |
| SMS Data Class | No | 1 | dataclas=([^\t]+) |
| SMS Management Class | No | 1 | mgmtclas=([^\t]+) |
| SMS Storage Class | No | 1 | storclas=([^\t]+) |
| SSH Inbound encryption chaining | No | 1 | sshIchn=([^\t]+) |
| SSH Inbound encryption family | No | 1 | sshIalg=([^\t]+) |
| SSH Inbound encryption key length | No | 1 | sshIkeylen=([^\t]+) |
| SSH Outbound encryption chaining | No | 1 | sshOchn=([^\t]+) |
| SSH Outbound encryption family | No | 1 | sshOalg=([^\t]+) |
| SSH Outbound encryption key length | No | 1 | sshOkeylen=([^\t]+) |
| TLS Client Cert | No | 1 | tlsCCertSig=([^\t]+) |
| TLS encryption chaining mode | No | 1 | tlschn=([^\t]+) |
| TLS encryption family | No | 1 | tlsalg=([^\t]+) |
| TLS encryption key length | No | 1 | tlskeylen=([^\t]+) |
| TLS key exchange method | No | 1 | tlsKexAlg=([^\t]+) |
| TLS message digest | No | 1 | tlsMsgAuth=([^\t]+) |
| TLS or SSL protocol level | No | 1 | tlsProtVer=([^\t]+) TLSproto=([^\t]+) |
| TLS Server Cert | No | 1 | tlsSCertSig=([^\t]+) |
| Transport Layer Connection ID | No | 1 | saConnId=([^\t]+) |
IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.2
The Action custom property was assigned a new ID. Delete the Action custom property before you install V1.1.2.
The following table shows the custom properties that are updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.2.
| Name | Optimized | Regex |
|---|---|---|
| Access Intent | Yes | intent=([^\t]+) |
IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.1
The following table shows the custom properties that are removed in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.1.
| Name | Regex |
|---|---|
| Subsystem name | subsys=([^\t]+) |
IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.0
The following table shows the custom properties that are new or updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.0.
| Name | Regex |
|---|---|
| Cipher Suite ID | tlsNegCipher=([^\t]+) |
| Data Set Key Algorithm | keyalg=([^\t]+) |
| Data Set Key Label | keylbl=([^\t]+) |
| Data Set Key Length | keylen=([^\t]+) |
| IP Connection ID | saConnId=([^\t]+) |
| IP Protocol | IPproto=([^\t]+) |
| Job name | jobname=([^\t]+) |
| SMF Record Type | LEEF:[^\|]+\|IBM\|z\/OS\|[^\|]+\|([^\|]+)\| LEEF:[^\|]+\|IBM\|RACF\|[^\|]+\|([^\|]+)\| LEEF:[^\|]+\|IBM\|DB2\|[^\|]+\|([^\|]+)\| LEEF:[^\|]+\|IBM\|CICS\|[^\|]+\|([^\|]+)\| |
| Stack | stack=([^\t]+) |
| Subsystem name | sysname=([^\t]+) |
| Sysplex Name | sysplex=([^\t]+) |
| SNA terminal name | LU\s([a-zA-Z0-9]\w+) terminal=([^\t]+) |
| TLS encryption family | tlsalg=([^\t]+) |
| TLS encryption chaining mode | tlschn=([^\t]+) |
| TLS encryption key length | tlskeylen=([^\t]+) |
| TLS message digest | tlsMsgAuth=([^\t]+) |
| TLS or SSL protocol level | tlsProtVer=([^\t]+) |
| TLS key exchange method | tlsKexAlg=([^\t]+) |
| TLS Client Cert | tlsCCertSig=([^\t]+) |
| Bypass request | bypass_req=([^\t]+) |
IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.1
The following table shows the custom properties that are new or updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.1.
| Name | Regex |
|---|---|
| Action | action=([ˆ\t]+) |
| Key label | keylabel=([ˆ\t]+) |
IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.0
The following table shows the custom properties that are new or updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.0.
| Name | Regex |
|---|---|
| Event sum | sum=([^\t]+) |
| Access intent | intent=([^\t]+) |
| Catalog | catalog=([^\t]+) |
| Command | cmd=([^\t]+) |
| Completion code | compCode=([^\t]+) |
| Completion status | compStat=([^\t]+) |
| Data set name | dsn=([^\t]+) |
| DD name | dd=([^\t]+) |
| Descriptor | desc=([^\t]+) |
| Function code | function=([^\t]+) |
| JES line | line=([^\t]+) |
| JES remote terminal | line rmt=([^\t]+) |
| Job number | jobid=([^\t]+) |
| Member name | member=([^\t]+) |
| NJE node name | node=([^\t]+) |
| Old data set name | oldda=([^\t]+) |
| Person name | name=([^\t]+) |
| Physical DASD box serial | box=([^\t]+) |
| Port of entry | poe=([^\t]+) |
| Private / owned data set | own=([^\t]+) |
| Program | program=([^\t]+) |
| RACF profile | prof=([^\t]+) |
| SAF class | class=([^\t]+) |
| SAF resource name | res=([^\t]+) |
| SNA terminal name | terminal=([^\t]+) |
| Step name | stepname=([^\t]+) |
| Submitted by | submitby=([^\t]+) |
| System / job | job=([^\t]+) |
| UNIX path name | path=([^\t]+) |
| Volume serial | vol=([^\t]+) |
| System SMF id | job=([^\t]{4}) |
| Job name | job=[^\t]{29}([^\t]{8}) |
| Resource sensitivity | sens=([^\t]+) |
| Sensitive user privileges | usrPriv=([^\t]+) |
| Sensitive groups | usrGroups=([^\t]+ |
| Cipher | cipher=([ˆ\t\+) |
| Allowed cipher priority order | cipherSuite=([ˆ\t\+) |
| FIPS 140 compliance | FIPS140=([ˆ\t\+) |
| Job tag | job=([ˆ\t\+) |
| TLS RFC level | TLSlvl=([ˆ\t\+) |
| TLS or SSL protocol level | TLSproto=([ˆ\t\+) |