IBM z/OS
Use the IBM Security QRadar IBM z/OS® Custom Properties Content Extension to closely monitor your IBM® z/OS deployment.
IBM Security QRadar IBM z/OS Custom Properties Content Extension
- IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.4
- IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.3
- IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.2
- IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.1
- IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.0
- IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.1
- IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.0
IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.4
The following table shows the custom properties that are new or updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.4.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Catalog | Yes | 1 | catalog=([^\t]+) |
| Command | Yes | 1 | cmd=([^\t]+) |
| Completion Code | Yes | 1 | compCode=([^\t]+) |
| Completion status | Yes | 1 | compStat=([^\t]+) |
| Data set name | Yes | 1 | dsn=([^\t]+) |
| DD name | Yes | 1 | dd=([^\t]+) |
| Descriptor | Yes | 1 | desc=([^\t]+) |
| Event Summary | Yes | 1 | sum=([^\t]+) |
| Function code | Yes | 1 | function=([^\t]+) |
| JES line | Yes | 1 | line=([^\t]+) |
| JES remote terminal name | Yes | 1 | line rmt=([^\t]+) |
| Job name | Yes | 1 | job=[^\t]{29}([^\t]{8}) |
| Job number | Yes | 1 | jobid=([^\t]+) |
| Member name | Yes | 1 | member=([^\t]+) |
| NJE node name | Yes | 1 | node=([^\t]+) |
| Old data set name | Yes | 1 | oldda=([^\t]+) |
| Person name | Yes | 1 | name=([^\t]+) |
| Physical DASD box serial | Yes | 1 | box=([^\t]+) |
| Port of entry | Yes | 1 | poe=([^\t]+) |
| Private/owned data set | Yes | 1 | own=([^\t]+) |
| Program | Yes | 1 | program=([^\t]+) |
| RACF Profile | Yes | 1 | prof=([^\t]+) |
| Resource Sensitivity | Yes | 1 | sens=([^\t]+) |
| SAF Class | Yes | 1 | class=([^\t]+) |
| SAF Resource name | Yes | 1 | res=([^\t]+) |
| Sensitive Groups | Yes | 1 | usrGroups=([^\t]+) |
| Sensitive user privileges | Yes | 1 | usrPriv=([^\t]+) |
| SNA terminal name | Yes | 1 | terminal=([^\t]+) |
| Step name | Yes | 1 | stepname=([^\t]+) |
| Submitted by | Yes | 1 | submitby=([^\t]+) |
| Subsystem name | Yes | 1 | subsys=([^\t]+) |
| System SMF id | Yes | 1 | job=([^\t]{4}) |
| System/job | Yes | 1 | job=([^\t]+) |
| UNIX path name | Yes | 1 | path=([^\t]+) |
| Volume serial | Yes | 1 | vol=([^\t]+) |
IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.3
The following table shows the custom properties that are new or updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.3.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Data key label in ICSF | No | 1 | keypol=([^\t]+) |
| IKE Tunnel encryption chaining | No | 1 | ikechn=([^\t]+) |
| IKE Tunnel encryption family | No | 1 | ikealg=([^\t]+) |
| IKE Tunnel encryption key length | No | 1 | ikekeylen=([^\t]+) |
| IPSec Tunnel encryption chaining | No | 1 | ipsecchn=([^\t]+) |
| IPSec Tunnel encryption family | No | 1 | ipsecalg=([^\t]+) |
| IPSec Tunnel encryption key length | No | 1 | ipseckeylen=([^\t]+) |
| SA Active Connections Begin | No | 1 | activeBeg=([^\t]+) |
| SA Active Connections End | No | 1 | activeEnd=([^\t]+) |
| SA Connections Begin | No | 1 | connsBeg=([^\t]+) |
| SA Connections End | No | 1 | connsEnd=([^\t]+) |
| SA Partial Connections Begin | No | 1 | partialBeg=([^\t]+) |
| SA Partial Connections End | No | 1 | partialEnd=([^\t]+) |
| SA Short Connections Begin | No | 1 | shortBeg=([^\t]+) |
| SA Short Connections End | No | 1 | shortEnd=([^\t]+) |
| SMS Data Class | No | 1 | dataclas=([^\t]+) |
| SMS Management Class | No | 1 | mgmtclas=([^\t]+) |
| SMS Storage Class | No | 1 | storclas=([^\t]+) |
| SSH Inbound encryption chaining | No | 1 | sshIchn=([^\t]+) |
| SSH Inbound encryption family | No | 1 | sshIalg=([^\t]+) |
| SSH Inbound encryption key length | No | 1 | sshIkeylen=([^\t]+) |
| SSH Outbound encryption chaining | No | 1 | sshOchn=([^\t]+) |
| SSH Outbound encryption family | No | 1 | sshOalg=([^\t]+) |
| SSH Outbound encryption key length | No | 1 | sshOkeylen=([^\t]+) |
| TLS Client Cert | No | 1 | tlsCCertSig=([^\t]+) |
| TLS encryption chaining mode | No | 1 | tlschn=([^\t]+) |
| TLS encryption family | No | 1 | tlsalg=([^\t]+) |
| TLS encryption key length | No | 1 | tlskeylen=([^\t]+) |
| TLS key exchange method | No | 1 | tlsKexAlg=([^\t]+) |
| TLS message digest | No | 1 | tlsMsgAuth=([^\t]+) |
| TLS or SSL protocol level | No | 1 | tlsProtVer=([^\t]+)<br>TLSproto=([^\t]+) |
| TLS Server Cert | No | 1 | tlsSCertSig=([^\t]+) |
| Transport Layer Connection ID | No | 1 | saConnId=([^\t]+) |
IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.2
The Action custom property was assigned a new ID. Delete the Action custom property before you install V1.1.2.
The following table shows the custom properties that are updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.2.
| Name | Optimized | Regex |
|---|---|---|
| Access Intent | Yes | intent=([^\t]+) |
IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.1
The following table shows the custom properties that are removed in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.1.
| Name | Regex |
|---|---|
| Subsystem name | subsys=([^\t]+) |
IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.0
The following table shows the custom properties that are new or updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.0.
| Name | Regex |
|---|---|
| Cipher Suite ID | tlsNegCipher=([^\t]+) |
| Data Set Key Algorithm | keyalg=([^\t]+) |
| Data Set Key Label | keylbl=([^\t]+) |
| Data Set Key Length | keylen=([^\t]+) |
| IP Connection ID | saConnId=([^\t]+) |
| IP Protocol | IPproto=([^\t]+) |
| Job name | jobname=([^\t]+) |
| SMF Record Type | LEEF:[^\|]+\|IBM\|z\/OS\|[^\|]+\|([^\|]+)\|<br>LEEF:[^\|]+\|IBM\|RACF\|[^\|]+\|([^\|]+)\|<br>LEEF:[^\|]+\|IBM\|DB2\|[^\|]+\|([^\|]+)\|<br>LEEF:[^\|]+\|IBM\|CICS\|[^\|]+\|([^\|]+)\| |
| Stack | stack=([^\t]+) |
| Subsystem name | sysname=([^\t]+) |
| Sysplex Name | sysplex=([^\t]+) |
| SNA terminal name | LU\s([a-zA-Z0-9]\w+)<br>terminal=([^\t]+) |
| TLS encryption family | tlsalg=([^\t]+) |
| TLS encryption chaining mode | tlschn=([^\t]+) |
| TLS encryption key length | tlskeylen=([^\t]+) |
| TLS message digest | tlsMsgAuth=([^\t]+) |
| TLS or SSL protocol level | tlsProtVer=([^\t]+) |
| TLS key exchange method | tlsKexAlg=([^\t]+) |
| TLS Client Cert | tlsCCertSig=([^\t]+) |
| Bypass request | bypass_req=([^\t]+) |
IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.1
The following table shows the custom properties that are new or updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.1.
| Name | Regex |
|---|---|
| Action | action=([^\t]+) |
| Key label | keylabel=([^\t]+) |
IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.0
The following table shows the custom properties that are new or updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.0.
| Name | Regex |
|---|---|
| Event sum | sum=([^\t]+) |
| Access intent | intent=([^\t]+) |
| Catalog | catalog=([^\t]+) |
| Command | cmd=([^\t]+) |
| Completion code | compCode=([^\t]+) |
| Completion status | compStat=([^\t]+) |
| Data set name | dsn=([^\t]+) |
| DD name | dd=([^\t]+) |
| Descriptor | desc=([^\t]+) |
| Function code | function=([^\t]+) |
| JES line | line=([^\t]+) |
| JES remote terminal | line rmt=([^\t]+) |
| Job number | jobid=([^\t]+) |
| Member name | member=([^\t]+) |
| NJE node name | node=([^\t]+) |
| Old data set name | oldda=([^\t]+) |
| Person name | name=([^\t]+) |
| Physical DASD box serial | box=([^\t]+) |
| Port of entry | poe=([^\t]+) |
| Private / owned data set | own=([^\t]+) |
| Program | program=([^\t]+) |
| RACF profile | prof=([^\t]+) |
| SAF class | class=([^\t]+) |
| SAF resource name | res=([^\t]+) |
| SNA terminal name | terminal=([^\t]+) |
| Step name | stepname=([^\t]+) |
| Submitted by | submitby=([^\t]+) |
| System / job | job=([^\t]+) |
| UNIX path name | path=([^\t]+) |
| Volume serial | vol=([^\t]+) |
| System SMF id | job=([^\t]{4}) |
| Job name | job=[^\t]{29}([^\t]{8}) |
| Resource sensitivity | sens=([^\t]+) |
| Sensitive user privileges | usrPriv=([^\t]+) |
| Sensitive groups | usrGroups=([^\t]+) |
| Cipher | cipher=([^\t]+) |
| Allowed cipher priority order | cipherSuite=([^\t]+) |
| FIPS 140 compliance | FIPS140=([^\t]+) |
| Job tag | job=([^\t]+) |
| TLS RFC level | TLSlvl=([^\t]+) |
| TLS or SSL protocol level | TLSproto=([^\t]+) |