IBM z/OS

Use the IBM Security QRadar IBM z/OS® Custom Properties Content Extension to closely monitor your IBM® z/OS deployment.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar IBM z/OS Custom Properties Content Extension

IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.4

The following table shows the custom properties that are new or updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.4.

Table 1. Custom Properties updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.4
Name Optimized Capture Group Regex
Catalog Yes 1 catalog=([^\t]+)
Command Yes 1 cmd=([^\t]+)
Completion Code Yes 1 compCode=([^\t]+)
Completion status Yes 1 compStat=([^\t]+)
Data set name Yes 1 dsn=([^\t]+)
DD name Yes 1 dd=([^\t]+)
Descriptor Yes 1 desc=([^\t]+)
Event Summary Yes 1 sum=([^\t]+)
Function code Yes 1 function=([^\t]+)
JES line Yes 1 line=([^\t]+)
JES remote terminal name Yes 1 line rmt=([^\t]+)
Job name Yes 1 job=[^\t]{29}([^\t]{8})
Job number Yes 1 jobid=([^\t]+)
Member name Yes 1 member=([^\t]+)
NJE node name Yes 1 node=([^\t]+)
Old data set name Yes 1 oldda=([^\t]+)
Person name Yes 1 name=([^\t]+)
Physical DASD box serial Yes 1 box=([^\t]+)
Port of entry Yes 1 poe=([^\t]+)
Private/owned data set Yes 1 own=([^\t]+)
Program Yes 1 program=([^\t]+)
RACF Profile Yes 1 prof=([^\t]+)
Resource Sensitivity Yes 1 sens=([^\t]+)
SAF Class Yes 1 class=([^\t]+)
SAF Resource name Yes 1 res=([^\t]+)
Sensitive Groups Yes 1 usrGroups=([^\t]+)
Sensitive user privileges Yes 1 usrPriv=([^\t]+)
SNA terminal name Yes 1 terminal=([^\t]+)
Step name Yes 1 stepname=([^\t]+)
Submitted by Yes 1 submitby=([^\t]+)
Subsystem name Yes 1 subsys=([^\t]+)
System SMF id Yes 1 job=([^\t]{4})
System/job Yes 1 job=([^\t]+)
UNIX path name Yes 1 path=([^\t]+)
Volume serial Yes 1 vol=([^\t]+)

IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.3

The following table shows the custom properties that are new or updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.3.

Table 2. Custom Properties updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.3
Name Optimized Capture Group Regex
Data key label in ICSF No 1 keypol=([^\t]+)
IKE Tunnel encryption chaining No 1 ikechn=([^\t]+)
IKE Tunnel encryption family No 1 ikealg=([^\t]+)
IKE Tunnel encryption key length No 1 ikekeylen=([^\t]+)
IPSec Tunnel encryption chaining No 1 ipsecchn=([^\t]+)
IPSec Tunnel encryption family No 1 ipsecalg=([^\t]+)
IPSec Tunnel encryption key length No 1 ipseckeylen=([^\t]+)
SA Active Connections Begin No 1 activeBeg=([^\t]+)
SA Active Connections End No 1 activeEnd=([^\t]+)
SA Connections Begin No 1 connsBeg=([^\t]+)
SA Connections End No 1 connsEnd=([^\t]+)
SA Partial Connections Begin No 1 partialBeg=([^\t]+)
SA Partial Connections End No 1 partialEnd=([^\t]+)
SA Short Connections Begin No 1 shortBeg=([^\t]+)
SA Short Connections End No 1 shortEnd=([^\t]+)
SMS Data Class No 1 dataclas=([^\t]+)
SMS Management Class No 1 mgmtclas=([^\t]+)
SMS Storage Class No 1 storclas=([^\t]+)
SSH Inbound encryption chaining No 1 sshIchn=([^\t]+)
SSH Inbound encryption family No 1 sshIalg=([^\t]+)
SSH Inbound encryption key length No 1 sshIkeylen=([^\t]+)
SSH Outbound encryption chaining No 1 sshOchn=([^\t]+)
SSH Outbound encryption family No 1 sshOalg=([^\t]+)
SSH Outbound encryption key length No 1 sshOkeylen=([^\t]+)
TLS Client Cert No 1 tlsCCertSig=([^\t]+)
TLS encryption chaining mode No 1 tlschn=([^\t]+)
TLS encryption family No 1 tlsalg=([^\t]+)
TLS encryption key length No 1 tlskeylen=([^\t]+)
TLS key exchange method No 1 tlsKexAlg=([^\t]+)
TLS message digest No 1 tlsMsgAuth=([^\t]+)
TLS or SSL protocol level No 1 tlsProtVer=([^\t]+) TLSproto=([^\t]+)
TLS Server Cert No 1 tlsSCertSig=([^\t]+)
Transport Layer Connection ID No 1 saConnId=([^\t]+)


IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.2

The Action custom property was assigned a new ID. Delete the Action custom property before you install V1.1.2.

The following table shows the custom properties that are updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.2.

Table 3. Custom Properties updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.2
Name Optimized Regex
Access Intent Yes intent=([^\t]+)


IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.1

The following table shows the custom properties that are removed in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.1.

Table 4. Custom Properties removed in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.1
Name Regex
Subsystem name subsys=([^\t]+)


IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.0

The following table shows the custom properties that are new or updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.0.

Table 5. Custom Properties in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.1.0
Name Regex
Cipher Suite ID tlsNegCipher=([^\t]+)
Data Set Key Algorithm keyalg=([^\t]+)
Data Set Key Label keylbl=([^\t]+)
Data Set Key Length keylen=([^\t]+)
IP Connection ID saConnId=([^\t]+)
IP Protocol IPproto=([^\t]+)
Job name jobname=([^\t]+)
SMF Record Type LEEF:[^\|]+\|IBM\|z\/OS\|[^\|]+\|([^\|]+)\|
SMF Record Type LEEF:[^\|]+\|IBM\|RACF\|[^\|]+\|([^\|]+)\|
SMF Record Type LEEF:[^\|]+\|IBM\|DB2\|[^\|]+\|([^\|]+)\|
SMF Record Type LEEF:[^\|]+\|IBM\|CICS\|[^\|]+\|([^\|]+)\|
Stack stack=([^\t]+)
Subsystem name sysname=([^\t]+)
Sysplex Name sysplex=([^\t]+)
SNA terminal name LU\s([a-zA-Z0-9]\w+)
SNA terminal name terminal=([^\t]+)

TLS encryption family tlsalg=([^\t]+)
TLS encryption chaining mode tlschn=([^\t]+)
TLS encryption key length tlskeylen=([^\t]+)
TLS message digest tlsMsgAuth=([^\t]+)
TLS or SSL protocol level tlsProtVer=([^\t]+)
TLS key exchange method tlsKexAlg=([^\t]+)
TLS Client Cert tlsCCertSig=([^\t]+)
Bypass request bypass_req=([^\t]+)


IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.1

The following table shows the custom properties that are new or updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.1.

Table 6. Custom Properties in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.1
Name Regex
Action action=([^\t]+)
Key label keylabel=([^\t]+)


IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.0

The following table shows the custom properties that are new or updated in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.0.

Table 7. Custom Properties in IBM Security QRadar IBM z/OS Custom Properties Content Extension V1.0.0
Name Regex
Event sum sum=([^\t]+)
Access intent intent=([^\t]+)
Catalog catalog=([^\t]+)
Command cmd=([^\t]+)
Completion code compCode=([^\t]+)
Completion status compStat=([^\t]+)
Data set name dsn=([^\t]+)
DD name dd=([^\t]+)
Descriptor desc=([^\t]+)
Function code function=([^\t]+)
JES line line=([^\t]+)
JES remote terminal line rmt=([^\t]+)
Job number jobid=([^\t]+)
Member name member=([^\t]+)
NJE node name node=([^\t]+)
Old data set name oldda=([^\t]+)
Person name name=([^\t]+)
Physical DASD box serial box=([^\t]+)
Port of entry poe=([^\t]+)
Private / owned data set own=([^\t]+)
Program program=([^\t]+)
RACF profile prof=([^\t]+)
SAF class class=([^\t]+)
SAF resource name res=([^\t]+)
SNA terminal name terminal=([^\t]+)
Step name stepname=([^\t]+)
Submitted by submitby=([^\t]+)
System / job job=([^\t]+)
UNIX path name path=([^\t]+)
Volume serial vol=([^\t]+)
System SMF id job=([^\t]{4})
Job name job=[^\t]{29}([^\t]{8})
Resource sensitivity sens=([^\t]+)
Sensitive user privileges usrPriv=([^\t]+)
Sensitive groups usrGroups=([^\t]+)
Cipher cipher=([^\t]+)
Allowed cipher priority order cipherSuite=([^\t]+)
FIPS 140 compliance FIPS140=([^\t]+)
Job tag job=([^\t]+)
TLS RFC level TLSlvl=([^\t]+)
TLS or SSL protocol level TLSproto=([^\t]+)
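
Added example (not IBM's code): a Python check that applies a few of the regexes from the tables above to a constructed tab-delimited LEEF event, showing the fixed-width slicing of the job= value and what an unanchored key such as name= captures when stepname= comes first. The payload, the header values and the helpers build_event, extract and collisions are assumptions made for illustration; how QRadar orders attributes or evaluates the expressions is not stated on this page.

```python
import re

# Regexes copied from the tables on this page; capture group 1 is the value.
PROPERTIES = {
    "SMF Record Type": r"LEEF:[^\|]+\|IBM\|RACF\|[^\|]+\|([^\|]+)\|",
    "System SMF id": r"job=([^\t]{4})",
    "Job name": r"job=[^\t]{29}([^\t]{8})",
    "System/job": r"job=([^\t]+)",
    "Data set name": r"dsn=([^\t]+)",
    "Step name": r"stepname=([^\t]+)",
    "Person name": r"name=([^\t]+)",
}

def extract(payload):
    """Return {property: group 1} for each regex that matches (first match wins)."""
    found = {}
    for prop, pattern in PROPERTIES.items():
        match = re.search(pattern, payload)
        if match:
            found[prop] = match.group(1)
    return found

def build_event(attrs):
    """Constructed LEEF line: pipe-delimited header, tab-delimited key=value pairs."""
    header = "LEEF:1.0|IBM|RACF|1.0|80|"  # sample header values, not from the page
    return header + "\t".join(f"{key}={value}" for key, value in attrs)

# Constructed job= value: 4-character SMF id, 25 filler characters (their real
# content is not described on the page), then the 8-character job name.
JOB = "SYS1" + "-" * 25 + "PAYROLL1"
COMMON = [("job", JOB), ("dsn", "PROD.PAYROLL.MASTER")]

# Same attributes, differing only in the order of stepname= and name=.
NAME_FIRST = build_event(COMMON + [("name", "J SMITH"), ("stepname", "STEP010")])
STEP_FIRST = build_event(COMMON + [("stepname", "STEP010"), ("name", "J SMITH")])

def collisions(payload):
    """Properties whose key matched inside a longer key such as stepname=."""
    hits = []
    for prop, pattern in PROPERTIES.items():
        match = re.search(pattern, payload)
        # A key=value regex should start right after a tab or the header's last pipe.
        if match and match.start() > 0 and payload[match.start() - 1] not in "\t|":
            hits.append(prop)
    return hits

if __name__ == "__main__":
    print(extract(STEP_FIRST), collisions(STEP_FIRST))
```

Running a captured payload from your own log source through the same check shows whether a property is reading the key you intended before you build rules on it.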
