zSecure Alert for RACF

Use the IBM Security QRadar zSecure Alert for RACF® Content Extension to closely monitor your zSecure Alert for RACF deployment.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar zSecure Alert for RACF Content Extensions

IBM Security QRadar zSecure Alert for RACF Content Extension V1.0.2

The Action custom property was assigned a new ID. Delete any existing Action custom properties before you upgrade to V1.3.2.

The following table shows the custom properties that are new or updated in IBM Security QRadar zSecure Alert for RACF Content Extension V1.0.2.

Table 1. Custom Properties in IBM Security QRadar zSecure Alert for RACF Content Extension V1.0.2
Name   | Optimized | Capture Group | Regex
Action | Yes       | 1             | whatACTION="([^"]+)"


IBM Security QRadar zSecure Alert for RACF Content Extension V1.0.1

The following table shows the custom properties that are new or updated in IBM Security QRadar zSecure Alert for RACF Content Extension V1.0.1.

Table 2. Custom Properties in IBM Security QRadar zSecure Alert for RACF Content Extension V1.0.1
Name    | Optimized | Regex
User ID | Yes       | whoUSERID="([^"]+)"


IBM Security QRadar zSecure Alert for RACF Content Extension V1.0.0

The following table shows the custom properties that are new or updated in IBM Security QRadar zSecure Alert for RACF Content Extension V1.0.0.

Table 3. Custom Properties in IBM Security QRadar zSecure Alert for RACF Content Extension V1.0.0
Name           | Regex
Action         | whatACTION="([^"]+)"
Alert          | Alert: ([^\t]+)
Alert ID       | C2P([^\t]{4})\s
Authority      | onWhatAUTHORITY="([^"]+)"
Job ID         | whatJOBID="([^"]+)"
Name           | whoNAME="([^"]+)"
System         | whereSYSTEM="([^"]+)"
User ID        | whoUSERID="([^"]+)"
User ID Change | onWhatRACFCMD-NAME="([^"]+)"
WTO Message    | whatWTO-MESSAGE="([^"]+)"

The following table shows the rules and building blocks that are new or updated in IBM Security QRadar zSecure Alert for RACF Content Extension V1.0.0.

Table 4. Rules in IBM Security QRadar zSecure Alert for RACF Content Extension V1.0.0
Name | Description
A Mainframe User Account got Privileged Access | Detects zSecure alert 1109 and 1110, where a user account got privileged access.
Highly Authorized User Revoked for Password Violations | Detects zSecure alert 1104, where a highly authorized user account is revoked due to password violations.
System Authority Was Granted | Detects zSecure alert 1105, where a user was granted a system-level authority.
System Authority Was Removed | Detects zSecure alert 1106, where a system-level authority right was removed from a user.
UACC Set to Read On a Data Set Profile | Detects zSecure alert 1203, where UACC is set to read on a dataset profile.
UACC Set To Update On A Data Set Profile | Detects zSecure alert 1202, where UACC is set to update on a dataset profile.
User Account Added To An Important Group | Detects zSecure alert 1701, where an important group right was assigned to a user account.
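The following script is an added illustration, not code shipped with the content extension or by IBM. It applies the custom property regexes from Table 3 to a constructed zSecure Alert payload and then looks up which Table 4 rule is keyed to the extracted Alert ID. The tab-separated payload layout, the user, job and system names, and the alert-number-to-rule mapping are assumptions made for the example; the rule table only states which alert numbers each rule detects.

```python
import re

# Custom property regexes as listed in Table 3 (Action unchanged in V1.0.2).
CUSTOM_PROPERTIES = {
    "Action": r'whatACTION="([^"]+)"',
    "Alert": r'Alert: ([^\t]+)',
    "Alert ID": r'C2P([^\t]{4})\s',
    "Authority": r'onWhatAUTHORITY="([^"]+)"',
    "Job ID": r'whatJOBID="([^"]+)"',
    "Name": r'whoNAME="([^"]+)"',
    "System": r'whereSYSTEM="([^"]+)"',
    "User ID": r'whoUSERID="([^"]+)"',
    "User ID Change": r'onWhatRACFCMD-NAME="([^"]+)"',
    "WTO Message": r'whatWTO-MESSAGE="([^"]+)"',
}

# Compile once; each property regex is evaluated against the raw payload.
_COMPILED = {name: re.compile(pattern) for name, pattern in CUSTOM_PROPERTIES.items()}

# Rule names from Table 4, keyed by the zSecure alert number each rule detects.
# Treating the Alert ID capture as that number is an assumption of this example.
ALERT_RULES = {
    "1109": "A Mainframe User Account got Privileged Access",
    "1110": "A Mainframe User Account got Privileged Access",
    "1104": "Highly Authorized User Revoked for Password Violations",
    "1105": "System Authority Was Granted",
    "1106": "System Authority Was Removed",
    "1203": "UACC Set to Read On a Data Set Profile",
    "1202": "UACC Set To Update On A Data Set Profile",
    "1701": "User Account Added To An Important Group",
}


def extract_properties(payload: str) -> dict:
    """Apply every custom property regex to one event payload.

    Returns only the properties whose regex matched, each set to capture
    group 1, mirroring how the content extension defines its properties.
    """
    extracted = {}
    for name, regex in _COMPILED.items():
        match = regex.search(payload)
        if match:
            extracted[name] = match.group(1)
    return extracted


def matching_rule(properties: dict):
    """Return the Table 4 rule name for the extracted Alert ID, or None."""
    return ALERT_RULES.get(properties.get("Alert ID"))


# Constructed sample payloads (hypothetical). Tab-separated fields are an
# assumption based on the [^\t] character classes in the Alert regexes.
SAMPLE_GRANT = (
    'C2P1105\tAlert: System authority granted\t'
    'whoUSERID="OPER01" whoNAME="SAMPLE OPERATOR" whereSYSTEM="SYSA" '
    'whatACTION="ALTUSER" onWhatAUTHORITY="SPECIAL" whatJOBID="JOB00042"'
)

SAMPLE_UNRELATED = (
    'C2P1999\tAlert: Some other alert\twhoUSERID="OPER02" whereSYSTEM="SYSB"'
)


if __name__ == "__main__":
    for payload in (SAMPLE_GRANT, SAMPLE_UNRELATED):
        props = extract_properties(payload)
        print(props, "->", matching_rule(props))
```

Running it shows the first payload yielding User ID, Name, System, Action, Authority and Job ID plus Alert ID "1105", which maps to the "System Authority Was Granted" rule, while the second payload extracts cleanly but maps to no rule because its alert number is not one Table 4 covers. Properties whose field is absent (for example WTO Message) are simply not populated, which is the same behaviour to expect in QRadar when a regex does not match.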
