IBM Threat Detection for z/OS

Enhance cybersecurity with AI-driven anomaly detection for IBM Z


IBM® Threat Detection for z/OS® (IBM TDz) is an AI software product that identifies anomalies in data access that might indicate a potential cyberattack.

Designed to bolster an enterprise's overall security posture, IBM TDz is a tool that may assist clients in meeting emerging regulations such as the Digital Operational Resilience Act (DORA). It supports Chief Information Security Officers and other decision-makers in better safeguarding their IBM Z® systems with an added aspect for their defense-in-depth strategy.

Features

AI-driven anomaly detection

IBM TDz detects and reports anomalous and potentially malicious data access across z/OS systems by using artificial intelligence. The system includes policy and exclusion lists to minimize false positives and provides tangible artifacts for diagnosis and remediation. The z/OS data access information is collected by DFSMS and the IBM z/OS Workload Interaction Correlator in the form of SMF type 98 subtypes 5–8 records.

Anomaly reporting

When IBM TDz identifies an anomalous data access event, a notification alert is sent through a console message. The event is also recorded in an SMF record (Type 83, new subtype 8) with relevant details about the anomaly event. More notifications can be readily automated from these outputs.

z/OSMF plug-in

Use the IBM z/OSMF plug-in to get AI-driven insights into anomalous data access events across the sysplex. View data access activities of significance with details like user IDs, job details, timelines and observed data sets.

Entitlements

Licensing IBM TDz entitles you to two priced features of z/OS.

IBM z/OS Authorized Code Scanner

The IBM z/OS Authorized Code Scanner (zACS) is not directly leveraged by IBM TDz, but comes entitled with its licensing. This feature provides powerful dynamic scanning and runtime monitoring designed to find potential vulnerabilities within APF load libraries.

IBM z/OS Workload Interaction Correlator

IBM TDz uses the IBM z/OS Workload Interaction Correlator to generate an SMF type 98 record, in the product's own subtype, every 5 seconds. Each record carries data about the product's activities in a standardized, synchronized and contextualized format.

Technical details

Before you install and run IBM Threat Detection for z/OS, your system must meet the hardware and software requirements.

Hardware requirements

IBM Threat Detection for z/OS is supported on hardware that runs IBM z/OS 2.5 or later. 

Security requirements

Using IBM TDz requires sufficient authority in z/OS. Your security administrator can create the necessary authorizations in your external security manager (ESM), such as z/OS Security Server (RACF).

Software for IBM TDz

The z/OS system on which the IBM TDz application is installed requires z/OS V2.5 or later. The other software prerequisites are IBM Semeru Runtime Certified Edition for z/OS, Version 11 (5655-DGJ) and IBM Open Enterprise SDK for Node.js 18.0 or later.

Software for z/OS

IBM TDz uses SMF98 data that DFSMS and IBM z/OS Workload Interaction Correlator collect on each participating z/OS system in the sysplex to perform analytics and identify anomalies. DFSMS must be enabled to collect the data set access activity data in SMF 98 subtype 5–8 records and the required service applied.
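The page states that each anomaly is written as an SMF type 83 subtype 8 record, that further notifications can be automated from that output, and that the underlying data-access activity arrives as SMF type 98 subtypes 5–8. The following added example (not IBM's code, and not part of the product) shows the automation step a security operations team would build: it walks a raw SMF stream, parses the standard 24-byte SMF header that subtype-bearing records share (SMFxLEN, SMFxSEG, SMFxFLG, SMFxRTY, SMFxTME, SMFxDTE, SMFxSID, SMFxSSI, SMFxSTY), forwards the TDz anomaly records and counts the Workload Interaction Correlator data-access records per system. The stream layout (back-to-back records prefixed by their own SMFxLEN, no RDW), the sample records and the flag byte are constructed for the example; the record body after the header is treated as opaque because its layout is not on the page.

```python
"""Select IBM TDz anomaly records (SMF 83 subtype 8) from a raw SMF stream.

Added example, not IBM's code. Assumes the standard SMF header layout for
records that carry a subtype and a stream of records each prefixed by its
own SMFxLEN field (constructed for this example; no RDW). Record bodies
are opaque here.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterator, List

TDZ_ANOMALY = (83, 8)                          # IBM TDz anomaly event record
WIC_ACCESS = {(98, s) for s in (5, 6, 7, 8)}   # DFSMS / WIC data-access records


@dataclass
class SmfHeader:
    length: int
    record_type: int
    subtype: int
    system_id: str
    subsystem_id: str
    time_hundredths: int   # SMFxTME: hundredths of a second since midnight
    date: str              # decoded from packed SMFxDTE as YYYY.DDD


def decode_packed_date(raw: bytes) -> str:
    """SMFxDTE is packed decimal 0cyydddF: c=0 for 19xx, c=1 for 20xx."""
    digits = raw.hex()                 # 4 bytes -> 8 hex digits, e.g. '0124150f'
    century, yy, ddd = int(digits[1]), int(digits[2:4]), int(digits[4:7])
    return f"{1900 + 100 * century + yy}.{ddd:03d}"


def format_time(hundredths: int) -> str:
    secs, hh = divmod(hundredths, 100)
    h, rem = divmod(secs, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}.{hh:02d}"


def parse_header(rec: bytes) -> SmfHeader:
    """Parse the 24-byte standard header; field names follow IBM's SMF manual."""
    if len(rec) < 24:
        raise ValueError("record shorter than the 24-byte SMF header")
    length, _seg, _flg, rtype, tme = struct.unpack(">HHBBI", rec[:10])
    sid = rec[14:18].decode("cp037").strip()      # SMFxSID, EBCDIC
    ssi = rec[18:22].decode("cp037").strip()      # SMFxSSI, EBCDIC
    (sty,) = struct.unpack(">H", rec[22:24])      # SMFxSTY
    return SmfHeader(length, rtype, sty, sid, ssi, tme, decode_packed_date(rec[10:14]))


def iter_records(stream: bytes) -> Iterator[bytes]:
    """Split back-to-back records using each record's own SMFxLEN (constructed layout)."""
    pos = 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack(">H", stream[pos:pos + 2])
        if length < 24 or pos + length > len(stream):
            raise ValueError(f"bad record length {length} at offset {pos}")
        yield stream[pos:pos + length]
        pos += length


def route(stream: bytes) -> Dict[str, object]:
    """Forward TDz alerts, count WIC data-access records per system, ignore the rest."""
    alerts: List[str] = []
    access_counts: Dict[str, int] = {}
    ignored = 0
    for rec in iter_records(stream):
        h = parse_header(rec)
        key = (h.record_type, h.subtype)
        if key == TDZ_ANOMALY:
            alerts.append(f"{h.system_id} {h.date} {format_time(h.time_hundredths)} "
                          f"TDz anomaly event (SMF 83.8), {h.length} bytes")
        elif key in WIC_ACCESS:
            access_counts[h.system_id] = access_counts.get(h.system_id, 0) + 1
        else:
            ignored += 1
    return {"alerts": alerts, "access_records": access_counts, "ignored": ignored}


def make_record(rtype: int, subtype: int, sid: str, date_packed: bytes,
                tme: int, body: bytes = b"") -> bytes:
    """Build a constructed record in the standard header layout (flag byte is a placeholder)."""
    length = 24 + len(body)
    hdr = struct.pack(">HHBBI", length, 0, 0x80, rtype, tme)
    hdr += date_packed + sid.ljust(4).encode("cp037") + b"\x40" * 4   # blank SMFxSSI
    return hdr + struct.pack(">H", subtype) + body


# Constructed sample stream: day 150 of 2024, around 10:20 local time.
DATE = bytes.fromhex("0124150f")
SAMPLE_STREAM = (
    make_record(98, 5, "SYS1", DATE, 3723450, b"\x00" * 8)
    + make_record(83, 8, "SYS1", DATE, 3723500, b"\x00" * 16)
    + make_record(30, 4, "SYS2", DATE, 3723600)
    + make_record(98, 8, "SYS2", DATE, 3723650)
)

if __name__ == "__main__":
    for line in route(SAMPLE_STREAM)["alerts"]:
        print(line)
```

In production the `alerts` list is where a SIEM forwarder or paging hook would go; the console message the product issues is the other natural trigger, but its text is not on this page, so the example keys on the SMF record type and subtype only.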

Take the next step

Discover how to enhance cybersecurity with AI-driven anomaly detection with IBM Threat Detection for z/OS.
