IBM QRadar

Hello,

one of our customer wants to integrate logs from his z/OS mainframe into our Qradar SIEM.

I followed the documentation and zSecure is required to do all the configurations to gather logs and send them in LEEF format to Qradar but customer told us he has not an active license for zSecure.

Is there a procedure to send z/OS logs to Qradar without using zSecure or is this feature mandatory?

Best Regards

Davide

Hello Davide,

zSecure Adapters for SIEM, or zSecure Audit, are required if you want to use the functionality provided by zSecure to enrich SMF audit events and send that enriched data to QRadar as LEEF records.

I don't know which logs your customer wants to send to QRadar, but zSecure can send both enriched SMF audit event data, or alert data to QRadar (for alerts, you would also need the zSecure Alert product suite component) out of the box.

Regards, Mike

Hello Mike,

thanks for your reply.

Are there some events that can be forwarded to QRadar without using zSecure? For example basic authentication events could be forwarded to Qradar without being enriched from zSecure? I do not have specific knowledge of zOS platform so I want to know which are the most meaningful events that can be collected and correlated in QRadar.

B Regards

Davide

Hello Davide,

Without zSecure I don't know how you would translate and transport the events to QRadar as I am not aware of any other tools that provide this functionality.

Regards, Mike