Whereas it is true, as Davide pointed out, that the IP address of the end-user is known only to the front-end web site, and not passed into the mainframe Shadow Region or LDAP, you could set up a custom defined alert to be, at least, aware of increasing numbers of incorrect passwords.
zSecure Alert comes with a standard alert 1111 that identifies incorrect password attempts for the same user ID, exceeding a hard-coded threshold of 5 per 6 minutes. Six minutes is the sum of the configurable collection interval (60 seconds) and averaging interval (600 seconds). Out of the box, this alert should help you spot the white/black/red hat hacker when they pounce on the same user ID over and over. A good hacker would evade this type of alert and return to the same user only after a while.
You could copy alert 1111 into a Custom alert and change a few things:
- Change the SELECT command to look only for your Shadow authentication servers:
select event=racinit(1) jobname=(SDBF,GLDITDS)
- Change the summary fields to ignore the USERID and NAME value, adding the (max) modifier to all mentions of these field names:
/ ' User'(18) user(max) name(max),
- Change the alert description with text that makes sense to the SOC team:
)SETF C2PXNAME = &STR(Logon_Invalid_Password)
)SETF C2PXMSG = &STR('Invalid password attempts through' jobname(0) 'exceeds limit')
)SETF C2PXDES = &STR('Excessive number of password attempts through remote authentication')
------------------------------
Rob van Hoboken
------------------------------
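The point of the customisation above is that a threshold keyed on the user ID is defeated by an attacker who rotates through many user IDs, while the same threshold keyed on the authentication server's job name still fires. The following Python model of that windowed counting is an added example; it is not zSecure code or anything from this thread. It assumes constructed records standing in for RACINIT(1) failures (the job names SDBF and GLDITDS and the 5-per-6-minutes threshold come from the post; the timestamps and user IDs are made up) and compares the two aggregation keys.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (timestamp, jobname, userid, outcome).
# They stand in for RACINIT(1) logon events; they are not real SMF data.
SAMPLE_RECORDS = [
    ("2024-05-01T10:00:05", "SDBF",    "USER01", "invalid_password"),
    ("2024-05-01T10:00:20", "SDBF",    "USER02", "invalid_password"),
    ("2024-05-01T10:00:45", "SDBF",    "USER03", "invalid_password"),
    ("2024-05-01T10:01:10", "SDBF",    "USER04", "invalid_password"),
    ("2024-05-01T10:01:30", "SDBF",    "USER05", "invalid_password"),
    ("2024-05-01T10:02:00", "SDBF",    "USER06", "invalid_password"),
    ("2024-05-01T10:02:30", "TSOPROC", "USER01", "invalid_password"),  # not a Shadow server
    ("2024-05-01T10:03:00", "GLDITDS", "USER07", "invalid_password"),
    ("2024-05-01T10:03:10", "SDBF",    "USER08", "success"),
]

# Equivalent of the SELECT filter: only the Shadow authentication servers.
AUTH_SERVER_JOBNAMES = {"SDBF", "GLDITDS"}
WINDOW = timedelta(minutes=6)   # the post's 6-minute window
THRESHOLD = 5                    # alert when more than 5 failures fall inside the window


def windowed_alerts(records, key_fn, window=WINDOW, threshold=THRESHOLD,
                    jobnames=AUTH_SERVER_JOBNAMES):
    """Sliding-window count of invalid-password events per key.

    key_fn(jobname, userid) decides what the threshold is applied to.
    Returns one (key, count, iso_timestamp) tuple per key the first time
    its count inside `window` exceeds `threshold`.
    """
    events = sorted((datetime.fromisoformat(ts), job, user, outcome)
                    for ts, job, user, outcome in records)
    windows = defaultdict(deque)   # key -> timestamps still inside the window
    fired = set()
    alerts = []
    for ts, job, user, outcome in events:
        if outcome != "invalid_password" or job not in jobnames:
            continue
        key = key_fn(job, user)
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                # drop events older than the window
        if len(q) > threshold and key not in fired:
            fired.add(key)
            alerts.append((key, len(q), ts.isoformat()))
    return alerts


def per_user_alerts(records=SAMPLE_RECORDS):
    """Standard alert 1111 behaviour: threshold per user ID."""
    return windowed_alerts(records, key_fn=lambda job, user: user)


def per_jobname_alerts(records=SAMPLE_RECORDS):
    """Customised behaviour: USERID ignored, threshold per authentication server."""
    return windowed_alerts(records, key_fn=lambda job, user: job)


if __name__ == "__main__":
    print("per user ID :", per_user_alerts())      # each user fails once -> nothing fires
    print("per jobname :", per_jobname_alerts())   # SDBF accumulates six failures -> alert
```

With the sample data every user ID fails only once, so the per-user variant stays silent, whereas keying on the job name raises one alert for SDBF at the sixth failure; the TSOPROC record is dropped by the job-name filter just as the SELECT command would drop it.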