IBM Security Z Security

  • 1.  zSecure Alert to McAfee ESM

    Posted Sun June 07, 2020 09:09 AM
    Hi
    Client is running zSecure Alert and having alerts generated and posted out to the McAfee SIEM platform.

    The problem is that real-time alerts that trigger when a Privileged UserId logs on are required, BUT currently all alerts are driven to McAfee from z/OS by jobs that run at 2-hourly intervals, hence there is a 2-hour lag in the message being delivered to McAfee. The Privileged UserId alerts are yet to be configured...

    Any pointers on how to set up real-time posting of events/alerts to McAfee would be appreciated.
    Forgive me as this is not necessarily a zSecure question; grateful for any signposting to relevant material, many thanks, P

    ------------------------------
    peter leaper
    ------------------------------


  • 2.  RE: zSecure Alert to McAfee ESM

    IBM Champion
    Posted Mon June 08, 2020 03:17 AM
    Edited by Rob van Hoboken Mon June 08, 2020 03:22 AM
    Hi Peter
    zSecure Alert is (by definition) a real-time messaging tool; that is to say, SMF and WTO/SYSLOG messages are collected during a (configurable) interval of 60 seconds, processed to identify sequences during this (and an optional additional averaging) interval, and, when specified thresholds are exceeded or selection criteria are met, a message is sent to the recipients.

    Converting (what looks like) your existing batch-job-based message generator into a zSecure Alert message generator relies on:
    1. identifying the SMF records (or WTO messages) that indicate the event
    2. writing a CARLa SELECT command that spots these in the SMF stream
    3. writing the message generation code
    all within the (zSecure option SE.A.A) ISPF application that controls the alert configuration.

    Within these statements, you can refer to all the user's connect groups through the USER_GROUPS pseudo field, or to selected connect groups with the PRIV_USER_GROUPS field. You can reference the RACF privileges of the user by means of look-ups like userid:special or userid:uid=0, or use whitelist members as I mentioned in a previous forum entry.

    The message format can be copied from existing alerts in an RFC 3164 syslog format or an (ArcSight) CEF format. Or you can write your own message generator using SORTLIST commands to mimic the messages from your existing batch job solution.

    ------------------------------
    Rob van Hoboken
    ------------------------------
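As an added example (not from the original post or from zSecure itself) of the two output formats Rob mentions, here is a small Python formatter that renders a constructed privileged-logon event as an RFC 3164 syslog line and as an ArcSight CEF line, the way a SORTLIST-built message would arrive at the SIEM. The event fields, the CEF signature id and the product version string are assumptions; the detail to notice is the CEF escaping, since field values taken from the SMF record (terminal names, group names) must not be able to break the pipe- and equals-delimited format the collector parses.

```python
import datetime as dt

# Constructed sample, standing in for fields a zSecure Alert SELECT/SORTLIST
# would pull from an SMF logon record; all values are hypothetical.
SAMPLE_EVENT = {
    "when": dt.datetime(2020, 6, 8, 3, 17, 0),
    "host": "MVS1",
    "userid": "SYSADM1",
    "privileges": ["SPECIAL", "UID(0)"],
    "groups": ["SYS1", "RACFADM"],
    "terminal": "TCP00012",
}
SYSLOG_PRI = 4 * 8 + 4  # facility 4 (auth) * 8 + severity 4 (warning)

def _cef_header(value):
    # CEF header fields: escape backslash first, then the pipe separator
    return value.replace("\\", "\\\\").replace("|", "\\|")

def _cef_ext(value):
    # CEF extension values: escape backslash, '=', and line breaks
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))

def privileged_logon_syslog(ev):
    """RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOST TAG: message (day space-padded)."""
    ts = f"{ev['when']:%b} {ev['when'].day:2d} {ev['when']:%H:%M:%S}"
    msg = (f"Privileged logon userid={ev['userid']} "
           f"privileges={','.join(ev['privileges'])} "
           f"groups={','.join(ev['groups'])} terminal={ev['terminal']}")
    return f"<{SYSLOG_PRI}>{ts} {ev['host']} zSecureAlert: {msg}"

def privileged_logon_cef(ev):
    """ArcSight CEF line; signature id 9001 and version 2.4 are constructed."""
    header = "|".join(_cef_header(f) for f in (
        "IBM", "zSecure Alert", "2.4", "9001", "Privileged user logon", "7"))
    ext = {
        "rt": ev["when"].strftime("%b %d %Y %H:%M:%S"),
        "dhost": ev["host"],
        "suser": ev["userid"],
        "cs1Label": "privileges", "cs1": ",".join(ev["privileges"]),
        "cs2Label": "groups", "cs2": ",".join(ev["groups"]),
        "cs3Label": "terminal", "cs3": ev["terminal"],
    }
    return "CEF:0|" + header + "|" + " ".join(
        f"{k}={_cef_ext(v)}" for k, v in ext.items())

if __name__ == "__main__":
    print(privileged_logon_syslog(SAMPLE_EVENT))
    print(privileged_logon_cef(SAMPLE_EVENT))
```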


  • 3.  RE: zSecure Alert to McAfee ESM

    Posted Tue June 16, 2020 12:19 PM
    Hi Rob,
    and thanks for the reply. The issue I have is that I work remotely from the Client and have little authorization to check, for example, the zSecure config. This is further compounded by having limited sight of the McAfee platform...
    So planning to cater for Priv Userid logons is, well, not easy!
    Anyway, it is slowly getting there... and it is a reminder that procedures get difficult when you are working for a Client who has also outsourced much of their I.T. to a 3rd-party company... hint: H.A.L., increment each letter by 1!
    Thanks for your reply, appreciate it as it helps to fit it all together, cheers
    Peter

    ------------------------------
    peter leaper
    ------------------------------