IBM Security Z Security

  • 1.  customization of whitelist filtering for alert rule in zSecure

    Posted Wed January 17, 2024 02:04 AM

    Dears,

    My client deployed zSecure Alert in production one year ago. They rolled out some of the predefined alert rules and customized rules as well, and it works fine. Now they would like to have deeper customization. They would like guidance on how to know which fields can be selected to add a filtering rule. For example, for predefined rule 1402, which is described as "Global write specified when altering file access", we could add some whitelist filtering rules to exclude some specific users, and we have done so. So what other fields can be selected to build similar filtering rules? Is there any guidance on how to check which fields can be identified for a specific predefined rule in zSecure Alert? Thanks!



    ------------------------------
    LIAN CHENG DENG
    ------------------------------


  • 2.  RE: customization of whitelist filtering for alert rule in zSecure

    Posted Wed January 17, 2024 06:06 AM

    Hi Lian,

    Alerts are CARLa queries, so you can select on just about any field available in the newlist you are using in that specific Alert. Alert 1402 uses the SMF newlist. You can use the primary command FIELDS SMF (just type it on the command line in zSecure) and you get a list of all fields available.

    Are you trying a customization panel of your own, or do you want to create a custom alert with extra selection of your own?

    cheers

    rene




    ------------------------------
    RENE van TIL
    ------------------------------



  • 3.  RE: customization of whitelist filtering for alert rule in zSecure
    Best Answer

    IBM Champion
    Posted Wed January 17, 2024 09:37 AM
    Edited by LIAN CHENG DENG Wed January 17, 2024 10:09 AM

    Customization of alerts through allow-list members is only supported in standard alerts defined in the manual:

    PCI related alerts 1209, 1210, and 1211

    Sensitive data sets, members and resources 1204, 1212, 1213, and 1214

    and their equivalent ACF2 alerts.

    Alerts are generated from SMF, system log, access monitor and configuration information using a CARLa script.  The script is generated by the V line command in ISPF option SE.A.A from skeleton members.  The select and exclude functions (filters, in your question) are semi-hardcoded in the skeletons.  You cannot add filters to standard alerts, unless you edit the corresponding skeleton members, and that would break support for these IBM-maintained members.

    You can copy the concept of these alerts into your own installation defined alerts, of course, thus using the same allow-lists.

    For other fields, as Rene described, you have the CARLa field reference for SMF types.  You can use these in the installation defined alerts that you build as a copy of standard alerts.  Filters on those other fields are not available in standard alerts.

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 4.  RE: customization of whitelist filtering for alert rule in zSecure

    Posted Wed January 17, 2024 10:15 AM

    Thank you so much, Rene and Rob, for your professional guidance. It looks perfect to address my question.



    ------------------------------
    LIAN CHENG DENG
    ------------------------------