2025-02 It SIEMs good to me!

Hi! Excuse the horrible pun, but the SIEM world has intruded into my quiet COBOL / SQL world over the last month or two quite badly!

SIEM?

You hear it a lot, but what exactly is it? SIEM stands for Security Information and Event Management. It is the part of computer security that combines Security Information Management (SIM: collecting, storing and reporting on logs over the long term) with Security Event Management (SEM: real-time monitoring, correlation and alerting), so that alerts generated by applications, operating systems and network hardware can be analyzed in (near) real time. The catch for us mainframers: a SIEM can only correlate what it is fed, so if the Db2 audit data never leaves the z/OS box, the SIEM is blind to it.

DORA

DORA kicked it all off for me. It is the EU's Digital Operational Resilience Act (Regulation (EU) 2022/2554, applicable since 17 January 2025), a brand new set of rules to make the financial sector and its ICT providers more resilient against cyber threats, which in turn means more auditing, logging and testing of the complete infrastructure, and the mainframe is not exempt from that.

WorkLoadExpert

Now, SQL WorkloadExpert for Db2 z/OS (WLX) was designed many, many moons ago for performance monitoring and tuning of SQL, but over the last five to six years it has slowly turned into an auditing tool as well. Naturally, we already collect all the SQL on your machine to do the performance monitoring, so this is a very good start for audit and test. We then added more and more IFCID data (IFCIDs, Instrumentation Facility Component Identifiers, are the Db2 trace record types, and the audit trace records are among them) to finally get the complete audit picture with our WLX Audit for Db2 z/OS.

A bit LEEFy on the Street…

This was all well and good, but then of course came the time when the mainframe did not stand alone (at least from the auditor's point of view!), which meant we had to create a method to transfer the data required for audit from the mainframe down to "the boxes you can carry". The first way we developed was using the LEEF record format.

LEEF?

The Log Event Extended Format (LEEF) is a customized event format for IBM® Security QRadar®. QRadar can integrate, identify, and process LEEF events. LEEF events must use UTF-8 character encoding, and that is the crux of the matter on z/OS: Db2 and the rest of the mainframe think in EBCDIC, so every record has to be transcoded before a distributed SIEM can read it. Looking at the EBCDIC native data:

This is copied down to USS with OPUT (the TSO command that copies an MVS data set into a z/OS UNIX file) and then looks like:

Which is then iconv’d into UTF-8 which (after a DISPLAY UTF in browse) looks nearly the same:

The final step, for LEEF processing, was then a gzip call, which dramatically shrinks the file but, of course, means it is not human-readable any more until the receiving side decompresses it:

CEF?

Splunk then came along... I love these names! So, we added the Common Event Format (CEF), originally defined by ArcSight and widely supported by SIEMs, to make it work deep down in the caves... That is mentioned in the company profile, by the way: From its founding in 2003, Splunk has helped organizations explore the vast depths of their data like spelunkers in a cave (hence, "Splunk").

LOGger heads?

Then we had some customers who did not want the LEEF/CEF format but wanted a "direct to analysis tool" solution using a syslog server and JSON. We then created the SYSLOGGER API, which connects over TCP/IP directly to your system logger and sends the data straight to it as JSON. One caveat worth stating: audit records carry user IDs and SQL text, so a plain TCP syslog connection should be protected (syslog over TLS as in RFC 5425, or an encrypted network path) rather than sent across the network in the clear. In trace mode it looks like this:
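As an added example of what such a message looks like on the wire (not the SYSLOGGER API itself; the host name, app name, message ID and JSON field names are my assumptions, and the event is constructed), here is an RFC 5424 syslog message carrying a JSON payload, framed for TCP with RFC 6587 octet counting. The framing matters: a TCP read can return half a message, and a newline-delimited stream breaks as soon as a payload itself contains a newline, so the parser below finds message boundaries from the byte count and keeps an incomplete frame for the next read:

```python
"""RFC 5424 syslog messages with a JSON payload, framed for TCP with RFC 6587
octet counting.  Added example, not the WLX SYSLOGGER API; host/app/msgid and the
JSON field names are assumptions, the sample event is constructed."""
import json
import socket
from datetime import datetime, timezone

FACILITY_LOG_AUDIT = 13   # RFC 5424 facility 13 = log audit
SEVERITY_INFO = 6         # RFC 5424 severity 6 = informational

# Constructed sample audit event (hypothetical field names).
SAMPLE_EVENT = {
    "time": datetime(2025, 2, 3, 10, 15, 30, tzinfo=timezone.utc),
    "user": "ROYB",
    "src_ip": "10.1.2.3",
    "plan": "DSNTEP2",
    "sql": "SELECT *\n  FROM SYSIBM.SYSTABLES",   # multi-line SQL: json.dumps escapes the newline
}


def build_syslog(ev, host="MVS1", app="db2audit", procid="-", msgid="SQL"):
    """<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG (RFC 5424)."""
    pri = FACILITY_LOG_AUDIT * 8 + SEVERITY_INFO
    ts = ev["time"].strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"   # RFC 3339, milliseconds, UTC
    payload = json.dumps({
        "event": "db2.sql", "user": ev["user"], "src": ev["src_ip"],
        "plan": ev["plan"], "sql": ev["sql"],
    }, separators=(",", ":"))
    return f"<{pri}>1 {ts} {host} {app} {procid} {msgid} - {payload}"


def parse_syslog(msg):
    """Split an RFC 5424 message (no structured data) back into its parts."""
    pri_ver, ts, host, app, procid, msgid, sd, body = msg.split(" ", 7)
    pri = int(pri_ver[1:pri_ver.index(">")])
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": ts, "host": host,
            "app": app, "procid": procid, "msgid": msgid, "sd": sd,
            "payload": json.loads(body)}


def frame(msg):
    """RFC 6587 octet counting: MSG-LEN SP MSG, where MSG-LEN counts UTF-8 bytes."""
    data = msg.encode("utf-8")
    return str(len(data)).encode("ascii") + b" " + data


def unframe(buf):
    """Pull complete messages out of a byte buffer; return (messages, leftover bytes).
    A partial frame (length prefix or body still in flight) stays in the leftover."""
    msgs = []
    while True:
        sp = buf.find(b" ")
        if sp < 0:                       # length prefix not complete yet
            break
        length = int(buf[:sp].decode("ascii"))   # garbage here raises, which is correct
        start, end = sp + 1, sp + 1 + length
        if len(buf) < end:               # message body not complete yet
            break
        msgs.append(buf[start:end].decode("utf-8"))
        buf = buf[end:]
    return msgs, buf


def send_over_tcp(host, port, events):
    """Ship events to a syslog server with octet-counted framing (not run in the demo)."""
    with socket.create_connection((host, port)) as sock:
        for ev in events:
            sock.sendall(frame(build_syslog(ev)))


if __name__ == "__main__":
    msg = build_syslog(SAMPLE_EVENT)
    print(msg)                                      # what a trace of the connection shows
    wire = frame(msg) + frame(msg)
    first, rest = unframe(wire[:len(wire) // 2])    # simulate a short TCP read
    print(len(first), "complete message(s),", len(rest), "bytes waiting")
    second, rest = unframe(rest + wire[len(wire) // 2:])
    print(len(second), "more,", len(rest), "bytes left over")
```

PRI 110 decodes to facility 13 (log audit) and severity 6 (informational); pick the facility deliberately, because many syslog servers route to storage and retention by facility, and audit data that lands in the general-purpose log with a short retention is a DORA finding waiting to happen.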

A Bit of a Stretch?

What we now have is even more customers asking for a mix of the two: a JSON payload, but in a flat file that can be directly ingested by Elastic... The things I do!!!

Here's how the Elastic Common Schema (ECS) data, which is just JSON using Elastic's standard field names (@timestamp, event.category, user.name and so on), looks in the EBCDIC native data:

Just like LEEF, it is then OPUT down to USS and iconv'd to UTF-8, so it eventually looks like:

Here with Browse you can see the data again:

JSON Format?

Naturally, you can then ingest it as a JSON file (one JSON document per line, which is what Filebeat and the Elastic ingest pipelines expect), which looks a little like this:
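As an added example of what such a file has to contain (not WLX output; the host name, the db2.* custom namespace and the sample events are constructed), here is a Python mapping of a constructed Db2 audit event onto ECS field names, written out as NDJSON with one document per line, plus a parser that reads it back. The ECS fields used (@timestamp, event.kind/category/type/action/outcome, host.name, user.name, source.ip, message) are standard ECS names; the second sample event carries a multi-line SQL statement to show that an embedded newline cannot break the one-record-per-line rule:

```python
"""Map a Db2 audit event onto Elastic Common Schema (ECS) field names and write it
as NDJSON (one JSON document per line), the flat-file form Elastic ingests.
Added example, not WLX code.  Host name, the db2.* custom namespace and the sample
events are constructed for illustration."""
import json
from datetime import datetime, timezone

# Constructed sample audit events (hypothetical field names); the second one
# carries a multi-line SQL statement to show that NDJSON stays one record per line.
SAMPLE_EVENTS = [
    {"time": datetime(2025, 2, 3, 10, 15, 30, tzinfo=timezone.utc), "user": "ROYB",
     "src_ip": "10.1.2.3", "plan": "DSNTEP2", "ok": True,
     "sql": "SELECT * FROM SYSIBM.SYSTABLES"},
    {"time": datetime(2025, 2, 3, 10, 16, 5, tzinfo=timezone.utc), "user": "ROYB",
     "src_ip": "10.1.2.3", "plan": "DSNTEP2", "ok": False,
     "sql": "DELETE FROM PROD.PAYMENTS\n WHERE AMOUNT > 0"},
]


def to_ecs_flat(ev, host="MVS1"):
    """ECS document with dotted field names (Elasticsearch accepts this form too)."""
    return {
        "@timestamp": ev["time"].strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
        "event.kind": "event",
        "event.category": ["database"],      # ECS allowed value
        "event.type": ["access"],            # ECS allowed value
        "event.action": "sql-execute",       # free text in ECS
        "event.outcome": "success" if ev["ok"] else "failure",
        "host.name": host,
        "user.name": ev["user"],
        "source.ip": ev["src_ip"],
        "message": ev["sql"],
        "db2.plan": ev["plan"],              # custom namespace, not an ECS field
    }


def nest(flat):
    """Turn {"a.b": 1, "a.c": 2} into {"a": {"b": 1, "c": 2}} (ECS nested object form)."""
    out = {}
    for key, value in flat.items():
        node = out
        parts = key.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return out


def to_ndjson(events):
    """One compact JSON document per line; json.dumps escapes embedded newlines,
    so a multi-line SQL text can never split a record across lines."""
    return "".join(json.dumps(nest(to_ecs_flat(ev)), separators=(",", ":")) + "\n"
                   for ev in events)


def parse_ndjson(text):
    """Read NDJSON back, skipping blank lines and naming the offending line on error."""
    docs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            docs.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return docs


if __name__ == "__main__":
    text = to_ndjson(SAMPLE_EVENTS)
    print(text, end="")
    docs = parse_ndjson(text)
    print(len(docs), "documents;", docs[1]["event"]["outcome"], docs[1]["user"]["name"])
```

Sticking to the standard ECS names is what makes the data useful once it is in Elastic: a detection rule written against user.name and event.outcome works the same for Db2 records as for everything else, and failed statements against production tables become a one-line query rather than a custom parser.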

All done?

Probably never! But what SIEM systems are you all using out there? Have you all been “hit by the Audit” bug? I would love to hear your war stories!

TTFN,

Roy Boxwell