Filtering in and filtering out events


The BMC AMI Defender for z/OS FILTER feature allows customers to limit the events forwarded by BMC AMI Defender from z/OS to their SIEM or MSSP by specifying logical event filter criteria. Customers might want to limit the events sent to their SIEM for a variety of reasons:

  • Only certain events are relevant to their particular security and compliance needs.
  • To limit network bandwidth utilization.
  • To accommodate a SIEM or MSSP solution that limits, or charges by, the number of megabytes received.

Reducing the number of events formatted and forwarded also reduces CPU utilization for BMC AMI Defender.

Note

BMC AMI Defender also implements an extensive ability to select or limit the specific types of events forwarded, independent of FILTER and MATCH. Customers might choose to format and forward, for example, TSO logons but not logoffs, RACF failures and warnings (or only certain RACF failures and warnings) but not successes, or Started Task ABENDs but not normal job completions.

The FILTER feature permits a much higher degree of selectivity by allowing a customer to specify event selection based on nearly any combination of comparison logic on many different event fields.

You should, wherever feasible, use facilities such as The Select Statement and the SEVERITY(SUPPRESS) operand of the EVENTsIFCIDs or SUBTypes parameter of SMF statements, because the overhead for these facilities is lower than for filtering, and because records suppressed in this fashion do not consume QUEUE (see Determining-the-QUEUE64-size).

Filter in and filter out?

Some users think of filter in the sense of filter out. Other users think of filter in the sense of filter in or select.

Examples
  • A user who thinks in terms of filtering out might say, "We do not want to format and forward File Integrity events if the data set name begins with TEMP."
  • A user who thinks in terms of filtering in might say, "We want to forward only TSO logons for user IDs that begin with SYS."

Accordingly, the BMC AMI Defender FILTER feature supports the specification of either FILTER (filter out) or MATCH (filter in, or select) criteria. The syntax of the two keywords is identical, but of course they have opposite meanings.

Note

FILTER and MATCH are usually functionally equivalent in that, for example, FILTER out every event for job names that begin with DEV is logically exactly equivalent to MATCH and select only events for job names that do not begin with DEV. They are not equivalent, however, in the case of missing fields (see Missing Fields).

FILTER and MATCH are mutually exclusive on a per-statement basis and cannot both be specified on any single statement.
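To make the FILTER-versus-MATCH point concrete, here is an added Python model of the two keywords; it is not code from BMC AMI Defender. The event layout, the prefix comparison, and the treatment of a comparison against a missing field as "no match" for both keywords are assumptions made for the illustration; the product's actual rule is the one in its Missing Fields topic.

```python
# Toy model of FILTER (drop events whose criterion is true) versus MATCH (keep
# only events whose criterion is true). Assumption for this illustration: a
# comparison on a field the event does not carry evaluates to "no match" for
# both keywords, which is what makes the two diverge on such events.
from dataclasses import dataclass
from typing import Callable, Optional

Event = dict  # constructed sample events; field names are illustrative only


@dataclass(frozen=True)
class Criterion:
    field: str
    test: Callable[[str], bool]  # evaluated only when the field is present
    negate: bool = False         # "does not begin with" style criteria

    def matches(self, event: Event) -> Optional[bool]:
        value = event.get(self.field)
        if value is None:
            return None  # missing field: neither true nor false (assumption)
        result = self.test(value)
        return (not result) if self.negate else result


def apply_filter(events, crit):
    """FILTER: drop events whose criterion evaluates true; keep everything else."""
    return [e for e in events if crit.matches(e) is not True]


def apply_match(events, crit):
    """MATCH: keep only events whose criterion evaluates true."""
    return [e for e in events if crit.matches(e) is True]


SAMPLE_EVENTS = [  # constructed, not real SMF data
    {"id": 1, "type": "TSO_LOGON", "jobname": "DEVJOB1"},
    {"id": 2, "type": "TSO_LOGON", "jobname": "PRODJOB"},
    {"id": 3, "type": "STC_ABEND"},  # carries no job name field at all
]

BEGINS_WITH_DEV = Criterion("jobname", lambda v: v.startswith("DEV"))
NOT_BEGINS_WITH_DEV = Criterion("jobname", lambda v: v.startswith("DEV"), negate=True)


def filter_out_dev():
    """FILTER out events whose job name begins with DEV -> ids kept."""
    return [e["id"] for e in apply_filter(SAMPLE_EVENTS, BEGINS_WITH_DEV)]


def match_not_dev():
    """MATCH only events whose job name does not begin with DEV -> ids kept."""
    return [e["id"] for e in apply_match(SAMPLE_EVENTS, NOT_BEGINS_WITH_DEV)]


def agree_on_complete_events():
    """On events that carry the job name field, the two forms give the same set."""
    complete = [e for e in SAMPLE_EVENTS if "jobname" in e]
    return apply_filter(complete, BEGINS_WITH_DEV) == apply_match(complete, NOT_BEGINS_WITH_DEV)
```

Event 3, which has no job name, survives the FILTER form (nothing matched, so nothing was dropped) but is excluded by the MATCH form (nothing matched, so nothing was selected), which is exactly the non-equivalence the note above describes.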
