Invoking MQ SIEM data refinement
There are two types of refinement criteria: global and local. To specify global refinement criteria, add DD REFNMQ to the step running VTCSSRCH in the started task job associated with the Session Monitor PARMLIB parameter SWITCH_REPOSITORY_TASK. The DSN specified can be either a sequential dataset or a PDS member. The DCB information for the global refinement criteria dataset is DCB=(RECFM=FB,LRECL=80,BLKSIZE=0). The following is an example of a DD card added to the SWITCH_REPOSITORY_TASK task:
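As an added illustration (not a listing from the page or the product), this is what the DD statement for global refinement criteria looks like in the SWITCH_REPOSITORY_TASK started task. The dataset name HIPR.SIEM.REFINE and the member GLOBAL are hypothetical; the dataset itself must already be allocated with the DCB attributes given above (RECFM=FB, LRECL=80).

```jcl
//* Added example: global MQ SIEM refinement criteria read by VTCSSRCH.
//* HIPR.SIEM.REFINE(GLOBAL) is a hypothetical PDS member; a sequential
//* dataset (DSN=HIPR.SIEM.REFINE.GLOBAL) would be coded the same way.
//REFNMQ   DD DISP=SHR,DSN=HIPR.SIEM.REFINE(GLOBAL)
```

If a REFINE member exists in the request's registry dataset, that local member is used instead of whatever REFNMQ points at.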
To specify local refinement criteria, create member REFINE in:
<registry-dataset>.#0000000
for a SIEM archive record request and enter the refinement parameters there (where <registry-dataset> is the name of the registry dataset associated with the SIEM archive request). Only one set of refinement criteria is applied to a request: local refinement criteria take precedence, so when the REFINE member exists the global criteria are not used.
ALTER Command
The ALTER command allows for the alteration, augmentation and/or skipping of data to be sent to the SIEM tool. Multiple ALTER commands are supported. This means that more than one ALTER command can refine a specific MQ message being sent to the SIEM tool.
The SUPPRESS statement allows for the reduction of data being sent to the SIEM tool. Either the entire message or just the MQ message content can be suppressed. Reducing data being sent to the SIEM tool can save storage space and associated costs. There may be MQ messages that are of no interest, and they can be easily eliminated. However, be careful with reducing data sent to the SIEM tool to ensure that any data that may be of value to an auditor is retained.
The TAG statement allows for augmenting the data being sent to the SIEM tool. Augmentation allows identifying specific positions within the MQ message content with a meaningful tag name that can be used by a SIEM tool. In conjunction with the SUPPRESS(CONTENT) parameter, data related to the MQ message content sent to the SIEM tool can be limited to just the relevant information. Be careful of creating too many tags without suppressing the content data because this will increase the amount of storage needed by the SIEM tool.
The MASK statement allows for the obfuscation of data being sent to the SIEM tool. Obfuscating data can help with privacy concerns by only showing partial values of a field. Be careful about completely obfuscating an entire field or obfuscating too much of a field because it may reduce the value of the data being sent to the SIEM tool. For example, if account numbers are completely obfuscated, finding when an account has been compromised may be almost impossible.
When specifying multiple statements, the effect of the refinement occurs in the order in which the parameters are specified.
Statements
WHEN (Required)
Specifies the criteria to determine the MQ messages on which the ALTER command will perform data refinement. The WHEN statement must be specified once on an ALTER command with at least one of the valid clauses, and multiple clauses must be separated by a comma. All WHEN statement clauses on an ALTER command must be true for data refinement statements to take effect. The WHEN statement must occur before all other statements.
The WHEN statement has the following clauses:
ALWAYS
All MQ messages are to be refined with the data refinements specified. Any subsequent clauses to the WHEN statement will be ignored.
CONTENT
Specifies that a position on the MQ message content is to be compared for a specified length. The format of a CONTENT clause is as follows:
CONTENT(position, length, operator, compare-value, type)
The following parameters are specified on the CONTENT clause:
- position – The location of the data being compared. An asterisk (*) indicates all positions.
- length – The length of the data being compared. An asterisk (*) indicates the length is the same as the length of the compare-value.
- operator – One of the following operators may be specified:
- EQ – Perform a character equal comparison between the compare-value and the specified message content position.
- NE – Perform a character not equal comparison between the compare-value and the specified message content position.
- CO – Check whether the compare-value appears within the specified message content area.
- NC – Check whether the compare-value does not appear within the specified message content area.
- compare-value – The value being compared to the specified message content position. A null value cannot be specified. This can be specified either as a character string or a hexadecimal string.
- type – The type of data the compare-value represents. The compare-value is always entered in EBCDIC; this parameter indicates whether it must be converted before the comparison.
- E – EBCDIC (default). The compare will be done as is.
- U – UTF-8. The compare-value will be converted from the EBCDIC codepage specified on the CODEPAGE parameter in the PARMLIB member for Performance Test to UTF-8 before doing the comparison.
- X – Hexadecimal. The comparison will be done based on hexadecimal values to allow for comparison of binary data.
MQCALL
Specifies that the MQ call type associated with the MQ message is to be compared. The format of the MQCALL clause is as follows:
MQCALL(operator, "compare-value")
The following parameters are specified on the MQCALL clause:
- operator – One of the following operators may be specified:
- EQ – Perform a character equal comparison between the compare-value and the MQ call type associated with the MQ message. The compare-value may be wildcarded.
- NE – Perform a character not equal comparison between the compare-value and the MQ call type associated with the MQ message. The compare-value may be wildcarded.
- CO – Check whether the compare-value appears within the MQ call type associated with the MQ message. The compare-value may not be wildcarded.
- NC – Check whether the compare-value does not appear within the MQ call type associated with the MQ message. The compare-value may not be wildcarded.
- compare-value – The value being compared to the MQ call type associated with the MQ message. Valid values are "MQ_GET", "MQ_PUT", and "MQ_PUT1".
QUEUEMGR
Specifies that the queue manager associated with the MQ message is to be compared. The format of the QUEUEMGR clause is as follows:
QUEUEMGR(operator, "compare-value")
The following parameters are specified on the QUEUEMGR clause:
- operator – One of the following operators may be specified:
- EQ – Perform a character equal comparison between the compare-value and the queue manager associated with the MQ message. The compare-value may be wildcarded.
- NE – Perform a character not equal comparison between the compare-value and the queue manager associated with the MQ message. The compare-value may be wildcarded.
- CO – Check whether the compare-value appears within the queue manager associated with the MQ message. The compare-value may not be wildcarded.
- NC – Check whether the compare-value does not appear within the queue manager associated with the MQ message. The compare-value may not be wildcarded.
- compare-value – The value being compared to the queue manager associated with the MQ message.
QUEUENAME
Specifies that the queue name associated with the MQ message is to be compared. The format of the QUEUENAME clause is as follows:
QUEUENAME(operator, "compare-value")
The following parameters are specified on the QUEUENAME clause:
- operator – One of the following operators may be specified:
- EQ – Perform a character equal comparison between the compare-value and the queue name associated with the MQ message. The compare-value may be wildcarded.
- NE – Perform a character not equal comparison between the compare-value and the queue name associated with the MQ message. The compare-value may be wildcarded.
- CO – Check whether the compare-value appears within the queue name associated with the MQ message. The compare-value may not be wildcarded.
- NC – Check whether the compare-value does not appear within the queue name associated with the MQ message. The compare-value may not be wildcarded.
- compare-value – The value being compared to the queue name associated with the MQ message.
USERIDENTIFIER
Specifies that the user associated with the MQ message is to be compared. The format of the USERIDENTIFIER clause is as follows:
USERIDENTIFIER(operator, "compare-value")
The following parameters are specified on the USERIDENTIFIER clause:
- operator – One of the following operators may be specified:
- EQ – Perform a character equal comparison between the compare-value and the user associated with the MQ message. The compare-value may be wildcarded.
- NE – Perform a character not equal comparison between the compare-value and the user associated with the MQ message. The compare-value may be wildcarded.
- CO – Check whether the compare-value appears within the user associated with the MQ message. The compare-value may not be wildcarded.
- NC – Check whether the compare-value does not appear within the user associated with the MQ message. The compare-value may not be wildcarded.
- compare-value – The value being compared to the user associated with the MQ message.
REPLYTOQ
Specifies that the reply to queue associated with the MQ message is to be compared. The format of the REPLYTOQ clause is as follows:
REPLYTOQ(operator, "compare-value")
The following parameters are specified on the REPLYTOQ clause:
- operator – One of the following operators may be specified:
- EQ – Perform a character equal comparison between the compare-value and the reply to queue associated with the MQ message. The compare-value may be wildcarded.
- NE – Perform a character not equal comparison between the compare-value and the reply to queue associated with the MQ message. The compare-value may be wildcarded.
- CO – Check whether the compare-value appears within the reply to queue associated with the MQ message. The compare-value may not be wildcarded.
- NC – Check whether the compare-value does not appear within the reply to queue associated with the MQ message. The compare-value may not be wildcarded.
- compare-value – The value being compared to the reply to queue associated with the MQ message.
REPLYTOQMGR
Specifies that the reply to queue manager associated with the MQ message is to be compared. The format of the REPLYTOQMGR clause is as follows:
REPLYTOQMGR(operator, "compare-value")
The following parameters are specified on the REPLYTOQMGR clause:
- operator – One of the following operators may be specified:
- EQ – Perform a character equal comparison between the compare-value and the reply to queue manager associated with the MQ message. The compare-value may be wildcarded.
- NE – Perform a character not equal comparison between the compare-value and the reply to queue manager associated with the MQ message. The compare-value may be wildcarded.
- CO – Check whether the compare-value appears within the reply to queue manager associated with the MQ message. The compare-value may not be wildcarded.
- NC – Check whether the compare-value does not appear within the reply to queue manager associated with the MQ message. The compare-value may not be wildcarded.
- compare-value – The value being compared to the reply to queue manager associated with the MQ message.
APPLIDENTITYDATA
Specifies that the application identity data associated with the MQ message is to be compared. The format of the APPLIDENTITYDATA clause is as follows:
APPLIDENTITYDATA(operator, "compare-value")
The following parameters are specified on the APPLIDENTITYDATA clause:
- operator – One of the following operators may be specified:
- EQ – Perform a character equal comparison between the compare-value and the application identity data associated with the MQ message. The compare-value may be wildcarded.
- NE – Perform a character not equal comparison between the compare-value and the application identity data associated with the MQ message. The compare-value may be wildcarded.
- CO – Check whether the compare-value appears within the application identity data associated with the MQ message. The compare-value may not be wildcarded.
- NC – Check whether the compare-value does not appear within the application identity data associated with the MQ message. The compare-value may not be wildcarded.
- compare-value – The value being compared to the application identity data associated with the MQ message.
PUTAPPLNAME
Specifies that the name of the application that put the message associated with the MQ message is to be compared. The format of the PUTAPPLNAME clause is as follows:
PUTAPPLNAME(operator, "compare-value")
The following parameters are specified on the PUTAPPLNAME clause:
- operator – One of the following operators may be specified:
- EQ – Perform a character equal comparison between the compare-value and the name of the application that put the message associated with the MQ message. The compare-value may be wildcarded.
- NE – Perform a character not equal comparison between the compare-value and the name of the application that put the message associated with the MQ message. The compare-value may be wildcarded.
- CO – Check whether the compare-value appears within the name of the application that put the message associated with the MQ message. The compare-value may not be wildcarded.
- NC – Check whether the compare-value does not appear within the name of the application that put the message associated with the MQ message. The compare-value may not be wildcarded.
- compare-value – The value being compared to the name of the application that put the message associated with the MQ message.
PUTAPPLTYPE
Specifies that the type of application that put the message associated with the MQ message is to be compared. The format of the PUTAPPLTYPE clause is as follows:
PUTAPPLTYPE(operator, "compare-value")
The following parameters are specified on the PUTAPPLTYPE clause:
- operator – One of the following operators may be specified:
- EQ – Perform a character equal comparison between the compare-value and the type of application that put the message associated with the MQ message. The compare-value may be wildcarded.
- NE – Perform a character not equal comparison between the compare-value and the type of application that put the message associated with the MQ message. The compare-value may be wildcarded.
- CO – Check whether the compare-value appears within the type of application that put the message associated with the MQ message. The compare-value may not be wildcarded.
- NC – Check whether the compare-value does not appear within the type of application that put the message associated with the MQ message. The compare-value may not be wildcarded.
- compare-value – The value being compared to the type of application that put the message associated with the MQ message.
APPLORIGINDATA
Specifies that the application origin data associated with the MQ message is to be compared. The format of the APPLORIGINDATA clause is as follows:
APPLORIGINDATA(operator, "compare-value")
The following parameters are specified on the APPLORIGINDATA clause:
- operator – One of the following operators may be specified:
- EQ – Perform a character equal comparison between the compare-value and the application origin data associated with the MQ message. The compare-value may be wildcarded.
- NE – Perform a character not equal comparison between the compare-value and the application origin data associated with the MQ message. The compare-value may be wildcarded.
- CO – Check whether the compare-value appears within the application origin data associated with the MQ message. The compare-value may not be wildcarded.
- NC – Check whether the compare-value does not appear within the application origin data associated with the MQ message. The compare-value may not be wildcarded.
- compare-value – The value being compared to the application origin data associated with the MQ message.
RESOLVEDQNAME
Specifies that the local name of the queue associated with the MQ message is to be compared. The format of the RESOLVEDQNAME clause is as follows:
RESOLVEDQNAME(operator, "compare-value")
The following parameters are specified on the RESOLVEDQNAME clause:
- operator – One of the following operators may be specified:
- EQ – Perform a character equal comparison between the compare-value and the local name of the queue associated with the MQ message. The compare-value may be wildcarded.
- NE – Perform a character not equal comparison between the compare-value and the local name of the queue associated with the MQ message. The compare-value may be wildcarded.
- CO – Check whether the compare-value appears within the local name of the queue associated with the MQ message. The compare-value may not be wildcarded.
- NC – Check whether the compare-value does not appear within the local name of the queue associated with the MQ message. The compare-value may not be wildcarded.
- compare-value – The value being compared to the local name of the queue associated with the MQ message.
RESOLVEDQMGRNAME
Specifies that the resolved destination queue manager associated with the MQ message is to be compared. The format of the RESOLVEDQMGRNAME clause is as follows:
RESOLVEDQMGRNAME(operator, "compare-value")
The following parameters are specified on the RESOLVEDQMGRNAME clause:
- operator – One of the following operators may be specified:
- EQ – Perform a character equal comparison between the compare-value and the resolved destination queue manager associated with the MQ message. The compare-value may be wildcarded.
- NE – Perform a character not equal comparison between the compare-value and the resolved destination queue manager associated with the MQ message. The compare-value may be wildcarded.
- CO – Check whether the compare-value appears within the resolved destination queue manager associated with the MQ message. The compare-value may not be wildcarded.
- NC – Check whether the compare-value does not appear within the resolved destination queue manager associated with the MQ message. The compare-value may not be wildcarded.
- compare-value – The value being compared to the resolved destination queue manager associated with the MQ message.
MASK
Specifies positions in the message that will be obfuscated. This parameter is optional and may be specified many times on the ALTER command. The format of the MASK statement is as follows:
MASK(position, length, "replace-value")
The following parameters are specified on the MASK statement:
- position – The position in the data being masked.
- length – The length of the data being masked.
- replace-value – The value that masks the specified field. If the replace-value is longer than length, it is truncated; if it is shorter than length, it is repeated until the field is filled. If the replace-value is the null string (that is, ""), the field is masked with binary zeros.
TAG
Creates tags with data extracted from the MQ message content. This parameter is optional and may be specified many times on the ALTER command. The format of the TAG statement is as follows:
TAG(position, length, "tag-name", type)
The following parameters are specified on the TAG statement:
- position – The position of the field being extracted.
- length – The length of the field being extracted.
- tag-name – The name associated with data being extracted. The tag-name must be a unique valid XML tag name.
- type – Indicates how the source data is to be considered when being tagged.
- E – EBCDIC (default). No translation of the data is done.
- U – UTF-8. The tag value will be converted from UTF-8 to the EBCDIC codepage specified on the CODEPAGE parameter in the PARMLIB member for Performance Test.
- X – Hexadecimal. The tag value will be converted to Hexadecimal.
SUPPRESS
Indicates whether to suppress the entire message or just the MQ message content. This parameter can only be specified once per ALTER command. The format of the SUPPRESS statement is as follows:
SUPPRESS(action)
The following parameter is specified on the SUPPRESS statement:
- action – One of the following actions may be specified:
- MESSAGE – Indicates the entire message (MQ content and all other data associated with the MQ message) will not be sent to the SIEM tool. No other parameters should be specified because an EXIT statement is implied.
- CONTENT – Indicates the MQ message content will not be part of the data sent to the SIEM tool, but data associated with the MQ message will be sent to the SIEM tool.
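To make the MASK, TAG and SUPPRESS semantics concrete, the following is an added Python model of the three statements applied to a constructed EBCDIC record. It is not Hiperstation code and not an interface the product exposes; it assumes EBCDIC code page cp037 (the product takes the code page from the CODEPAGE PARMLIB parameter), a simplified XML-name check for tag names, and the record layout of the first example in the Examples section (first name at position 1 for 10, last name at 11 for 20, social security number at 31 for 9). It shows why statement order matters: the TAG taken after the MASK carries the masked value.

```python
import re

# Assumed EBCDIC code page for this model (the product uses the CODEPAGE PARMLIB parameter).
CODEPAGE = "cp037"
# Simplified XML Name check: letter or underscore first, then letters, digits, '_', '-', '.'.
_XML_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")


def mask(content: bytes, position: int, length: int, replace_value: str) -> bytes:
    """MASK(position, length, "replace-value"): overwrite `length` bytes at 1-based
    `position`. A short replace-value is repeated, a long one is truncated, and the
    null string masks with binary zeros, as the MASK statement describes."""
    start = position - 1
    if start < 0 or start + length > len(content):
        raise ValueError("MASK range lies outside the message content")
    if replace_value == "":
        fill = b"\x00" * length
    else:
        rv = replace_value.encode(CODEPAGE)
        fill = (rv * (length // len(rv) + 1))[:length]
    return content[:start] + fill + content[start + length:]


def tag(content: bytes, position: int, length: int, tag_name: str, typ: str = "E"):
    """TAG(position, length, "tag-name", type): extract a field and return (name, value).
    E decodes EBCDIC, U decodes UTF-8 source data, X renders the raw bytes as hex."""
    if not _XML_NAME.match(tag_name) or tag_name[:3].lower() == "xml":
        raise ValueError(f"{tag_name!r} is not a valid XML tag name")
    start = position - 1
    if start < 0 or start + length > len(content):
        raise ValueError("TAG range lies outside the message content")
    raw = content[start:start + length]
    if typ == "E":
        value = raw.decode(CODEPAGE)
    elif typ == "U":
        value = raw.decode("utf-8")
    elif typ == "X":
        value = raw.hex().upper()
    else:
        raise ValueError(f"unknown TAG type {typ!r}")
    return tag_name, value


def refine(content: bytes, statements: list) -> dict:
    """Apply the MASK / TAG / SUPPRESS statements of one ALTER command in the order
    given and return what would be forwarded to the SIEM tool."""
    tags = {}
    send_content = True
    for stmt in statements:
        kind, *args = stmt
        if kind == "MASK":
            content = mask(content, *args)
        elif kind == "TAG":
            name, value = tag(content, *args)
            if name in tags:  # tag names must be unique within the refinement
                raise ValueError(f"duplicate tag name {name!r}")
            tags[name] = value
        elif kind == "SUPPRESS":
            (action,) = args
            if action == "MESSAGE":
                return {"sent": False}  # whole message dropped; EXIT is implied
            if action != "CONTENT":
                raise ValueError(f"unknown SUPPRESS action {action!r}")
            send_content = False
        else:
            raise ValueError(f"unknown statement {kind!r}")
    result = {"sent": True, "tags": tags}
    if send_content:
        result["content"] = content
    return result


# Constructed sample record (not real data) using the layout of the first example:
# first name at 1 for 10, last name at 11 for 20, social security number at 31 for 9.
SAMPLE = ("JANE".ljust(10) + "DOE".ljust(20) + "123456789").encode(CODEPAGE)

EXAMPLE_1 = [
    ("MASK", 31, 5, "*"),                            # obfuscate the first five SSN digits
    ("TAG", 31, 9, "SOCIAL_SECURITY_NUMBER", "E"),   # tag carries "*****6789", not the raw SSN
    ("TAG", 11, 20, "CUSTOMER_LAST_NAME", "E"),
    ("TAG", 1, 10, "CUSTOMER_FIRST_NAME", "E"),
    ("SUPPRESS", "CONTENT"),                         # only the tags reach the SIEM tool
]

if __name__ == "__main__":
    print(refine(SAMPLE, EXAMPLE_1))
```

Swapping the MASK below the TAG in EXAMPLE_1 would send the full social security number to the SIEM tool inside the tag even though the content is suppressed, which is the ordering trap the "order in which the parameters are specified" rule above is warning about.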
EXIT
Indicates that no subsequent ALTER commands are to be executed for the current MQ message. SUPPRESS(MESSAGE) implies an EXIT.
ALTER Command
A nested ALTER command can be specified to refine the data even further. This would serve to perform data refinement on a subset of the encompassing ALTER command.
BREAK
Terminates processing of the current nested ALTER command and returns to the encompassing ALTER command. It applies to inner ALTER commands only.
Examples
In this example, data tags SOCIAL_SECURITY_NUMBER, CUSTOMER_LAST_NAME and CUSTOMER_FIRST_NAME are created for MQ_GET calls from queue manager HIPR and queue HS.CUSTOMER.INFO, and the rest of the message content is suppressed. The first five digits of the social security number are obfuscated with "*". The social security number is 9 characters starting in position 31, the last name is 20 characters starting in position 11, and the first name is 10 characters starting in position 1.
In this example, content from system queues will not be sent to the SIEM tool.
In this example, a tag called ACCOUNT_NUMBER is created for record type X'05' on queue manager P900 and queue USER.DATA, and the message content is not sent to the SIEM tool. The first twelve digits of ACCOUNT_NUMBER are masked for every user identifier except TESTUSR, whose records carry the unaltered sixteen-digit account number.
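The three examples written out with the clauses documented above, as an added illustration rather than listings taken from the page. Several things are assumptions and should be checked against the product reference before use: the layout (one statement per line, a nested ALTER indented under its parent), "*" as the wildcard character in the EQ compare-value, the hexadecimal compare-value written as "05" with type X, and in the third example the record-type byte at position 1 and the sixteen-digit account number at positions 2 to 17, which the description does not give.

```text
ALTER
  WHEN(MQCALL(EQ,"MQ_GET"),QUEUEMGR(EQ,"HIPR"),QUEUENAME(EQ,"HS.CUSTOMER.INFO"))
  MASK(31,5,"*")
  TAG(31,9,"SOCIAL_SECURITY_NUMBER",E)
  TAG(11,20,"CUSTOMER_LAST_NAME",E)
  TAG(1,10,"CUSTOMER_FIRST_NAME",E)
  SUPPRESS(CONTENT)

ALTER
  WHEN(QUEUENAME(EQ,"SYSTEM.*"))
  SUPPRESS(CONTENT)

ALTER
  WHEN(QUEUEMGR(EQ,"P900"),QUEUENAME(EQ,"USER.DATA"),CONTENT(1,1,EQ,"05",X))
  ALTER
    WHEN(USERIDENTIFIER(NE,"TESTUSR"))
    MASK(2,12,"*")
  TAG(2,16,"ACCOUNT_NUMBER",E)
  SUPPRESS(CONTENT)
```

In the first and third examples the MASK is deliberately placed before the TAG: statements take effect in the order written, so a TAG placed before the MASK would carry the unmasked value into the SIEM tool even though the content itself is suppressed. In the third example the nested ALTER masks only for users other than TESTUSR, and the outer ALTER then tags whatever is in the field, masked or not.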
Splunk considerations
When creating tags, add the new tags to the FIELDALIAS-mq property for hiperstation_mq in the /etc/system/default/props.conf in the Splunk directory. For each tag, add:
mqmessage.<tag_name> as <tag_name>
to the end of the FIELDALIAS-mq property. This will allow referencing by the tag name in Splunk, rather than having to specify the fully-qualified name.
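An added props.conf fragment (not from the page or the product) showing the aliases for the three tags of the first example. Splunk's FIELDALIAS-<class> syntax is a space-separated list of "<original> as <alias>" pairs, so the new pairs are appended to the existing value of FIELDALIAS-mq; the existing aliases shipped in the stanza are represented by a placeholder here and must be kept. One practitioner caveat: files under $SPLUNK_HOME/etc/system/default are replaced on upgrade, so the same stanza placed in etc/system/local/props.conf (or an app's local directory), which takes precedence, survives upgrades. Because a local setting replaces the whole key, either copy the full FIELDALIAS-mq value there or use a new class name such as FIELDALIAS-mqtags, which is merged alongside the default one rather than replacing it.

```ini
# Added example: field aliases for tags created by the first ALTER example.
# "<existing aliases>" stands for the aliases already present in the shipped stanza.
[hiperstation_mq]
FIELDALIAS-mq = <existing aliases> mqmessage.SOCIAL_SECURITY_NUMBER as SOCIAL_SECURITY_NUMBER mqmessage.CUSTOMER_LAST_NAME as CUSTOMER_LAST_NAME mqmessage.CUSTOMER_FIRST_NAME as CUSTOMER_FIRST_NAME

# Alternative for etc/system/local/props.conf: a separate alias class that is
# merged with the shipped FIELDALIAS-mq instead of overriding it.
[hiperstation_mq]
FIELDALIAS-mqtags = mqmessage.SOCIAL_SECURITY_NUMBER as SOCIAL_SECURITY_NUMBER mqmessage.CUSTOMER_LAST_NAME as CUSTOMER_LAST_NAME mqmessage.CUSTOMER_FIRST_NAME as CUSTOMER_FIRST_NAME
```

Use one of the two stanzas, not both. After the change, a search such as sourcetype=hiperstation_mq SOCIAL_SECURITY_NUMBER=* confirms the alias resolves without the mqmessage. prefix.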