Sending response requests to BMC AMI Datastream
Before you define an Automated Response alert or a Manual Response, you must first define the responses that you want the
BMC AMI Datastream
product to perform, as described in this topic.
Before you begin
You must log in with administrator credentials.
Configure the action codes, field values, and associated actions in the BMC AMI Datastream for z/OS product. For more information, see Automatic response process overview.
To view, add, and edit response requests
- Log in to the BMC Defender Server web interface as an administrator and select one of the following tabs:
- Alerts > Automated Response
- Messages > Manual Response
Click View Response Requests.
You can see the default response requests with predefined action codes, descriptions, and the field parameters to be passed with the request to BMC AMI Datastream.- To add a new request, click Add New Request and complete the following items. Make sure that they match the content defined in BMC AMI Datastream.
- Action Code—Add an action that has been defined in BMC AMI Datastream (for details, see AUTOALERT statement).
Numbering for user-defined action codes begins at ARR101 and is not editable. - Action Description—Add a description of the action request so that you can recognize what the request is for.
- Parameter List —Add a comma-separated list of field parameters. BMC AMI Datastream uses the values of these parameter to verify the request.
The smfid parameter is required for all response requests.
- Action Code—Add an action that has been defined in BMC AMI Datastream (for details, see AUTOALERT statement).
- Click Save.
- To edit a request, click the Edit button on the row of the request.
Reserved action codes
The following action codes are reserved by BMC. Although you can edit the descriptions and parameter lists, the changes might not be saved with future updates.
Every smfid parameter represents the target SMFID.
Action code | Description | ||||||||
|---|---|---|---|---|---|---|---|---|---|
ARR000 | WTO message for Auto Ops products
| ||||||||
ARR001 | Cancel TSO user ID
| ||||||||
ARR002 | Revoke user ID
| ||||||||
ARR003 | Set UAUDIT to monitor everything that a user does
| ||||||||
ARR004 | Disconnect IP address
| ||||||||
ARR005 | Shut down IP port number
| ||||||||
ARR006 | Stop STC
| ||||||||
ARR007 | (SPE2010) Start trace of BMC AMI Security Session Monitor (3270) user Create a VTAM 3270 Security Session Monitor archive request and start monitoring activity for the specified user ID.
The user ID is used to start the trace. | ||||||||
ARR008 | (SPE2010) Start trace of Security Session Monitor (3270) application ID Create a VTAM 3270 Security Session Monitor archive request and start monitoring activity for the specified application ID.
The application ID is used to start the trace. | ||||||||
ARR009 | (SPE2010) Start trace of Security Session Monitor (TCP) Create a TCP/IP Security Session Monitor archive request and start monitoring activity for the specified IP address and port number.
The client IP address is used to start the trace | ||||||||
ARR010 | (SPE2101) Start trace of Security Session Monitor (MQ)
| ||||||||
ARR012 | (SPE2101) Start dynamic trace of Security Session Monitor (3270) user Create a VTAM 3270 Security Session Monitor archive request and start monitoring activity for the specified user ID for the indicated duration.
For the duration parameter, N represents the number of weeks (w), days (d), hours (h), and minutes (m). The user ID is used to start the trace. After the trace starts, BMC Defender Server receives user activity information every minute. |
Where to go from here
See one of the following topics to define the conditions for a response: