Sending response requests to BMC AMI Datastream

This feature is not available for BMC Defender SIEM for Motorola.

A response request is a request sent to BMC AMI Datastream for z/OS, which validates the request and, if warranted, issues a defined response.

Response requests can be one of the following types:

  •  Automated Response alert—you request BMC AMI Datastream to perform specified actions automatically if a defined alert condition is triggered.
  • Manual Response —you request BMC AMI Datastream to perform specified actions from an individual message.

Related topic

Administering

Before you define an Automated Response alert or a Manual Response, you must first define the responses that you want the 

BMC AMI Datastream

 product to perform, as described in this topic.

Before you begin

You must log in with administrator credentials.

Configure the action codes, field values, and associated actions in the BMC AMI Datastream for z/OS product. For more information, see Automatic response process overview.

To view, add, and edit response requests

  1. Log in to the BMC Defender Server web interface as an administrator and select one of the following tabs:
    • Alerts > Automated Response
    • Messages > Manual Response

  2. Click View Response Requests.
    You can see the default response requests with predefined action codes, descriptions, and the field parameters to be passed with the request to BMC AMI Datastream.

    Notes

    • Action code ARR000 sends a write-to-operator (WTO) message on the Auto Ops console. You can implement your own routine with products that can trap and automate WTO messages.
    • Action codes ARR000–ARR100 are reserved by BMC. For more information, see Reserved action codeslater in this topic.
  3. To add a new request, click Add New Request and complete the following items. Make sure that they match the content defined in BMC AMI Datastream.
    • Action Code—Add an action that has been defined in BMC AMI Datastream (for details, see AUTOALERT statement).
      Numbering for user-defined action codes begins at ARR101 and is not editable.
    • Action Description—Add a description of the action request so that you can recognize what the request is for.
    • Parameter List —Add a comma-separated list of field parameters. BMC AMI Datastream uses the values of these parameter to verify the request.
      The smfid parameter is required for all response requests.
  4. Click Save.
  5. To edit a request, click the Edit button on the row of the request.

Reserved action codes

The following action codes are reserved by BMC. Although you can edit the descriptions and parameter lists, the changes might not be saved with future updates.

Every smfid parameter represents the target SMFID.

Action code

Description

ARR000

WTO message for Auto Ops products

Parm name

Default value

smfid

$4

message

No default

ARR001

Cancel TSO user ID

Parm name

Default value

smfid

$4

userid

$parse(userid: *)

ARR002

Revoke user ID submits a batch job that issues the ALTUSER REVOKE command to revoke the user ID.

Parm name

Default value

smfid

$4

userid

$parse(userid: *)

ARR003

Set UAUDIT to monitor everything that a user does

Parm name

Default value

smfid

$4

userid

$parse(userid: *)

ARR004

Disconnect IP address

Parm name

Default value

smfid

$4

ipaddress

$parse(LocIP: *)

ARR005

Shut down IP port number

Parm name

Default value

smfid

$4

port

$parse(LocPort: *)

ARR006

Stop STC

Parm name

Default value

smfid

$4

stcname

$parse(JobNm: *)

ARR007

Start trace of BMC AMI Security Session Monitor (3270) user

Create a VTAM 3270 Security Session Monitor archive request and start monitoring activity for the specified user ID.

Parm name

Default value

smfid

$4

userid

$parse(userid: *)

The user ID is used to start the trace.

ARR008

Start trace of Security Session Monitor (3270) application ID

Create a VTAM 3270 Security Session Monitor archive request and start monitoring activity for the specified application ID.

Parm name

Default value

smfid

$4

appid

$parse(Appl: *)

The application ID is used to start the trace.

ARR009

Start trace of Security Session Monitor (TCP)

Create a TCP/IP Security Session Monitor archive request and start monitoring activity for the specified IP address and port number.

Parm name

Default value

smfid

$4

ipaddress

$parse(LocIP: *)

port

$parse(LocPort: *)

The client IP address is used to start the trace

ARR010

Start trace of Security Session Monitor (MQ)

Parm name

Default value

smfid

$4

qmgr

No default

object-name

No default

ARR012

Start dynamic trace of Security Session Monitor (3270) user

Create a VTAM 3270 Security Session Monitor archive request and start monitoring activity for the specified user ID for the indicated duration. 

Parm name

Default value

smfid

$4

userid

$parse(userid: *)

duration

NwNdNhNm

For the duration parameter, N represents the number of weeks (w), days (d), hours (h), and minutes (m).

The user ID is used to start the trace. After the trace starts, BMC Defender Server receives user activity information every minute.

ARR013

(SPE2404)

BMC Defender Server has detected a new USS file system mount and requests BMC AMI Datastream to submit a batch job to scan the newly mounted file system for any APF Authorized programs.

Parm name

Default value

smfid

$4

pathname

$parse(MountedDirPathName: *)

userid

$parse(userid: *)

Where to go from here

See one of the following topics to define the conditions for a response: 

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*