Skip to content

IBM iSeries (AS/400)

Overview

IBM iSeries (AS/400) is a robust, scalable family of midrange business computers running the IBM i operating system, known for its integrated DB2 database and strong security features.

Warning

Important - This integration requires the installation of Syslog Reporting Manager on IBM i, for which a fee is charged.

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

Supported versions

This integration supports the following versions:

  • 7.3
  • 7.4
  • 7.5

Supported events

This integration supports the following events:

  • Audit journal (Command entry, Authority failure)
  • Integrated file system monitoring
  • Message queues monitoring
  • Database monitoring
  • History logs

The following Sekoia.io built-in rules match the intake IBM iSeries [BETA]. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x IBM iSeries [BETA] on ATT&CK Navigator

Account Added To A Security Enabled Group

Detection in order to investigate who has added a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4728)

  • Effort: master
Account Removed From A Security Enabled Group

Detection in order to investigate who has removed a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4729)

  • Effort: master
Active Directory Data Export Using Csvde

Detects the use of Csvde, a command-line tool from Windows Server that can be used to export Active Directory data to CSV files. This export doesn't include password hashes, but can be used as a discovery tool to enumerate users, machines and group memberships.

  • Effort: elementary
AdFind Usage

Detects the usage of the AdFind tool. AdFind.exe is a free tool that extracts information from Active Directory. Wizard Spider (Bazar, TrickBot, Ryuk), FIN6 and MAZE operators have used AdFind.exe to collect information about Active Directory organizational units and trust objects

  • Effort: elementary
Adexplorer Usage

Detects the usage of Adexplorer, a legitimate tool from the Sysinternals suite that could be abused by attackers as it can saves snapshots of the Active Directory Database.

  • Effort: advanced
Aspnet Compiler

Detects the starts of aspnet compiler.

  • Effort: advanced
CVE-2017-11882 Microsoft Office Equation Editor Vulnerability

Detects the exploitation of CVE-2017-11882 vulnerability. The Microsoft Office Equation Editor has no reason to do a network request or drop an executable file. This requires a sysmon configuration with file and network events.

  • Effort: master
CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv

Detects suspicious image loads and file creations from the spoolsv process which could be a sign of an attacker trying to exploit the PrintNightmare vulnerability, CVE-2021-34527. A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. This works as well as a Local Privilege escalation vulnerability. To fully work the rule requires to log for Loaded DLLs and File Creations, which can be done respectively using the Sysmon's event IDs 7 and 11.

  • Effort: master
Certificate Authority Modification

Installation of new certificate(s) in the Certificate Authority can be used to trick user when spoofing website or to add trusted destinations.

  • Effort: master
Cobalt Strike Default Beacons Names

Detects the default names of Cobalt Strike beacons / payloads.

  • Effort: intermediate
Computer Account Deleted

Detects computer account deletion.

  • Effort: master
Cookies Deletion

Detects when cookies are deleted by a suspicious process.

  • Effort: master
Cron Files Alteration

Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation.

  • Effort: advanced
Cryptomining

Detection of domain names potentially related to cryptomining activities.

  • Effort: master
DNS Query For Iplookup

Detects dns query of observables tagged as iplookup.

  • Effort: master
Domain Trust Created Or Removed

A trust was created or removed to a domain. An attacker could perform that in order to do lateral movement easily between domains or shutdown the ability of two domains to communicate.

  • Effort: advanced
Dynamic DNS Contacted

Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.

  • Effort: master
Exfiltration And Tunneling Tools Execution

Execution of well known tools for data exfiltration and tunneling

  • Effort: advanced
Exfiltration Domain

Detects traffic toward a domain flagged as a possible exfiltration vector.

  • Effort: master
Hijack Legit RDP Session To Move Laterally

Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.

  • Effort: intermediate
Kernel Module Alteration

Kernel module installation can be used to configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

  • Effort: advanced
Microsoft Exchange Server Creating Unusual Files

Look for Microsoft Exchange Server’s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of CVE-2021-26858 vulnerability

  • Effort: intermediate
Microsoft Office Creating Suspicious File

Detects Microsoft Office process (word, excel, powerpoint) creating a suspicious file which corresponds to a script or an executable. This behavior highly corresponds to an executed macro which loads an installation script or a malware payload. The rule requires to log for File Creations to work properly, which can be done through Sysmon Event ID 11.

  • Effort: master
NTDS.dit File In Suspicious Directory

The file NTDS.dit is supposed to be located mainly in C:\Windows\NTDS. The rule checks whether the file is in a legitimate directory or not (through file creation events). This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes.

  • Effort: advanced
Network Scanning and Discovery

Tools and command lines used for network discovery from current system

  • Effort: advanced
Network Sniffing

List of common tools used for network packages sniffing

  • Effort: advanced
Network Sniffing Windows

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

  • Effort: intermediate
OneNote Embedded File

Detects creation or uses of OneNote embedded files with unusual extensions.

  • Effort: intermediate
Package Manager Alteration

Package manager (eg: apt, yum) can be altered to install malicious software

  • Effort: advanced
Password Change On Directory Service Restore Mode (DSRM) Account

The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.

  • Effort: intermediate
PasswordDump SecurityXploded Tool

Detects the execution of the PasswordDump SecurityXploded Tool

  • Effort: elementary
Possible Replay Attack

This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems.

  • Effort: intermediate
PsExec Process

Detects PsExec execution, command line which contains pstools or installation of the PsExec service. PsExec is a SysInternals which can be used to execute a program on another computer. The tool is as much used by attackers as by administrators.

  • Effort: advanced
RDP Session Discovery

Detects use of RDP session discovery via qwinsta or quser. Used by some threat actors to know if someone is working via RDP on a server.

  • Effort: advanced
RTLO Character

Detects RTLO (Right-To-Left character) in file and process names.

  • Effort: elementary
Remote Access Tool Domain

Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).

  • Effort: master
Remote Monitoring and Management Software - AnyDesk

Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool AnyDesk.

  • Effort: master
Remote Monitoring and Management Software - Atera

Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool Atera.

  • Effort: master
SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary
SSH Authorized Key Alteration

The file authorized_keys is used by SSH server to identify SSH keys that are authorized to connect to the host, alteration of one of those files might indicate a user compromision.

  • Effort: advanced
Sekoia.io EICAR Detection

Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.

  • Effort: master
SolarWinds Suspicious File Creation

Detects SolarWinds process creating a file with a suspicious extension. The process solarwinds.businesslayerhost.exe created an unexpected file whose extension is ".exe", ".ps1", ".jpg", ".png" or ".dll".

  • Effort: intermediate
Suspicious Double Extension

Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spearphishing campaigns

  • Effort: advanced
System Info Discovery

System info discovery, attempt to detects basic command use to fingerprint a host.

  • Effort: master
TOR Usage Generic Rule

Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.

  • Effort: master
User Account Deleted

Detects local user deletion

  • Effort: master
WCE wceaux.dll Creation

Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.

  • Effort: intermediate
WMI Persistence Script Event Consumer File Write

Detects file writes through WMI script event consumer.

  • Effort: advanced
Webshell Creation

Detects possible webshell file creation. It requires File Creation monitoring, which can be done using Sysmon's Event ID 11. However the recommended SwiftOnSecurity configuration does not fully cover the needs for this rule, it needs to be updated with the proper file names extensions.

  • Effort: master

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Authentication logs Audit journal
File monitoring Integrated file system (IFS) log files
Process monitoring Message queues, database monitoring

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind ``
Category authentication, database, file, network, process, session
Type change, end, info, start

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPC1126|Low|act=CodeSample reason=CPC1126 msg=The user QSYSOPR has stopped the job 080352/QTMHHTTP/ADMIN. suser=QSYSOPR sproc=086157/QSYSOPR/UPSA_QHTTP shost=EXPC3",
    "event": {
        "category": [
            "process"
        ],
        "code": "CPC1126",
        "dataset": "QSYS-QHST",
        "reason": "The user QSYSOPR has stopped the job 080352/QTMHHTTP/ADMIN.",
        "type": [
            "end"
        ]
    },
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "name": "QSYSOPR/UPSA_QHTTP",
        "pid": 86157
    },
    "related": {
        "user": [
            "QSYSOPR"
        ]
    },
    "user": {
        "name": "QSYSOPR"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPC1126|Low|reason=CPC1126 msg=L'utilisateur QSYSOPR a arr\u00eat{ le travail 080352/QTMHHTTP/ADMIN. suser=QSYSOPR sproc=086157/QSYSOPR/UPSA_QHTTP shost=EXPC3",
    "event": {
        "category": [
            "process"
        ],
        "code": "CPC1126",
        "dataset": "QSYS-QHST",
        "reason": "L'utilisateur QSYSOPR a arr\u00eat{ le travail 080352/QTMHHTTP/ADMIN.",
        "type": [
            "end"
        ]
    },
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "name": "QSYSOPR/UPSA_QHTTP",
        "pid": 86157
    },
    "related": {
        "user": [
            "QSYSOPR"
        ]
    },
    "user": {
        "name": "QSYSOPR"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.4|MSGMON|CPF0907|5|cat=MSG Queue Messages rt=2020-04-30-11.35.29.886549 reason=CPF0907 cs1Label=msgSev cs1=ERROR cs2Label=msgQueue cs2=QSYS/QSYSOPR cs3Label=pgmName cs3=QWCATARE msg=Serious storage condition may exist. Press HELP. cs4Label=srdb cs4=I5OSP4 suser=QSYS sproc=541034/QSYS/QSYSARB5 shost=I5OSP4",
    "event": {
        "category": [
            "process"
        ],
        "dataset": "MSGMON",
        "reason": "Serious storage condition may exist. Press HELP.",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2020-04-30T11:35:29.886549Z",
    "host": {
        "name": "I5OSP4"
    },
    "ibm_i": {
        "cat": "MSG Queue Messages",
        "pgmName": "QWCATARE"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.4"
    },
    "process": {
        "name": "QSYS/QSYSARB5",
        "pid": 541034
    },
    "related": {
        "user": [
            "QSYS"
        ]
    },
    "user": {
        "name": "QSYS"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF0927|Low|reason=CPF0927 msg=Subsystem QBATCH stopped suser=QSYS sproc=080211/QSYS/QSYSARB4 shost=EXPC3",
    "event": {
        "category": [
            "process"
        ],
        "code": "CPF0927",
        "dataset": "QSYS-QHST",
        "reason": "Subsystem QBATCH stopped",
        "type": [
            "end"
        ]
    },
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "name": "QSYS/QSYSARB4",
        "pid": 80211
    },
    "related": {
        "user": [
            "QSYS"
        ]
    },
    "user": {
        "name": "QSYS"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.4|QSYS-QHST|CPF1124|Low|reason=CPF1124 msg=Job 722506/QZRDSRMOWN/SLMSQMONS started on 25.08.20 at 18:59:04 in subsystem SLSBS in QZRDSECSRM. Job entered system on 25.08.20 at 18:59:04. suser=QZRDSRMOWN sproc=722506/QZRDSRMOWN/SLMSQMONS shost=EXPC3",
    "event": {
        "category": [
            "process"
        ],
        "code": "CPF1124",
        "dataset": "QSYS-QHST",
        "reason": "Job 722506/QZRDSRMOWN/SLMSQMONS started on 25.08.20 at 18:59:04 in subsystem SLSBS in QZRDSECSRM. Job entered system on 25.08.20 at 18:59:04.",
        "type": [
            "start"
        ]
    },
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.4"
    },
    "process": {
        "name": "QZRDSRMOWN/SLMSQMONS",
        "pid": 722506
    },
    "related": {
        "user": [
            "QZRDSRMOWN"
        ]
    },
    "user": {
        "name": "QZRDSRMOWN"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1124|Low|reason=CPF1124 msg=Travail 086167/QZRDSRMOWN/SLMSQMONS d{marr{ le 12/03/24 @ 02:08:51 dans le sous-syst}me SLSBS de QZRDSECSRM ; soumis le 12/03/24 @ 02:08:51. suser=QZRDSRMOWN sproc=086167/QZRDSRMOWN/SLMSQMONS shost=EXPC3",
    "event": {
        "category": [
            "process"
        ],
        "code": "CPF1124",
        "dataset": "QSYS-QHST",
        "reason": "Travail 086167/QZRDSRMOWN/SLMSQMONS d{marr{ le 12/03/24 @ 02:08:51 dans le sous-syst}me SLSBS de QZRDSECSRM ; soumis le 12/03/24 @ 02:08:51.",
        "type": [
            "start"
        ]
    },
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "name": "QZRDSRMOWN/SLMSQMONS",
        "pid": 86167
    },
    "related": {
        "user": [
            "QZRDSRMOWN"
        ]
    },
    "user": {
        "name": "QZRDSRMOWN"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1164|High|reason=CPF1164 msg=Job 111111/JDOE/JPRC stopped at 12/03/24 @ 02:06:54; UC time 0,002; exit code 123 . suser=JDOE sproc=111111/JDOE/JPRC shost=EXPC3",
    "event": {
        "category": [
            "process"
        ],
        "code": "CPF1164",
        "dataset": "QSYS-QHST",
        "reason": "Job 111111/JDOE/JPRC stopped at 12/03/24 @ 02:06:54; UC time 0,002; exit code 123 .",
        "type": [
            "end"
        ]
    },
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "exit_code": 123,
        "name": "JDOE/JPRC",
        "pid": 111111
    },
    "related": {
        "user": [
            "JDOE"
        ]
    },
    "user": {
        "name": "JDOE"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1164|High|reason=CPF1164 msg=Travail 080694/QSPLJOB/RMTW000008 arr\u00eat{ le 12/03/24 @ 02:05:56; temps UC 0,005; code fin 50 . suser=QSPLJOB sproc=080694/QSPLJOB/RMTW000008 shost=EXPC3",
    "event": {
        "category": [
            "process"
        ],
        "code": "CPF1164",
        "dataset": "QSYS-QHST",
        "reason": "Travail 080694/QSPLJOB/RMTW000008 arr\u00eat{ le 12/03/24 @ 02:05:56; temps UC 0,005; code fin 50 .",
        "type": [
            "end"
        ]
    },
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "exit_code": 50,
        "name": "QSPLJOB/RMTW000008",
        "pid": 80694
    },
    "related": {
        "user": [
            "QSPLJOB"
        ]
    },
    "user": {
        "name": "QSPLJOB"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPI3E34|Low|reason=CPI3E34 msg=User QBRMS, client 192.168.242.20, was connected to the job 086171/QUSER/QRWTSRVR in the subsystem QSYSWRK, QSYS, 12/03/24, 02:16:22. suser=QBRMS sproc=086171/QUSER/QRWTSRVR shost=EXPC3",
    "event": {
        "category": [
            "session"
        ],
        "code": "CPI3E34",
        "dataset": "QSYS-QHST",
        "reason": "User QBRMS, client 192.168.242.20, was connected to the job 086171/QUSER/QRWTSRVR in the subsystem QSYSWRK, QSYS, 12/03/24, 02:16:22.",
        "type": [
            "start"
        ]
    },
    "@timestamp": "2024-12-03T02:16:22Z",
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "name": "QUSER/QRWTSRVR",
        "pid": 86171
    },
    "related": {
        "ip": [
            "192.168.242.20"
        ],
        "user": [
            "QBRMS"
        ]
    },
    "source": {
        "address": "192.168.242.20",
        "ip": "192.168.242.20"
    },
    "user": {
        "name": "QBRMS"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPI3E34|Low|reason=CPI3E34 msg=L'utilisateur QBRMS, client 192.168.242.20, est connect{ au travail 086171/QUSER/QRWTSRVR dans le sous-syst}me QSYSWRK, QSYS, 12/03/24, 02:16:22. suser=QBRMS sproc=086171/QUSER/QRWTSRVR shost=EXPC3",
    "event": {
        "category": [
            "session"
        ],
        "code": "CPI3E34",
        "dataset": "QSYS-QHST",
        "reason": "L'utilisateur QBRMS, client 192.168.242.20, est connect{ au travail 086171/QUSER/QRWTSRVR dans le sous-syst}me QSYSWRK, QSYS, 12/03/24, 02:16:22.",
        "type": [
            "start"
        ]
    },
    "@timestamp": "2024-12-03T02:16:22Z",
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "name": "QUSER/QRWTSRVR",
        "pid": 86171
    },
    "related": {
        "ip": [
            "192.168.242.20"
        ],
        "user": [
            "QBRMS"
        ]
    },
    "source": {
        "address": "192.168.242.20",
        "ip": "192.168.242.20"
    },
    "user": {
        "name": "QBRMS"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.4|DB2MON|DB2 change monitoring (Journal Extract Tool)|3|act=UPDATE rt=2020-04-30-12.11.52.265056 sproc=551907/BARLEN/QPADEV000D shost=I5OSP4 suser=BARLEN fname=QZRDSECSRM/SLTHSTENT cs1Label=pgmName cs1=CFGSLHSTP cs2Label=updatedColumnNames cs2=EVTUSER1,EVTMSGID1,EVTMSGID2,EVTMSGID3 cs5Label=rowDataBefore cs5=QJ_JOURNAL_ENTRY_TYPE\\=\"UB\" QJ_RECEIVER_NAME\\=\"DETRCV0010\" QJ_SEQUENCE_NUMBER\\=\"22145\" EVTUSER1\\=\"BARLEN\" EVTMSGID1\\=\"CPF1122\" EVTMSGID2\\=\"CPF9998\" EVTMSGID3\\=\"SLS0040\" cs4Label=rowDataAfter cs4=QJ_JOURNAL_ENTRY_TYPE\\=\"UP\" QJ_RECEIVER_NAME\\=\"DETRCV0010\" QJ_SEQUENCE_NUMBER\\=\"22146\" EVTUSER1\\=\"BARLEN3\" EVTMSGID1\\=\"CPF1129\" EVTMSGID2\\=\"CPF9997\" EVTMSGID3\\=\"SLS0042\"",
    "event": {
        "action": "UPDATE",
        "category": [
            "database"
        ],
        "dataset": "DB2MON",
        "type": [
            "change"
        ]
    },
    "@timestamp": "2020-04-30T12:11:52.265056Z",
    "host": {
        "name": "I5OSP4"
    },
    "ibm_i": {
        "pgmName": "CFGSLHSTP"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.4"
    },
    "process": {
        "name": "BARLEN/QPADEV000D",
        "pid": 551907
    },
    "related": {
        "user": [
            "BARLEN"
        ]
    },
    "user": {
        "name": "BARLEN"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.4|IFSMON|IFS File Monitor Journal Entry Type B-WA|3|act=B-WA Write, after-image event sproc=722496/BARLEN/QZSHSH suser=BARLEN shost=CTCSECT5 filePath=/home/barlen/ifsmon/weblog2.log fileType=*STMF cs2Label=changedDataLength cs2=0000000064 cs3Label=changedDataPart cs3=*ONLY cs4Label=changedDataFileOffset cs4=00000000000000788915 cs1Label=changedData cs1=Unauthorized access to Web resource accountInfo by user TBARLEN",
    "event": {
        "category": [
            "file"
        ],
        "dataset": "IFSMON",
        "reason": "Unauthorized access to Web resource accountInfo by user TBARLEN",
        "type": [
            "info"
        ]
    },
    "file": {
        "directory": "/home/barlen/ifsmon",
        "name": "weblog2.log",
        "path": "/home/barlen/ifsmon/weblog2.log"
    },
    "host": {
        "name": "CTCSECT5"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.4"
    },
    "process": {
        "name": "BARLEN/QZSHSH",
        "pid": 722496
    },
    "related": {
        "user": [
            "BARLEN"
        ]
    },
    "user": {
        "name": "BARLEN"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-AF|Medium|reason=Authority failure msg=Not authorized to object fileType=*PGM cs1Label=objName cs1=QZRDSECSRM/CFGJSCR suser=THOMAS sproc=722470/THOMAS/QPADEV000P shost=I5OSP4 src=192.168.126.71 spt=36868 evtAggregation=*NO entryTypeField=A",
    "event": {
        "category": [
            "authentication"
        ],
        "dataset": "QSYS-QAUDJRN",
        "reason": "Not authorized to object",
        "type": [
            "info"
        ]
    },
    "host": {
        "name": "I5OSP4"
    },
    "ibm_i": {
        "objName": "QZRDSECSRM/CFGJSCR"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.4"
    },
    "process": {
        "name": "THOMAS/QPADEV000P",
        "pid": 722470
    },
    "related": {
        "ip": [
            "192.168.126.71"
        ],
        "user": [
            "THOMAS"
        ]
    },
    "source": {
        "address": "192.168.126.71",
        "ip": "192.168.126.71",
        "port": 36868
    },
    "user": {
        "name": "THOMAS"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-CD|Low|reason=Command string audit msg=Command run interactively from a command line or by choosing a menu option that runs a CL command - CHGENVVAR ENVVAR(test4) VALUE(77777) LEVEL(*SYS) fileType=*CMD cs1Label=objName cs1=QSYS/CHGENVVAR suser=BARLEN sproc=721738/BARLEN/QPADEV000Q shost=I5OSP4 src=192.168.126.71 spt=36888 evtAggregation=*NO entryTypeField=C",
    "event": {
        "category": [
            "process"
        ],
        "dataset": "QSYS-QAUDJRN",
        "reason": "Command run interactively from a command line or by choosing a menu option that runs a CL command - CHGENVVAR ENVVAR(test4) VALUE(77777) LEVEL(*SYS)",
        "type": [
            "start"
        ]
    },
    "host": {
        "name": "I5OSP4"
    },
    "ibm_i": {
        "objName": "QSYS/CHGENVVAR"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.4"
    },
    "process": {
        "name": "BARLEN/QPADEV000Q",
        "pid": 721738
    },
    "related": {
        "ip": [
            "192.168.126.71"
        ],
        "user": [
            "BARLEN"
        ]
    },
    "source": {
        "address": "192.168.126.71",
        "ip": "192.168.126.71",
        "port": 36888
    },
    "user": {
        "name": "BARLEN"
    }
}
{
    "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|TCP2617|Low|reason=TCP2617 msg=TCP/IP connection to remote system 10.1.43.58 closed, reason code 1. suser=QSYS sproc=080247/QSYS/QTCPWRK shost=EXPC3",
    "event": {
        "category": [
            "network"
        ],
        "code": "TCP2617",
        "dataset": "QSYS-QHST",
        "reason": "TCP/IP connection to remote system 10.1.43.58 closed, reason code 1.",
        "type": [
            "end"
        ]
    },
    "host": {
        "name": "EXPC3"
    },
    "observer": {
        "product": "IBM i",
        "vendor": "IBM",
        "version": "7.3"
    },
    "process": {
        "name": "QSYS/QTCPWRK",
        "pid": 80247
    },
    "related": {
        "user": [
            "QSYS"
        ]
    },
    "user": {
        "name": "QSYS"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.code keyword Identification code for this event.
event.dataset keyword Name of the dataset.
event.reason keyword Reason why this event happened, according to the source
event.type keyword Event type. The third categorization field in the hierarchy.
file.directory keyword Directory where the file is located.
file.name keyword Name of the file including the extension, without the directory.
file.path keyword Full path to the file, including the file name.
host.name keyword Name of the host.
ibm_i.cat keyword The category of the object
ibm_i.objName keyword The name of the object
ibm_i.pgmName keyword The name of the program
observer.product keyword The product name of the observer.
observer.vendor keyword Vendor name of the observer.
observer.version keyword Observer version.
process.exit_code long The exit code of the process.
process.name keyword Process name.
process.pid long Process id.
source.ip ip IP address of the source.
source.port long Port of the source.
user.name keyword Short name or login of the user.

Configure

In this guide, you will configure the gateway to forward events to syslog.

Prerequisites

  1. An internal syslog concentrator is required to collect and forward events to Sekoia.io.
  2. Syslog Reporting Manager installed on the iSeries. See docs for more info.

Forward IBM iSeries events

  1. Ensure having Syslog Reporting Manager installed and configured
  2. On the SLMON menu, type CFGSRM
  3. On the Configure global settings, select Option 2
  4. Type the address and the port of the log concentrator
  5. Select RFC5424 as Syslog format
  6. Select CEF as SIEM message format
  7. Select the protocol for the log concentrator (TCP is recommended)
  8. At the bottom of the screen, press Enter to save the changes

Enable Audit logs (optional)

  1. On the SLMON menu, type CFGSRM
  2. On the Configure global settings, select Option 10
  3. Enable the following type:
    • AF: Authority failures
    • CD: Command string audit
  4. Press F3 to save the changes

Create the intake

Go to the intake page and create a new intake from the format IBM iSeries.

Send logs to Sekoia.io

Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.