CorreLog, Inc.   Solutions   Products   Download   Partners   News   Support   About Login

Solutions >IND$Defender™ for IBM z/OS

IND$FILE for Time Sharing Option (TSO) is a file transfer program that allows a user on a Windows-/UNIX-based PC to upload or download datasets from IBM z/OS. The security vulnerability with providing users the IND$FILE facility in IBM z/OS is that RACF (Resource Access Control Facility), the mainframe’s security program, does not audit IND$FILE.


CorreLog IND$Defender™ fills a huge gap in mainframe security by monitoring IND$FILE, an unaudited file transfer program in IBM z/OS.

When one of your users uploads or downloads mainframe datasets – containing some of the most valuable intellectual property in an enterprise datacenter – RACF does not record the activity. Since there is no audit trail from RACF, your Security Information and Event Management or SIEM system does not receive a notification that anything was uploaded/downloaded by the user.


CorreLog’s closes this major auditing gap in mainframe security with IND$Defender™. IND$defender™ provides a systematized approach for monitoring mainframe dataset activity through a 3270 Emulator program, a PC application that delivers a mainframe user interface on Windows/UNIX devices. With IND$defender™, compliance managers now have an audit trail and real-time SIEM notifications for any IND$FILE transfer, which incidentally does not natively create an SMF record from the mainframe operating system. SMF (System Management Facility) records are used by RACF to notify your SIEM that a security event just occurred and potentially needs immediate (or automated) attention.

CorreLog’s IND$defender™ operates as a “wrapper” that transparently audits the usage of IND$FILE and writes an SMF record (unique to CorreLog and approved for use by IBM) that can be formatted for any SIEM system for every IND$FILE transfer. IND$defender™ then generates a real-time alert from the SMF record for the organization’s SIEM system. The product has a very small footprint that requires minimal system resources. The audit data that can be sent to the distributed SIEM system includes:


  • Invoking user ID, name and Group
  • Terminal name and IP address
  • Mainframe dataset name
  • Upload or download
  • Time of day and duration of transfer
  • Other IND$FILE parameters


CorreLog has worked with leading SIEM vendors to achieve certified integration status with HP ArcSight, IBM® QRadar Security®, RSA Security Analytics/EnVision, NetIQ, McAfee, and Solutionary. In addition to CorreLog has worked with leading SIEM vendors to achieve certified integration status with HP ArcSight, IBM® QRadar Security®, RSA Security Analytics/EnVision, NetIQ, McAfee, and Solutionary. In addition to



sending SMF data to the CorreLog SIEM Correlation Server or CorreLog Visualizer™, IND$defender™ can send data to any brand-name SIEM system including Splunk, LogRhythm®, Dell SecureWorks and others.


IND$Defender™ is part of the CorreLog SIEM Agent for IBM z/OS solution, the industries’ first SIEM event message collector for z/OS that reports mainframe security event messages in real time. IND$Defender can be deployed as a standalone product or as part of a SIEM Agent for z/OS package. SIEM Agent for z/OS resides in a mainframe LPAR, or multiple LPARs, and in real time, converts mainframe security events such as RACF, ACF2, Top Secret and DB2 accesses to distributed syslog format for enterprise SIEM systems. In addition to mainframe SIEM functions, SIEM Agent includes functionality for Mainframe File Integrity Monitoring (MFIM) and Data Loss Prevention (DLP).


For additional details about the Correlog IND$Defender™, download the product datasheet.

This is CorreLog
Security Compliance
Read the CorreLog Blog

Request Product Demo


Click here to download
the CorreLog IND$Defender for IBM z/OS



NEW WHITEPAPER: InfoSec Myths Debunked:
The PCI DSS 3.1 FIM requirement 10.5.5 only
applies to Windows/UNIX



CorreLog Agent for IBM z/OS is now
ArcSight CEF Certified.


CorreLog Agent for IBM z/OS is now
certified ready for IBM Security Intelligence.


CorreLog Agent for IBM z/OS is now
RSA Security Analytics Certified.


z/OS download img

MTS logo

Read the MTS Allstream case study
for monitoring DB2 activity
with z/OS mainframe agent.

Privacy  |  Product Licensing  |  Contact Us  |  Toll-free USA: 1-877-CorreLog

CorreLog: High Performance Correlation, Search and Log Management

Copyright © 2010-2016, CorreLog, Inc. All rights reserved.
All trademarks and registered trademarks used herein are the properties of their respective owners.


Google, Twitter, Digg, SlashDot, Cisco, Microsoft