The link that contains the record layout of the SMF80 record which will be making reference to the fields needed to locate the *08*-B5 type security events can be found here
See the following fields in the security record to locate the *08*-B5 security events audited to the SMF dataset:
FLFLAGS DS X LOGGING INDICATORS:
$LOGVIOL EQU X'80' VIOLATION
...FLRETCOD DS X RETURN CODE
FLDETLRC DS X DETAIL REASON CODE
Choose the SMF80 records where :
1. FLFLAGS contain a x'80'. FLFLAGS is the event type. x'80' in this field is a 'violation'
2. FLRETCOD contains a x'08'. FLTRETCOD is the system RC.
3. FLDETLRC contains x'B5'. FLTRETCOD is the detailred reason code.
Notice that the TSSUTIL record layout is very similar to the SMF80 record. So, the logic used with the TSSUTIL records can be used with SMF80 records.