Blue Coat Web Security Service

The IBM QRadar DSM for Blue Coat Web Security Service collects events from the Blue Coat Web Security Service.

The following table describes the specifications for the Blue Coat Web Security Service DSM:
Table 1. Blue Coat Web Security Service DSM specifications

| Specification | Value |
| --- | --- |
| Manufacturer | Blue Coat |
| DSM name | Blue Coat Web Security Service |
| RPM file name | DSM-BlueCoatWebSecurityService-Qradar_version-build_number.noarch.rpm |
| Event format | Blue Coat ELFF |
| Recorded event types | Access |
| Automatically discovered? | No |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | Blue Coat website (https://www.bluecoat.com) |

To integrate Blue Coat Web Security Service with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website onto your QRadar Console:
    • Protocol Common RPM
    • Blue Coat Web Security Service REST API Protocol RPM
    • Blue Coat Web Security Service DSM RPM
  2. Configure Blue Coat Web Security Service to allow QRadar access to the Sync API.
  3. Add a Blue Coat Web Security Service log source on the QRadar Console. The following table describes the parameters that require specific values for Blue Coat Web Security Service event collection:
    Table 2. Blue Coat Web Security Service log source parameters

    | Parameter | Value |
    | --- | --- |
    | Protocol Configuration | The protocol that is used to receive events from the Blue Coat Web Security Service. You can specify the following protocol configuration options: Blue Coat Web Security Service REST API (recommended) or Forwarded. |
    | API Username | The API user name that is used for authenticating with the Blue Coat Web Security Service. The API user name is configured through the Blue Coat Threat Pulse Portal. |
    | Password | The password that is used for authenticating with the Blue Coat Web Security Service. |
    | Confirm Password | The password that is used for authenticating with the Blue Coat Web Security Service. |
    | Use Proxy | When you configure a proxy, all traffic for the log source travels through the proxy for QRadar to access the Blue Coat Web Security Service. Configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank. |
    | Automatically Acquire Server Certificate(s) | Select Yes for QRadar to automatically download the server certificate and begin trusting the target server. |
    | Recurrence | You can specify the frequency of data collection. The format is M/H/D for Minutes/Hours/Days. The default is 5 M. |
    | EPS Throttle | The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. The default is 5000. |