CloudLock Cloud Security Fabric

The IBM QRadar DSM for CloudLock Cloud Security Fabric collects events from the CloudLock Cloud Security Fabric service.

The following table describes the specifications for the CloudLock Cloud Security Fabric DSM:
Table 1. CloudLock Cloud Security Fabric DSM specifications
Manufacturer: CloudLock
DSM name: CloudLock Cloud Security Fabric
RPM file name: DSM-CloudLockCloudSecurityFabric-Qradar_version-build_number.noarch.rpm
Supported versions: N/A
Protocol: Syslog
Event format: Log Event Extended Format (LEEF)
Recorded event types: Incidents
Automatically discovered?: Yes
Includes identity?: No
Includes custom properties?: No
More information: Cloud Cybersecurity (https://www.cloudlock.com/products/)
To integrate CloudLock Cloud Security Fabric with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website onto your QRadar Console in the order that they are listed:
    • DSMCommon RPM
    • CloudLock Cloud Security Fabric DSM RPM
  2. Configure your CloudLock Cloud Security Fabric service to send Syslog events to QRadar.
  3. If QRadar does not automatically detect the log source, add a CloudLock Cloud Security Fabric log source on the QRadar Console. The following table describes the parameters that require specific values for CloudLock Cloud Security Fabric event collection:
    Table 2. CloudLock Cloud Security Fabric log source parameters
    Log Source type: CloudLock Cloud Security Fabric
    Protocol Configuration: Syslog
The following table provides a sample event message for the CloudLock Cloud Security Fabric DSM:
Table 3. CloudLock Cloud Security Fabric sample message supported by the CloudLock Cloud Security Fabric service
Event name: New Incident
Low level category: Suspicious Activity
Sample log message:
LEEF:1.0|Cloudlock|API|v2|Incidents|match_count=2 sev=1 entity_id=ebR4q6DxvA entity_origin_type=document group=None url=https://example.com/a/path/file/d/<File_path_ID>/view?usp=drivesdk CloudLockID=xxxxxxxxxx updated_at=2016-01-20T15:42:15.128356+0000 entity_owner_email=user@example.com cat=NEW entity_origin_id=<File_path_ID> entity_mime_type=text/plain devTime=2016-01-20T15:42:14.913178+0000 policy=Custom Regex resource=confidential.txt usrName=Admin Admin realm=domain policy_id=xxxxxxxxxx devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ
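The sample message above is worth parsing by hand before trusting what a log source shows in the QRadar Log Activity tab, because it has two traps: the LEEF 1.0 header says nothing about the attribute delimiter (the specification uses a tab, this sample uses spaces), and several values (policy=Custom Regex, usrName=Admin Admin) themselves contain spaces, so a naive whitespace split corrupts them. The following Python is an added example written for this page; it is not IBM's DSM code or CloudLock's. It assumes that an attribute boundary is whitespace immediately followed by a key= token, that the vendor/product pair in the header ("Cloudlock"/"API") is what identifies a CloudLock event, and that the only documented cat value is NEW as shown in Table 3; the sample event is the page's own message with the placeholders kept.

```python
import re
from datetime import datetime

# Constructed sample: the Table 3 message reproduced with its placeholders kept.
SAMPLE = (
    "LEEF:1.0|Cloudlock|API|v2|Incidents|"
    "match_count=2 sev=1 entity_id=ebR4q6DxvA entity_origin_type=document group=None "
    "url=https://example.com/a/path/file/d/<File_path_ID>/view?usp=drivesdk "
    "CloudLockID=xxxxxxxxxx updated_at=2016-01-20T15:42:15.128356+0000 "
    "entity_owner_email=user@example.com cat=NEW entity_origin_id=<File_path_ID> "
    "entity_mime_type=text/plain devTime=2016-01-20T15:42:14.913178+0000 "
    "policy=Custom Regex resource=confidential.txt usrName=Admin Admin realm=domain "
    "policy_id=xxxxxxxxxx devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ"
)

HEADER_FIELDS = ("vendor", "product", "product_version", "event_id")

# Event name and low level category from Table 3, keyed by the LEEF "cat" value.
# Only NEW is documented on the page; anything else is reported as undocumented.
EVENTS = {"NEW": ("New Incident", "Suspicious Activity")}

# Assumption: whitespace immediately followed by a key= token starts a new attribute.
ATTR_BOUNDARY = re.compile(r"\s+(?=[A-Za-z_][A-Za-z0-9_]*=)")


def parse_leef(message):
    """Split a LEEF 1.0 message into (header dict, attribute dict)."""
    if not message.startswith("LEEF:1.0|"):
        raise ValueError("not a LEEF 1.0 message")
    parts = message.split("|", 5)
    if len(parts) < 6:
        raise ValueError("LEEF header is missing fields")
    header = dict(zip(HEADER_FIELDS, parts[1:5]))
    body = parts[5]
    # LEEF 1.0 uses a tab between attributes. The CloudLock sample uses spaces,
    # and values such as policy and usrName contain spaces, so split only where a
    # new key= begins; '?usp=' inside the url is not preceded by whitespace and
    # therefore stays part of the url value.
    tokens = body.split("\t") if "\t" in body else ATTR_BOUNDARY.split(body)
    attrs = {}
    for token in tokens:
        if "=" not in token:
            continue
        key, value = token.split("=", 1)
        attrs[key] = value
    return header, attrs


def java_to_strptime(fmt):
    """Translate the Java-style devTimeFormat into a strptime pattern.

    Handles only the tokens present in the CloudLock sample. Order matters:
    MM (month) must be replaced before mm (minute).
    """
    for java, py in (("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"), ("HH", "%H"),
                     ("mm", "%M"), ("ss", "%S"), ("SSSSSS", "%f"), ("Z", "%z"),
                     ("'T'", "T")):
        fmt = fmt.replace(java, py)
    return fmt


def normalize(message):
    """Reduce a CloudLock incident to the fields an analyst reads in QRadar."""
    header, attrs = parse_leef(message)
    # Assumption: the vendor/product pair is what identifies a CloudLock event.
    # Reject anything else before trusting its attributes.
    if (header["vendor"], header["product"]) != ("Cloudlock", "API"):
        raise ValueError("not a CloudLock Cloud Security Fabric event")
    event_time = datetime.strptime(attrs["devTime"],
                                   java_to_strptime(attrs["devTimeFormat"]))
    name, category = EVENTS.get(attrs.get("cat"), ("Undocumented CloudLock event", None))
    return {
        "event_name": name,
        "low_level_category": category,
        "severity": int(attrs["sev"]),
        "username": attrs.get("usrName"),
        "owner": attrs.get("entity_owner_email"),
        "policy": attrs.get("policy"),
        "resource": attrs.get("resource"),
        "match_count": int(attrs.get("match_count", 0)),
        "event_time": event_time,
    }


if __name__ == "__main__":
    for key, value in normalize(SAMPLE).items():
        print(f"{key:>20}: {value}")
```

If a CloudLock message ever arrives with tab-delimited attributes, the parser takes the tab path and the regex heuristic is never used; if the usrName or policy values on a real feed contain a space followed by something that looks like key=, the heuristic will mis-split them, which is the same ambiguity QRadar's own parsing has to resolve and a reason to check the Log Activity payload against the parsed fields after step 3.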