Cisco Cloud Web Security
The IBM QRadar DSM for Cisco Cloud Web Security (CWS) collects web usage logs from Cisco Cloud Web Security (CWS) storage by using an Amazon S3-compatible API.
Specification | Value |
---|---|
Manufacturer | Cisco |
DSM name | Cisco Cloud Web Security |
RPM file name | DSM-CiscoCloudWebSecurity-QRadar_version-build_number.noarch.rpm |
Supported versions | N/A |
Protocol | Amazon AWS S3 REST API |
Event format | W3C |
Recorded event types | All web usage logs |
Automatically discovered? | No |
Includes identity? | No |
Includes custom properties? | No |
More information | Cisco CWS product information (https://www.cisco.com/go/cws) |
- If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website, in the order that they are listed, on your QRadar Console:
  - Protocol Common RPM
  - Amazon AWS REST API Protocol RPM
  - DSMCommon RPM
  - Cisco Cloud Web Security DSM RPM
- Enable Log Extraction in your Cisco ScanCenter (administration portal).
- Add a Cisco Cloud Web Security log source on the QRadar Console. The following table describes the parameters that require specific values for Cisco Cloud Web Security event collection:
Table 2. Cisco Cloud Web Security log source parameters

Parameter | Value |
---|---|
Log Source type | Cisco Cloud Web Security |
Protocol Configuration | Amazon AWS S3 REST API |
Log Source Identifier | The Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the Log Source Name. If you configured more than one Cisco CWS log source, you might want to identify the first log source as ciscocws1, the second log source as ciscocws2, and the third log source as ciscocws3. |
Signature Version | Select Signature Version 2. If your Cisco CWS API is using Signature Version 4, contact your system administrator. |
Region Name (Signature V4 only) | The region that is associated with the Amazon S3 bucket. |
Service Name (Signature V4 only) | Type s3. The name of the Amazon Web Service. |
Bucket Name | The name of the Cisco CWS bucket where the log files are stored. |
Endpoint URL | https://vault.scansafe.com/ |
Public Key | The access key to enable log extraction from the Cisco CWS bucket. |
Access Key | The secret key to enable log extraction from the Cisco CWS bucket. |
Directory Prefix | The location of the root directory on the Cisco CWS storage bucket from where the Cisco CWS logs are retrieved. For example, the root directory location might be cws-logs/. |
File Pattern | .*?\.txt\.gz |
Event Format | W3C. The log source retrieves W3C text formatted events. |
Use Proxy | When a proxy is configured, all traffic for the log source travels through the proxy so that QRadar can access the Amazon AWS S3 buckets. Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, leave the Proxy Username and Proxy Password fields blank. |
Automatically Acquire Server Certificate(s) | If you select Yes, QRadar downloads the certificate and begins trusting the target server. |
Recurrence | Specifies how often the Amazon AWS S3 REST API Protocol connects to the Cisco CWS API to check for new files, and retrieves them if they exist. The format is M/H/D for Minutes/Hours/Days. The default is 5 M. |

Every access to an AWS S3 bucket incurs a monetary cost to the account that owns the bucket. Therefore, a smaller recurrence value increases the cost.
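The following is an added example, not IBM QRadar or Cisco code, that simulates what the Directory Prefix, File Pattern and Event Format parameters above control: it filters a bucket listing down to the objects the protocol would retrieve, decompresses one such .txt.gz object, and parses its W3C extended log format content. The bucket keys, log lines and field names are constructed placeholders, and the assumption that the file pattern is matched against the whole object key is the example's own; the real Cisco CWS field set is not shown on this page.

```python
"""Added example (not IBM QRadar or Cisco code): simulate object selection by
Directory Prefix / File Pattern and decoding of gzip-compressed W3C text logs.
All keys, log lines and field names are constructed placeholders."""
import gzip
import re
from collections import Counter

# Values taken from the log source parameter table on this page.
DIRECTORY_PREFIX = "cws-logs/"
FILE_PATTERN = re.compile(r".*?\.txt\.gz")


def select_log_objects(keys, prefix=DIRECTORY_PREFIX, pattern=FILE_PATTERN):
    """Keep only object keys under the prefix whose whole key matches the file
    pattern (assumption: QRadar applies the pattern to the full key)."""
    return sorted(k for k in keys if k.startswith(prefix) and pattern.fullmatch(k))


def parse_w3c(text):
    """Parse W3C extended log format: '#' directive lines, a '#Fields:' header
    naming the space-delimited columns, then one record per remaining line.
    A '-' value means the field is empty for that record."""
    fields = None
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        records.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return records


def decode_log_object(gz_bytes):
    """Decompress one .txt.gz object and parse it; a corrupt or non-gzip
    payload is reported instead of silently yielding zero events."""
    try:
        text = gzip.decompress(gz_bytes).decode("utf-8")
    except (OSError, EOFError) as exc:
        raise ValueError(f"object is not a valid gzip stream: {exc}") from exc
    return parse_w3c(text)


def action_counts(records, field="x-action"):
    """Count records per value of a field (hypothetical 'x-action' column)."""
    return Counter(r.get(field) or "unknown" for r in records)


# Constructed bucket listing: only the two finished .txt.gz objects under the
# directory prefix should be selected.
SAMPLE_KEYS = [
    "cws-logs/2024/01/web-2.txt.gz",
    "cws-logs/2024/01/web-1.txt.gz",
    "cws-logs/2024/01/manifest.txt",       # wrong extension
    "cws-logs/2024/01/web-3.txt.gz.part",  # not a finished object
    "backup/2024/01/web-1.txt.gz",         # outside the directory prefix
]

# Constructed W3C log content; the field names are generic, not Cisco's.
SAMPLE_LOG = """#Software: constructed sample, not a real Cisco CWS export
#Version: 1.0
#Date: 2024-01-15 10:00:00
#Fields: date time c-ip cs-method cs-uri sc-status x-action
2024-01-15 10:00:01 10.0.0.5 GET http://intranet.example/ 200 allow
2024-01-15 10:00:02 10.0.0.7 GET http://blocked.example/ 403 block
2024-01-15 10:00:03 10.0.0.5 POST http://intranet.example/upload - allow
"""
SAMPLE_OBJECT = gzip.compress(SAMPLE_LOG.encode("utf-8"))

if __name__ == "__main__":
    print("objects to fetch:", select_log_objects(SAMPLE_KEYS))
    events = decode_log_object(SAMPLE_OBJECT)
    print(f"{len(events)} events, actions: {dict(action_counts(events))}")
```

Because the pattern is a full-match, a partially uploaded object such as web-3.txt.gz.part is skipped until it is renamed, and a key outside the prefix is never requested, which is also what keeps the per-request S3 cost mentioned above bounded.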
Event name | Low level category | Sample log message |
---|---|---|
c:comp - block | Access Denied | |