Cisco Cloud Web Security

The IBM QRadar DSM for Cisco Cloud Web Security (CWS) collects web usage logs from Cisco Cloud Web Security (CWS) storage by using an Amazon S3-compatible API.

The following table describes the specifications for the Cisco Cloud Web Security DSM:
Table 1. Cisco Cloud Web Security DSM specifications
Manufacturer: Cisco
DSM name: Cisco Cloud Web Security
RPM file name: DSM-CiscoCloudWebSecurity-QRadar_version-build_number.noarch.rpm
Supported versions: N/A
Protocol: Amazon AWS S3 REST API
Event format: W3C
Recorded event types: All web usage logs
Automatically discovered?: No
Includes identity?: No
Includes custom properties?: No
More information: Cisco CWS product information (https://www.cisco.com/go/cws)
To integrate Cisco Cloud Web Security with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website, in the order that they are listed, on your QRadar Console:
    • Protocol Common RPM
    • Amazon AWS REST API Protocol RPM
    • DSMCommon RPM
    • Cisco Cloud Web Security DSM RPM
  2. Enable Log Extraction in your Cisco ScanCenter (administration portal).
  3. Add a Cisco Cloud Web Security log source on the QRadar Console. The following table describes the parameters that require specific values for Cisco Cloud Web Security event collection:
    Table 2. Cisco Cloud Web Security log source parameters
    Log Source type: Cisco Cloud Web Security
    Protocol Configuration: Amazon AWS S3 REST API
    Log Source Identifier: The Log Source Identifier can be any valid value and does not need to reference a specific server. It can be the same value as the Log Source Name. If you configure more than one Cisco CWS log source, you might identify the first log source as ciscocws1, the second as ciscocws2, and the third as ciscocws3.
    Signature Version: Select Signature Version 2. If your Cisco CWS API uses Signature Version 4, contact your system administrator.
    Region Name (Signature V4 only): The region that is associated with the Amazon S3 bucket.
    Service Name (Signature V4 only): Type s3, the name of the Amazon Web Service.
    Bucket Name: The name of the Cisco CWS bucket where the log files are stored.
    Endpoint URL: https://vault.scansafe.com/
    Public Key: The access key that enables log extraction from the Cisco CWS bucket.
    Access Key: The secret key that enables log extraction from the Cisco CWS bucket.
    Directory Prefix: The root directory on the Cisco CWS storage bucket from which the Cisco CWS logs are retrieved, for example cws-logs/.
    File Pattern: .*?\.txt\.gz
    Event Format: W3C. The log source retrieves W3C text formatted events.
    Use Proxy: When a proxy is configured, all traffic for the log source travels through the proxy so that QRadar can access the Amazon AWS S3 buckets. Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, leave the Proxy Username and Proxy Password fields blank.
    Automatically Acquire Server Certificate(s): If you select Yes, QRadar downloads the certificate and begins trusting the target server.
    Recurrence: Specifies how often the Amazon AWS S3 REST API protocol connects to the Cisco CWS API to check for new files, and retrieves them if they exist. The format is M/H/D for Minutes/Hours/Days. The default is 5 M. Every access to an AWS S3 bucket incurs a monetary cost to the account that owns the bucket, so a smaller recurrence value increases the cost.

The following table shows a sample event message from Cisco Cloud Web Security:
Table 3. Cisco Cloud Web Security sample message
Event name: c:comp - block
Low level category: Access Denied
Sample log message:

2016-08-22 18:22:34 GMT    <IP_address1>        <IP_address1>    GET    http    www.example.com    80    /        Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0    -    0    0    0        <IP_address2>    c:comp    Block all    block    category    Computers and Internet    <IP_address1>        0    Unknown
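The following Python is an added example, not IBM's or Cisco's code. It models the collection path that Table 2 configures (Directory Prefix plus File Pattern applied to an S3 object listing, then decompressing the .txt.gz object) and shows how the Table 3 sample event maps to the event name and low-level category. The object keys and the log line are constructed; the assumption that fields are tab-separated and the field positions are read off the sample line, not from a documented schema.

```python
import gzip
import re

# Constructed example values (not from the page): an S3 object listing under
# the Directory Prefix from Table 2, filtered with its File Pattern.
DIRECTORY_PREFIX = "cws-logs/"
FILE_PATTERN = re.compile(r".*?\.txt\.gz")

SAMPLE_KEYS = [
    "cws-logs/2016/08/22/access-182234.txt.gz",  # gzipped W3C text: collected
    "cws-logs/2016/08/22/access-182234.txt",     # not gzipped: skipped
    "cws-logs/2016/08/22/summary.csv.gz",        # wrong file type: skipped
    "other/2016/08/22/access-182234.txt.gz",     # outside the prefix: skipped
]

# Tab-separated W3C record modelled on the Table 3 sample event (constructed).
SAMPLE_LINE = "\t".join([
    "2016-08-22 18:22:34 GMT", "<IP_address1>", "<IP_address1>", "GET", "http",
    "www.example.com", "80", "/", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0)",
    "-", "0", "0", "0", "<IP_address2>", "c:comp", "Block all", "block",
    "category", "Computers and Internet", "<IP_address1>", "0", "Unknown",
])
SAMPLE_BLOB = gzip.compress((SAMPLE_LINE + "\n").encode("utf-8"))

# Field positions are an assumption read off the sample line, not a documented schema.
FIELDS = {"timestamp": 0, "method": 3, "scheme": 4, "host": 5, "port": 6,
          "path": 7, "policy": 14, "rule": 15, "action": 16, "category": 18}

def select_log_keys(keys, prefix=DIRECTORY_PREFIX, pattern=FILE_PATTERN):
    """Keep only objects under the prefix whose remaining path matches the pattern."""
    return [k for k in keys
            if k.startswith(prefix) and pattern.fullmatch(k[len(prefix):])]

def read_gzipped_log(blob):
    """Decompress a .txt.gz object and return its non-empty lines."""
    return [ln for ln in gzip.decompress(blob).decode("utf-8").splitlines() if ln]

def parse_w3c_line(line):
    """Split a tab-separated W3C line into the named fields above."""
    cols = line.split("\t")
    return {name: cols[i] for name, i in FIELDS.items()}

def qradar_event(record):
    """Derive the Table 3 event name and low-level category from a parsed record.
    Only the 'block' mapping appears on the page; anything else is left Unknown."""
    name = f"{record['policy']} - {record['action']}"
    return name, {"block": "Access Denied"}.get(record["action"], "Unknown")
```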