To send events from Cloud Web Security to IBM® QRadar®, you must enable log extraction in Cisco CWS ScanCenter.
Before you begin
The log extraction service must be enabled and provisioned for your company. You must have super user administrator privileges to access the Log Extraction page.
Procedure
- Log in to your Cisco ScanCenter account.
- Click the Admin tab to view the administration menus.
- From the Your Account menu, click Log Extraction.
- In the Actions column in the Credentials area, click Issue Key.
- In the Warning dialog box, click Issue & Download.
  A key pair is issued and the keypair.csv file is downloaded. The Access Key and Last issued column values are updated. The secret key does not display in the user interface (UI).
- Open the keypair.csv file and make a copy of the accessKey and secretKey.
  The keypair.csv file contains a 20-character access key and a 40-character secret key. The key pair values that you copied are used when you configure the log source in QRadar.
- From the Connection Details pane, copy and record the values in the Endpoint and Bucket columns.
  The connection details values that you copied are used when you configure the log source in QRadar.
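
A sanity check on the downloaded keypair.csv before its values are entered in QRadar, as an added example that is not part of the IBM or Cisco documentation: it verifies the 20- and 40-character lengths stated above, masks the keys for display, and restricts the file to its owner. The CSV layout (a header row with accessKey and secretKey columns, then one data row), the function names and the sample values are assumptions.

```python
import csv
import io
import os
import stat

# Key lengths stated in the procedure above.
EXPECTED_LEN = {"accessKey": 20, "secretKey": 40}
# Constructed sample, not real keys. Assumed layout: header row, one data row.
SAMPLE = "accessKey,secretKey\n" + "A" * 20 + "," + "s" * 40 + "\n"


def load_keypair(text):
    """Parse keypair.csv content and return (keys, problems)."""
    rows = list(csv.DictReader(io.StringIO(text.lstrip("\ufeff"))))
    if len(rows) != 1:
        return {}, [f"expected 1 data row, found {len(rows)}"]
    # Trim padding that spreadsheets or copy/paste often add around values.
    row = {k.strip(): (v or "").strip()
           for k, v in rows[0].items() if k is not None}
    keys, problems = {}, []
    for name, length in EXPECTED_LEN.items():
        value = row.get(name, "")
        if len(value) != length:
            problems.append(
                f"{name}: expected {length} characters, got {len(value)}")
        elif any(c.isspace() for c in value):
            problems.append(f"{name}: contains whitespace")
        else:
            keys[name] = value
    return keys, problems


def mask(value, visible=4):
    """Mask a key for logs or tickets, keeping only the last few characters."""
    return "*" * (len(value) - visible) + value[-visible:]


def lock_down(path):
    """Restrict the file to its owner (POSIX) and return the resulting mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    keys, problems = load_keypair(SAMPLE)
    # Print problems if any; otherwise print only masked values.
    print(problems or {name: mask(v) for name, v in keys.items()})
```

Because the secret key is not displayed in the UI after download, keypair.csv is the only copy; move the values into a secrets store and keep the file owner-readable only.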
What to do next
Configure the log source in QRadar.
For more information about Cisco CWS log extraction, see the Cisco ScanCenter Administrator Guide, Release 5.2 on the Cisco website (https://search.cisco.com/search?query=cisco%20scancenter%20administrator%20guide&locale=enUS&tab=Cisco).