Manage the Cloud Security App for IBM QRadar

Available Languages

Download Options

  • PDF     (1.0 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.1 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.0 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 8, 2025
Document ID:225173

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to manage the Cisco Cloud Security app for IBM QRadar.

    Overview

    QRadar from IBM is a popular SIEM for log analysis. It provides a powerful interface for analyzing large chunks of data, such as the logs provided by Cisco Umbrella for your organization's DNS traffic. Information displayed in the Cisco Cloud Security App for IBM QRadar comes through the API's of Cisco Umbrella, CloudLock, Investigate and Enforcement.

    When you set up Cisco Cloud Security app for QRadar, it integrates all the data from Cisco Cloud Security platform and allows you to view the data in graphical form in the QRadar console. From the application, analysts can:

    • Investigate domains, ip addresses, email addresses
    • Block and Unblock domains (enforcement)
    • View the information of all the incidents of the network.

    This article walks you through how to navigate the Cisco Cloud Security App. Instructions on how to set-up the application can be found here: Configuring the Cisco Cloud Security App for IBM QRadar

    Accessing the Cisco Cloud Security App

    To navigate to the Cisco Cloud Security App in IBM QRadar, go to the homepage and click on the Cisco Cloud Security tab. The Cloud Overview tab and the Dashboard appears. You can then access the Umbrella, Investigate, CloudLock and Enforcement tabs to view your logs.

    The Cloud Security App is set to show the data from the last 7 days by default. You can change the time frame by clicking on the date range on the top right:

    360072030052360072030052

    Cisco Cloud Security App Components

    Cloud Overview

    The Cloud Overview Tab displays information such as All Requests, All Blocked, Security Blocked, Likely DGA’s, Suspicious Secure Rank, Cloudlock Incidents, CloudLock Overall, Top Policies, and Top Offenders in a chart based visual representation.

    360072257631360072257631360072257611360072257611

    Umbrella

    The Umbrella Tab displays information such as Events By Action, Top Blocked Categories, Number of Events by Identity, Domains Being Blocked, Domains No longer being blocked, Compromised Users, Restricted content alerts, Compromised Devices, Top Domains, Top Blocked Domains, Top Blocked Identities, Malicious Content Category breakdowns, Top Categories, Activity and User Access Trend in a chart based visual representation.

    360072263411360072263411360072263391360072263391360072037372360072037372360072263331360072263331360072263351360072263351

    Investigate

    The Investigate Tab enables the user to search the information related to hostname, URL, ASN, IP, Hash or email address. It also has information such as WHOIS record, DGA information and so on.

    360072263511360072263511360072037472360072037472360072037452360072037452

    CloudLock

    The CloudLock tab lets users view information about all of the incidents detected. Users can also update the severity and status of the incident by selecting the values from the drop-down menu and clicking "Update".

    360072268311360072268311

    Users can clock on any of the events to view more details about the incident.

    360072042332360072042332

    Enforcement Tab

    The Enforcement tab displays information about which domains are blocked. Users can also select blocked domains and unblock them from this interface.

    360072038472360072038472

    Revision History

    Revision Publish Date Comments
    1.0
    08-Oct-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products