McAfee Web Gateway

McAfee Web Gateway is a security tool used for web traffic. You can send web proxy logs to InsightIDR through syslog to be alerted on events occurring in McAfee Web Gateway.

To set up McAfee Web Gateway, you’ll need to:

  1. Configure McAfee Web Gateway to send data to your Collector.
  2. Set up the McAfee Web Gateway event source in InsightIDR.
  3. Verify the configuration works.

Configure McAfee Web Gateway to send data to your Collector

To send these logs to InsightIDR, you must configure syslog forwarding in McAfee Web Gateway.

Send logs in CEF format

You must send McAfee Web Gateway logs to InsightIDR in CEF format. For instructions on how to configure syslog forwarding in McAfee Web Gateway, view their documentation in the Skyhigh Security knowledge base: https://success.skyhighsecurity.com/Skyhigh_Secure_Web_Gateway_(On_Prem)/Best_Practices/Logging_and_Monitoring/Configure_Syslog_for_your_SIEM

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for McAfee Web Gateway in the event sources search bar.
    • In the Product Type filter, select Web Proxy.
  3. Select the McAfee Web Gateway event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches with the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Select an attribution source.
  8. Configure your default domain and any Advanced Event Source Settings.
  9. Select Listen on Network Port as your Collection Method.
  10. Enter an unused Port number and choose a Protocol.
  11. If you chose TCP as your protocol, optionally select Encrypted to encrypt the event source and download the Rapid7 Certificate.
  12. Click the Save button.

Verify the Configuration

From the left menu, click Log Search to view your raw logs to ensure events are being forwarded to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name is the event source name or “McAfee Web Gateway” if you did not name the event source. McAfee Web Gateway logs flow into these Log Sets:

  • Web Proxy
  • Virus Scan

McAfee Web Gateway logs appear in the Virus Scan Log Set if the Virus Name field in the logs is populated.

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source.

Example input logs:

1
<30>Dec 30 08:51:02 r7asset mwg: CEF:0|McAfee|Web Gateway|7.8.2.8.0|0|Proxy-|2|rt=Dec 30 2019 08:51:02 cat=Access Log dst=100.123.245.100 dhost=watson.telemetry.microsoft.com suser=- src=192.168.70.152 requestMethod=POST request=https://watson.telemetry.microsoft.com/Telemetry.Request app=HTTPS cs3=HTTP/2.0 cs3Label=Protocol/Version cs4= cs4Label=URL Categories cs6= cs6Label=Reputation fileType= out=0 requestClientApplication=MSDW cs1= cs1Label=Virus Name cn1=0 cn1Label=Block Reason cs5=Default cs5Label=Policy
1
30>Dec 30 08:46:08 sedzpprox2 mwg: CEF:0|McAfee|Web Gateway|7.8.2.8.0|200|Proxy-Block If Virus was Found|2|rt=Dec 30 2019 08:46:07 cat=Access Log dst=100.123.123.100 dhost=s.evilsite.com suser=- src=10.104.7.40 requestMethod=GET request=https://s.evilsite.com/j/exp/index.js app=HTTPS cs3=HTTP/1.1 cs3Label=Protocol/Version cs4=Web Ads cs4Label=URL Categories cs6=Minimal Risk cs6Label=Reputation fileType=text/javascript out=739 requestClientApplication=Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko cs1=fakeVirusForTest cs1Label=Virus Name cn1=0 cn1Label=Block Reason cs5=Default cs5Label=Policy