McAfee Web Gateway

McAfee Web Gateway is a security tool used for web traffic. You can send web proxy logs to InsightIDR through syslog to be alerted on events occurring in McAfee Web Gateway.

To set up McAfee Web Gateway, you’ll need to:

  1. Configure McAfee Web Gateway to send data to your Collector.
  2. Set up the McAfee Web Gateway event source in InsightIDR.
  3. Verify the configuration works.

Configure McAfee Web Gateway to send data to your Collector

To send these logs to InsightIDR, you must configure syslog forwarding in McAfee Web Gateway.

Send logs in CEF format

You must send McAfee Web Gateway logs to InsightIDR in CEF format. For instructions on how to configure syslog forwarding in McAfee Web Gateway, see their documentation: https://community.mcafee.com/t5/Documents/Web-Gateway-Understanding-syslog-send-logs-to-your-SIEM-or-other/ta-p/554145

Set Up McAfee Web Gateway in InsightIDR

  1. From the left menu, go to Data Collection.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the Security Data section, click the Web Proxy icon. The Add Event Source panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches with the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Select an attribution source.
  8. Configure your default domain and any Advanced Event Source Settings.
  9. Select Listen on Network Port as your Collection Method.
  10. Enter an unused Port number and choose a Protocol.
  11. If you chose TCP as your protocol, optionally select Encrypted to encrypt the event source and download the Rapid7 Certificate.
  12. Click the Save button.

Attribution source options

McAfee Web Gateway product logs can contain information about hosts and accounts. When setting up McAfee Web Gateway as an event source, you will have the ability to specify the following attribution options:

  1. Use IDR engine if possible; if not, use event log

By selecting this option, the InsightIDR attribution engine will perform attribution using the source address present in the log lines. If it's unable to resolve assets or accounts using the source address, it will use the assets or accounts present in the log lines, if any.

  1. Use event log if possible; if not, use IDR engine

By selecting this option, attribution will be done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine will perform attribution using the source address present in the log lines.

  1. Use IDR engine only

By selecting this option, the InsightIDR attribution engine will perform the attribution using the source address present in the log lines, ignoring any assets and accounts present in the log lines.

  1. Use event log only

By selecting this option, attribution will be done using the assets and accounts present in the log lines, ignoring the source address.

Verify the Configuration

From the left menu, click Log Search to view your raw logs to ensure events are being forwarded to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name is the event source name or “McAfee Web Gateway” if you did not name the event source. McAfee Web Gateway logs flow into these Log Sets:

  • Web Proxy
  • Virus Scan

McAfee Web Gateway logs appear in the Virus Scan Log Set if the Virus Name field in the logs is populated.

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source.

Example input logs:

1
<30>Dec 30 08:51:02 r7asset mwg: CEF:0|McAfee|Web Gateway|7.8.2.8.0|0|Proxy-|2|rt=Dec 30 2019 08:51:02 cat=Access Log dst=100.123.245.100 dhost=watson.telemetry.microsoft.com suser=- src=192.168.70.152 requestMethod=POST request=https://watson.telemetry.microsoft.com/Telemetry.Request app=HTTPS cs3=HTTP/2.0 cs3Label=Protocol/Version cs4= cs4Label=URL Categories cs6= cs6Label=Reputation fileType= out=0 requestClientApplication=MSDW cs1= cs1Label=Virus Name cn1=0 cn1Label=Block Reason cs5=Default cs5Label=Policy
1
30>Dec 30 08:46:08 sedzpprox2 mwg: CEF:0|McAfee|Web Gateway|7.8.2.8.0|200|Proxy-Block If Virus was Found|2|rt=Dec 30 2019 08:46:07 cat=Access Log dst=100.123.123.100 dhost=s.evilsite.com suser=- src=10.104.7.40 requestMethod=GET request=https://s.evilsite.com/j/exp/index.js app=HTTPS cs3=HTTP/1.1 cs3Label=Protocol/Version cs4=Web Ads cs4Label=URL Categories cs6=Minimal Risk cs6Label=Reputation fileType=text/javascript out=739 requestClientApplication=Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko cs1=fakeVirusForTest cs1Label=Virus Name cn1=0 cn1Label=Block Reason cs5=Default cs5Label=Policy