McAfee Web Gateway
About
McAfee Web Gateway is a web proxy that delivers security for all aspects of web traffic in a single high-performance appliance software architecture. For user-initiated web requests it first enforces the organization's internet use policy, and its logs record the resulting allow or block decision for each request, which is what this parser normalizes.
Product Details
Vendor URL: McAfee Web Gateway
Product Type: Proxy
Product Tier: Tier II
Integration Method: Syslog
Integration URL: McAfee Integration Guide
Log Guide: n/a
Parser Details
Log Format: Syslog with KV and CSV filter
Expected Normalization Rate: 80-100%
Data Label: MCAFEE_WEBPROXY
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field | UDM Event Type |
---|---|---|
src | principal.ip | Principal |
usrName | principal.user.userid | Principal |
dst | target.ip | Target |
blockReason (only when non-empty) | metadata.product_event_type | Metadata |
urlCategories | security_result.category_details | Security_Result |
derived from blockReason: ALLOW when empty, BLOCK otherwise | security_result.action | Security_Result |
url | target.url | Target |
derived: NETWORK_CONNECTION, or GENERIC_EVENT as fallback | metadata.event_type | Metadata |
vendor (CEF header field 2) | metadata.vendor_name | Metadata |
product (CEF header field 3) | metadata.product_name | Metadata |
version (CEF header field 4) | metadata.product_version | Metadata |
httpStatus, rendered as "HTTP Status: <code> - <description>" | metadata.description | Metadata |
httpStatus | network.http.response_code | Network |
syslog header host (when a hostname) | observer.hostname | Observer |
syslog header host (when an IP address) | observer.ip | Observer |
Product Event Types
Description | metadata.product_event_type | security_result.action |
---|---|---|
Allow Traffic | not set (blockReason is empty) | ALLOW |
Block Traffic | the blockReason string | BLOCK |
metadata.event_type is NETWORK_CONNECTION in both cases; the product-specific block reason is carried only in metadata.product_event_type, so detections that need to distinguish block causes should key on that field rather than on event_type.
Log Sample
<30>Jun 16 23:58:40 sysloghost mwg: CEF:0|McAfee|Web Gateway|9.2.7|0|devTime=1623887920000|src=10.1.1.1|usrName=bartsimpson|httpStatus=200|dst=10.2.2.2|urlCategories=Shareware/Freeware|blockReason=|url=url
Sample Parsing
metadata.event_timestamp: "2021-06-18T12:10:02.747536Z"
metadata.event_type: "NETWORK_CONNECTION"
metadata.vendor_name: "McAfee"
metadata.product_name: "Web Gateway"
metadata.product_version: "9.2.7"
metadata.description: "HTTP Status: 200 - OK - Standard response for successful HTTP requests. "
metadata.ingested_timestamp: "2021-06-18T12:10:02.747536Z"
principal.ip[0]: "10.1.1.1"
target.ip[0]: "10.2.2.2"
target.url: "url"
observer.hostname: "sysloghost"
security_result[0].category_details[0]: "Shareware/Freeware"
security_result[0].action[0]: "ALLOW"
network.http.response_code: 200
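The mapping in the UDM fields table, the Product Event Types rule and the log sample above, implemented end to end as an added example. This is not Chronicle's parser and not McAfee code: it splits the RFC 3164 syslog header from the pipe-delimited CEF-style body, reads the extension keys, derives security_result.action and metadata.product_event_type from blockReason exactly as the Product Event Types table describes, and returns a UDM-shaped dict for the page's sample line plus a constructed blocked request in the same shape. Assumptions, also marked in comments: NETWORK_CONNECTION is chosen when both src and dst are present and GENERIC_EVENT otherwise; urlCategories is split on commas; metadata.description uses the Python standard library reason phrase rather than the page's longer wording; and event_timestamp is taken from devTime. On that last point, note that in the Sample Parsing above event_timestamp equals ingested_timestamp (2021-06-18) while devTime=1623887920000 is 2021-06-16T23:58:40Z, matching the syslog header, so verify which source your parser version actually uses before relying on event_timestamp in detections.

```python
import json
import re
from datetime import datetime, timezone
from http import HTTPStatus

# Constructed sample lines (not real captures). The first is the page's
# log sample; the second is a made-up blocked request in the same shape.
SAMPLE_LOGS = [
    "<30>Jun 16 23:58:40 sysloghost mwg: CEF:0|McAfee|Web Gateway|9.2.7|0"
    "|devTime=1623887920000|src=10.1.1.1|usrName=bartsimpson|httpStatus=200"
    "|dst=10.2.2.2|urlCategories=Shareware/Freeware|blockReason=|url=url",
    "<30>Jun 16 23:58:41 sysloghost mwg: CEF:0|McAfee|Web Gateway|9.2.7|0"
    "|devTime=1623887921000|src=10.1.1.5|usrName=lisasimpson|httpStatus=403"
    "|dst=10.2.2.9|urlCategories=Malicious Sites,Phishing"
    "|blockReason=URL Blocked by Category|url=http://example.invalid/login",
]

# RFC 3164-style header: <PRI>Mmm dd HH:MM:SS host app: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\s]+): (?P<msg>.*)$"
)


def split_cef(msg):
    """Split 'CEF:0|vendor|product|version|sigid|k=v|...' into header values
    and an extension dict. Pipe-delimited extensions are the format shown on
    this page, not standard space-delimited CEF."""
    parts = msg.split("|")
    if len(parts) < 5 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF-style message")
    header = {"vendor": parts[1], "product": parts[2], "version": parts[3]}
    ext = {}
    for field in parts[5:]:
        key, sep, value = field.partition("=")  # a value may itself contain '='
        if sep:
            ext[key] = value
    return header, ext


def epoch_ms_to_iso(ms):
    """devTime is milliseconds since the Unix epoch: 1623887920000 is
    2021-06-16T23:58:40Z, matching the sample's syslog header."""
    dt = datetime.fromtimestamp(int(ms) / 1000.0, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def http_status_description(code):
    """Assumption: build metadata.description from the stdlib reason phrase."""
    try:
        phrase = HTTPStatus(code).phrase
    except ValueError:
        phrase = "Unknown"
    return "HTTP Status: %d - %s" % (code, phrase)


def parse_line(line):
    """Map one McAfee Web Gateway syslog line to a UDM-shaped dict."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    header, ext = split_cef(m.group("msg"))
    udm = {
        "metadata": {"vendor_name": header["vendor"],
                     "product_name": header["product"],
                     "product_version": header["version"]},
        "principal": {}, "target": {},
        "observer": {"hostname": m.group("host")},
        "security_result": [{}], "network": {"http": {}},
    }
    md, sr = udm["metadata"], udm["security_result"][0]
    if ext.get("devTime", "").isdigit():
        md["event_timestamp"] = epoch_ms_to_iso(ext["devTime"])
    if ext.get("src"):
        udm["principal"]["ip"] = [ext["src"]]
    if ext.get("usrName"):
        udm["principal"]["user"] = {"userid": ext["usrName"]}
    if ext.get("dst"):
        udm["target"]["ip"] = [ext["dst"]]
    if ext.get("url"):
        udm["target"]["url"] = ext["url"]
    if ext.get("httpStatus", "").isdigit():
        code = int(ext["httpStatus"])
        udm["network"]["http"]["response_code"] = code
        md["description"] = http_status_description(code)
    if ext.get("urlCategories"):  # assumption: categories are comma-joined
        sr["category_details"] = [c.strip() for c in ext["urlCategories"].split(",")]
    # Product Event Types table: empty blockReason -> ALLOW and no
    # product_event_type; otherwise BLOCK with the reason carried over.
    if ext.get("blockReason"):
        sr["action"] = ["BLOCK"]
        md["product_event_type"] = ext["blockReason"]
    else:
        sr["action"] = ["ALLOW"]
    # Assumption: NETWORK_CONNECTION needs both endpoints, else GENERIC_EVENT.
    md["event_type"] = ("NETWORK_CONNECTION" if "ip" in udm["principal"]
                        and "ip" in udm["target"] else "GENERIC_EVENT")
    return udm


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(json.dumps(parse_line(raw), indent=2, sort_keys=True))
```

Running the script prints the two normalized events as JSON. The allowed sample line yields security_result.action ALLOW with no product_event_type, the constructed blocked line yields BLOCK with product_event_type "URL Blocked by Category" and two category_details entries, which is the shape a detection rule on this data label should expect.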
Parser Alerting
This product currently does not have any parser-based alerting.
Rules
Coming soon