This Splunk App for McAfee Web Gateway allows rapid insights and operational visibility into McAfee Web Gateway (MWG) and McAfee Web Gateway Cloud Service (WGCS) deployments. It provides field extraction and CIM field mapping for all available types of access logs (default and custom McAfee Web Gateway logs, McAfee Web Gateway Cloud Service logs) and facilitates fast incident response and troubleshooting. This app is designed for security administrators, CISOs, or security personnel dedicated to taking security seriously.
The new major release 5.x is backwards compatible with old 4.x versions and with older log formats. This version provides a major speedup (up to 100-fold) of reports using PREFIX (requires Splunk 8 and above). To use this new mode a slight log format modification is required; read the README for details.
Starting from version 4.0.7 audit.log is also supported.
Documentation: https://proxy-test.com/Splunk_App_for_SkyHigh_Secure_Web_Gateway_README.html
Upgrade from 4.x to 5.x version: https://proxy-test.com/Splunk_App_for_SkyHigh_Secure_Web_Gateway_README.html#upgrade_from_4x
Quick Start: https://proxy-test.com/Splunk_App_for_SkyHigh_Secure_Web_Gateway_README.html#quickstart
NEW Cheat Sheet: How to accelerate your searches by 10x and reports by 100x: https://proxy-test.com/swg_cheatsheet.pdf
NEW: Rsyslog/Syslog-NG interactive online configuration builder: https://proxy-test.com/Splunk_App_for_SkyHigh_Secure_Web_Gateway_README.html#interactive_configuration_builder - just enter the destination, port and other parameters to generate ready-to-use configuration snippets.
HOWTO: Install Splunk on McAfee Web Gateway: https://youtu.be/96oRco3MTu0
HOWTO: Splunk App for McAfee Web Gateway (MWG) - send logs to Splunk - step by step configuration: https://youtu.be/vYy6ddpGkNw
HOWTO: SkyHigh Web Gateway Cloud (SSE) integration with Splunk Cloud - step by step configuration: https://www.youtube.com/watch?v=1vCbwz6uKB0
HOWTO: Configure a McAfee Web Gateway (MWG) syslog to send TLS-secured data to Splunk: https://youtu.be/-nSkYdDQA00
For local McAfee Client Proxy (MCP) logs use McAfee FireCore technical Add-On (https://splunkbase.splunk.com/app/4762/) and App for McAfee FireCore (https://splunkbase.splunk.com/app/4763/).
To receive support, write an email to splunk@compek.net
Added a search macro for Audit_Timeline, clarified configuration options for the least-privileged splunkfwd user on the UF and other security options.
Added new views: Search+ (accelerated), Audit-Timeline and Bad_Reputation. Minor fixes in the Monitoring and Authentication views. Added sparklines to the Monitoring view. Added an option to switch between Bytes/MB/GB on the Overview page. Added drilldowns to the URL (accelerated) view. props.conf: fixed extraction of the AuthMethod field. Added documentation about handling punycode domains using a custom segmenters.conf. Search renamed to Raw_Search to avoid overlapping with other saved searches. transforms.conf: in the rewrite_host_from_host_field extraction the field is now named swg rather than host, to avoid accidentally overwriting the host field. Improved documentation. Added a new, improved version of the logging template.
Added parsing of SSE/WGCS logs up to API version 12.
Added documentation about logging of /var/log/messages and /var/log/audit; fixed missing tokens in the Protocols view.
Minor fixes.
New major release, backwards compatible with old 4.x versions and with older log formats.
This version provides a major speedup (up to 100-fold) of reports using PREFIX (requires Splunk 8 and above). To use this new mode a slight log format modification is required; read the README for details.
Added interactive online configuration builder and new views: monitoring, DoH and certificates. Added experimental support for DoH (DNS over HTTPS) and Client-Hints. Improved documentation.
Added an HTTP headers analysis view, a new MWG logging template, and a supplemental script to compare MWG logging templates to facilitate logging template upgrades. Improved documentation to include more best practices.
Added a lookup of executables that can be used for download and exfiltration (https://lolbas-project.github.io/). Fixed the TIME_PREFIX for wgcs_v5.
Improved WGCS regexes: URL, rule name and User-Agent fields that contain quote character(s) are now parsed correctly. Improved the TIME_PREFIX to fix parsing errors. New CIM fields added. Added distsearch.conf to enable replication of macros.
Added the sc_admin role to default.meta.