This application adds SIEM-style reporting to McAfee Web Gateway 7 (MWG7) logs in Splunk: it supports fast incident response and makes troubleshooting and log search easier.
Currently there are 59 different charts and tables grouped in 12 views:
Summary
- Requests / Block Ratio
- Block Rules Overview
Applications
- Applications by Hits
- Applications by Volume
- Top Applications by Volume
- Top Applications by Hits
- Top Application Statistics
Authentication
- Top IP by Failed Auth
- Top User-Agents by Failed Auth
- Top User-Agents + IPs by Failed Auth
- Multiple Logins from diff IPs
Simple Search
Web Usage
- Status Code Overview
- Web Usage by URL Category
- Web Usage by URL Category Area Graph
- Top User-Agents
- Users
- IP Addresses
- IP Addresses by Hits Graph
- Top Hosts by Hits
- Top Blocked Hosts by Hits
- Top Blocked URLs by Hits
- Events
Malware
- Malware
- Top Malware Names by Hits
- Top Users by blocked Malware
- Top Hosts blocked by Malware Hits
Media Types
- Media Types
- Top Media Types by Volume
- Top Media Types by Hits
Performance
- Status Code Overview
- Time In Transaction
- Time to Resolve Host Name via DNS
- Slowest Hosts by DNS Resolution Time
- Potential Network Timeouts by Host
Protocols
- Protocols by Hits
- Protocols by Hits (Percent)
- Protocols by Volume
- Protocols by Volume (Percent)
Potential Risks
- Top Users with high Ratio of Blocked Requests (>10%)
- Unusual Ports
- Top Users by High Risk Requests
- Requests to IP Addresses
- CONNECT Requests to IP Addresses
- Long Running (>1m) Connections
- Longest Transactions
- Long running transactions + Volume
Traffic
- Top Users/IPs
- Top destinations
- Top Uploads (> 1 MB)
- Top Downloads (> 100 MB)
URL Filter
- URL Categories
- Blocked by URL Filter or by Web Reputation
- Top URL Categories by Volume
- Top URL Categories by Hits
- High Risk Destinations
- Not categorized Hosts
- Top not categorized Hosts
User-Agents
- User-Agents Statistics
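As an added example (not code from this App or from McAfee), the following Python reproduces the logic behind two of the panels listed above, "Top Users with high Ratio of Blocked Requests (>10%)" and "Multiple Logins from diff IPs", over constructed access-log lines. The log layout (time, user, client IP, status, request line, URL category, block reason) and the field names are assumptions made for this example; the App's real field extractions live in its props.conf and transforms.conf, and the "blocked" decision here is simply "the block-reason field is non-empty".

```python
import re
from collections import defaultdict

# Assumed MWG7-style access log layout (constructed for this example, not the App's props.conf):
# [time] "auth_user" client_ip status_code "request_line" "url_category" "block_reason"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\]\s+"(?P<user>[^"]*)"\s+(?P<src_ip>[\d.]+)\s+(?P<status>\d{3})\s+'
    r'"(?P<request>[^"]*)"\s+"(?P<categories>[^"]*)"\s+"(?P<block_reason>[^"]*)"\s*$'
)

# Constructed sample log. An empty block_reason ("") means the request was allowed.
# alice: 4 requests, 1 blocked (25%)  -> over the 10% threshold
# bob:   3 requests, 0 blocked (0%)
# carol: 10 requests, 1 blocked (exactly 10%) from two different client IPs
# "-":   unauthenticated request (407), excluded from per-user statistics
SAMPLE_LOG = """\
[25/Oct/2014:10:00:01 +0200] "alice" 10.1.1.10 200 "GET http://intranet.example/ HTTP/1.1" "Business" ""
[25/Oct/2014:10:00:02 +0200] "alice" 10.1.1.10 200 "GET http://intranet.example/a HTTP/1.1" "Business" ""
[25/Oct/2014:10:00:03 +0200] "alice" 10.1.1.10 403 "GET http://bad.example/x HTTP/1.1" "Malicious Sites" "Block Malicious Sites"
[25/Oct/2014:10:00:04 +0200] "alice" 10.1.1.10 200 "GET http://news.example/ HTTP/1.1" "News" ""
[25/Oct/2014:10:00:05 +0200] "bob" 10.1.1.11 200 "GET http://intranet.example/ HTTP/1.1" "Business" ""
[25/Oct/2014:10:00:06 +0200] "bob" 10.1.1.11 200 "GET http://news.example/ HTTP/1.1" "News" ""
[25/Oct/2014:10:00:07 +0200] "bob" 10.1.1.11 200 "CONNECT mail.example:443 HTTP/1.1" "Web Mail" ""
[25/Oct/2014:10:00:08 +0200] "carol" 10.1.1.12 200 "GET http://intranet.example/ HTTP/1.1" "Business" ""
[25/Oct/2014:10:00:09 +0200] "carol" 10.1.1.12 200 "GET http://intranet.example/b HTTP/1.1" "Business" ""
[25/Oct/2014:10:00:10 +0200] "carol" 10.1.1.12 200 "GET http://news.example/ HTTP/1.1" "News" ""
[25/Oct/2014:10:00:11 +0200] "carol" 10.1.1.12 200 "GET http://news.example/c HTTP/1.1" "News" ""
[25/Oct/2014:10:00:12 +0200] "carol" 10.1.1.12 403 "GET http://casino.example/ HTTP/1.1" "Gambling" "Block URL Category Gambling"
[25/Oct/2014:10:00:13 +0200] "carol" 10.1.1.12 200 "GET http://intranet.example/d HTTP/1.1" "Business" ""
[25/Oct/2014:10:00:14 +0200] "carol" 10.1.2.50 200 "GET http://intranet.example/e HTTP/1.1" "Business" ""
[25/Oct/2014:10:00:15 +0200] "carol" 10.1.2.50 200 "GET http://news.example/f HTTP/1.1" "News" ""
[25/Oct/2014:10:00:16 +0200] "carol" 10.1.2.50 200 "CONNECT mail.example:443 HTTP/1.1" "Web Mail" ""
[25/Oct/2014:10:00:17 +0200] "carol" 10.1.2.50 200 "GET http://intranet.example/g HTTP/1.1" "Business" ""
[25/Oct/2014:10:00:18 +0200] "-" 10.1.1.99 407 "GET http://news.example/ HTTP/1.1" "News" ""
"""

UNAUTHENTICATED = ("", "-")


def parse_log(text):
    """Parse log text into event dicts. Lines that do not match the assumed layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["blocked"] = ev["block_reason"] != ""
        events.append(ev)
    return events


def block_stats_by_user(events):
    """Per authenticated user: total requests, blocked requests and blocked/total ratio."""
    stats = defaultdict(lambda: {"total": 0, "blocked": 0})
    for ev in events:
        if ev["user"] in UNAUTHENTICATED:
            continue
        stats[ev["user"]]["total"] += 1
        stats[ev["user"]]["blocked"] += int(ev["blocked"])
    for s in stats.values():
        s["ratio"] = s["blocked"] / s["total"]
    return dict(stats)


def users_over_block_ratio(events, threshold=0.10, min_requests=1):
    """Users whose block ratio is strictly above the threshold, highest ratio first.

    min_requests is a noise floor: one blocked request out of one is a 100% ratio,
    which is rarely worth an analyst's time. Raise it on real traffic volumes.
    """
    stats = block_stats_by_user(events)
    flagged = [(user, s["ratio"]) for user, s in stats.items()
               if s["total"] >= min_requests and s["ratio"] > threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def users_with_multiple_ips(events):
    """Users seen from more than one client IP (the 'Multiple Logins from diff IPs' idea)."""
    ips = defaultdict(set)
    for ev in events:
        if ev["user"] not in UNAUTHENTICATED:
            ips[ev["user"]].add(ev["src_ip"])
    return {user: sorted(addrs) for user, addrs in ips.items() if len(addrs) > 1}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("users over 10% block ratio:", users_over_block_ratio(evs))
    print("users over 10% block ratio, at least 5 requests:", users_over_block_ratio(evs, min_requests=5))
    print("users seen from several IPs:", users_with_multiple_ips(evs))
```

Note the two edge cases the sample is built around: carol sits exactly at 10% and is not reported, because the panel name says ">10%", and the unauthenticated "-" user is dropped from per-user ratios so that proxy-auth challenges do not inflate anyone's statistics. In a real deployment the same two checks would be expressed as Splunk searches over the App's extracted fields rather than in Python.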
This App requires Splunk v6+
Works with McAfee Web Gateway v7.3 and v7.4; for older versions (Webwasher v6.x, MWG v7.0-7.2) props.conf and the log structure may need to be adjusted.
Migration from version 2.xx:
Adjust the app for your environment:
2014-10-25 version 3.07
* commit changes to props.conf and transforms.conf by Myron Davis
* add contributors section in README
* clarifications for installation process in README
2014-10-12 version 3.06
* enable Splunk CIM (Common Information Model) version 4, by Myron Davis
* compatibility with Splunk App for Enterprise Security, by Myron Davis
* rename App folder from AppForMcAfeeWebGateway to McAfeeWebGateway to match it with the app ID
* several bugfixes, new reports
* improvements in parsing, MWG-TA, compatibility with the Splunk App for Enterprise Security, CIM compliant (thanks to myrond!)
* the App package now includes step-by-step installation instructions with screenshots
* the log structure was reordered to avoid overwriting of parameters
  - new short log format, many redundant fields removed
  - faster search
  - some panels were merged
* this major version is not compatible with version 2.xx