McAfee Web Gateway Operation

The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The McAfee Web Gateway operation enables analysts to query McAfee Web Gateway for reputation information on network indicators (IP Address, FQDN, URL). The search is performed via McAfee ePO. Any search results can be added as related indicators and/or attributes to the enriched indicator.

Prerequisites

  • Route between ThreatQ and McAfee ePO
  • McAfee products:
    • ePO with an installed Web Gateway extension
    • Web Gateway server connected to ePO and DXL fabric
  • Installed McAfee DXL SDK in ThreatQ

Install McAfee DXL SDK and Configure Certificates in ePO

  1. Install the McAfee DXL SDK:
    1. SSH to ThreatQ.
    2. Activate the Python 3.5 virtual environment:

      source /opt/threatq/python/bin/activate

    3. Install McAfee DXL SDK:

      pip install dxlclient

  2. Generate certificates for authenticating the connection between ThreatQ and McAfee ePO. Before executing the commands, confirm that you have the hostname/IP address, username, and password for the ePO available.

    source /opt/threatq/python/bin/activate

    cd /var/tmp

    python -m dxlclient provisionconfig /var/files/plugin_data/tq_op_mcafee_web_gateway <McAfee ePO Hostname or IP Address> threatq

  3. Change the owner of the generated files to apache. This is the system user that ThreatQ uses to execute operations from the UI.

    sudo chown -R apache:apache dxl_certs/

  4. Add the generated certificates to the trusted store in McAfee ePO.
    1. Log into ePO as an admin via the UI.
    2. Navigate to Server Settings > DXL Topic Authorization.
    3. Click on the Edit button in the lower right corner and select the topics:
      • TIE Server Set Enterprise Reputation
      • TIE Server External Reputation Provider Event
      • Web Gateway
    4. While the topics are selected, click Actions > Send Certificates in the lower left corner.
    5. Select the entry in the certificate list called threatq and click OK.
    6. Click Save when you return to the previous page.
    7. Log out of ePO.
  5. Proceed to the next installation section to install the Integration Rule Set.
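
To confirm that the provisioning and chown steps above produced what the operation needs before moving on, here is an added preflight check; it is not part of this guide or of the ThreatQ operation itself. It assumes the file layout that OpenDXL's provisionconfig writes (a dxlclient.config whose [Certs] section references ca-bundle.crt, client.crt and client.key, plus a [Brokers] section) and builds a constructed sample directory instead of reading /var/files/plugin_data/tq_op_mcafee_web_gateway:

```python
import configparser
import os
import stat
import tempfile

# File names assumed from the OpenDXL docs (provisionconfig output layout).
CONFIG_NAME = "dxlclient.config"

def preflight(config_dir, expected_uid=None):
    """Return problems found in a provisioned DXL client directory ([] = OK)."""
    problems = []
    cfg = configparser.ConfigParser()
    if not cfg.read(os.path.join(config_dir, CONFIG_NAME)):
        return ["missing or unreadable %s" % CONFIG_NAME]
    # [Certs] names the broker CA bundle, the client certificate and its key.
    for key in ("BrokerCertChain", "CertFile", "PrivateKey"):
        path = os.path.join(config_dir, cfg.get("Certs", key, fallback=""))
        if not os.path.isfile(path):
            problems.append("%s file missing: %s" % (key, path))
            continue
        st = os.stat(path)
        if expected_uid is not None and st.st_uid != expected_uid:
            problems.append("%s is not owned by uid %d" % (path, expected_uid))
        # chown -R fixes ownership but not mode: the key must stay private.
        if key == "PrivateKey" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("%s is readable by other users" % path)
    # Each [Brokers] entry is "id=id;port;hostname;ip"; the port must be numeric.
    brokers = cfg.items("Brokers") if cfg.has_section("Brokers") else []
    if not brokers:
        problems.append("no brokers listed in [Brokers]")
    for broker_id, value in brokers:
        parts = value.split(";")
        if len(parts) < 3 or not parts[1].isdigit():
            problems.append("malformed broker entry %s" % broker_id)
    return problems

def demo():
    """Constructed sample: check a good directory, then again after the key is exposed."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, CONFIG_NAME), "w") as f:
        f.write("[Certs]\nBrokerCertChain=ca-bundle.crt\nCertFile=client.crt\n"
                "PrivateKey=client.key\n\n[Brokers]\n{constructed-broker-id}="
                "{constructed-broker-id};8883;epo.example.invalid;10.0.0.5\n")
    for name in ("ca-bundle.crt", "client.crt", "client.key"):
        with open(os.path.join(d, name), "w") as f:
            f.write("constructed placeholder, not a real certificate\n")
    os.chmod(os.path.join(d, "client.key"), 0o600)
    clean = preflight(d, expected_uid=os.getuid())
    os.chmod(os.path.join(d, "client.key"), 0o644)
    return clean, preflight(d, expected_uid=os.getuid())
```

Against the real directory, run preflight("/var/files/plugin_data/tq_op_mcafee_web_gateway", pwd.getpwnam("apache").pw_uid) as root after the chown step; any returned string is something to fix before enabling the operation.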

Install the Integration Rule Set (DXL Listener) in Web Gateway

The steps below will show you how to install the Rule Set which will allow the retrieval of reputations from McAfee Web Gateway's servers.

  1. Download the configuration XML (2019-08-27_15-13_DXL Listener.xml) from the ThreatQ Download center (https://download.threatq.com/).
  2. Log into your McAfee Web Gateway instance via your browser.
  3. Navigate to the Policy page by clicking the book icon in the navigation bar. This will navigate you to the Rule Sets tab by default.
  4. Click on the Add button, then select Rule Set from Library.

    This should show a popup window.

  5. Click on the Import from File button at the bottom left of the popup.
  6. Upload the 2019-08-27_15-13_DXL Listener.xml file to your McAfee Web Gateway instance via the GUI.
  7. Click OK to import the configuration.

    The DXL Listener rule set should now be in your left-side navigator.

    DXL Listener Example
  8. Proceed to the next installation section to install the operation in ThreatQ.

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Operation option from the Type dropdown (optional).
  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:
    Parameter       Description
    ePO IP          Your hostname or IP address for ePO.
    ePO Port        The ePO communication port. The default is 8443, which can be changed if needed.
    ePO Username    Your username for ePO.
    ePO Password    Your password for ePO.
  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable it.

Actions

The operation provides the following action:

Action          Description                                           Object Type   Object Subtype
Get Reputation  Performs a reputation lookup on a network indicator.  Indicators    IP Address, FQDN, URL

Get Reputation

The Get Reputation action queries McAfee Web Gateway and returns reputation for network indicators.

The operation uses the McAfee DXL SDK to execute the search via ePO.

Example Result

Get Reputation Example Result

Change Log

  • Version 1.0.1
    • Updated dependencies.
  • Version 1.0.0
    • Initial release

PDF Guides

Document                                   ThreatQ Version
McAfee Web Gateway Operation Guide v1.0.1  4.31.0 or Greater
McAfee Web Gateway Operation Guide v1.0.0  4.31.0 or Greater