McAfee Web Gateway Custom Response Integration

Before going through this article, check our Out-of-the-Box App Integrations category. Out-of-the-Box Integrations are the recommended way to integrate the components of your cybersecurity stack with Lumu. If the product you are looking to integrate is among the software solutions listed there, it is advised to use that integration instead.
This article shows how to leverage the Lumu Defender API and McAfee Web Gateway REST API to mitigate security risks. This integration script is offered as-is. No further support will be provided.
Image: Lumu Event API data collection configuration.

Requirements

  1. McAfee Web Gateway version 8.2.x or higher.
  2. McAfee Web Gateway Console access with the admin role.
  3. Access to the REST interface.
  4. Lumu Defender API key.
  5. Scripting host with Python v3.6+.
    1. The host must be able to reach both the McAfee Web Gateway REST API and the Lumu Defender REST API endpoints (by default, the McAfee Web Gateway REST interface listens on ports TCP/4711 and TCP/4712).
  6. Script package.

Deploy the Script

First, contact the  Lumu support team to request the deployment package.

Script Location

Unpack the deployment package provided by Lumu in your preferred path/folder. Take note of this exact location, as it will be required for further configurations. As an example, we will refer to this folder as <mwgl_lumu_root>. This location should be in the same path as any other McAfee projects from other clients.

Installation Requirements

The file requirements.txt contains the list of Python dependencies for this script. After deploying the package locally, run the following command from the deployment folder:

[sudo] pip install -r ./requirements.txt

Script Details

In order to use the script, change to the path selected for deployment (<mwgl_lumu_root>). Use the following command to show all options available for the package:
python mwg-response-api.py --help

Usage: mwg-response.py [options]

Options and their descriptions:

-h, --help
    Display a help message and exit.
--company-key COMPANY_KEY
    Lumu Company Key (Defender API).
--adversary-types {C2C,Malware,DGA,Mining,Spam,Phishing}
    Lumu adversary types to be filtered.
--client-key or --client_key CLIENT_KEY
    Lumu Client Key.
--logging or -log {screen,file}
    Logging option (default: screen).
--verbose or -v
    Verbosity level.
--proxy-host or --proxy_host PROXY_HOST
    Proxy host (if required).
--proxy-port or --proxy_port PROXY_PORT
    Proxy port (if required).
--proxy-user or --proxy_user PROXY_USER
    Proxy user (if required).
--proxy-password or -proxy_password PROXY_PASSWORD
    Proxy password (if required).
--ip <ip-address-mcafee>
    IP address of McAfee Web Gateway.
--port <port-mcafee>
    Port of McAfee Web Gateway (default: 4711).
--username <user-name-mcafee>
    Username for McAfee Web Gateway access.
--password <password-mcafee>
    Password for McAfee Web Gateway access.
--listname <listname>
    Name of the list in McAfee Web Gateway.
--time_days <days>
    Days to search adversaries (default: 7 days).

Configure the McAfee Web Gateway Rule Set

In the Rule Set, go to URL Filtering > Default and click on the Add Rule button. In the name field, enter Lumu_Block_Adversaries. In the Rule Criteria add the following rules:
  1. Rule 1: 
    1. Property: URL Domain
    2. Operator: matches in list
    3. Operand: Lumu_List_Adversaries
  2. Rule 2:
    1. Property: URL Host
    2. Operator: matches in list
    3. Operand: Lumu_List_Adversaries
Image: McAfee Web Gateway set list configuration.

  1. Action:
    1. Action: Block
    2. Settings: URL Blocked
Image: McAfee Web Gateway set action configuration.

Usage Examples

By default
Use the following command to create a list with adversaries to be fetched by McAfee Web Gateway's List module:
python mwg-response-api.py --company-key <lumu-defender-api-key> --ip <ip-address-mcafee> --port <port-mcafee> --username <user-name-mcafee> --password <password-mcafee>
Each time the script is executed, it overwrites the list with the new set of adversaries.
Other tasks
The above samples could be combined according to your needs.
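The following is an added example, not Lumu's mwg-response-api.py: it shows the list-building step that the options above control (the --adversary-types filter, the --time_days window, and the overwrite of the gateway list on every run), together with a normalization step so that entries are bare hosts, which is what the URL Domain / URL Host rules compare against. The incident records, their field names and the reference time are constructed assumptions; the real Lumu Defender API response and the MWG REST call are not shown here.

```python
"""Added example, not Lumu's mwg-response-api.py: builds the host list that
the Lumu_List_Adversaries list in McAfee Web Gateway is overwritten with.
Incident records, field names and FIXED_NOW are constructed assumptions."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

ADVERSARY_TYPES = {"C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"}

# Constructed incidents in a shape the script might get from the Lumu
# Defender API; the real response format is not shown on the page.
SAMPLE_INCIDENTS = [
    {"adversary": "c2.example-bad.test", "types": ["C2C"], "last": "2024-05-10T12:00:00Z"},
    {"adversary": "dl.malware-host.test", "types": ["Malware"], "last": "2024-05-01T08:30:00Z"},
    {"adversary": "xk3j9.dga.test", "types": ["DGA"], "last": "2024-05-11T09:15:00Z"},
    {"adversary": "pool.mining.test", "types": ["Mining", "Malware"], "last": "2024-05-11T10:00:00Z"},
    {"adversary": "http://C2.Example-Bad.test/beacon", "types": ["C2C"], "last": "2024-05-11T11:00:00Z"},
]
# Constructed reference time so the sample's --time_days window is reproducible.
FIXED_NOW = datetime(2024, 5, 12, tzinfo=timezone.utc)

def to_host(adversary):
    """Reduce a URL or bare name to the lowercase host that the URL Domain /
    URL Host rules compare against; a full URL in the list would never match."""
    if "://" not in adversary:
        adversary = "//" + adversary
    host = urlsplit(adversary).hostname
    if not host:
        raise ValueError(f"no host in adversary value: {adversary!r}")
    return host.rstrip(".")

def build_block_list(incidents, adversary_types=None, time_days=7, now=None):
    """Hosts seen within --time_days and matching --adversary-types, de-duplicated
    and sorted; each run replaces the gateway list with this result."""
    wanted = set(adversary_types) if adversary_types else ADVERSARY_TYPES
    unknown = wanted - ADVERSARY_TYPES
    if unknown:
        raise ValueError(f"unsupported adversary type(s): {sorted(unknown)}")
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=time_days)
    hosts = set()
    for inc in incidents:
        seen = datetime.strptime(inc["last"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if seen < cutoff or not wanted.intersection(inc["types"]):
            continue
        hosts.add(to_host(inc["adversary"]))
    return sorted(hosts)

if __name__ == "__main__":
    print(build_block_list(SAMPLE_INCIDENTS, now=FIXED_NOW))
    print(build_block_list(SAMPLE_INCIDENTS, ["Malware"], time_days=30, now=FIXED_NOW))
```

Because the gateway list is replaced rather than appended to on every run, an adversary drops out of the block list once it is older than the --time_days window, so keep that value aligned with how long you want blocks to persist.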

Expected Results

After executing the script, all queried adversaries will be closed in the Lumu Administrator Console as shown in the following images:

Image: Update list.

Image: Block message.

Troubleshooting

To identify failures in the script execution, run it with the -v flag to increase the verbosity of its output.