McAfee Employee
Message 1 of 4

MCP Supplied Username and Groups Include Domain - How Can I Strip for Logging and/or Policy?


Title says it all. MCP supplies group and usernames as domain\groupname and domain\username and that is what populates the authentication.usergroups and authentication.usernames property. When MWG authenticates a user without MCP, for example via Kerberos or NTLM, the domain is not present in the username or usergroups properties.


Accepted Solutions
McAfee Employee
Message 2 of 4

Re: MCP Supplied Groups Include Domain - How Can I Strip Domain for Policy?


If you are using MCP only to connect to MWG, there is of course the option to exclude domains from groups during authentication. This is configurable in the MCP authentication settings.

MCPDomain.JPG

 

If you are managing WGCS policy with MWG, or you simply are using MCP to authenticate to MWG, this can also be accomplished with a relatively simple ruleset that rewrites the group list. This solution is better for a hybrid deployment where, for WGCS, MCP authenticates and populates Authentication.Usergroups independent of the authentication settings in MWG (which should not be enabled in the cloud anyway).

normmcpgroups.jpg

Importable ruleset attached. If you just want to normalize the groups starting with your domain name, you can just use the first rule and replace the “user-pc” string in the rule name and the regex in the event. If you want to generically remove all domain designations, you can disable the first rule and enable the second.


3 Replies

Reliable Contributor
Message 3 of 4

Re: MCP Supplied Groups Include Domain - How Can I Strip Domain for Policy?


In a hybrid environment, do we need both to not have the domain name in the log files? We have the SWPS box unchecked like you show, but we still have the domain\user in our logs and when searching online. I believe CSR strips it out though.

McAfee Employee
Message 4 of 4

Re: MCP Supplied Groups Include Domain - How Can I Strip Domain for Policy?


I haven't tested, but for usernames in WGCS logs I believe if you are managing policy from MWG you should be able to sync a rule to the cloud that essentially checks if there is a \ in the username and then, if so, uses the same string replace methodology used for groups to rewrite authentication.username.

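The prefix stripping discussed in this thread, for both the group list and the username, sketched in Python as an added example; it is not the attached ruleset or MWG rule syntax, and the function names and sample values are hypothetical. It covers the domain-specific and the generic variant, and also reports the side effect the generic variant allows: same-named groups from different domains collapsing into one bare name that policy then matches.

```python
import re

# Assumed input shape, per the thread: "domain\name" from MCP, bare "name"
# from Kerberos/NTLM. All sample values used with this code are constructed.
QUALIFIED = re.compile(r"^(?P<domain>[^\\]+)\\(?P<name>.+)$")

def strip_domain(value, only_domain=None):
    """Return value without its domain prefix.

    only_domain=None removes any prefix (the generic variant); otherwise only
    that domain is removed, compared case-insensitively (the specific variant).
    """
    m = QUALIFIED.match(value)
    if not m:
        return value  # already bare, or nothing after the separator: keep
    if only_domain is not None and m["domain"].lower() != only_domain.lower():
        return value
    return m["name"]

def normalize_groups(groups, only_domain=None):
    """Normalize a group list; report names merged from different domains."""
    normalized, sources = [], {}
    for group in groups:
        name = strip_domain(group, only_domain)
        key = name.lower()
        if key not in sources:
            normalized.append(name)  # keep first spelling, drop duplicates
        m = QUALIFIED.match(group)
        domain = m["domain"].lower() if m and name != group else ""
        sources.setdefault(key, set()).add(domain)
    # More than one real domain behind a bare name means rules written for
    # that name now match groups that were distinct before stripping.
    ambiguous = sorted(k for k, d in sources.items() if len(d - {""}) > 1)
    return normalized, ambiguous
```
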