
Trellix Web Gateway Security Operations

Unified capability for security operations teams to monitor, investigate, and respond to web security threats using Trellix Web Gateway. Combines traffic log analysis, security event investigation, threat statistics, and appliance health monitoring for SOC analysts and network security engineers.

Tags: Enterprise Security, Network Security, Security Operations, Threat Detection, Web Security

What You Can Do

GET /v1/security-events — Get security events: retrieve security events for investigation
GET /v1/traffic-logs — Get traffic logs: retrieve traffic logs
GET /v1/statistics/threats — Get threat statistics
GET /v1/statistics/traffic — Get traffic statistics
GET /v1/top-urls — Get top URLs
GET /v1/appliances — List appliances and health status
GET /v1/logs — Get logs: get system logs

MCP Tools

get-security-events (read-only)
  Retrieve security events from Web Gateway including malware detections and policy violations. Use for incident investigation and threat hunting.

get-traffic-logs (read-only)
  Retrieve web traffic logs for forensic analysis, compliance auditing, and user behavior investigation.

get-threat-statistics (read-only)
  Get threat statistics to understand attack patterns, malware trends, and security posture over time.

get-traffic-statistics (read-only)
  Get web traffic statistics for capacity planning and anomaly detection.

get-top-urls (read-only)
  Get top accessed URLs to identify potential policy violations or unusual browsing patterns.

get-top-categories (read-only)
  Get top URL categories to understand web browsing patterns and policy effectiveness.

get-system-logs (read-only)
  Retrieve Web Gateway system and audit logs for compliance and change tracking.

list-appliances (read-only)
  List Web Gateway appliances and check their operational health status.

APIs Used

twg-rest, twg-reporting

Capability Spec

web-security-operations.yaml
naftiko: "1.0.0-alpha1"

info:
  label: "Trellix Web Gateway Security Operations"
  description: >-
    Unified capability for security operations teams to monitor, investigate,
    and respond to web security threats using Trellix Web Gateway. Combines
    traffic log analysis, security event investigation, threat statistics,
    and appliance health monitoring for SOC analysts and network security engineers.
  tags:
    - Enterprise Security
    - Network Security
    - Security Operations
    - Threat Detection
    - Web Security
  created: "2026-05-03"
  modified: "2026-05-03"

binds:
  - namespace: env
    keys:
      TWG_SESSION_COOKIE: TWG_SESSION_COOKIE

capability:
  consumes:
    - import: twg-rest
      location: ./shared/web-gateway-rest-api.yaml
    - import: twg-reporting
      location: ./shared/web-gateway-reporting-api.yaml

  exposes:
    - type: rest
      port: 8080
      namespace: twg-security-ops-api
      description: "Unified REST API for Web Gateway security operations and monitoring."
      resources:
        - path: /v1/security-events
          name: security-events
          description: "Security events and threat detections"
          operations:
            - method: GET
              name: get-security-events
              description: "Retrieve security events for investigation"
              call: "twg-reporting.get-security-events"
              with:
                from: "rest.from"
                to: "rest.to"
                severity: "rest.severity"
                limit: "rest.limit"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/traffic-logs
          name: traffic-logs
          description: "Web traffic logs for forensic analysis"
          operations:
            - method: GET
              name: get-traffic-logs
              description: "Retrieve traffic logs"
              call: "twg-reporting.get-traffic-logs"
              with:
                from: "rest.from"
                to: "rest.to"
                limit: "rest.limit"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/statistics/threats
          name: threat-statistics
          description: "Threat statistics for security reporting"
          operations:
            - method: GET
              name: get-threat-statistics
              description: "Get threat statistics"
              call: "twg-reporting.get-threat-statistics"
              with:
                period: "rest.period"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/statistics/traffic
          name: traffic-statistics
          description: "Traffic statistics for capacity and monitoring"
          operations:
            - method: GET
              name: get-traffic-statistics
              description: "Get traffic statistics"
              call: "twg-reporting.get-traffic-statistics"
              with:
                period: "rest.period"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/top-urls
          name: top-urls
          description: "Top accessed URLs"
          operations:
            - method: GET
              name: get-top-urls
              description: "Get top URLs"
              call: "twg-reporting.get-top-urls"
              with:
                limit: "rest.limit"
                period: "rest.period"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/appliances
          name: appliances
          description: "Web Gateway appliance health"
          operations:
            - method: GET
              name: list-appliances
              description: "List appliances and health status"
              call: "twg-rest.list-appliances"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/logs
          name: system-logs
          description: "System and audit logs"
          operations:
            - method: GET
              name: get-logs
              description: "Get system logs"
              call: "twg-rest.get-logs"
              with:
                type: "rest.type"
                from: "rest.from"
                to: "rest.to"
                limit: "rest.limit"
              outputParameters:
                - type: object
                  mapping: "$."

    - type: mcp
      port: 9090
      namespace: twg-security-ops-mcp
      transport: http
      description: "MCP server for AI-assisted Web Gateway security operations and threat investigation."
      tools:
        - name: get-security-events
          description: "Retrieve security events from Web Gateway including malware detections and policy violations. Use for incident investigation and threat hunting."
          hints:
            readOnly: true
            openWorld: true
          call: "twg-reporting.get-security-events"
          with:
            from: "tools.from"
            to: "tools.to"
            severity: "tools.severity"
            limit: "tools.limit"
          outputParameters:
            - type: object
              mapping: "$."
        - name: get-traffic-logs
          description: "Retrieve web traffic logs for forensic analysis, compliance auditing, and user behavior investigation."
          hints:
            readOnly: true
            openWorld: true
          call: "twg-reporting.get-traffic-logs"
          with:
            from: "tools.from"
            to: "tools.to"
            limit: "tools.limit"
          outputParameters:
            - type: object
              mapping: "$."
        - name: get-threat-statistics
          description: "Get threat statistics to understand attack patterns, malware trends, and security posture over time."
          hints:
            readOnly: true
            openWorld: true
          call: "twg-reporting.get-threat-statistics"
          with:
            period: "tools.period"
          outputParameters:
            - type: object
              mapping: "$."
        - name: get-traffic-statistics
          description: "Get web traffic statistics for capacity planning and anomaly detection."
          hints:
            readOnly: true
            openWorld: true
          call: "twg-reporting.get-traffic-statistics"
          with:
            period: "tools.period"
          outputParameters:
            - type: object
              mapping: "$."
        - name: get-top-urls
          description: "Get top accessed URLs to identify potential policy violations or unusual browsing patterns."
          hints:
            readOnly: true
            openWorld: true
          call: "twg-reporting.get-top-urls"
          with:
            limit: "tools.limit"
            period: "tools.period"
          outputParameters:
            - type: object
              mapping: "$."
        - name: get-top-categories
          description: "Get top URL categories to understand web browsing patterns and policy effectiveness."
          hints:
            readOnly: true
            openWorld: true
          call: "twg-reporting.get-top-categories"
          with:
            limit: "tools.limit"
            period: "tools.period"
          outputParameters:
            - type: object
              mapping: "$."
        - name: get-system-logs
          description: "Retrieve Web Gateway system and audit logs for compliance and change tracking."
          hints:
            readOnly: true
            openWorld: true
          call: "twg-rest.get-logs"
          with:
            type: "tools.type"
            from: "tools.from"
            to: "tools.to"
            limit: "tools.limit"
          outputParameters:
            - type: object
              mapping: "$."
        - name: list-appliances
          description: "List Web Gateway appliances and check their operational health status."
          hints:
            readOnly: true
            openWorld: true
          call: "twg-rest.list-appliances"
          outputParameters:
            - type: object
              mapping: "$."