Configure Syslog in Malwarebytes Cloud Console

Document created by bdemidov (Employee) on Dec 11, 2018. Last modified by bdemidov (Employee) on Dec 18, 2018. Version 10.

In addition to the reporting available in the Malwarebytes Cloud Console, you can also send all threat-related events to your SIEM solution (Splunk, QRadar, etc.) for security insights, compliance and visibility.

This article provides the steps required to set up the Syslog configuration for Malwarebytes Cloud managed products:

  • Malwarebytes Endpoint Protection and Response (EPR)
  • Malwarebytes Endpoint Protection (EP)
  • Malwarebytes Incident Response (IR)


Events flow

The diagram below represents the Malwarebytes events flow.

  1. Endpoints report threat detection, quarantine and other events to Malwarebytes Cloud.
  2. The Malwarebytes Syslog Communication Endpoint pulls events from Malwarebytes Cloud.
  3. The Syslog Communication Endpoint forwards the events to your Syslog server in CEF (Common Event Format).
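As an added example (not part of this article or of Malwarebytes' own tooling), the following Python parses CEF records as they arrive over syslog, so you can check on the Syslog server side that the communication endpoint's events decode correctly. The sample lines are constructed for illustration and do not reflect the product's actual field layout.

```python
import re
# Constructed sample lines (NOT real Malwarebytes output): syslog <PRI> and timestamp,
# then a CEF record, as the communication endpoint would send it over TCP/514.
SAMPLE_LINES = [
    r"<134>Dec 18 2018 10:00:00 CEF:0|Malwarebytes|Endpoint Protection|1.0|1001|"
    r"Threat detected|8|src=10.0.0.5 shost=ws01 act=quarantine msg=Path C:\\Temp\\a.exe",
    r"<134>Dec 18 2018 10:05:00 CEF:0|Malwarebytes|Endpoint Protection|1.0|1002|"
    r"Scan \| completed|3|shost=ws02 cnt=2 msg=key\=value pair",
]
PRI_RE = re.compile(r"^<(\d{1,3})>")
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")  # start of an unescaped key=

def split_header(cef):
    # '\|' and '\\' are escapes in header fields, so a plain str.split('|') is wrong
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        c = cef[i]
        if c == "\\" and i + 1 < len(cef):  # escaped character: keep it literally
            cur.append(cef[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    fields.append(cef[i:])  # whatever follows the 7th pipe is the extension string
    return fields

def unescape_value(v):
    # extension values escape '=', '\' and line breaks with a backslash
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), v)

def parse_extension(ext):
    # values may contain spaces, so each value runs up to the next 'key=' start
    keys = list(KEY_RE.finditer(ext))
    return {m[1]: unescape_value(ext[m.end():(keys[n + 1].start() if n + 1 < len(keys) else len(ext))].strip())
            for n, m in enumerate(keys)}

def parse_line(line):
    pri, start = PRI_RE.match(line), line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    h = split_header(line[start:])
    if len(h) != 8:
        raise ValueError("malformed CEF header")
    facility, severity = divmod(int(pri[1]), 8) if pri else (None, None)  # <134> -> local0, info
    return {
        "facility": facility, "syslog_severity": severity, "syslog_ts": line[(pri.end() if pri else 0):start].strip(),
        "vendor": h[1], "product": h[2], "product_version": h[3],
        "signature_id": h[4], "name": h[5], "cef_severity": int(h[6]),
        "ext": parse_extension(h[7]),
    }
```

Feed it the lines your Syslog server receives on TCP/514 and compare the decoded `signature_id`, `name` and extension fields with what the console shows for the same event.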


Requirements

  • Active subscription or trial for one of Malwarebytes Cloud Managed products:
    • Malwarebytes Endpoint Protection and Response (EPR)
    • Malwarebytes Endpoint Protection (EP)
    • Malwarebytes Incident Response (IR)
  • Network access between your Malwarebytes Syslog Communication Endpoint and your SIEM or Syslog server (TCP/514 is used by default)


Configuration

  1. Navigate to Settings > Syslog Logging

  2. Click the Add button and promote one of your Windows endpoints to be the Syslog communication endpoint.


  3. Click the Syslog Settings button in the top right corner. Provide the IP address or hostname of your Syslog server, the port number you configured on your Syslog server, the network protocol and the communication interval.

    Note: The value entered in the Communication Interval field determines how often the communication endpoint sends data to the Syslog server.

    If the endpoint is unable to contact the Syslog server, the last 24 hours of data is buffered; data older than 24 hours will not be sent to Syslog.


  4. Navigate to Endpoints and choose the Syslog communication endpoint you assigned in the previous step. In the Agent Information section you should see that the SIEM plugin is activated on the endpoint.
