Configure Syslog in Malwarebytes Cloud Platform

Document created by bdemidov (Employee) on Dec 11, 2018. Last modified by bgoddard on Nov 13, 2019. Version 18.

In addition to the built-in reports available in the Malwarebytes Cloud Platform, you can send threat-related events to your SIEM solution for security insights, compliance, and visibility. This article provides the steps required to set up Syslog for the Malwarebytes Cloud Platform.

 

Events flow

The diagram below represents the Malwarebytes events flow, which follows this order:

  1. Endpoints report threat detection, quarantine, and other events to the Malwarebytes Cloud.
  2. The Syslog communication endpoint (a Windows endpoint you promote for this role) pulls the events from the Malwarebytes Cloud.
  3. The Syslog communication endpoint forwards the events to your Syslog server in CEF format.

 

 

Requirements

  • Active subscription or trial for a Malwarebytes Cloud Platform product:
    • Malwarebytes Endpoint Protection and Response
    • Malwarebytes Endpoint Protection
    • Malwarebytes Incident Response
  • Network access from the Windows endpoint you promote as the Syslog communication endpoint to your SIEM or Syslog server. TCP over port 514 is used by default; any firewall between the two must allow the port and protocol you configure. The settings offer plain TCP or UDP only, and the CEF messages carry hostnames, MAC and IP addresses, file paths, and detection names, so keep the path between the communication endpoint and the Syslog server on a trusted network segment.

 

Configuration

  1. Go to Settings > Syslog Logging.

  2. Click Add, then select one of your Windows endpoints to promote it as the Syslog communication endpoint.


  3. In the top-right corner, click Syslog Settings.

  4. Fill in the following information, then click Save.
    • IP Address/Host: IP or hostname of your Syslog server.
    • Port: Port you have specified on your Syslog server.
    • Protocol: Select either TCP or UDP protocol.
    • Severity: Choose a Severity from the list. The same Severity value is applied to every Malwarebytes event sent to Syslog, so the CEF Severity field cannot distinguish, for example, a blocked website from a ransomware detection; filter and alert on the cat and act extension fields instead.
    • Communication Interval (Minutes): Determines how often the communication endpoint gathers Syslog data from the Malwarebytes server. If the communication endpoint cannot contact Malwarebytes, up to 24 hours of events are held and delivered once it reconnects; events older than 24 hours are never sent to Syslog. Because the whole feed depends on this one endpoint, alert in your SIEM when no Malwarebytes events have arrived for longer than the interval, so that an outage is noticed before events age out.

       

  5. Navigate to Endpoints. Select the Syslog communication endpoint you assigned in the previous step.

  6. In the Agent Information section, the SIEM version number is displayed. This confirms that the SIEM plugin has activated on the endpoint.

 

The endpoint transfers data to Syslog without further configuration.

 

Change Syslog settings

If you need to change your Syslog communication endpoint, perform the following:

  1. Go to Settings > Syslog Logging > Settings.

  2. Click Remove to demote the existing endpoint.

  3. Click Add to promote a new endpoint. See the steps above in the Configuration section.

 

You may temporarily demote a communication endpoint using the On/Off toggle on this screen. Temporarily demoting a communication endpoint can be useful when troubleshooting your Syslog settings.

 

Example Syslog entry

The following is an example of a Syslog entry generated by Malwarebytes in raw CEF format: a Syslog prefix (timestamp and host), then the seven pipe-separated CEF header fields, then space-separated key=value extensions. The sections below detail the Syslog prefix values, CEF header fields, and extensions used in the example.

 

2018-04-13T21:06:05Z MININT-16Tjdoe CEF:0|Malwarebytes|Malwarebytes Endpoint Protection|Endpoint Protection 1.2.0.719|Detection|Website blocked|1|deviceExternalId=e150291a2b2513b9fd67941ab1135afa41111111 dvchost=MININT-16Tjdoe deviceDnsDomain=jdoeTest.local dvcmac=00:0C:29:33:C6:6A dvc=192.168.2.100 rt=Apr 13 2018 21:05:56 Z fileType=OutboundConnection cat=Website act=blocked msg=Website blocked\nProcess name: C:\Users\vmadmin\Desktop\test.exe filePath=drivinfosproduits.info(81.171.14.67:49846) cs1Label=Detection name cs1=Malicious Websites

 

Syslog prefix

  • Timestamp: time at which the event was forwarded to Syslog. Example: 2018-04-13T21:06:05Z
  • Host: the affected endpoint. Example: MININT-16Tjdoe

CEF header (seven fields, separated by |)

  • Version: version of the CEF format. Example: CEF:0
  • Device Vendor: always Malwarebytes. Example: Malwarebytes
  • Device Product: plugin installed on the endpoint at the time of the event. Values: Malwarebytes Endpoint Protection, Malwarebytes Incident Response, Malwarebytes Endpoint Protection and Response
  • Device Version: plugin name and version. Example: Endpoint Protection 1.2.0.719
  • Device Event Class ID: type of event reported. Example: Detection
  • Name: category of the event and the action taken. Example: Website blocked
  • Severity: the Severity set in the Syslog settings, identical on every event. Example: 1

Extensions (key=value pairs; keys are case-sensitive and appear exactly as listed here)

  • deviceExternalId: unique identifier of the device generating the event. Example: e150291a2b2513b9fd67941ab1135afa41111111
  • dvchost: device hostname. Example: MININT-16Tjdoe
  • deviceDnsDomain: device's DNS domain name. Example: jdoeTest.local
  • dvcmac: device's MAC address. Example: 00:0C:29:33:C6:6A
  • dvc: device's IPv4 address. Example: 192.168.2.100
  • rt: date and time when the event occurred on the endpoint. Example: Apr 13 2018 21:05:56 Z. This is earlier than the Syslog prefix timestamp (by 9 seconds in the example) and can lag by up to the Communication Interval plus any buffered outage, so index events in your SIEM on rt rather than on the prefix timestamp.
  • fileType: type of object that caused the event. Values: OutboundConnection, File, Module, Process, Registry Value, Exploit
  • cat: category of the event. Values: Malware, PUP, PUM, Ransomware, Exploit, Website
  • act: action taken. Values: blocked, found, quarantined, deleted, restored
  • msg: details of the system event; a literal \n separates lines. Example: Website blocked\nProcess name: C:\Users\vmadmin\Desktop\test.exe
  • filePath: path to the file, or the blocked website domain with the remote IP and port. Examples: drivinfosproduits.info(81.171.14.67:49846), C:\users\vmadmin\Desktop\test.exe
  • cs1Label: the name label for the field cs1. Example: Detection name
  • cs1: the detection name. Example: Malicious Websites
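The following Python script is an added example, not code from the original article or from Malwarebytes. It parses lines in the format shown above into the Syslog prefix, the seven CEF header fields and the extension key=value pairs, handling the CEF escapes (\| in the header; \=, \\ and \n in extensions) while tolerating the single backslashes in Windows paths that the sample leaves unescaped, computes how far behind the forwarded line is relative to rt, and escalates on the cat and act extensions rather than on the header Severity. The first sample line is the entry above; the second sample line, its detection name Ransom.Sample, and the escalation rule (escalate any "found" action, and any Ransomware or Exploit category) are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the first line reproduces the entry shown on this page,
# the second is an assumed "Ransomware found" event (detection name made up) in the same layout.
SAMPLE_LINES = [
    r"2018-04-13T21:06:05Z MININT-16Tjdoe CEF:0|Malwarebytes|Malwarebytes Endpoint Protection|Endpoint Protection 1.2.0.719|Detection|Website blocked|1|deviceExternalId=e150291a2b2513b9fd67941ab1135afa41111111 dvchost=MININT-16Tjdoe deviceDnsDomain=jdoeTest.local dvcmac=00:0C:29:33:C6:6A dvc=192.168.2.100 rt=Apr 13 2018 21:05:56 Z fileType=OutboundConnection cat=Website act=blocked msg=Website blocked\nProcess name: C:\Users\vmadmin\Desktop\test.exe filePath=drivinfosproduits.info(81.171.14.67:49846) cs1Label=Detection name cs1=Malicious Websites",
    r"2018-04-13T21:40:12Z MININT-16Tjdoe CEF:0|Malwarebytes|Malwarebytes Endpoint Protection|Endpoint Protection 1.2.0.719|Detection|Ransomware found|1|deviceExternalId=e150291a2b2513b9fd67941ab1135afa41111111 dvchost=MININT-16Tjdoe dvc=192.168.2.100 rt=Apr 13 2018 21:39:58 Z fileType=File cat=Ransomware act=found msg=Ransomware found filePath=C:\Users\vmadmin\Downloads\invoice.exe cs1Label=Detection name cs1=Ransom.Sample",
]

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "event_class_id", "name", "severity")
# Illustrative escalation policy (an assumption): "found" = detected but not remediated.
UNREMEDIATED_ACTIONS = {"found"}
HIGH_RISK_CATEGORIES = {"Ransomware", "Exploit"}  # escalated whatever the action
# A key is an identifier at the start of the extension or after a space, directly followed by '='.
KEY_RE = re.compile(r"(?:^| )([A-Za-z][A-Za-z0-9_.]*)=")


def split_header(cef):
    """Split the seven CEF header fields on unescaped '|' (CEF escapes '|' and '\\' with a backslash)."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            buf.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, cef[i:]  # the remainder is the extension


def unescape_value(value):
    """Decode \\\\, \\=, \\n, \\r. Lenient on purpose: the sample leaves Windows path
    backslashes single (C:\\Users\\...), so any other backslash is kept verbatim."""
    out, i = [], 0
    while i < len(value):
        ch, nxt = value[i], value[i + 1] if i + 1 < len(value) else ""
        if ch == "\\" and nxt in ("\\", "=", "n", "r"):
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_extension(ext):
    """Return the key=value pairs; a value runs until the next unescaped key."""
    keys = list(KEY_RE.finditer(ext))
    pairs = {}
    for match, following in zip(keys, keys[1:] + [None]):
        end = following.start() if following else len(ext)
        pairs[match.group(1)] = unescape_value(ext[match.end():end])
    return pairs


def parse_line(line):
    """Parse one forwarded line: '<timestamp> <host> CEF:0|...|<extension>'."""
    parts = line.split(" ", 2)
    if len(parts) != 3 or not parts[2].startswith("CEF:"):
        raise ValueError("expected '<timestamp> <host> CEF:...'")
    header, ext = split_header(parts[2])
    event = dict(zip(HEADER_FIELDS, header), syslog_host=parts[1], ext=parse_extension(ext))
    event["version"] = event["version"][len("CEF:"):]
    event["severity"] = int(event["severity"])  # the one configured value, on every event
    forwarded = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rt = event["ext"].get("rt")  # when the event occurred on the endpoint
    occurred = datetime.strptime(rt, "%b %d %Y %H:%M:%S Z").replace(tzinfo=timezone.utc) if rt else None
    # Lag grows with the communication interval and any outage: index on rt in the SIEM, not the prefix.
    event["delay_s"] = int((forwarded - occurred).total_seconds()) if occurred else None
    return event


def needs_attention(event):
    """Escalate on the cat/act extensions; the header Severity carries no signal."""
    ext = event["ext"]
    return event["event_class_id"] == "Detection" and (
        ext.get("act") in UNREMEDIATED_ACTIONS or ext.get("cat") in HIGH_RISK_CATEGORIES)


def triage(lines):
    """Reduce forwarded lines to the fields an analyst queues on."""
    rows = []
    for event in map(parse_line, lines):
        ext = event["ext"]
        rows.append({"host": ext.get("dvchost", event["syslog_host"]),
                     "category": ext.get("cat"), "action": ext.get("act"),
                     "detection": ext.get("cs1"), "target": ext.get("filePath"),
                     "delay_s": event["delay_s"], "escalate": needs_attention(event)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row)
```

Run it directly to print one triage row per sample line; in a SIEM the same split applies to every line received on the configured TCP or UDP port. The lenient unescaping is a trade-off: a path component beginning with n or r (for example C:\new\...) would be decoded as a newline, so if your SIEM already normalises CEF, prefer its decoder and keep this one for ad-hoc checks.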

 


Return to the Malwarebytes Cloud Platform Administrator Guide 
