Malwarebytes Visibility and Dashboards app for Splunk and Malwarebytes Cloud

Document created by jgolomb (Employee) on Jun 1, 2019. Last modified by jgolomb (Employee) on Aug 5, 2019. Version 14.

The Malwarebytes Visibility and Dashboards app provides custom Splunk searches and dashboards for Malwarebytes endpoint data, giving Malwarebytes users a visual view of that data. The dashboards are optimized for fast performance and include custom drill-downs.

Requirements

To run the Malwarebytes Visibility and Dashboards app, you need:

  • An active Splunk Enterprise or Splunk Cloud instance.
  • User login credentials for Splunk.
  • An active Malwarebytes Cloud subscription for either Endpoint Protection or Incident Response.
  • Malwarebytes Cloud Console login credentials.
  • Technical Add-on for Malwarebytes installed. Refer to Install the Technical Add-on for Malwarebytes for Splunk for more information.

Download Malwarebytes Visibility and Dashboards app

To download the Malwarebytes Visibility and Dashboards app:

  1. Go to the Malwarebytes Visibility and Dashboards page in Splunkbase.

  2. Click LOGIN TO DOWNLOAD. If you are already logged into Splunkbase, click DOWNLOAD.

  3. Enter your Splunk user credentials.

Install Malwarebytes Visibility and Dashboards app

Where you install the Malwarebytes app depends on your Splunk environment.

Splunk Enterprise Single Instance Environments

Install the Malwarebytes Visibility and Dashboards app on the instance that hosts all of the Splunk components (Search Tier, Indexer Tier, and Forwarder Tier). For instructions on installing an add-on in a single-instance environment, refer to Splunk's support article Install an add-on in a single-instance Splunk Enterprise deployment.

Splunk Enterprise Distributed Environments

Install the Malwarebytes Visibility and Dashboards app where your Search Tier is located. For instructions on installing an add-on in a distributed Splunk Enterprise environment, refer to Splunk's support article Install an add-on in a distributed Splunk Enterprise deployment.

Configure Malwarebytes Cloud Console

  1. Log into your Malwarebytes Cloud Console.

  2. Go to Settings > Syslog Logging and click Syslog Settings.

  3. In the Syslog Communication Settings menu:
    1. Set the IP Address/Host to the IP address or domain name of the Splunk syslog receiver that will receive the events.
    2. In Protocol, select TCP or UDP to match your Splunk server configuration.
    3. Click Save.
      Image of Syslog Communication Settings menu in Malwarebytes Cloud Console.

  4. You must designate an endpoint to forward data to Splunk. An endpoint with a stable internet connection, such as a server, is recommended. In Settings > Syslog Logging:
    1. Click Add.
    2. Select the checkbox next to the endpoint you want to designate.
    3. Click Assign.

Configure Splunk Enterprise

To configure the data inputs for Malwarebytes Endpoint Protection or Incident Response, follow the steps below.

  1. Log in to Splunk using administrator credentials and go to Settings > Data Inputs.
    Image of Splunk Enterprise console highlighting Data Input menu.

  2. Under Forwarded Inputs, select either TCP or UDP. Select New.

  3. Enter 514 in the Port field. Click Next.
    Image of new TCP entry in Splunk Enterprise highlighting the Port number entry.

  4. In the Input Settings screen:
    1. For Source type, click Select, choose the Malware category, and then choose mwb:cloud from the dropdown menu.
    2. For App context, select Add-on for Malwarebytes (TA-malwarebytes) from the dropdown menu.
    3. For Host Method, select either IP or DNS.
    4. For Index, select malwarebytes from the dropdown menu. Click Review.
      Image of Input Settings menu for Splunk Enterprise.

  5. In Review, make sure all of your configurations are correct, then select Submit to complete the data input configuration on the Splunk instance.
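
For administrators who manage Splunk configuration as files rather than through the web UI, the data input created in steps 1 to 5 corresponds to a stanza in inputs.conf. The stanza below is an added example, not part of this article or the Malwarebytes add-on; the file location under the TA-malwarebytes app's local directory and the disabled setting are assumptions about a typical layout, while the port, source type, index and host method are the values from the steps above.

```ini
# Added example: the data input from steps 1-5 expressed as an inputs.conf stanza.
# Assumed location (typical layout, not prescribed by the article):
#   $SPLUNK_HOME/etc/apps/TA-malwarebytes/local/inputs.conf

# Step 2 (TCP) and step 3 (port 514). Use [udp://514] instead if the Malwarebytes
# Cloud Console syslog protocol is set to UDP.
[tcp://514]
# Step 4: source type mwb:cloud and index malwarebytes.
sourcetype = mwb:cloud
index = malwarebytes
# Step 4, Host Method: "ip" for the IP option, "dns" for the DNS option.
connection_host = ip
disabled = 0
```

Restart Splunk after saving the file. Two checks are worth doing before pointing the Cloud Console at the receiver: confirm that the malwarebytes index exists, because Splunk discards events addressed to a non-existent index by default, and confirm that splunkd can actually bind port 514. On Linux, ports below 1024 require root or the CAP_NET_BIND_SERVICE capability, so if Splunk runs as an unprivileged user, either choose a port above 1024 here and in the Cloud Console syslog settings, or let a local syslog daemon receive on 514 and hand the events to Splunk. Once events flow, a search for index=malwarebytes sourcetype=mwb:cloud should return them.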

Splunk Enterprise dashboard examples

Overview dashboard

Image of Splunk Enterprise dashboards after configuring Malwarebytes Apps.

Endpoints dashboard

Image of Splunk Enterprise dashboards after configuring Malwarebytes Apps.

Detections dashboard

Image of Splunk Enterprise dashboards after configuring Malwarebytes Apps.

Configure Splunk Cloud

You must have the Splunk Universal Forwarder installed to configure Splunk Cloud. Refer to the Splunk support document Configure forwarding and receiving for Splunk Cloud for instructions.

To get Malwarebytes data into Splunk Cloud, configure your forwarder to send the syslog data to your Splunk Cloud instance.

Splunk Cloud dashboard examples

Overview dashboard

Image of Overview dashboard in the Splunk Cloud console.

Endpoints dashboard

Image of Endpoints dashboard in the Splunk Cloud console.

Detections dashboard

Image of Detections dashboard in the Splunk Cloud console.

Quarantined dashboard

Image of the Quarantined dashboard in the Splunk Cloud console.

Events received by Splunk Cloud from Malwarebytes products are displayed in CEF format. To view them, go to App: Search & Reporting > Search & Reporting.

Image of Search & Reporting tab in the Splunk Cloud console.
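
Because the forwarded events are CEF over syslog, a small parser is useful for checking a raw capture of what the designated endpoint sends, for example when events reach the receiver but the dashboards stay empty. The script below is an added example, not code from this article or from the Malwarebytes app. The sample lines in it are constructed to have the shape of CEF-over-syslog events: the product name, signature IDs, hosts and extension values are placeholders, not real Malwarebytes output. It splits the seven pipe-delimited header fields while honouring CEF's backslash escapes, parses the key=value extension (values may contain spaces), accepts both numeric and textual severities, and lists events at or above a severity threshold.

```python
import re
from typing import Dict, List, Optional

# Constructed sample syslog lines wrapping CEF payloads. They imitate the shape of
# events a syslog forwarder would send; the product name, signature IDs, hosts and
# extension values are placeholders, not real Malwarebytes output.
SAMPLE_EVENTS = [
    r"<13>Jun  1 12:00:00 endpoint-01 CEF:0|Malwarebytes|ExampleProduct|1.0|1000|Malware detected|8|"
    r"rt=Jun 01 2019 12:00:00 dvchost=endpoint-01 src=10.0.0.5 fname=evil\=sample.exe "
    r"act=quarantined msg=Detected during scheduled scan",
    r"<13>Jun  1 12:05:00 endpoint-02 CEF:0|Malwarebytes|ExampleProduct|1.0|2000|Scan \| completed|Low|"
    r"dvchost=endpoint-02 filePath=C:\\Users\\alice\\report.txt act=detected",
    "not a CEF line at all",
]

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# CEF allows textual severities as well as 0-10; map the words onto the numeric scale.
TEXT_SEVERITY = {"low": 3, "medium": 6, "high": 8, "very-high": 10}

# A key is a run of word characters at the start of the extension or after whitespace,
# followed by an unescaped "=". An escaped "\=" inside a value is never preceded by a
# word character, so it does not match.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(payload: str):
    """Split the seven pipe-delimited header fields, honouring \\| and \\\\ escapes.

    Returns (fields, remainder); remainder is the extension after the seventh pipe.
    """
    fields, current, i = [], [], 0
    while i < len(payload) and len(fields) < 7:
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):  # escaped character: take it literally
            current.append(payload[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    return fields, payload[i:]


def _unescape(value: str) -> str:
    """Undo CEF extension escapes: \\= \\\\ \\n \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Parse the key=value extension; each value runs up to the next key."""
    matches = list(_KEY_RE.finditer(ext))
    result: Dict[str, str] = {}
    for idx, match in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[match.group(1)] = _unescape(ext[match.end():end]).strip()
    return result


def parse_cef(line: str) -> Optional[Dict[str, object]]:
    """Parse one syslog line carrying a CEF event. Returns None if it carries none or is malformed."""
    start = line.find("CEF:")
    if start < 0:
        return None
    fields, extension = _split_header(line[start + len("CEF:"):])
    if len(fields) != 7:
        return None  # fewer than seven header fields: not a complete CEF header
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, fields))
    event["syslog_prefix"] = line[:start].rstrip()
    event["extension"] = _parse_extension(extension)
    return event


def severity_value(event: Dict[str, object]) -> Optional[int]:
    """Numeric 0-10 severity, accepting the textual form; None if unparseable."""
    raw = str(event["severity"]).strip()
    if raw.isdigit():
        return int(raw)
    return TEXT_SEVERITY.get(raw.lower())


def high_severity(lines: List[str], threshold: int = 7) -> List[Dict[str, str]]:
    """Events at or above the threshold: host, event name, severity and the action taken."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        event = parse_cef(line)
        if event is None:
            continue
        sev = severity_value(event)
        if sev is not None and sev >= threshold:
            ext = event["extension"]
            hits.append({"host": ext.get("dvchost", ""), "name": str(event["name"]),
                         "severity": str(sev), "action": ext.get("act", "")})
    return hits


if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        parsed = parse_cef(sample)
        if parsed is None:
            print("unparsed:", sample)
        else:
            print(parsed["signature_id"], parsed["name"], parsed["extension"])
    print("high severity:", high_severity(SAMPLE_EVENTS))
```

Run it against lines captured on the receiving port (for example, from a file that a local syslog daemon writes) to confirm that the header splits into exactly seven fields and that the extension keys you expect are present before relying on the app's dashboards; a line that comes back as unparsed usually means the forwarder is sending something other than CEF, or a proxy in between has altered it.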
