Malwarebytes Cloud Remediation app for Splunk

Document created by jgolomb (Malwarebytes employee) on Jun 1, 2019. Last modified by jgolomb on Jun 27, 2019. Version 25.

The Malwarebytes Cloud Remediation app integrates Splunk with the Malwarebytes Cloud Console: from Splunk you can initiate threat scans on Malwarebytes-managed endpoints, schedule those scans as Splunk alerts, and follow each scan's status and threat findings in a dashboard.

 

Requirements

To run the Malwarebytes Cloud Remediation app, you need:

  • An active Splunk instance.
  • User login credentials for Splunk.
  • An active subscription for Malwarebytes Cloud.
  • Malwarebytes Cloud Console login credentials.
  • Technical Add-on for Malwarebytes installed. Refer to Install the Technical Add-on for Malwarebytes for Splunk for more information.

 

Download and install Malwarebytes Cloud Remediation app

To download the Malwarebytes Cloud Remediation app:

  1. Go to the Malwarebytes Cloud Remediation page in Splunkbase.

  2. Click on LOGIN TO DOWNLOAD. If already logged into Splunkbase, click on DOWNLOAD.

  3. Enter your Splunk user credentials.

 

Install Malwarebytes app

Where you install the Malwarebytes Cloud Remediation app depends on your Splunk environment.

 

Splunk Enterprise Single Instance Environments

In a single-instance deployment the Search Tier, Indexer Tier, and Forwarder Tier all run on one Splunk Enterprise instance, so install the Malwarebytes Cloud Remediation app on that instance. For instructions on installing an add-on in a single-instance environment, refer to Splunk's support article Install an add-on in a single-instance Splunk Enterprise deployment.

 

Splunk Enterprise Distributed Environments

Install the Malwarebytes Cloud Remediation app on your Search Tier (the search heads); the app's dashboards, alert action, and modular input all run there. For instructions on installing an add-on in a distributed Splunk Enterprise environment, refer to Splunk's support article Install an add-on in a distributed Splunk Enterprise deployment.

 

Configure Malwarebytes Cloud Remediation app

Once installed, you configure the Malwarebytes Cloud Remediation app in Splunk.

 

  1. In Splunk, click Cloud Remediation > Configuration.
    Image of Cloud Remediation dashboard in the Splunk console.

  2. In the Logging tab, set Log level to INFO.
    Image of Cloud Remediation Configuration menu in Splunk console.

  3. Click the Add-on Settings tab and enter the following information:
    1. To get your Cloud Console Account Id:
      1. Log into the Malwarebytes Cloud Console.
      2. Copy the account ID from the Cloud Console URL (the string of characters highlighted in the image below).
        Image of Malwarebytes Cloud Console web url.
      3. In Splunk, paste the characters into the Cloud Console Account Id field.
    2. To get your Cloud Console Client Id and Cloud Console Client Secret:
      1. Click this Malwarebytes Cloud Console link.
      2. Enter your Malwarebytes Cloud Console administrator credentials.
      3. Click LOG IN > Generate Credentials > YES, GENERATE.
      4. Copy the generated Client Id and, in Splunk, paste it into the Cloud Console Client Id field.
      5. Return to the Malwarebytes Cloud Console, copy the generated Client Secret and, in Splunk, paste it into the Cloud Console Client Secret field.
        Image of Client Credentials page in the Malwarebytes Cloud Console.
    3. In the Splunk Username field, enter your Splunk Administrator username.
    4. In the Splunk Password field, enter your Splunk Administrator password.
    5. Click Save.
      Image of Add-on Settings tab for configuring Malwarebytes Cloud Remediation app in Splunk.
      To confirm the credentials were saved, open $SPLUNK_HOME/etc/apps/mbcr/local (on Windows, %SPLUNK_HOME%\etc\apps\mbcr\local) and check the passwords.conf file. Splunk writes each saved secret there as a [credential:...] stanza whose password value is encrypted with the instance's splunk.secret (the value starts with $7$ on current Splunk versions), so you should see a stanza for the client secret and one for the Splunk password, never the plaintext values. Anyone who can read both passwords.conf and splunk.secret can recover the secrets, so keep both files readable only by the Splunk service account.

  4. In the upper-left corner, click Inputs to configure the modular input that polls Malwarebytes Cloud for scan progress.
    1. Click Create New Input.
    2. In the Name field, enter a unique name for the modular input.
    3. In the Interval field, enter how often, in seconds, Splunk should poll for scan progress. To avoid loading the Splunk server, use an interval greater than 30 seconds.
    4. Set the Index field to malwarebytes.
    5. Click Add.
      Image of Add Malwarebytes Cloud Remediation Modular Input screen in the Splunk console.
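The check at the end of step 3 (look in passwords.conf for the saved credentials) can be automated. The script below is an added example, not code from the Malwarebytes app or from Splunk: it parses a passwords.conf in the format Splunk uses, flags any credential whose value is not encrypted with splunk.secret ($7$ or legacy $1$ prefix), reports expected credentials that were never saved, and verifies the file is readable only by its owner. The realm "mbcr" and the usernames in the constructed sample stanzas are assumptions for illustration; the app's real stanza names may differ.

```python
import configparser
import os
import stat
import tempfile

# Splunk writes secrets saved through an app's configuration page to
# $SPLUNK_HOME/etc/apps/<app>/local/passwords.conf, one stanza per secret:
#
#   [credential:<realm>:<username>:]
#   password = $7$<base64 ciphertext>
#
# The value is encrypted with the instance's splunk.secret ($7$ on current
# Splunk versions, $1$ on old ones). A value without that prefix means the
# secret was written in the clear and must be fixed.
OBFUSCATED_PREFIXES = ("$7$", "$1$")


def parse_passwords_conf(text):
    """Return {stanza_name: password_value} for every [credential:...] stanza."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # keep key case exactly as Splunk wrote it
    parser.read_string(text)
    return {
        section: parser.get(section, "password", fallback="")
        for section in parser.sections()
        if section.startswith("credential:")
    }


def audit_credentials(text, expected_usernames=()):
    """Check that each stored credential is obfuscated and that the expected ones exist.

    Returns a list of (stanza, ok, reason). ok is False for a plaintext or empty
    password, and for an expected username with no stanza at all.
    """
    found = parse_passwords_conf(text)
    report = []
    for stanza, value in found.items():
        if value.startswith(OBFUSCATED_PREFIXES):
            report.append((stanza, True, "encrypted with splunk.secret"))
        elif value == "":
            report.append((stanza, False, "empty password value"))
        else:
            report.append((stanza, False, "PLAINTEXT password on disk"))
    for user in expected_usernames:
        if not any(f":{user}:" in stanza for stanza in found):
            report.append((f"credential:*:{user}:", False, "expected credential not saved"))
    return report


def owner_only(path):
    """True when the file carries no group/other permission bits (0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


# Constructed sample stanzas. The realm "mbcr" and the usernames are
# assumptions for illustration; the ciphertexts are made-up base64.
GOOD_CONF = """\
[credential:mbcr:cloud_client_secret:]
password = $7$Y29uc3RydWN0ZWQtY2lwaGVydGV4dC1ub3QtcmVhbA==

[credential:mbcr:splunk_service_account:]
password = $7$YW5vdGhlci1jb25zdHJ1Y3RlZC12YWx1ZQ==
"""

BAD_CONF = """\
[credential:mbcr:cloud_client_secret:]
password = my-client-secret-in-the-clear
"""


def demo():
    """Audit both samples and check file modes on a temporary copy; returns the findings."""
    expected = ["cloud_client_secret", "splunk_service_account"]
    good = audit_credentials(GOOD_CONF, expected)
    bad = audit_credentials(BAD_CONF, expected)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "passwords.conf")
        with open(path, "w") as fh:
            fh.write(GOOD_CONF)
        os.chmod(path, 0o644)
        loose = owner_only(path)   # group/world readable: should fail
        os.chmod(path, 0o600)
        tight = owner_only(path)   # owner only: should pass
    return {"good": good, "bad": bad, "mode_0644_ok": loose, "mode_0600_ok": tight}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point parse_passwords_conf at the real file under $SPLUNK_HOME/etc/apps/mbcr/local to run it against your instance; a PLAINTEXT finding means a secret was written to disk unencrypted and should be re-entered through the app's configuration page.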

 

Initiate scans with Malwarebytes alert action

The Malwarebytes alert action is a standard Adaptive Response Framework alert action. You pass it the hostnames of the endpoints to scan; it issues the threat scans to the Malwarebytes Cloud Console and stores the scan details in Splunk's internal key-value (KV) store so the modular input can follow their progress. To initiate a scan interactively, go to Search and enter the syntax below in the Search field.

 

  • Usage:
    • index="malwarebytes" sourcetype="mwb:mbcr" | (your own query to select the hosts to scan) | sendalert mbcr param.hostname=<hostnames> param.remaction=<scan|remove>

  • Arguments
    • param.hostname - one hostname, or several separated by commas (see the examples below).
    • param.remaction - the type of scan. Only the values scan and remove are accepted: scan scans and reports only; remove scans and quarantines what it finds.

  • Examples
    • Scan every host seen in the malwarebytes index (the hostnames are collected into a comma-separated dvchost field and passed as a single parameter):
      index="malwarebytes" | stats delim="," values(dvchost) as dvchost | mvcombine dvchost | sendalert mbcr param.hostname=$result.dvchost$ param.remaction=scan
    • To directly execute scans on specific endpoints, generate a single result containing the hostnames:
      | makeresults | eval dvchost="TLL-3560.local,EPR-IAL-ISLAM" | sendalert mbcr param.hostname=$result.dvchost$ param.remaction=scan

      Image of example Malwarebytes alert Action in Splunk Enterprise console.
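What happens on the receiving side of sendalert, as an added example that is not the mbcr app's own code: Splunk runs a custom alert action script with the --execute argument and hands it a JSON payload on stdin, in which the param.* values (after $result.<field>$ substitution) appear under "configuration" without the "param." prefix. The script below parses such a payload, validates param.remaction against the two allowed values and splits param.hostname into unique, syntactically valid hostnames before anything would be sent to the Cloud Console. The payload shape follows Splunk's documented custom alert action interface; the sample payload, the search name and sid are constructed, and the app's real parsing, KV store collection name and API calls are not shown on this page and are not reproduced here.

```python
import json
import re

# Splunk invokes a custom alert action script as "<script> --execute" and
# hands it one JSON document on stdin. The values given as param.<name>
# on the sendalert line (or chosen in the alert's UI) arrive under
# "configuration" without the "param." prefix, after $result.<field>$
# tokens have been substituted from the triggering result row.
VALID_ACTIONS = {"scan", "remove"}

# RFC 1123 style hostname: dotted labels of letters, digits and hyphens.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def parse_hostnames(value):
    """Split a comma-delimited param.hostname value into unique, validated hostnames.

    Hostnames usually come straight out of event data (the dvchost field in the
    page's examples), so anything that is not a syntactically valid hostname is
    rejected instead of being forwarded to the Cloud Console.
    """
    hosts, seen = [], set()
    for raw in str(value).split(","):
        host = raw.strip()
        if not host:
            continue
        if not HOST_RE.match(host):
            raise ValueError(f"invalid hostname in param.hostname: {host!r}")
        key = host.lower()
        if key not in seen:  # de-duplicate case-insensitively, keep the first spelling
            seen.add(key)
            hosts.append(host)
    return hosts


def plan_scans(payload_json):
    """Turn an alert-action payload into one scan job per hostname.

    Returns a list of dicts ready to be submitted and recorded in the KV store;
    raises ValueError for a bad remaction or an empty host list.
    """
    payload = json.loads(payload_json)
    conf = payload.get("configuration", {})
    action = conf.get("remaction", "scan")
    if action not in VALID_ACTIONS:
        raise ValueError(f"param.remaction must be scan or remove, got {action!r}")
    hosts = parse_hostnames(conf.get("hostname", ""))
    if not hosts:
        raise ValueError("param.hostname is empty: nothing to scan")
    return [
        {
            "hostname": host,
            "remaction": action,
            "search_name": payload.get("search_name"),
            "sid": payload.get("sid"),
        }
        for host in hosts
    ]


# Constructed payload shaped like what Splunk sends. The hostnames are the
# ones from the page's example, repeated once with different case to show
# de-duplication; search_name, sid and session_key are placeholders.
SAMPLE_PAYLOAD = json.dumps({
    "app": "mbcr",
    "owner": "admin",
    "search_name": "Malwarebytes nightly scan",
    "sid": "scheduler__admin__mbcr__RMD5deadbeefcafef00d_at_1561600000_17",
    "server_uri": "https://127.0.0.1:8089",
    "session_key": "REDACTED",
    "configuration": {
        "hostname": "TLL-3560.local, EPR-IAL-ISLAM,tll-3560.local",
        "remaction": "scan",
    },
    "result": {"dvchost": "TLL-3560.local, EPR-IAL-ISLAM,tll-3560.local"},
})


def demo():
    """Plan scans for the sample payload and show that an unknown remaction is rejected."""
    jobs = plan_scans(SAMPLE_PAYLOAD)
    bad = json.loads(SAMPLE_PAYLOAD)
    bad["configuration"]["remaction"] = "delete"
    try:
        plan_scans(json.dumps(bad))
        rejected = False
    except ValueError:
        rejected = True
    return jobs, rejected


if __name__ == "__main__":
    jobs, rejected = demo()
    for job in jobs:
        print(job)
    print("bad remaction rejected:", rejected)
```

The de-duplication matters when the alert's search produces the same host several times (the stats/mvcombine example above already collapses duplicates, but an ad hoc eval may not), and the hostname check keeps a malformed or attacker-influenced dvchost value from reaching the Cloud Console as a scan target.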

 

Schedule a scan with Malwarebytes alert action

To set up a scheduled scan using the Malwarebytes Cloud Remediation alert action, follow these steps.

 

  1. Go to Search > in the Search bar, filter the hostnames using your own Splunk query.
    Image of Splunk query in the New Search bar for Splunk Enterprise console.

  2. After the search, click Save As > select Alert.
    Image of Search bar in Splunk Enterprise.

  3. In the Edit Alert menu, enter the following information:
    1. In the Alert field, enter an alert name.
    2. In the Cron Expressions field, set the time to initiate your scan.
    3. Under Trigger Conditions, enter a number threshold to trigger the alert. The image below shows, "Trigger an alert when the number of results is greater than 0."
    4. In the remaction drop-down menu, choose the scan type.
    5. In the Hostname field, enter $result.<your_variable_name>$. In the image below, dvchost refers to the variable that contains the hostnames.
    6. Click Save.
      Image of the Edit Alert menu in Splunk Enterprise console.

  4. To confirm your scan initiates as expected, log in to the Malwarebytes Cloud Console and view the Tasks tab.
    Image of Tasks tab in the Malwarebytes cloud console.

 

View scan Status in Splunk

Click Cloud Remediation in your app dashboards to see each endpoint's scan status.

Image of the Scan Status field in the Malwarebytes Cloud Remediation app for Splunk.

 

The scan status values are:

  • COMPLETED
  • PENDING
  • STARTED
  • FAILED
  • TIMED_OUT
  • EXPIRED

 

Malwarebytes modular input action

The Malwarebytes modular input checks the progress of initiated scans using the details the alert action stored in Splunk's internal key-value (KV) store. For every initiated scan, it polls Malwarebytes Cloud at the interval set in your Input configuration and updates the scan's status in the Cloud Remediation dashboard. Once a scan finishes, the modular input updates the Cloud Remediation dashboard with the new threat findings.

 

To check Malwarebytes Cloud Remediation events:

  • In the New Search bar, enter:
    index="malwarebytes" sourcetype="mwb:mbcr"
    Image of Malwarebytes Cloud Remediation events in Splunk.

Logging details for Malwarebytes Cloud Remediation

Scan status logs are written to the following locations:

  • Malwarebytes alert action: $SPLUNK_HOME/var/log/splunk/mbcr_modalert.log
  • Malwarebytes data input: $SPLUNK_HOME/var/log/splunk/mbcr_malwarebytes_cloud_remediation_modular_input.log
