Malwarebytes Cloud Remediation app for Splunk

Document created by jgolomb (Employee) on Jun 1, 2019. Last modified by jgolomb (Employee) on Oct 16, 2019. Version 26.

The Malwarebytes Cloud Remediation app integrates Splunk with Malwarebytes Cloud.

 

Requirements

To run the Malwarebytes Cloud Remediation app, you need:

  • An active Splunk instance.
  • User login credentials for Splunk.
  • An active subscription to Malwarebytes Cloud.
  • Malwarebytes Cloud Console login credentials.
  • Technical Add-on for Malwarebytes installed. Refer to Install the Technical Add-on for Malwarebytes for Splunk for more information.

 

Download and install Malwarebytes Cloud Remediation app

To download the Malwarebytes Cloud Remediation app:

  1. Go to the Malwarebytes Cloud Remediation page in Splunkbase.

  2. Click on LOGIN TO DOWNLOAD. If already logged into Splunkbase, click on DOWNLOAD.

  3. Enter your Splunk user credentials.

 

Install the Malwarebytes Cloud Remediation app

The location where you install the Malwarebytes Cloud Remediation app depends on how you have set up your Splunk environment. Splunk is set up as either a single instance or distributed environment.

 

Splunk Enterprise Single Instance Environments

Install the Malwarebytes Cloud Remediation app in the same location where the Splunk components (Search Tier, Indexer Tier, and Forwarder Tier) are located. For instructions on installing an add-on in a single-instance environment, refer to Splunk's support article Install an add-on in a single-instance Splunk Enterprise deployment.

 

Splunk Enterprise Distributed Environments

Install the Malwarebytes Cloud Remediation app where your Search Tier is located. For instructions on installing an add-on in a distributed Splunk Enterprise environment, refer to Splunk's support article Install an add-on in a distributed Splunk Enterprise deployment.

 

Configure Malwarebytes Cloud Remediation app

Once installed, configure the Malwarebytes Cloud Remediation app in Splunk.

 

  1. In Splunk, click Cloud Remediation > Configuration.
    Image of the Cloud Remediation table in Splunk Enterprise.

  2. In the Logging tab, set Log level to INFO.
    Image of Cloud Remediation Configuration menu in Splunk console.

  3. Click the Add-on Settings tab and enter the following information:
    1. To get your Cloud Console Account Id:
      1. Log into the Malwarebytes Cloud Console.
      2. Copy the following string of characters found in the url.
        Image of Malwarebytes Cloud Console web url.
      3. In Splunk, paste the characters into the Cloud Console Account Id field.
    2. To get your Cloud Console Client Id and Cloud Console Client Secret:
      1. Click this Malwarebytes Cloud Console link.
      2. Enter your Malwarebytes Cloud Console administrator credentials and click LOG IN.
      3. On the Client Credentials screen, click Generate Credentials > YES, GENERATE.
        Image of the Generate Client Credentials pop up screen on the Malwarebytes Cloud console login page.
      4. Copy the generated Client Id.
      5. In Splunk, paste the Client Id in the Cloud Console Client Id field.
      6. Return to the Malwarebytes Cloud Console, copy the generated Client Secret.
      7. In Splunk, paste the Client Secret in the Cloud Console Client Secret field.
        Image of Client Credentials page in the Malwarebytes Cloud Console.
    3. In the Splunk Username field, enter your Splunk Administrator username.
    4. In the Splunk Password field, enter your Splunk Administrator password.
    5. Click Save.
      Image of Add-on Settings tab for configuring Malwarebytes Cloud Remediation app in Splunk.
      To confirm you entered credentials correctly, go to $SPLUNK_HOME\etc\apps\mbcr\local and check the passwords file.

  4. In the upper-left corner, click Inputs to configure your modular input into Splunk.
    1. Click Create New Input.
    2. In the Name field, enter a unique name for the modular input.
    3. In the Interval field, enter an interval time for how often you want Splunk to collect data. To avoid impacting Splunk server performance, we recommend interval times greater than 30 seconds.
    4. In the Index drop-down, select malwarebytes.
    5. Click Add.
      Image of Add Malwarebytes Cloud Remediation Modular Input screen in the Splunk console.
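Step 3 above ends by telling you to confirm the saved credentials by checking the passwords file under $SPLUNK_HOME/etc/apps/mbcr/local. The following Python script is an added example, not part of the Malwarebytes app or of this article: it parses the body of a Splunk passwords.conf file and reports any credential stanza belonging to the app whose value is not in Splunk's encrypted $7$ form (older installs use $1$), which would mean the Cloud Console Client Secret or the Splunk password was not persisted through Splunk's credential store. The file name passwords.conf and the credential:__REST_CREDENTIAL__#mbcr#... stanza naming are assumptions based on how Splunk add-ons generally store secrets; the sample file contents are constructed.

```python
"""Check that the mbcr app's saved secrets are stored encrypted.

Added example (not Malwarebytes code). Assumes Splunk's passwords.conf
layout: one [credential:...] stanza per secret, with the app name between
'#' characters and the value written as `password = $7$...`.
"""
import re
import sys

ENCRYPTED_PREFIXES = ("$7$", "$1$")  # Splunk's encrypted-credential markers

# Constructed sample: two encrypted entries and one that was written in clear text.
SAMPLE_PASSWORDS_CONF = """\
[credential:__REST_CREDENTIAL__#mbcr#configs/conf-mbcr_settings:cloud_console_client_secret:]
password = $7$Zm9vYmFyYmF6cXV4Y29uc3RydWN0ZWRzYW1wbGU=

[credential:__REST_CREDENTIAL__#mbcr#configs/conf-mbcr_settings:splunk_password:]
password = $7$YW5vdGhlcmVuY3J5cHRlZHZhbHVlY29uc3RydWN0ZWQ=

[credential:__REST_CREDENTIAL__#mbcr#configs/conf-mbcr_settings:leaked_example:]
password = hunter2
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*?)\s*$")


def parse_passwords_conf(text):
    """Return {stanza_name: {key: value}} for the body of a Splunk .conf file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group("key")] = m.group("value")
    return stanzas


def check_stored_secrets(text, app="mbcr"):
    """Return a list of (stanza, problem) findings for the app's credential stanzas.

    An empty list means every secret for the app is present and encrypted.
    """
    findings = []
    creds = {name: kv for name, kv in parse_passwords_conf(text).items()
             if name.startswith("credential:") and f"#{app}#" in name}
    if not creds:
        # Nothing was written: Save did not persist the credentials.
        findings.append(("<none>", f"no credential stanzas found for app {app}"))
    for name, kv in creds.items():
        value = kv.get("password", "")
        if not value:
            findings.append((name, "empty password value"))
        elif not value.startswith(ENCRYPTED_PREFIXES):
            findings.append((name, "password stored in clear text"))
    return findings


if __name__ == "__main__":
    # Usage: python check_passwords.py $SPLUNK_HOME/etc/apps/mbcr/local/passwords.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWORDS_CONF
    findings = check_stored_secrets(text) or [("-", "all stored secrets are encrypted")]
    for stanza, problem in findings:
        print(f"{problem}: {stanza}")
```

Run it against the real file after clicking Save; a clear-text finding or a missing stanza means the credentials should be re-entered through the Add-on Settings tab rather than edited into the file by hand.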

 

Initiate scans with Malwarebytes alert action

The Malwarebytes alert action follows the standard Adaptive Response Framework alert action. You can send the hostnames of your endpoints to the alert action to issue threat scans. After initiating a scan, the alert action stores the scan details in Splunk's internal key-value store. To initiate a Malwarebytes scan, go to Search and enter the syntax below into the Search field.

 

  • Usage:  
    • index="malwarebytes" sourcetype = "mwb:mbcr" | (Write your own query here to filter the necessary hosts) | sendalert mbcr param.hostname=hostvalue param.remaction=value

  • Arguments
    • param.hostname - This can be a single hostname of an endpoint, or the location of a CSV file containing multiple hostnames.
    • param.type_of_scan - Possible values are:
      • scan - Scans and reports only.
      • remove - Scans and quarantines any suspicious item found.
      • isolate - Performs an isolation of the endpoint.
      • isolateprocess - Performs a process isolation of the endpoint.
      • isolatenetwork - Performs a network isolation of the endpoint.
      • isolatedesktop - Performs a desktop isolation of the endpoint.
      • deisolate - Performs a de-isolation of the endpoint.
      • subscribe - Subscribes to the suspicious activity feed.
      • unsubscribe - Unsubscribes from the suspicious activity feed.

 

  • Examples
    • index="malwarebytes" | stats delim="," values(dvchost) as dvchost | mvcombine dvchost | sendalert mbcr param.hostname=$result.dvchost$ param.remaction=scan
    • To directly execute scans on specific endpoints:  
      |stats count as dvchost | eval dvchost="TLL-3560.local,EPR-IAL-ISLAM" | sendalert mbcr param.hostname=$result.dvchost$ param.remaction=scan

      Image of example Malwarebytes alert Action in Splunk Enterprise console.

 

 

Initiate Suspicious Activity actions with Malwarebytes alert action

The Malwarebytes Suspicious Activity alert action enables administrators to subscribe and unsubscribe endpoint machines to and from the Malwarebytes Suspicious Activity feed. Subscribing sends notifications of potentially malicious software activity into Splunk. For subscribed endpoints, the following actions can be taken on a suspicious activity detection:

  • Open - Considers the process as suspicious and will continue to trigger additional detections.
  • Remediate - Treats the process as malicious and remediates the threat on the endpoint.
  • Close - Closes the suspicious activity incident with no further action. Most likely used in the case of a false positive.

 

We recommend using this alert action only from the Splunk Search bar.

 

Usage

  • Subscribe or Unsubscribe:
    • | stats count as dvchost | eval dvchost="SA" | sendalert mbcr_sa param.sa_action=<subscription_name>

 

  • Open, Remediate, or Close:
    • | stats count as dvchost | eval dvchost="SA" | sendalert mbcr_sa param.machine_id=<machine_id> param.detection_id=<detection_id> param.sa_action=<action_name>

 

Arguments

  • param.sa_action - Use the values subscribe or unsubscribe to subscribe or unsubscribe an endpoint to or from the Malwarebytes Suspicious Activity feed. When suspicious activities are found, use the values open, remediate, or close.
  • param.machine_id - The machine id of the endpoint where the suspicious activity originated. Must be used only with the param.sa_action values open, remediate, or close.
  • param.detection_id - The detection id of the suspicious activity found. Must be used only with the param.sa_action values open, remediate, or close.

 

Examples

The following are some example Suspicious Activity actions you can use in the Splunk Search bar.

  • | stats count as dvchost | eval dvchost="SA" | sendalert mbcr_sa param.sa_action=subscribe
  • | stats count as dvchost | eval dvchost="SA" | sendalert mbcr_sa param.sa_action=unsubscribe
  • | stats count as dvchost | eval dvchost="SA" | sendalert mbcr_sa param.machine_id=cc107e39-4d68-42eb-9a27-3a87943ed239 param.detection_id=4415730 param.sa_action=open
  • | stats count as dvchost | eval dvchost="SA" | sendalert mbcr_sa param.machine_id=cc107e39-4d68-42eb-9a27-3a87943ed239 param.detection_id=4415730 param.sa_action=remediate
  • | stats count as dvchost | eval dvchost="SA" | sendalert mbcr_sa param.machine_id=cc107e39-4d68-42eb-9a27-3a87943ed239 param.detection_id=4415730 param.sa_action=close
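Both alert actions take their parameters as free text on the search line, so a wrong combination (a mistyped hostname sent to isolate, or param.machine_id passed together with subscribe) is only discovered after sendalert has run. The following Python helper is an added example, not code from the Malwarebytes app: it builds the sendalert searches shown under Initiate scans with Malwarebytes alert action and under this section after checking the arguments against the values documented on this page. Hostnames are validated as RFC 1123-style names, the scan type is checked against the listed values and passed as param.remaction (the name the page's usage line and examples use), and param.machine_id and param.detection_id are required with open, remediate and close and rejected with subscribe and unsubscribe. The hostname and UUID patterns are my assumptions about what the Cloud Console accepts; the sample hostnames and ids are the ones from the page's examples.

```python
"""Build and sanity-check mbcr / mbcr_sa sendalert searches.

Added example (not Malwarebytes code). The allowed action values come from
this page; the hostname and machine_id formats are assumptions.
"""
import re

# Values documented on the page for the two alert actions.
REMACTIONS = {"scan", "remove", "isolate", "isolateprocess", "isolatenetwork",
              "isolatedesktop", "deisolate", "subscribe", "unsubscribe"}
SA_SUBSCRIPTION_ACTIONS = {"subscribe", "unsubscribe"}
SA_INCIDENT_ACTIONS = {"open", "remediate", "close"}

# Assumed formats: RFC 1123 hostnames (labels of letters, digits and hyphens)
# and a UUID for machine_id, matching the shape of the page's example values.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def build_hostname_param(hosts):
    """Join hostnames into the comma-separated param.hostname value, dropping
    case-insensitive duplicates and rejecting malformed names."""
    seen, out = set(), []
    for host in hosts:
        host = host.strip()
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"not a valid hostname: {host!r}")
        if host.lower() not in seen:
            seen.add(host.lower())
            out.append(host)
    if not out:
        raise ValueError("no hostnames supplied")
    return ",".join(out)


def mbcr_search(hosts, remaction):
    """Return the direct-execution search from the page for specific endpoints,
    with remaction checked against the documented values."""
    if remaction not in REMACTIONS:
        raise ValueError(f"unknown remaction {remaction!r}; expected one of {sorted(REMACTIONS)}")
    value = build_hostname_param(hosts)
    return (f'| stats count as dvchost | eval dvchost="{value}" '
            f"| sendalert mbcr param.hostname=$result.dvchost$ param.remaction={remaction}")


def validate_sa_params(sa_action, machine_id=None, detection_id=None):
    """Apply the mbcr_sa argument rules; return a list of problems (empty if OK)."""
    problems = []
    if sa_action in SA_SUBSCRIPTION_ACTIONS:
        if machine_id is not None or detection_id is not None:
            problems.append("param.machine_id and param.detection_id are only valid "
                            "with open, remediate or close")
    elif sa_action in SA_INCIDENT_ACTIONS:
        if machine_id is None or not UUID_RE.match(machine_id):
            problems.append("param.machine_id must be the UUID of the endpoint")
        if detection_id is None or not str(detection_id).isdigit():
            problems.append("param.detection_id must be a numeric detection id")
    else:
        problems.append(f"unknown sa_action {sa_action!r}")
    return problems


def mbcr_sa_search(sa_action, machine_id=None, detection_id=None):
    """Return the mbcr_sa search in the form shown on the page, or raise ValueError."""
    problems = validate_sa_params(sa_action, machine_id, detection_id)
    if problems:
        raise ValueError("; ".join(problems))
    params = []
    if sa_action in SA_INCIDENT_ACTIONS:
        params += [f"param.machine_id={machine_id}", f"param.detection_id={detection_id}"]
    params.append(f"param.sa_action={sa_action}")
    return '| stats count as dvchost | eval dvchost="SA" | sendalert mbcr_sa ' + " ".join(params)


if __name__ == "__main__":
    print(mbcr_search(["TLL-3560.local", "EPR-IAL-ISLAM"], "scan"))
    print(mbcr_sa_search("open", "cc107e39-4d68-42eb-9a27-3a87943ed239", "4415730"))
```

Paste the returned string into the Search bar; because the hostname list is quoted inside eval, a name that fails validation never reaches sendalert, which matters most for the isolate and remove actions.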

 

Note: If the administrator tries to remediate a threat which has already been remediated, error code 5 will return in the Splunk search.

Image of error code 5 returned in a failed Splunk Search.

 

Schedule a scan with Malwarebytes alert action

To set up a scheduled scan using the Malwarebytes Cloud Remediation alert action, follow these steps.

 

  1. Go to Search > in the Search bar, filter the hostnames using your own Splunk query.
    Image of Splunk query in the New Search bar for Splunk Enterprise console.

  2. After the search, click Save As > select Alert.
    Image of Search bar in Splunk Enterprise.

  3. In the Edit Alert menu, enter the following information:
    1. In the Alert field, enter an alert name.
    2. In the Cron Expressions field, set the time to initiate your scan.
    3. Under Trigger Conditions, enter a numeric threshold that triggers the alert. The image below shows "Trigger an alert when the number of results is greater than 0."
    4. In the remaction drop-down menu, choose the scan/action type.
    5. In the Hostname field, enter $result.<your_variable_name>$. In the image below, dvchost refers to the variable that contains the hostnames.
    6. Click Save.
      Image of the Edit Alert menu in Splunk Enterprise console.

  4. To confirm your scan initiates as expected, log in to the Malwarebytes Cloud Console and view the Tasks tab.
    Image of Tasks tab in the Malwarebytes cloud console.

 

View scan Status in Splunk

Click Cloud Remediation from your app dashboards to see the endpoints' scan and action Status.

Image of Cloud Remediation dashboard in the Splunk console.

 

The scan Status types are:

  • COMPLETED
  • PENDING
  • STARTED
  • FAILED
  • TIMED_OUT
  • EXPIRED

 

The Action types are:

  • Scan
  • Quarantine
  • Isolate
  • Isolate_Network
  • Isolate_Process
  • Isolate_Desktop
  • Deisolate

 

Malwarebytes modular input action

The Malwarebytes modular input action checks the progress of initiated scans using the details stored by the alert action in Splunk's internal key-value store. For every initiated scan, the modular input action updates real-time progress in the Cloud Remediation dashboard at the interval set in your Input Configuration. Once a scan has finished, the modular input updates the Cloud Remediation dashboard with the new threat findings.

 

To check Malwarebytes Cloud Remediation events:

  • In the New Search bar, enter:
    index="malwarebytes" sourcetype="mwb:mbcr"
    Image of Malwarebytes Cloud Remediation events in Splunk.

Logging details for Malwarebytes Cloud Remediation

The Scan status logs are found in the following locations:

  • For Malwarebytes alert action logs: 
    $SPLUNK_HOME/var/log/splunk/mbcr_modalert.log
  • For Malwarebytes data logs: $SPLUNK_HOME/var/log/splunk/mbcr_malwarebytes_cloud_remediation_modular_input.log
