The Malwarebytes app for ServiceNow offers data via Webhooks for real-time protection events, such as scan and detection reports. This guide describes:
- Security Incidents created automatically when Malwarebytes detects threats.
- How to manually create Security Incidents
- How to initiate a scan through an existing Security Incident
- How to initiate Suspicious Activity actions
- How to configure Security Incidents to show historical scan and detection information.
- How to find logs and troubleshoot ServiceNow integration with the Malwarebytes app.
To install and configure the Malwarebytes app for your ServiceNow instance, refer to Install and configure Malwarebytes app for ServiceNow.
View Security Incidents created from Malwarebytes scans
When Malwarebytes detects a threat during a scheduled scan, information is sent to ServiceNow to create a Security Incident. The ServiceNow administrator can check the Security Incident to see the scan results and investigate the findings.
Security Incidents are generated only for ransomware detections. Other kinds of threats can be viewed in the ServiceNow Logs.
When Malwarebytes detects ransomware, the Malwarebytes Cloud Console sends scan results to ServiceNow via Webhook. ServiceNow automatically creates a Security Incident in response.
To investigate the Security Incident
When a Security Incident is created, the ServiceNow administrator receives an email notification containing an incident number. Use this unique identifier to investigate the Security Incident in ServiceNow.
- In the Filter navigator search box, enter "security incident".
- Click Security Incidents - Show All.
- In the Number search box, enter the incident number to find the ticket. This is useful if you have many Security Incidents to manage.
- A description of the detection is viewable under the Short description column.
- Click the Security Incident Number to view further details of the detection.
ServiceNow unregistered endpoint
In the Security Incidents table, if an endpoint is not registered in ServiceNow and ransomware is found on that endpoint, the Configuration item column shows as (empty) for the endpoint. You can find the endpoint name in the Short Description column.
Manually create a Security Incident in ServiceNow
To manually create a security incident, the ServiceNow administrator needs to first register the endpoint name in the Configuration Items table. Once the endpoint from your Malwarebytes Cloud Console is added to your ServiceNow instance, you can create a security incident to initiate scans to that endpoint.
As the ServiceNow administrator:
- In the Filter navigator search box, enter "cmdb_ci.list".
- Click New to create a new record.
- In the new record menu, enter the following information:
  - In the Name field, enter the endpoint name. This must match the endpoint name from your Malwarebytes Cloud Console.
  - In the Assigned to field, enter the name of the person using the endpoint.
- Click Submit.
- To create a Security Incident associated with the registered user:
  - In the new record, enter the following information:
    - In the Requested by field, enter the user name of the endpoint.
    - In the Configuration item field, enter the endpoint name that you registered in the new record menu above.
    - In the Short description field, enter a description to identify the Security Incident.
  - Click Submit in the upper-right corner to save your draft.
  - Go back to Security Incidents - Show all Incidents to see the newly created incident. You can view the incident Number and Short description.
  - Click the incident number of the Security Incident to view the endpoint and Configuration items associated with it.
Initiate a Malwarebytes scan through an existing Security Incident
ServiceNow administrators can open a Security Incident and perform a Malwarebytes scan on the endpoint associated with it.
- Open a Security Incident created by either Malwarebytes or an end user. Find the Configuration items tab at the bottom.
- Check the box for the Configuration item, then open the Actions on selected rows... drop-down menu and click Run Malwarebytes Scan.
- In the Malwarebytes Scan menu, select the scan type you wish to perform from the Scan Options drop-down menu, then click Start Scan to initiate the action.
- In Malwarebytes Scan Tasks, find the initiated scan job. Here you can view the Scan Status from the table view.
- Once the scan completes, view the scan results in the Malwarebytes Scan Reports table. Here you see the Task number, Computer Name, and Vendor Reference to learn more about threats detected on the endpoint.
Configure the Security Incident form
You can configure your Security Incidents to show historical scan tasks and reports pulled from Malwarebytes. Once configured, the Security Incident displays live status of scans and detected threats on an endpoint. Follow the steps to add Malwarebytes Scan Tasks and Scan Reports to your Security Incidents.
- Open an existing Security Incident. In the Security Incident form:
  - Click Edit this view in Security Incident.
  - From the Available list, move Malwarebytes Scan Task->Task and Malwarebytes Scan Report->Task to the Selected list. Click Save.
- Return to the Security Incident you just configured, scroll down and click Show All Related Lists.
- The Malwarebytes Scan Tasks and Malwarebytes Scan Reports feeds are now visible in the Security Incident. These feeds show historical scan events and detection reports associated with the endpoint.
Now all of your Malwarebytes Security Incidents show these two feeds for your viewing.
Initiate Suspicious Activity Actions
The Malwarebytes - Suspicious Activities table displays all suspicious activity found on your endpoints and their severity levels: Low, Medium, or High. The administrator can select endpoints and apply one of the following actions to them:
- Open - Treats the process as suspicious; it will continue to trigger additional detections.
- Remediate - Treats the process as malicious and remediates the threat on the endpoint.
- Close - Closes the suspicious activity incident with no further action. Most likely used in the case of a false positive.
To view Suspicious Activity and initiate actions:
- In ServiceNow, use the Filter navigator Search bar to find the Malwarebytes - Suspicious Activity table.
- This table shows all suspicious activity found on your endpoints. Check the box next to any detections you want to perform actions on.
- Open the Actions on selected rows... drop-down menu and select Malwarebytes Suspicious Activity Action.
- In the Malwarebytes Suspicious Activity Action window, select the type of action from the Action Options drop-down menu, then click Start Action to initiate it.
Once the action completes, you can view the action status under the Action Status column. The Action Status column always shows the last initiated action.
ServiceNow Logs and troubleshooting Malwarebytes app integration
The communication between ServiceNow and the Malwarebytes Cloud Console may be interrupted if your settings are not properly configured or your Malwarebytes credentials are incorrect. There is no pop-up notification or display to let you know that the Webhooks are not working properly. You may simply notice that data is not feeding into your ServiceNow instance as expected. See the resolutions below.
Resolve inactive settings
In ServiceNow, make sure to set the Active column to True for all of the following Malwarebytes components:
- Malwarebytes under Business Rules.
- Malwarebytes under Scheduled Jobs.
- Malwarebytes under Scripted REST APIs.
Resolve invalid Malwarebytes credentials
Follow the steps to make sure your Malwarebytes credentials are entered correctly:
- In the Filter navigator search box, enter "syslog.list" to view the Log table.
- Under the Message column, look for the error message "Please Enter the correct Credentials" and the HTTP error code "Malwarebytes GetAuthToken HTTP Error Code:401". These indicate that your credentials or authorization token are entered incorrectly.
- If you find these error messages, enter the correct credentials in the Malwarebytes app configuration page and click Submit. Refer to Install and configure Malwarebytes app for ServiceNow for more information.
Identify and resolve invalid ServiceNow Security Admin credentials
If your ServiceNow Security Admin credentials are entered incorrectly, the Scripted REST API cannot deliver Malwarebytes data to the ServiceNow instance. To confirm your ServiceNow instance correctly receives endpoint information, try the following:
- On one of your endpoints, visit iptest.malwarebytes.org, which should produce a log event.
- In ServiceNow under Log, you should see "web" and "The Webhook Payload Received" messages under the Message column. If you do not see these logs, your Security Admin credentials are entered incorrectly.
- Enter the correct credentials in the Malwarebytes app configuration page and make sure the Subscribe Webhook box is checked. Click Submit. Refer to Install and configure Malwarebytes app for ServiceNow for more information.
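The three checks above (inactive components, the 401 credential error in the Log table, and the missing webhook log after a test event) can be run offline over exported log rows. The following is an added example, not code from the Malwarebytes app or ServiceNow; it assumes constructed rows shaped like the syslog Message column and a hypothetical map of the three components' Active flags.

```javascript
// Added example: offline triage of the failure modes described in this
// guide. Inputs are constructed (not real ServiceNow output).

// Messages the guide says to look for under the Message column of syslog.list.
const BAD_CREDS_MSG = "Please Enter the correct Credentials";
const AUTH_401_MSG = "Malwarebytes GetAuthToken HTTP Error Code:401";
const WEBHOOK_RECEIVED_MSG = "The Webhook Payload Received";

// Components whose Active column must be True for the integration to work.
const REQUIRED_COMPONENTS = ["Business Rules", "Scheduled Jobs", "Scripted REST APIs"];

// logRows: [{ created, message }] exported from the Log table.
// components: { "<component>": <Active flag> } (hypothetical input shape).
// testEventSent: true if an endpoint visited iptest.malwarebytes.org, so a
// "The Webhook Payload Received" entry is expected in the Log table.
function triageIntegration(logRows, components, testEventSent) {
  const findings = [];

  // 1. Inactive settings: every required component must be Active.
  for (const name of REQUIRED_COMPONENTS) {
    if (components[name] !== true) {
      findings.push(`Set Active to True for Malwarebytes under ${name}`);
    }
  }

  // 2. Invalid Malwarebytes credentials: GetAuthToken returned 401.
  const badCreds = logRows.some((r) =>
    r.message.includes(BAD_CREDS_MSG) || r.message.includes(AUTH_401_MSG));
  if (badCreds) {
    findings.push("Re-enter Malwarebytes credentials on the app configuration page");
  }

  // 3. Webhook never delivered after a test event: Security Admin credentials
  //    or the Subscribe Webhook box are the things to check.
  const webhookSeen = logRows.some((r) => r.message.includes(WEBHOOK_RECEIVED_MSG));
  if (testEventSent && !webhookSeen) {
    findings.push("Check Security Admin credentials and the Subscribe Webhook box");
  }

  return findings;
}

// Constructed sample rows and flags for a broken instance.
const sampleLogs = [
  { created: "2024-01-01 10:00:00", message: "Malwarebytes GetAuthToken HTTP Error Code:401" },
  { created: "2024-01-01 10:00:01", message: "Please Enter the correct Credentials" },
];
const sampleComponents = { "Business Rules": true, "Scheduled Jobs": false, "Scripted REST APIs": true };
```

An empty result from `triageIntegration` means none of the three documented causes applies; the Log table still has to be checked for other messages.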
View the status of initiated Suspicious Activity actions
Administrators can view the status of initiated Suspicious Activity actions, which may include actions with the Failed status. To view the action status, use the Filter navigator bar to search for the Malwarebytes - SA Actions Queues table. In the following example image, you will see several Failed statuses.
A Failed status displays when the administrator tries to remediate a suspicious activity which has already been remediated.