The Malwarebytes app for ServiceNow offers real-time protection event data such as scan and detection reports via Webhooks. This guide describes:
- Security Incidents created automatically when Malwarebytes detects threats.
- How to manually create Security Incidents.
- How to initiate a scan through an existing Security Incident.
- How to configure Security Incidents to show historical scan and detection information.
- How to find logs and troubleshoot the ServiceNow integration with the Malwarebytes app.
To install and configure the Malwarebytes app for your ServiceNow instance, refer to Install and configure Malwarebytes app for ServiceNow.
View Security Incidents created from Malwarebytes scans
When Malwarebytes detects a threat during a scheduled scan, information is sent to ServiceNow to create a Security Incident. The ServiceNow administrator can check the Security Incident to see the scan results and investigate the findings.
Security Incidents generate only for ransomware. Other kinds of threats can be viewed in the ServiceNow Logs.
When Malwarebytes detects ransomware, the Malwarebytes Cloud Console sends scan results to ServiceNow via Webhook. ServiceNow automatically creates a Security Incident in response.
To investigate the Security Incident
When a Security Incident is created, the ServiceNow administrator receives an email notification containing the incident number. Use this unique identifier to investigate the Security Incident in ServiceNow.
- In the Filter navigator search box, enter "security incident".
- Click Security Incidents - Show All.
- In the Number search box, enter the incident number to find the ticket. This is useful if you have many Security Incidents to sift through.
- A description of the detection is viewable under the Short description column.
- Click the Security Incident Number to view further details of the detection.
ServiceNow unregistered endpoint
In the Security Incidents table, if an endpoint is not registered in ServiceNow and ransomware is found on that endpoint, the Configuration item column shows as (empty) for the endpoint. You can find the endpoint name in the Short Description column.
Manually create a Security Incident in ServiceNow
To manually create a Security Incident, the ServiceNow administrator must first register the endpoint name in the Configuration Items table. Once the endpoint from your Malwarebytes Cloud Console is added to your ServiceNow instance, you can create a Security Incident to initiate scans on that endpoint.
As the ServiceNow administrator:
- In the Filter navigator search box, enter "cmdb_ci.list".
- Click New to create a new record.
- In the new record form, enter the following information:
  - In the Name field, enter the desired endpoint name. This must match the endpoint name from your Malwarebytes Cloud Console.
  - In the Assigned to field, enter the name of the person using the endpoint.
- Click Submit.
- To create a Security Incident associated with the registered user:
  - In the new record, enter the following information:
    - In the Requested by field, enter the user name of the endpoint.
    - In the Configuration item field, enter the endpoint name that you registered in step 2 of this process.
    - In the Short description field, enter a description to identify the Security Incident.
  - Click Submit in the upper-right corner to save your draft.
- Go back to Security Incidents - Show all Incidents to see the newly created incident. You can view the incident Number and Short description.
- Click the incident number of the Security Incident to view the endpoint and Configuration items associated with it.
Initiate a Malwarebytes scan through an existing Security Incident
ServiceNow administrators can open a Security Incident and perform a Malwarebytes scan on the endpoint associated with it.
- Open a Security Incident created by either Malwarebytes or an End-User. Find the Configuration items tab at the bottom.
- Check the box for the Configuration item, then open the Action on selected rows... drop-down menu and click Run Malwarebytes Scan.
- In the Malwarebytes Scan menu, select the scan type you wish to perform from the Scan Options drop-down menu, then click Start Scan to initiate the action.
- Find the initiated scan job in Malwarebytes Scan Tasks. Here you can view the Scan Status from the table view.
- Once the scan completes, view the scan results in the Malwarebytes Scan Reports table. Here you see the Task number, Computer Name, and Vendor Reference to learn more about threats detected on the endpoint.
Configure the Security Incident form
You can configure your Security Incidents to show historical scan tasks and reports pulled from Malwarebytes. Once configured, you can easily view a scan's live status and detected threats on an associated endpoint directly in the Security Incident. Follow the steps to add Malwarebytes Scan Tasks and Scan Reports to your Security Incidents.
- Open an existing Security Incident. In the Security Incident form:
- Click Edit this view in Security Incident.
- From the Available list, move Malwarebytes Scan Task->Task and Malwarebytes Scan Report->Task to the Selected list. Click Save.
- Return to the Security Incident you just configured, scroll down and click Show All Related Lists.
- The Malwarebytes Scan Tasks and Malwarebytes Scan Reports feeds are now shown. These feeds show historical scan events and detection reports associated with the endpoint.
Now all of your Malwarebytes Security Incidents show these two feeds for your viewing.
ServiceNow Logs and troubleshooting Malwarebytes app integration
The communication between ServiceNow and the Malwarebytes Cloud Console may be interrupted if your settings are not properly configured or your Malwarebytes credentials are incorrect. There is no pop-up notification or display to let you know that the Webhooks are not working properly. You may simply notice that data is not feeding into your ServiceNow instance as expected. See the resolutions below.
Resolve inactive settings
In ServiceNow, make sure to set the Active column to True for all of the following Malwarebytes components:
- Malwarebytes under Business Rules.
- Malwarebytes under Scheduled Jobs.
- Malwarebytes under Scripted REST APIs.
Resolve invalid Malwarebytes credentials
Follow the steps to make sure your Malwarebytes credentials are entered correctly:
- In the Filter navigator search box, enter "syslog.list" to view the Log table.
- Under the Message column, look for the error message "Please Enter the correct Credentials" and the HTTP error code "Malwarebytes GetAuthToken HTTP Error Code:401". These indicate that your credentials or authorization token are entered incorrectly.
- If you find these error messages, enter the correct credentials in the Malwarebytes app configuration page and click Submit. Refer to Install and configure Malwarebytes app for ServiceNow for more information.
Identify and resolve invalid ServiceNow Security Admin credentials
If your ServiceNow Security Admin credentials are entered incorrectly, the Scripted REST API cannot deliver Malwarebytes data to the ServiceNow instance. To confirm your ServiceNow instance correctly receives endpoint information, try the following:
- On one of your endpoints, visit iptest.malwarebytes.org, which should produce a log event.
- In ServiceNow under Log, you should see "web" and "The Webhook Payload Received" messages under the Message column. If you do not see these logs, your Security Admin credentials are entered incorrectly.
- Enter the correct credentials in the Malwarebytes app configuration page and make sure the Subscribe Webhook box is checked. Click Submit. Refer to Install and configure Malwarebytes app for ServiceNow for more information.
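Because there is no in-product alert when the Webhook feed breaks, the checks in the two troubleshooting sections above can be automated. The following is an added example, not code from the Malwarebytes app or ServiceNow: it reads recent rows from the syslog table through the ServiceNow Table API (the instance name and the credentials are assumptions) and classifies them using the exact log messages this guide tells you to look for. The sample rows are constructed.

```python
"""Health check for the Malwarebytes -> ServiceNow Webhook feed (added example)."""
import base64
import json
import urllib.request

# Log messages named in the troubleshooting sections of this guide.
AUTH_ERROR = "Malwarebytes GetAuthToken HTTP Error Code:401"
CRED_ERROR = "Please Enter the correct Credentials"
WEBHOOK_OK = "The Webhook Payload Received"


def fetch_syslog(instance, user, password, limit=200):
    """Pull the newest syslog rows via the Table API (instance/credentials are assumed)."""
    url = (f"https://{instance}.service-now.com/api/now/table/syslog"
           f"?sysparm_query=ORDERBYDESCsys_created_on&sysparm_limit={limit}"
           "&sysparm_fields=sys_created_on,level,message")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]


def triage(records):
    """Classify syslog rows into the failure modes this guide describes."""
    report = {"auth_errors": 0, "webhooks_received": 0, "last_webhook": None}
    for row in records:
        msg = row.get("message", "")
        if AUTH_ERROR in msg or CRED_ERROR in msg:
            report["auth_errors"] += 1          # invalid Malwarebytes credentials
        elif WEBHOOK_OK in msg:
            report["webhooks_received"] += 1    # Scripted REST API is receiving data
            ts = row.get("sys_created_on", "")  # ServiceNow format sorts as a string
            if report["last_webhook"] is None or ts > report["last_webhook"]:
                report["last_webhook"] = ts
    if report["auth_errors"]:
        report["verdict"] = "fix Malwarebytes credentials in the app configuration"
    elif report["webhooks_received"] == 0:
        report["verdict"] = "no webhook payloads: check Security Admin credentials and Subscribe Webhook"
    else:
        report["verdict"] = "webhook feed healthy"
    return report


# Constructed sample rows in Table API shape (not real log data).
SAMPLE_BAD_CREDS = [
    {"sys_created_on": "2024-01-10 09:00:01", "level": "Error", "message": AUTH_ERROR},
    {"sys_created_on": "2024-01-10 09:00:01", "level": "Error", "message": CRED_ERROR},
]
SAMPLE_HEALTHY = [
    {"sys_created_on": "2024-01-10 10:15:42", "level": "Information", "message": WEBHOOK_OK},
    {"sys_created_on": "2024-01-10 10:20:03", "level": "Information", "message": WEBHOOK_OK},
]
```

To run it against a live instance, replace the samples with `fetch_syslog(...)`; an empty result after browsing to iptest.malwarebytes.org from an endpoint points at the Security Admin credentials or the Subscribe Webhook setting, as described above.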