Malwarebytes app for ServiceNow user guide

Document created by jgolomb (Employee) on Jun 1, 2019. Last modified by jgolomb (Employee) on Oct 16, 2019.
Version 6

The Malwarebytes app for ServiceNow delivers data via Webhooks for real-time protection events, such as scan and detection reports. This guide describes:

  • Security Incidents created automatically when Malwarebytes detects threats.
  • How to manually create Security Incidents.
  • How to initiate a scan through an existing Security Incident.
  • How to initiate Suspicious Activity actions.
  • How to configure Security Incidents to show historical scan and detection information.
  • How to find logs and troubleshoot the ServiceNow integration with the Malwarebytes app.

 

To install and configure the Malwarebytes app for your ServiceNow instance, refer to Install and configure Malwarebytes app for ServiceNow.

 

View Security Incidents created from Malwarebytes scans

When Malwarebytes detects a threat during a scheduled scan, information is sent to ServiceNow to create a Security Incident. The ServiceNow administrator can check the Security Incident to see the scan results and investigate the findings.

 

Security Incidents are generated only for ransomware detections. Other kinds of threats can be viewed in the ServiceNow Logs.

 

When Malwarebytes detects ransomware, the Malwarebytes Cloud Console sends scan results to ServiceNow via Webhook. ServiceNow automatically creates a Security Incident in response.

  1. In ServiceNow, go to Malwarebytes - Ransoms.

  2. View the Threat Name column to identify the detection.
    Image of Malwarebytes Ransoms table in ServiceNow.

To investigate the Security Incident

When a Security Incident is created, the ServiceNow administrator receives an email notification containing an incident number. Use this unique identifier to investigate the Security Incident in ServiceNow.

  1. In the Filter navigator search box, enter "security incident".

  2. Click Security Incidents - Show All.

  3. In the Number search box, enter the incident number to find the ticket. This is useful if you have many Security Incidents to manage.

  4. A description of the detection is viewable under the Short description column.
    Image of Security Incidents screen in the ServiceNow console.

  5. Click the Security Incident Number to view further details of the detection.
    Image of Incident Details for a Security Incident in ServiceNow.

 

ServiceNow unregistered endpoint

In the Security Incidents table, if an endpoint is not registered in ServiceNow and ransomware is found on that endpoint, the Configuration item column shows as (empty) for the endpoint. You can find the endpoint name in the Short Description column.

Image of empty Configuration item detail in a ServiceNow Security Incident.

 

Manually create a Security Incident in ServiceNow

To manually create a Security Incident, the ServiceNow administrator first needs to register the endpoint name in the Configuration Items table. Once the endpoint from your Malwarebytes Cloud Console is added to your ServiceNow instance, you can create a Security Incident to initiate scans on that endpoint.

As the ServiceNow administrator:

  1. In the Filter navigator search box, enter "cmdb_ci.list".

  2. Click New to create a new record.
    Image of Configuration items table in ServiceNow.

  3. In the new record menu, enter the following information:
    1. In the Name field, enter the endpoint name. This must match the endpoint name from your Malwarebytes Cloud Console.
    2. In the Assigned to field, enter the name of the person using the endpoint.
    3. Click Submit.
    Image of Configuration item menu in ServiceNow.

  4. To create a Security Incident associated with the registered user:
    1. Go to Security Incidents - Show all Incidents.
    2. Click New.
      Image of Show All Incident page in ServiceNow.

  5. In the new record, enter the following information:
    1. In the Requested by field, enter the user name of the endpoint.
    2. In the Configuration item field, enter the endpoint name that you registered in the new record menu above.
    3. In the Short description field, enter a description to identify the Security Incident.
    4. Click Submit in the upper-right corner to save your draft.
      Image of Security Incident New Record in ServiceNow.

  6. Go back to Security Incidents - Show all Incidents to see the newly created incident. You can view the incident Number and Short description.
    Image of Security Incident in ServiceNow.

  7. Click the incident number of the Security Incident to view the endpoint and Configuration items associated with it.
    Image of Security Incident ticket view in ServiceNow.


Initiate a Malwarebytes scan through an existing Security Incident

ServiceNow administrators can open a Security Incident and perform a Malwarebytes scan on the endpoint associated with it.

  1. Open a Security Incident created by either Malwarebytes or an end user. Find the Configuration items tab at the bottom.
    Image of Security Incident in ServiceNow.

  2. Check the box for the Configuration item, then open the Action on selected rows... drop-down menu and click Run Malwarebytes Scan.

  3. In the Malwarebytes Scan menu, select the scan type you wish to perform from the Scan Options drop-down menu, then click Start Scan to initiate the action.
    1. The possible Scan Options are Scan Only, Scan and Quarantine, Isolate Endpoint, Process Isolation, Network Isolation, Desktop Isolation, and Deisolate Endpoint.
      Image of Malwarebytes Scan menu in ServiceNow.

  4. In Malwarebytes Scan Tasks, find the initiated scan job. Here you can view the Scan Status from the table view.
    Image of Malwarebytes Scan Tasks table in ServiceNow.

  5. Once the scan completes, view the scan results in the Malwarebytes Scan Reports table. Here you see the Task number, Computer Name, and Vendor Reference to learn more about threats detected on the endpoint.
    Image of Malwarebytes Scan Reports table in ServiceNow.

 

Configure the Security Incident form

You can configure your Security Incidents to show historical scan tasks and reports pulled from Malwarebytes. Once configured, the Security Incident displays live status of scans and detected threats on an endpoint. Follow the steps to add Malwarebytes Scan Tasks and Scan Reports to your Security Incidents.

 

  1. Open an existing Security Incident. In the Security Incident form:
    1. Click the menu icon.
    2. Highlight Configure in the context menu.
    3. Click Related Lists.
      Image of Related Lists in the context menu of Security Incidents in ServiceNow.

  2. Click Edit this view in Security Incident.
    Image of Configuration related lists on Security Incident form in ServiceNow.

  3. From the Available list, move Malwarebytes Scan Task->Task and Malwarebytes Scan Report->Task to the Selected list. Click Save.
    Image of Configured related lists on Security Incident form in ServiceNow.

  4. Return to the Security incident you just configured, scroll down and click Show All Related Lists.
    Image of Security Incident in ServiceNow.

  5. The Malwarebytes Scan Tasks and Malwarebytes Scan Reports feeds are now visible in the Security Incident. These feeds show historical scan events and detection reports associated with the endpoint. 
    Image of Malwarebytes Scan Tasks and Malwarebytes Scan Reports in a configured Security Incident of ServiceNow.

 

All of your Malwarebytes Security Incidents now show these two feeds.

 

Initiate Suspicious Activity Actions

The Malwarebytes - Suspicious Activities table displays all suspicious activity found on your endpoints and its severity level: Low, Medium, or High. The administrator can select endpoints to take action on. The following actions are available:

  • Open - Treats the process as suspicious; it will continue to trigger additional detections.
  • Remediate - Treats the process as malicious and remediates the threat on the endpoint.
  • Close - Closes the suspicious activity incident with no further action. Most likely used in the case of a false positive.

 

To view Suspicious Activity and initiate actions:

  1. In ServiceNow, use the Filter navigator Search bar to find the Malwarebytes - Suspicious Activity table.

  2. This table shows all suspicious activity found on your endpoints. Check the box next to any detections you want to perform actions on.
    Image of The Malwarebytes Suspicious Activity table in ServiceNow.

  3. Click Actions of selected rows... and select Malwarebytes Suspicious Activity Action from the drop-down menu.
    Image of Malwarebytes Suspicious Activity table in ServiceNow.

  4. In the Malwarebytes Suspicious Activity Action window, select the type of action from the Action Options drop-down menu, then click Start Action to initiate it.
    Image of Malwarebytes Suspicious Activity Action window in ServiceNow.

 

Once the action completes, you can view the action status under the Action Status column. The Action Status column always shows the last initiated action.

Image of the Action Status column on the Malwarebytes Suspicious Activities table in ServiceNow.

 

ServiceNow Logs and troubleshooting Malwarebytes app integration

The communication between ServiceNow and the Malwarebytes Cloud Console may be interrupted if your settings are not properly configured or your Malwarebytes credentials are incorrect. There is no pop-up notification or display to tell you that the Webhooks are not working properly. You may simply notice that data is not feeding into your ServiceNow instance as expected. See the resolutions below.

 

Resolve inactive settings

In ServiceNow, make sure to set the Active column to True for all of the following Malwarebytes components:

  • Malwarebytes under Business Rules.
  • Malwarebytes under Scheduled Jobs.
  • Malwarebytes under Scripted REST APIs.

 

Resolve invalid Malwarebytes credentials

Follow the steps to make sure your Malwarebytes credentials are entered correctly:

  1. In the Filter navigator search box, enter "syslog.list" to view the Log table.

  2. Under the Message column, look for the error message "Please Enter the correct Credentials" and the HTTP error code "Malwarebytes GetAuthToken HTTP Error Code:401". These indicate that your credentials or authorization token are entered incorrectly.

  3. If you find these error messages, enter the correct credentials in the Malwarebytes app configuration page and click Submit. Refer to Install and configure Malwarebytes app for ServiceNow for more information.

 

Identify and resolve invalid ServiceNow Security Admin credentials

If your ServiceNow Security Admin credentials are entered incorrectly, the Scripted REST API cannot deliver Malwarebytes data to the ServiceNow instance. To confirm your ServiceNow instance correctly receives endpoint information, try the following:

  1. On one of your endpoints, visit iptest.malwarebytes.org, which should produce a log event.

  2. In ServiceNow under Log, you should see "web" and "The Webhook Payload Received" messages under the Message column. If you do not see these logs, your Security Admin credentials are entered incorrectly.

  3. Enter the correct credentials in the Malwarebytes app configuration page and make sure the Subscribe Webhook box is checked. Click Submit. Refer to Install and configure Malwarebytes app for ServiceNow for more information.
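Added example, not part of this guide or of the Malwarebytes app: a small JavaScript check that classifies the state of the integration from rows of the ServiceNow Log table, using the three message strings that the two credential procedures above tell you to look for. The row shape ({created, message}), the sample rows and the optional `since` timestamp filter are assumptions made for this example.

```javascript
// Added example (not from the Malwarebytes guide or app): classify the health of the
// Malwarebytes <-> ServiceNow integration from rows of the ServiceNow Log table
// (syslog.list). Row shape {created, message} is an assumption for this example.

// Message strings the guide says to look for in the Log table's Message column.
const MB_CREDENTIAL_ERRORS = [
  'Please Enter the correct Credentials',
  'Malwarebytes GetAuthToken HTTP Error Code:401',
];
const WEBHOOK_PAYLOAD_MESSAGE = 'The Webhook Payload Received';

// `since` is an optional 'YYYY-MM-DD HH:MM:SS' timestamp (the time you visited
// iptest.malwarebytes.org); only rows created at or after it are considered.
// Timestamps in this fixed-width format compare correctly as plain strings.
function diagnoseIntegration(rows, since) {
  const recent = since ? rows.filter(r => r.created >= since) : rows;
  const credentialErrors = recent.filter(r =>
    MB_CREDENTIAL_ERRORS.some(needle => r.message.includes(needle)));
  const webhookRows = recent.filter(r =>
    r.message === 'web' || r.message.includes(WEBHOOK_PAYLOAD_MESSAGE));

  let status;
  if (credentialErrors.length > 0) {
    // Guide: re-enter the Malwarebytes credentials on the app configuration page.
    status = 'invalid_malwarebytes_credentials';
  } else if (webhookRows.length === 0) {
    // Guide: no webhook rows after the test visit means the Scripted REST API is
    // not delivering data; check Security Admin credentials and Subscribe Webhook.
    status = 'webhook_not_received';
  } else {
    status = 'healthy';
  }
  return { status, credentialErrors: credentialErrors.length, webhookRows: webhookRows.length };
}

// Constructed sample rows for each state (not real log output).
const SAMPLE_BAD_MB_CREDS = [
  { created: '2019-10-16 09:00:01', message: 'Malwarebytes GetAuthToken HTTP Error Code:401' },
  { created: '2019-10-16 09:00:01', message: 'Please Enter the correct Credentials' },
];
const SAMPLE_NO_WEBHOOK = [
  { created: '2019-10-16 09:05:00', message: 'Malwarebytes scheduled job started (constructed)' },
];
const SAMPLE_HEALTHY = [
  { created: '2019-10-16 09:10:00', message: 'web' },
  { created: '2019-10-16 09:10:00', message: 'The Webhook Payload Received' },
];

console.log(diagnoseIntegration(SAMPLE_HEALTHY, '2019-10-16 09:00:00'));
```

In an instance script the rows array would be filled from a GlideRecord on the log table rather than from the constructed samples.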

 

View the status of initiated Suspicious Activity actions

Administrators can view the status of initiated Suspicious Activity actions, which may include actions with the Failed status. To view the action status, use the Filter navigator bar to search for the Malwarebytes - SA Actions Queues table. In the following example image, you will see several Failed statuses.

Image of the Malwarebytes SA Action Queues table in ServiceNow.

 

A Failed status displays when the administrator tries to remediate a suspicious activity which has already been remediated.
