Malwarebytes Integration for Incident Response integrates Malwarebytes Breach Remediation (MBBR) with a ServiceNow cloud instance so that administrators can manage scans on endpoints, remove threats, and generate reports. This article describes the requirements and configuration for the integration.
ServiceNow requires the following to integrate with Malwarebytes Breach Remediation:
- You must have an active ServiceNow Support Portal account.
- You must have purchased a subscription and installed the Security Incident Response plugin. Refer to the Activate Security Incident Response document for more information.
- You must have access to the ServiceNow appliance.
- Your environment must be configured to use either Windows Remote Management (WinRM) or Windows Management Instrumentation (WMI).
  - For configuring WMI, refer to Allow WMI through Windows Firewall for Endpoint Security.
  - For configuring WinRM, refer to the 4sysops support article, Enable PowerShell remoting.
- Set up a MID Server on your Windows server. For instructions, refer to the following ServiceNow resources:
Malwarebytes Breach Remediation requires the following to integrate with ServiceNow:
- You must have an active Malwarebytes cloud platform subscription.
- Have your subscription license key available.
- If using a Syslog Server, have your Syslog Server IP and Syslog Server Port available.
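A pre-flight check for the prerequisites above, as an added example that is not part of the Malwarebytes package or the ServiceNow documentation: run on the Windows server that hosts the MID Server, it reports whether each endpoint answers over WinRM or WMI (DCOM) and sanity-checks the Syslog Server IP and port before they are entered during installation. The function names, hostname, IP address, and port are constructed placeholders.

```powershell
# Added example (not from the Malwarebytes package). Run on the MID Server host.
# Function names and all sample values are constructed placeholders.

function Test-SyslogTarget {
    param([string]$Ip, [int]$Port)
    $parsed = $null
    # TryParse accepts shorthand such as "10"; require the canonical form to round-trip.
    $ipOk = [System.Net.IPAddress]::TryParse($Ip, [ref]$parsed) -and ($parsed.ToString() -eq $Ip)
    $portOk = ($Port -ge 1) -and ($Port -le 65535)
    return ($ipOk -and $portOk)
}

function Test-EndpointManagement {
    param([string]$ComputerName)
    $result = [ordered]@{ Endpoint = $ComputerName; WinRM = $false; WMI = $false }

    # Test-WSMan sends an unauthenticated identify request: it shows the WinRM
    # listener answers, not that any particular account is authorized.
    try {
        Test-WSMan -ComputerName $ComputerName -ErrorAction Stop | Out-Null
        $result.WinRM = $true
    } catch { }

    # Force DCOM so this exercises classic WMI rather than WS-Management.
    # The query runs as the current user.
    $session = $null
    try {
        $dcom = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $ComputerName -SessionOption $dcom -ErrorAction Stop
        Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop | Out-Null
        $result.WMI = $true
    } catch { }
    finally { if ($session) { Remove-CimSession -CimSession $session } }

    New-Object -TypeName psobject -Property $result
}

$endpoints  = @('ENDPOINT-01.example.test')   # constructed sample hostname
$syslogIp   = '192.0.2.10'                    # constructed sample address
$syslogPort = 514                             # constructed sample port

if (-not (Test-SyslogTarget -Ip $syslogIp -Port $syslogPort)) {
    Write-Warning "Syslog target ${syslogIp}:${syslogPort} is not a valid IP address and port."
}
foreach ($endpoint in $endpoints) {
    $status = Test-EndpointManagement -ComputerName $endpoint
    if (-not ($status.WinRM -or $status.WMI)) {
        Write-Warning "$endpoint answers on neither WinRM nor WMI; fix this before installing."
    }
    $status
}
```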
Install Malwarebytes Integration for Incident Response
Before you begin the installation process, verify the Security Incident Response plugin is installed and active on your ServiceNow instance.
- Open the ServiceNow Store and click the Get button.
- Enter your HI credentials.
- After installation completes, confirm Malwarebytes is installed:
  - Log in to ServiceNow.
  - In the search box, enter "system app".
  - Click on System Applications - Applications.
  - Click on Downloads.
  - Confirm Malwarebytes Integration for Incident Response appears on the Downloads page.
ServiceNow - Malwarebytes Breach Remediation installation
- Unzip the SN_MBBR_ALL.zip package. This contains two folders: SN_MBBR and SN_MBBR(syslog).
- The SN_MBBR folder is intended for customers using a non-syslog environment, and the SN_MBBR(syslog) folder is intended for customers using a Syslog Server.
- If using a non-syslog environment:
- If using a Syslog Server:
  - Open the SN_MBBR(syslog) folder.
  - Open Install_License.ps1 with Windows PowerShell.
  - Enter your Malwarebytes Cloud license key and press Enter.
  - Enter your Syslog Server IP and press Enter.
  - Enter your Syslog Server port and press Enter. This propagates the license key, Syslog Server IP, and Syslog Server port to the other batch files.
- Create a new folder named mbbr on the Local Disk (C:\) of the Windows server. Depending on your environment, copy the contents of either SN_MBBR or SN_MBBR(syslog) to the new mbbr folder.
Store MID Server credentials
As part of initial setup, you must store the credentials for your MID Server. To do this:
- Log in to ServiceNow.
- In the Filter navigator search box, enter "credentials store".
- In the left-side menu pane, go to the Malwarebytes Breach Remediation - Credentials Stores table.
- Click on New.
- In the New record, enter the following details:
- Click Submit.
The table refreshes to show the stored MID Server credentials.
To learn how to initiate and verify scans, check reports, and update Business Rules and Scheduled Jobs, see the Malwarebytes Integration for Incident Response user guide.