Malwarebytes Integration for Incident Response user guide

Document created by jgolomb (Employee) on Jul 25, 2019. Last modified by jgolomb (Employee) on Oct 1, 2019.
Version 10

Malwarebytes Integration for Incident Response integrates Malwarebytes Breach Remediation with ServiceNow to enable ServiceNow administrators to push scans out to endpoints, remediate threats, and produce reports. This user guide describes how to:

  • Verify your Malwarebytes MID Server is online
  • Initiate scans
  • Confirm scan initiated
  • View scan reports
  • Schedule scans and reports


To install and configure Malwarebytes Integration for Incident Response with your ServiceNow instance, refer to Install and configure Malwarebytes Integration for Incident Response.


Verify Malwarebytes MID Server is online

Before initiating threat scans or updating any scheduled scans and reports, make sure your MID Server is online. The MID Server relays all data between ServiceNow and Malwarebytes Breach Remediation, so nothing below works until it reports as up. To check the status:

  1. Log into your ServiceNow instance.

  2. In the Filter navigator search box, enter "mid server".

  3. In the left-side menu pane, go to MID Server > Servers.
    Image of Servers menu in the left side menu pane in ServiceNow.

  4. Under the Status column, you should see Up to verify your MID Server is online.
    Image of Malwarebytes MID Server status in ServiceNow.

Initiate scan and threat quarantine on an endpoint

  1. In the Filter navigator search box, enter "Security Incident".

  2. On the Security Incidents table, select an incident Number that contains a Configuration item.
    Image of the Security Incidents table in ServiceNow.

  3. In the security incident form, scroll down to the Configuration Items section.
    Image of security incident form in ServiceNow.

  4. To run a scan on an endpoint, check the box in the row of the configuration item, then click the Action on selected Rows drop-down menu > Run Malwarebytes MBBR Scan.
    Image of Configuration Items section of a security incident form in ServiceNow.

  5. In the Malwarebytes MBBR Scan window, enter the following details:
    1. For Scan Options, select either Scan Only or Scan and Quarantine from the drop-down menu.
    2. For Communication Mode, select either Windows Management Instrumentation (WMI) or Windows Remote Management (WinRM) from the drop-down menu. The MID Server must be able to reach the endpoint over the mode you choose.
    3. In the MID Server Name field, enter the name of your MID Server.
      Image of Malwarebytes MBBR Scan window in ServiceNow.

  6. Click Start Scan.

  7. Next, confirm that the target endpoint received the scan. In the Filter navigator search box, enter "malwarebytes".

  8. In the left-side menu pane, go to the Malwarebytes Breach Remediation - Scan Queues table.

  9. On the Scan Queues table, the new endpoint is added to the queue with the security incident number listed under the Task column. Refresh the table to see the Queue Status change and confirm your MID Server received the scan task.
    Image of the Malwarebytes Breach Remediation Scan Queues table in ServiceNow.

  10. After you refresh the page, the Queue Status lists the task as Received, which confirms that the MID Server agent has picked up the scan. At this point, the Malwarebytes Breach Remediation folders have been transferred to the endpoint.
    Image of Malwarebytes Breach Remediation Scan Queues table in ServiceNow.


Confirm scan initiated

  1. In the Filter navigator search box, enter "ECC Queue".

  2. In the ECC Queue table, filter the Topic column by "Command" to show the responses from the MID Server.
    Image of Queues table in ServiceNow.

  3. Under the Queue column, look for the row whose value is "input" (input records are messages sent from the MID Server back to the instance). Click the timestamp of this row to view the scan status.
    Image of Queues table in ServiceNow.

  4. Check the Payload field for the message confirming that the scan was initiated successfully.
    Image of a Command in the Queue of ServiceNow.

  5. Once the scan completes, access the endpoint and go to mbbr_remediation > logs. View the ScanProgress file to confirm that the scan is complete.
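Before selecting a Communication Mode in the scan window, and again when checking the ScanProgress file in the last step above, it helps to confirm from the MID Server host that the endpoint actually answers over WMI or WinRM, since a scan task that is Received by the MID Server can still fail silently if the endpoint is unreachable. The following PowerShell script is an added example; it is not part of this guide or of Malwarebytes' or ServiceNow's own tooling. It assumes (labelled in the comments) that the Malwarebytes Breach Remediation folder lands at C:\mbbr_remediation on the endpoint, that the progress file name begins with ScanProgress, and that for the WMI path the endpoint's administrative share is reachable from the MID Server host.

```powershell
# Added example, not part of the Malwarebytes Integration guide. Run on the MID Server host
# to verify that an endpoint is reachable over the chosen Communication Mode (WMI or WinRM)
# and, if so, read its newest Malwarebytes Breach Remediation ScanProgress log.
# Assumptions: the MBBR folder was transferred to C:\mbbr_remediation on the endpoint and
# the progress file matches ScanProgress*; adjust $LogDir to match your deployment.

param(
    [Parameter(Mandatory)] [string] $Endpoint,                    # IP or hostname of the target endpoint
    [ValidateSet('WMI', 'WinRM')] [string] $Mode = 'WinRM',       # same choice as the scan window's Communication Mode
    [string] $LogDir = 'C:\mbbr_remediation\logs'                 # assumed location of the MBBR logs folder
)

function Test-EndpointMode {
    param([string] $Computer, [string] $Mode)
    if ($Mode -eq 'WinRM') {
        # Test-WSMan succeeds only when the endpoint's WinRM listener answers.
        try { $null = Test-WSMan -ComputerName $Computer -ErrorAction Stop; return $true }
        catch { Write-Warning "WinRM not reachable on ${Computer}: $($_.Exception.Message)"; return $false }
    }
    # WMI mode: force the DCOM protocol, because Get-CimInstance defaults to WS-Man.
    try {
        $opt = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $Computer -SessionOption $opt -ErrorAction Stop
        $null = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
        Remove-CimSession -CimSession $session
        return $true
    }
    catch { Write-Warning "WMI (DCOM) not reachable on ${Computer}: $($_.Exception.Message)"; return $false }
}

function Get-ScanProgressLog {
    param([string] $Computer, [string] $Mode, [string] $LogDir)
    if ($Mode -eq 'WinRM') {
        # Read the newest ScanProgress file inside a WinRM session; nothing is written to the endpoint.
        return Invoke-Command -ComputerName $Computer -ArgumentList $LogDir -ScriptBlock {
            param($Dir)
            $f = Get-ChildItem -Path $Dir -Filter 'ScanProgress*' -ErrorAction SilentlyContinue |
                 Sort-Object LastWriteTime -Descending | Select-Object -First 1
            if ($f) { Get-Content -Path $f.FullName -Raw } else { $null }
        }
    }
    # WMI mode: the guide retrieves logs through the endpoint's network share path, so the
    # administrative share form of $LogDir (e.g. \\host\C$\mbbr_remediation\logs) is assumed here.
    $share = "\\$Computer\" + ($LogDir -replace ':', '$$')
    $f = Get-ChildItem -Path $share -Filter 'ScanProgress*' -ErrorAction SilentlyContinue |
         Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($f) { Get-Content -Path $f.FullName -Raw } else { $null }
}

if (-not (Test-EndpointMode -Computer $Endpoint -Mode $Mode)) {
    Write-Host "Endpoint $Endpoint is not reachable over $Mode; pick the other Communication Mode or fix connectivity first."
    exit 1
}
$log = Get-ScanProgressLog -Computer $Endpoint -Mode $Mode -LogDir $LogDir
if ($null -eq $log) {
    Write-Host "No ScanProgress file found under $LogDir on $Endpoint (the scan may not have started yet)."
    exit 2
}
Write-Host $log
```

Run it from the MID Server host with the same mode you intend to select, for example `.\Check-MbbrEndpoint.ps1 -Endpoint 10.0.0.25 -Mode WinRM` (the script name and address are placeholders). A non-zero exit code tells you which side to fix: 1 means the endpoint does not answer over that mode, 2 means it answers but the log folder holds no progress file yet.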


View scan progress and reports

How you view scan reports depends on whether you use a Syslog server.

  • Syslog users receive all the logs in their Syslog environment.
  • Administrators without a Syslog server environment must follow these steps in the ServiceNow instance:


Retrieve scan results from an endpoint into ServiceNow

  1. In the Filter navigator search box, enter "malwarebytes" and go to the Malwarebytes Breach Remediation - Reports Queues table.

  2. Click on New.

  3. In the New record, enter the following details:
    1. In the MID Server Log Path field, enter the PowerShell log location.
    2. In the Endpoint Log Path, enter the network share path of the target endpoint where the log file is located.
    3. In the MID Server Name field, enter the name of the MID Server that serves the target endpoint.
    4. In the IP/Domain field, enter the IP of the target endpoint.
      Image of a New record for the Malwarebytes Breach Remediation - Report Queue table in ServiceNow.
    5. Click Submit.

  4. In the Filter navigator search box, enter "ECC Queue" and go to the Queues table.

  5. In the Topic column, enter "Command" to filter for the new record.

  6. Under the Created column, click the timestamp of your new record to view the scan progress report.

  7. In the record, look to the Payload field for the log data.
    Image of a Command in the Queues table of ServiceNow.


View retrieved scan results in ServiceNow

To find scan results records:

  1. In the Filter navigator search box, enter "scan results" and go to the Malwarebytes Breach Remediation - Scan Results table.

  2. This table lists all Malwarebytes Breach Remediation scan results. The Threat Name column shows the type of threat detected, and the Endpoint/User column shows the device on which it was found.
    Image of the Malwarebytes Breach Remediation Scan Results table in ServiceNow.


Schedule scans and reports

Use the following steps to schedule scan or report actions for Malwarebytes Breach Remediation in the ServiceNow console. You can set these actions to run at set times and intervals, and edit existing scheduled actions as needed.

  1. In the Filter navigator search box, enter "scheduled jobs" and go to System Definition > Scheduled Jobs table.

  2. In the Scheduled Jobs table Search box, search for "MBBR" to filter for MBBR Scheduled Scans and MBBR Scheduled Reports.
    Image of Scheduled Jobs table in ServiceNow.

  3. Select MBBR Scheduled Scans and set or confirm the following:
    1. Check the Active box.
    2. For the Run field, select the scan interval of your choice.
    3. In the Time fields, select the hour, minute, and second of the day to run the scheduled scan.
      Image of Scheduled Script Execution screen in ServiceNow.
    4. Click Update.

  4. Select MBBR Scheduled Reports and set or confirm the following:
    1. Check the Active box.
    2. For the Run field, select the report interval of your choice.
    3. In the Time fields, select the hour, minute, and second of the day to run the scheduled report.
      Image of Scheduled Script Execution screen in ServiceNow.
    4. Click Update.
