Malwarebytes Cloud Remediation app for Splunk – Malwarebytes Support

The Malwarebytes Cloud Remediation app integrates Splunk with Malwarebytes Cloud.

Requirements

To run the Malwarebytes Cloud Remediation app, you need:

An active Splunk instance.
User login credentials for Splunk.
An active Malwarebytes Nebula platform subscription.
Malwarebytes Nebula platform login credentials.
Technical Add-on for Malwarebytes installed. Refer to Install the Technical Add-on for Malwarebytes for Splunk for more information.

Download and install Malwarebytes Cloud Remediation app

To download the Malwarebytes Cloud Remediation app:

Go to the Malwarebytes Cloud Remediation page in Splunkbase.
Click on LOGIN TO DOWNLOAD. If already logged into Splunkbase, click on DOWNLOAD.
Enter your Splunk user credentials.

Install the Malwarebytes Cloud Remediation app

The location where you install the Malwarebytes Cloud Remediation app depends on how you have set up your Splunk environment. Splunk is set up as either a single instance or distributed environment.

Splunk Enterprise Single Instance Environments

Install the Malwarebytes Cloud Remediation app in the same location where the Splunk components, Search Tier, Indexer Tier, and Forwarder Tier are located. For instructions on installing add-on in a single instance environments, refer to Splunk's support article Install an add-on in a single-instance Splunk Enterprise deployment.

Splunk Enterprise Distributed Environments

Install the Malwarebytes Cloud Remediation app where your Search Tier is located. For instructions on installing an add-on in a distributed Splunk Enterprise environment, refer to Splunk's support article Install an add-on in a distributed Splunk Enterprise deployment.

Configure Malwarebytes Cloud Remediation app

Once installed, configure the Malwarebytes Cloud Remediation app in Splunk.

In Splunk, click Cloud Remediation > Configuration.
In the Logging tab, set Log level to INFO.
Click the Add-on Settings tab and enter the following information: (This step needs to be revised now)
- To get your Cloud Console Account Id:
  - Log into the Malwarebytes Nebula platform.
  - Copy the following string of characters found in the url.
  - In Splunk, paste the characters into the Cloud Console Account Id field.
- To get your Cloud Console Client Id and Cloud Console Client Secret:
  - Log into the Malwarebytes Nebula platform.
  - Go to Settings > APIs & Integrations.
  - Click Add, then provide the Application name and select the required access, then Save.
  - Copy the generated Client Id.
  - In Splunk, paste the Client Id in the Cloud Console Client Id field.
  - Return to the Malwarebytes Cloud Console, copy the generated Client Secret.
  - In Splunk, paste the Client Secret in the Cloud Console Client Secret field.
In the Splunk Username field, enter your Splunk Administrator username.
In the Splunk Password field, enter your Splunk Administrator password.
In the Company Name field, enter your company name.
In the Email field, enter your company email address.
Click Save.

To confirm you entered credentials correctly, go to $SPLUNK_HOME\etc\apps\mbcr\local and check the passwords file.
In the upper-left corner, click Inputs to configure your modular inputs into Splunk.
Click Create New Input > Malwarebytes Cloud Remediation Summary. Configure this modular input in order to receive current endpoint data such as online status, scans needed, remediation required, endpoint isolation, suspicious activity detections, and restarts required.
- In the Name field, enter a unique name for the modular input.
- In the Interval field, enter an interval time for how often you want Splunk to collect data. To not impact Splunk server performance, we recommend interval times greater than 30 seconds.
- In the Index drop-down, select malwarebytes.
- Click Add.
Click Create New Input > Malwarebytes Cloud Detections. Configure this modular input in order to receive results for scans initiated in Malwarebytes Nebula.
- In the Name field, enter a unique name for the modular input.
- In the Interval field, enter an interval time for how often you want Splunk to collect data. To not impact Splunk server performance, we recommend interval times greater than 30 seconds.
- In the Index drop-down, select malwarebytes.
- Click Add.
Click Create New Input > Malwarebytes Cloud Audit Data. Configure this modular input in order to receive audit data from Malwarebytes Nebula.
- In the Name field, enter a unique name for the modular input.
- In the Interval field, enter an interval time for how often you want Splunk to collect data. To not impact Splunk server performance, we recommend interval times greater than 30 seconds.
- In the Index drop-down, select malwarebytes.
- Click Add.
Click Create New Input > Malwarebytes Cloud Remediation. Configure this modular input in order to receive scan detection events for scans initiated from Splunk.
- In the Name field, enter a unique name for the modular input.
- In the Interval field, enter an interval time for how often you want Splunk to collect data. To not impact Splunk server performance, we recommend interval times greater than 30 seconds.
- In the Index drop-down, select malwarebytes.
- Click Add.

Initiate scans with Malwarebytes alert action

The Malwarebytes alert action follows the standard Adaptive Response Framework alert action. You can send the hostnames of your endpoints to the alert action to issue threat scans. After initiating a scan, the alert action stores the scan details in Splunk’s internal key-value store. See the following information to initiate a Malwarebytes scan. Go to Search > enter syntax into the Seach field.

Usage:
- index="malwarebytes" sourcetype = "mwb:mbcr" | (Write your own query here to filter the necessary hosts) | sendalert mbcr param.hostname=hostvalue param.remaction=value
Arguments:
- param.hostname - This can be a single hostname of an endpoint, or the location of a CSV file containing multiple hostnames.
- param.type_of_scan - Possible values are:
  - scan - Scans and reports only.
  - remove - Scans and quarantines any suspicious item found.
  - isolate - Performs an isolation of the endpoint.
  - isolateprocess - Performs a process isolation of the endpoint.
  - isolatenetwork - Performs a network isolation of the endpoint.
  - isolatedesktop - Performs a desktop isolation of the endpoint.
  - deisolate - Performs a de-isolation of the endpoint.
  - subscribe - Subscribes to the suspicious activity feed.
  - unsubscribe - Unsubscribes from the suspicious activity feed.

Examples:
- index="malwarebytes" | stats delim="," values(dvchost) as dvchost | mvcombine dvchost | sendalert mbcr param.hostname=$result.dvchost$ param.remaction=scan
- To directly execute scans on specific endpoints:
  |stats count as dvchost | eval dvchost="TLL-3560.local,EPR-IAL-ISLAM" | sendalert mbcr param.hostname=$result.dvchost$ param.remaction=scan

Initiate Suspicious Activity actions with Malwarebytes alert action

The Malwarebytes Suspicious Activity alert action enables administrators to subscribe and unsubscribe endpoint machines to the Malwarebytes Suspicious Activity feed. This will send notifications of potentially malicious software activity into Splunk. Subscribed endpoints can receive actions with the following functions:

Open - Considers the process as suspicious and will continue to trigger additional detections.
Remediate - Treats the process as malicious and remediates the threat on the endpoint.
Close - Closes the suspicious activity incident with no further action. Most likely use in the case of a false positive.

We recommend to use this alert action only through the Splunk Search bar.

Usage

Subscribe or Unsubscribe:
- | stats count as dvchost | eval dvchost="SA" | sendalert mbcr_sa param.sa_action=<subscription_name>

Open, Remediate, or Close:
- | stats count as dvchost | eval dvchost="SA" | sendalert mbcr_sa param.machine_id=<machine_id> param.detection_id=<detection_id> param.sa_action=<action_name>

Arguments

param.sa_action - Has the value subscribe and unsubscribe. Use this value when subscribing or unsubscribing an endpoint to or from the Malwarebytes Suspicious Activity feed. When suspicious activities are found, you can use the values open, remediate, or close.
param.machine_id - The machine id of the endpoint where the suspicious activity originated. Must be used only with param.sa_action - open, remediate, or close.
param.detection_id - This value can be a detection id of the suspicious activity found. Must be used only with param.sa_action - open, remediate, or close.

Examples

The following are some example Suspicious Activity actions you can use in the Splunk Search bar.

| stats count as dvchost | eval dvchost="SA" | sendalert mbcr_sa param.sa_action=subscribe
| stats count as dvchost | eval dvchost="SA" | sendalert mbcr_sa param.sa_action=unsubscribe
| stats count as dvchost | eval dvchost="SA" | sendalert mbcr_sa param.machine_id=cc107e39-4d68-42eb-9a27-3a87943ed239 param.detection_id=4415730 param.sa_action=open
| stats count as dvchost | eval dvchost="SA" | sendalert mbcr_sa param.machine_id=cc107e39-4d68-42eb-9a27-3a87943ed239 param.detection_id=4415730 param.sa_action=remediate
| stats count as dvchost | eval dvchost="SA" | sendalert mbcr_sa param.machine_id=cc107e39-4d68-42eb-9a27-3a87943ed239 param.detection_id=4415730 param.sa_action=close

Note: If the administrator tries to remediate a threat which has already been remediated, error code 5 will return in the Splunk search.

Schedule a scan with Malwarebytes alert action

To setup a scheduled scan using Malwarebytes Cloud Remediation alert action, follow these steps.

Go to Search > in the Search bar, filter the hostnames using your own Splunk query.
After the search, click Save As > select Alert.
In the Edit Alert menu, enter the following information:
- In the Alert field, enter an alert name.
- In the Cron Expressions field, set the time to initiate your scan.
- Under Trigger Conditions, enter a number threshold to trigger the alert. The image below shows, "Trigger an alert when the number of results is greater than 0."
- In the remaction drop-down menu, choose the scan/action type.
- In the Hostname field, enter $result.<your_variable_name>$. In the image below, dvchost refers to the variable that contains the hostnames.
- Click Save.
To confirm your scan initiates as expected, login to the Malwarebytes Nebula platform and view the Tasks tab.

View scan Status in Splunk

Click Cloud Remediation from your app dashboards to see the endpoints' scan and action Status.

The scan Status types are:

COMPLETED
PENDING
STARTED
FAILED
TIMED_OUT
EXPIRED

The Action types are:

Scan
Quarantine
Isolate
Isolate_Network
Isolate_Process
Isolate_Desktop
Deisolate

Malwarebytes modular input action

The Malwarebytes modular input action checks scan progress of initiated scans using the details stored by alert action in Splunk’s internal key-value store. For every initiated scan, the modular input action updates real time progress in the Cloud Remediation dashboard based on the value set in your Input Configuration). Once the scans finished, modular input updates the Cloud Remediation dashboard with new threat findings.

To check Malwarebytes Cloud Remediation events:

In the New Search bar, enter:
index="malwarebytes" sourcetype="mwb:mbcr"
In the New Search bar, enter:
index="malwarebytes" sourcetype="mwb:mbcr_summary"
In the New Search bar, enter:
index="malwarebytes" sourcetype="mwb_audit"

Logging details for Malwarebytes Cloud Remediation

The Scan status logs are found in the following locations:

For Malwarebytes alert action logs:

$SPLUNK_HOME/var/log/splunk/mbcr_modalert.log
$SPLUNK_HOME/var/log/splunk/mbcr_sa_modalert.log

For Malwarebytes data logs:

$SPLUNK_HOME/var/log/splunk/mbcr_malwarebytes_cloud_remediation_modular_input.log
$SPLUNK_HOME/var/log/splunk/mbcr_malwarebytes_cloud_remediation_audit_data_modular_input.log
$SPLUNK_HOME/var/log/splunk/mbcr_malwarebytes_cloud_detections_modular_input.log
$SPLUNK_HOME/var/log/splunk/mbcr_malwarebytes_cloud_remediation_summary_modular_input.log