The Malwarebytes app for ServiceNow offers data via Webhooks for real-time protection events, such as scan and detection reports. This guide describes:
- Security Incidents created automatically when Malwarebytes detects threats.
- How to manually create Security Incidents.
- How to initiate a scan through an existing Security Incident.
- How to initiate Suspicious Activity actions.
- How to configure Security Incidents to show historical scan and detection information.
- How to configure Automatic Malware Remediation.
- How to find logs and troubleshoot ServiceNow integration with the Malwarebytes app.
To install and configure the Malwarebytes app for your ServiceNow instance, refer to Install and configure Malwarebytes app for ServiceNow.
View Security Incidents created from Malwarebytes scans
When Malwarebytes detects a threat during a scheduled scan, information is sent to ServiceNow to create a Security Incident. The ServiceNow administrator can check the Security Incident to see the scan results and investigate the findings.
Security Incidents are generated only for ransomware detections. Other kinds of threats can be viewed in the ServiceNow Logs.
When Malwarebytes detects ransomware, the Malwarebytes Nebula platform sends scan results to ServiceNow via Webhook. ServiceNow automatically creates a Security Incident in response.
- In ServiceNow, go to Malwarebytes - Ransoms.
- View the Threat Name column to identify the detection.
To investigate the Security Incident
When a Security Incident is created, the ServiceNow administrator receives an email notification containing an incident number. Use this unique identifier to investigate the Security incident in ServiceNow.
- In the Filter navigator search box, enter "security incident".
- Click Security Incidents - Show All.
- In the Number search box, enter the incident number to find the ticket. This is useful if you have many Security incidents to manage.
- A description of the detection is viewable under the Short description column.
- Click the Security Incident Number to view further details of the detection.
ServiceNow unregistered endpoint
In the Security Incidents table, if an endpoint is not registered in ServiceNow and ransomware is found on that endpoint, the Configuration item column shows as (empty) for the endpoint. You can find the endpoint name in the Short Description column.
Manually create a Security Incident in ServiceNow
To manually create a security incident, the ServiceNow administrator needs to first register the endpoint name in the Configuration Items table. Once the endpoint from your Malwarebytes Nebula platform is added to your ServiceNow instance, you can create a security incident to initiate scans to that endpoint.
As the ServiceNow administrator:
- In the Filter navigator search box, enter "cmdb_ci.list".
- Click New to create a new record.
- In the new record menu, enter the following information:
- In the Name field, enter the endpoint name. This must match the endpoint name from your Malwarebytes Nebula platform.
- In the Assigned to field, enter the name of the person using the endpoint.
- Click Submit.
- To create a Security Incident associated with the registered user:
- Go to Security Incidents - Show all Incidents.
- Click New.
- In the new record, enter the following information:
- In the Requested by field, enter the user name of the endpoint.
- In the Configuration item field, enter the endpoint name that you registered in the new record menu above.
- In the Short description field, enter a description to identify the Security Incident.
- Click Submit in the upper-right corner to save your draft.
- Go back to Security Incidents - Show all Incidents to see the newly created incident. You can view the incident Number and Short description.
- Click the incident number of the Security Incident to view the endpoint and Configuration items associated with it.
Initiate a Malwarebytes scan through an existing Security Incident
ServiceNow administrators can open a Security Incident and perform a Malwarebytes scan on the endpoint associated with it.
- Open a Security Incident created by either Malwarebytes or an end user. Find the Configuration items tab at the bottom.
- Check the box for the Configuration item and the box next to Action on selected rows... > click Run Malwarebytes Scan from the drop-down menu.
- In the Malwarebytes Scan menu, select the scan type you wish to perform under Scan Options drop-down menu > click Start Scan to initiate the action.
- The possible Scan Options are Scan Only, Scan and Quarantine, Isolate Endpoint, Process Isolation, Network Isolation, Desktop Isolation, and Deisolate Endpoint.
- In Malwarebytes Scan Tasks, find the initiated scan job. Here you can view the Scan Status from the table view.
- View the scan results in the Malwarebytes Scan Reports table. Here you see the Task number, Computer Name, and Vendor Reference to learn more about threats detected on the endpoint.
Configure the Security Incident form
You can configure your Security Incidents to show historical scan tasks and reports pulled from Malwarebytes. Once configured, the Security Incident displays live status of scans and detected threats on an endpoint. Follow the steps to add Malwarebytes Scan Tasks and Scan Reports to your Security Incidents.
- Open an existing Security Incident. In the Security Incident form:
- Click the menu icon.
- Highlight Configure in the context menu.
- Click Related Lists.
- Click Edit this view in Security Incident.
- From the Available list, move Malwarebytes Scan Task->Task and Malwarebytes Scan Report->Task to the Selected list. Click Save.
- Return to the Security incident you just configured, scroll down and click Show All Related Lists.
- The Malwarebytes Scan Tasks and Malwarebytes Scan Reports feeds are now visible in the Security Incident. These feeds show historical scan events and detection reports associated with the endpoint.
All of your Malwarebytes Security Incidents now show these two feeds.
Initiate Suspicious Activity Actions
The Malwarebytes - Suspicious Activities table displays all suspicious activity found on your endpoints and their severity levels: Low, Medium, or High. The administrator can select endpoints to action. Endpoints can receive actions with the following functions:
- Open - Keeps the process flagged as suspicious; it will continue to trigger additional detections.
- Remediate - Treats the process as malicious and remediates the threat on the endpoint.
- Close - Closes the suspicious activity incident with no further action. This is most likely used for a false positive.
To view Suspicious Activity and initiate actions:
- In ServiceNow, use the Filter navigator Search bar to find the Malwarebytes - Suspicious Activity table.
- This table shows all suspicious activity found on your endpoints. Check the box next to any detections you want to perform actions on.
- Click the Actions of selected rows... > select Malwarebytes Suspicious Activity action from the drop-down menu.
- In the Malwarebytes Suspicious Activity Action window, select the Action drop-down menu > select Remediate Suspicious Activity > click Start Action to initiate.
- View the action status under the Action Status column. The Action Status column always shows the last initiated action.
To create Security Incidents from high severity suspicious activities:
- In ServiceNow, use the Filter navigator Search bar to find the Malwarebytes - Suspicious Activity. This table shows all suspicious activity found on your endpoints.
- Check the box next to any detections you want to perform actions on.
- Click the Actions of selected rows... > select Escalate as ServiceNow Security Incident from the drop-down menu.
- In the Escalate as ServiceNow Security Incident window, select Create a Security Incident from the Action drop-down menu > click Start Action to initiate.
- Go to ServiceNow Security Incidents table to find the created ticket.
- Open the ticket. The suspicious activity details are attached as work notes within the ticket.
Note: If the user selects multiple suspicious activities for a single endpoint (hostname/configuration item), one security incident ticket is created with suspicious activities attached in the Activities section. If the user selects multiple suspicious activities across multiple endpoints, multiple tickets are created.
Automatic Malware Remediation
With Malwarebytes Integration for Security Operations, you can automatically remediate malware from endpoints based on security tickets from end users.
To enable Automatic Malware Remediation:
- In ServiceNow, use the Filter navigator Search bar to find System Definition > Business Rules.
- In the Name column search bar, enter Malwarebytes Automatic Remediation.
- Change the value of the Active column to true.
Example: End user computer is infected
In the following example, an end user computer is infected. The end user creates a security ticket and Malwarebytes automatically remediates the endpoint.
End user steps
The end user creates a ticket following these steps:
- In ServiceNow, the end user uses the Filter navigator Search bar to find Self-Service > Security Incident Catalog.
- For the security incident category, the end user selects Malicious code activity.
- For the subcategory, the end user selects Worms, Virus, Trojan.
- On the next screen, the end user inputs
- Affected System: The hostname of the end user’s endpoint
- A Short Description
- Priority: Select from the drop-down menu
- The end user clicks submit. This creates a security incident ticket which the security analyst can access.
Security analyst steps
- When the security analyst goes to the Security Incidents table, they see a security incident ticket with the description “My computer has been infected! Please HELP!”
- The analyst opens the ticket and sees the scan & quarantine task has been initiated on the endpoint.
ServiceNow Logs and troubleshooting Malwarebytes app integration
The communication between ServiceNow and the Malwarebytes Nebula platform may be interrupted if your settings are not properly configured or your Malwarebytes credentials are incorrect. There is no pop-up notification or display to let you know that the Webhooks are not working properly. You may simply notice that data is not feeding into your ServiceNow instance as expected. See the resolutions below.
Resolve inactive settings
In ServiceNow, make sure to set the Active column to True for all of the following Malwarebytes components:
- Malwarebytes under Business Rules.
- Malwarebytes under Scheduled Jobs.
- Malwarebytes under Scripted REST APIs.
Resolve invalid Malwarebytes credentials
Follow the steps to make sure your Malwarebytes credentials are entered correctly:
- In the Filter navigator search box, enter "syslog.list" to view the Log table.
- Under the Message column, look for the error message "Please Enter the correct Credentials" and http error code "Malwarebytes GetAuthToken HTTP Error Code:401". This indicates your credentials or authorization token are entered incorrectly.
- If you find these error messages, enter the correct credentials in the Malwarebytes app configuration page and click Submit. Refer to Install and configure Malwarebytes app for ServiceNow for more information.
Identify and resolve invalid ServiceNow Security Admin credentials
If your ServiceNow Security Admin credentials are entered incorrectly, the Scripted REST API cannot deliver Malwarebytes data to the ServiceNow instance. To confirm your ServiceNow instance correctly receives endpoint information, try the following:
- On one of your endpoints, visit iptest.malwarebytes.org which should produce a log event.
- In ServiceNow under Log, you should see "web" and "The Webhook Payload Received" messages under the Message column. If you do not see these logs, your Security Admin credentials are entered incorrectly.
- Enter the correct credentials in the Malwarebytes app configuration page and make sure the Subscribe Webhook box is checked. Click Submit. Refer to Install and configure Malwarebytes app for ServiceNow for more information.
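The two troubleshooting checks above (invalid Malwarebytes credentials and a missing webhook payload) can be run offline against an export of the Log table. The following script is an added example, not part of the Malwarebytes app or ServiceNow; it assumes each exported row is formatted as `level|source|message` (a constructed format) and matches only the message strings quoted in this guide.

```python
"""Offline triage of exported ServiceNow Log rows for the Malwarebytes app.

Added example, not part of the Malwarebytes or ServiceNow documentation.
Input rows are assumed to be 'level|source|message' (constructed format).
"""
from dataclasses import dataclass, field

# Exact messages the troubleshooting steps tell the administrator to look for.
AUTH_FAIL_MESSAGES = (
    "Please Enter the correct Credentials",
    "Malwarebytes GetAuthToken HTTP Error Code:401",
)
WEBHOOK_RECEIVED_MESSAGE = "The Webhook Payload Received"


@dataclass
class TriageResult:
    auth_failures: list = field(default_factory=list)
    webhook_received: bool = False

    @property
    def diagnosis(self) -> str:
        # A 401 from GetAuthToken blocks all data flow, so it is reported first.
        if self.auth_failures:
            return "invalid Malwarebytes credentials: re-enter them in the app configuration page"
        if not self.webhook_received:
            return "no webhook payload logged: check Security Admin credentials and Subscribe Webhook"
        return "integration healthy"


def triage(log_rows):
    """Classify exported Log rows and return a TriageResult."""
    result = TriageResult()
    for row in log_rows:
        parts = row.split("|", 2)
        if len(parts) != 3:
            continue  # skip malformed export rows rather than misclassify them
        _level, _source, message = (p.strip() for p in parts)
        if any(m in message for m in AUTH_FAIL_MESSAGES):
            result.auth_failures.append(message)
        if WEBHOOK_RECEIVED_MESSAGE in message:
            result.webhook_received = True
    return result


# Constructed sample export: a failed token request followed by a later healthy webhook.
SAMPLE_ROWS = [
    "Error|Malwarebytes|Malwarebytes GetAuthToken HTTP Error Code:401",
    "Error|Malwarebytes|Please Enter the correct Credentials",
    "Info|web|The Webhook Payload Received",
]

if __name__ == "__main__":
    print(triage(SAMPLE_ROWS).diagnosis)
```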
View the status of initiated Suspicious Activity actions
Administrators can view the status of initiated Suspicious Activity actions, which may include actions with the Failed status. To view the action status, use the Filter navigator bar to search for the Malwarebytes - SA Actions Queues table. The example image shows several Failed statuses.
A Failed status displays when the administrator tries to remediate a suspicious activity which has already been remediated.