The Malwarebytes integration with ServiceNow includes logs to identify issues occurring with the application. This article describes troubleshooting steps and log information to resolve integration issues.
ServiceNow Logs and troubleshooting Malwarebytes app integration
The communication between ServiceNow and Malwarebytes Nebula platform may be interrupted if your settings are not properly configured, or your Malwarebytes credentials are incorrect. There is not a pop-up notification or display to let you know that the Webhooks are not properly working. You may simply notice that data is not feeding into your ServiceNow instance as expected. See resolutions below.
Resolve inactive settings
In ServiceNow, make sure to set the Active column to True for all of the following Malwarebytes components:
- Malwarebytes under Business Rules.
- Malwarebytes under Scheduled Jobs.
- Malwarebytes under Scripted REST APIs.
Resolve invalid Malwarebytes credentials
Follow the steps to make sure your Malwarebytes credentials are entered correctly:
- In the Filter navigator search box, enter "syslog.list" to view the Log table.
- Under the Message column, look for the error message "Please Enter the correct Credentials" and http error code "Malwarebytes GetAuthToken HTTP Error Code:401". This indicates your credentials or authorization token are entered incorrectly.
- If you find these error messages, enter the correct credentials in the Malwarebytes app configuration page and click Submit. Refer to Install and configure Malwarebytes app for ServiceNow for more information.
Identify and resolve invalid ServiceNow Security Admin credentials
If your ServiceNow Security Admin credentials are entered incorrectly, the Scripted REST API cannot deliver Malwarebytes data to the ServiceNow instance. To confirm your ServiceNow instance correctly receives endpoint information, try the following:
- On one of your endpoints, visit iptest.malwarebytes.org which should produce a log event.
- In ServiceNow under Log, you should see "web" and "The Webhook Payload Received" messages under the Message column. If you did not see these logs, your Security Admin credentials are entered incorrectly.
- Enter the correct credentials in the Malwarebytes app configuration page and make sure the Subscribe Webhook box is checked. Click Submit. Refer to Install and configure Malwarebytes app for ServiceNow for more information.
View the status of initiated Suspicious Activity actions
Administrators can view the status of initiated Suspicious Activity actions, which may include actions with the Failed status. To view the action status, user the Filter navigator bar to search for the Malwarebytes - SA Actions Queues table. In the following example image, you will see several Failed statuses.
A Failed status displays when the administrator tries to remediate a suspicious activity which has already been remediated.
Return to the Malwarebytes Nebula Integration with ServiceNow guide.