Effective August 18, 2023, the integration between ServiceNow and Malwarebytes Breach Remediation has reached its End of Maintenance (EOM). While the integration remains available for use, we would like to inform you that it will no longer receive updates. We encourage you to exercise caution when using this integration, as any use will be at your own risk. We are committed to providing ongoing support for common product usage questions and access to our online articles.
Malwarebytes Integration for Incident Response integrates Malwarebytes Breach Remediation with ServiceNow to enable ServiceNow administrators to push scans out to endpoints, remediate threats, and produce reports. This user guide describes how to:
- Verify your Malwarebytes MID Server is online
- Initiate scans
- Confirm scan initiated
- View scan reports
- Schedule scans and reports
To install and configure Malwarebytes Integration for Incident Response with your ServiceNow instance, refer to Install and configure Malwarebytes Integration for Incident Response.
Verify Malwarebytes MID Server is online
Before initiating threat scans or updating any scheduled scans and reporting, make sure your MID server is online. The MID Server facilitates and moves data between ServiceNow and Malwarebytes Breach Remediation. To check the status:
- Log into your ServiceNow instance.
- In the Filter navigator search box, enter "mid server".
- In the left-side menu pane, go to MID Server > Servers.
- Under the Status column, you should see Up to verify your MID Server is online.
Initiate scan and threat quarantine on an endpoint
- In the Filter navigator search box, enter "Security Incident".
- On the Security Incidents table, select an incident Number that contains a Configuration item.
- In the security incident form, scroll down to Configuration Items section.
- To run a scan on an endpoint, check the box in the row of the configuration item , then click the Action on selected Rows drop down menu > Run Malwarebytes MBBR Scan.
- In the Malwarebytes MBBR Scan window, enter the following details:
- For Scan Options, select either Scan Only or Scan and Quarantine from the drop down menu.
- For Communication Mode, select either Windows Management Instrumentation (WMI) or Windows Remote Management (WinRM) from the drop down menu.
- In the MID Server Name field, enter the name of your MID Server.
- Click Start Scan.
- Now let's see that the target endpoint received the scan. In the Filter navigator search box, enter "malwarebytes".
- In the left-side menu pane, go to the Malwarebytes Breach Remediation - Scan Queues table.
- On the Scan Queues table, the new endpoint is added to the queue with the security incident number listed under the Task column. Refresh the table to see the Queue Status change and confirm your MID Server received the scan task.
- Once we refresh the page, you can see that the scan has been received by MID Server agent. The Queue Status lists the task as Received. At this point, the Malwarebytes Breach Remediation folders have been transferred to the endpoint.
Confirm scan initiated
- In the Filter navigator search box, enter "ECC Queue".
- In the ECC Queue table, under Topic, enter "Command" to see the response from the MID Server.
- Under the Queue column, look for the row with "input". Click the timestamp of this row to view the scan status.
- Look to the Payload field to verify that the Scan has been Initiated Successfully.
- Once the scan completes, access the endpoint and go to mbbr_remediation > logs. View the ScanProgress file to see that the scan is complete.
View scan progress and reports
The way to view scan reports depends on if you use a Syslog or non-syslog server.
- Syslog users receive all the logs in their Syslog environment.
- Administrators who do not have a Syslog Server environment must follow these steps in the ServiceNow instance:
Retrieve scan results from an endpoint into ServiceNow
- In the Filter navigator search box, enter "malwarebytes" and go to the Malwarebytes Breach Remediation - Reports Queues table.
- Click on New.
- In the New record, enter the following details:
- In the MID Server Log Path field, enter the PowerShell log location.
- In the Endpoint Log Path, enter the network share path of the target endpoint where the log file is located.
- In the MID Server Name field, enter the MID Server name of the target endpoint.
- In the IP/Domain field, enter the IP of the target endpoint.
- Click Submit.
- In the Filter navigator search box, enter "ECC Queue" and go to the Queues table.
- In the Topic column, enter "Command" to filter for the new record.
- Under the Created column, click the timestamp of your new record to view the report of Scan Progress.
- In the record, look to the Payload field for the log data.
View retrieved scan results in ServiceNow
To find scan results records:
- In the Filter navigator search box, enter "scan results" and go to the Malwarebytes Breach Remediation - Scan Results table.
- You can view all Malwarebytes Breach Remediation scan results on this table. The Threat Name column shows the type of threat detected and the Endpoint/User column shows what device it was found on.
Schedule scans and reports
See the following steps to learn how to schedule scan or report actions for Malwarebytes Breach Remediation in the ServiceNow console. You can set these actions to occur at set times and intervals, and edit existing scheduled actions to suit your needs.
- In the Filter navigator search box, enter "scheduled jobs" and go to System Definition > Scheduled Jobs table.
- In the Scheduled Jobs table Search box, search for "MBBR" to filter for MBBR Scheduled Scans and MBBR Scheduled Reports.
- Select MBBR Scheduled Scans and update or ensure the following information is to your liking:
- Check the Active box.
- For the Run field, select the scan interval of your choice.
- In the Time fields, select the hour, minute, and second of the day to run the scheduled scan.
- Click Update.
- Select MBBR Scheduled Reports and update or ensure the following information is to your liking:
- Check the Active box.
- For the Run field, select the report interval of your choice.
- In the Time fields, select the hour, minute, and second of the day to run the scheduled report.
- Click Update.