Security incidents and scans in Nebula integration with ServiceNow

The Malwarebytes app for ServiceNow offers data via Webhooks for real-time protection events, such as scan and detection reports. This guide describes:

To install and configure the Malwarebytes app for your ServiceNow instance, refer to Install and configure Malwarebytes app for ServiceNow ‌.

View Detections and Events

View detections and events directly through ServiceNow when they are pulled from the Nebula console. These are listed by endpoint at the reported date for the detection and event. 

1. In ServiceNow, go to Detection - Malwarebytes or Events - Malwarebytes. 
2. View the Threat Name or Event Description sections to identify the detection or event.
   

To investigate the Security Incident

When a Security Incident is created, the ServiceNow administrator receives an email notification containing an incident number. Use this unique identifier to investigate the Security incident in ServiceNow.

1. In the Filter navigator search box, enter "security incident".
2. Click Security Incidents - Show All.
3. In the Number search box, enter the incident number to find the ticket. This is useful if you have many Security incidents to manage.
4. A description of the detection is viewable under the Short description column.
   
5. Click the Security Incident Number to view further details of the detection.
   

ServiceNow unregistered endpoint

In the Security Incidents table, if an endpoint is not registered in ServiceNow and ransomware is found on that endpoint, the Configuration item column shows as (empty) for the endpoint. You can find the endpoint name in the Short Description column.

Manually create a Security Incident in ServiceNow

To manually create a security incident, the ServiceNow administrator needs to first register the endpoint name in the Configuration Items table. Once the endpoint from your Nebula platform is added to your ServiceNow instance, you can create a security incident to initiate scans to that endpoint.

As the ServiceNow administrator:

1. In the Filter navigator search box, enter "cmdb_ci.list".
2. Click New to create a new record.
3. In the new record menu, enter the following information:
   • In the Name field, enter the endpoint name. This must match the endpoint name from your Nebula platform.
   • In the Assigned to field, enter the name of the person using the endpoint.
   • Click Submit.
4. To create a Security Incident associated with the registered user:
   • Go to Security Incidents - Show all Incidents.
   • Click New.
5. In the new record, enter the following information:
   
   • In the Requested by field, enter the user name of the endpoint.
   • In the Configuration item field, enter the endpoint name that you registered in the new record menu above.
   • In the Short description field, enter a description to identify the Security Incident.
   • Click Submit in the upper-right corner to save your draft.
6. Go back to Security Incidents - Show all Incidents to see the newly created incident. You can view the incident Number and Short description.
7. Click the incident number of the Security Incident to view the endpoint and Configuration items associated with it.

Initiate a Malwarebytes scan through an existing Security Incident

ServiceNow administrators can open a Security Incident and perform a Malwarebytes scan on the endpoint associated with it.

1. Open a Security Incident created by either Malwarebytes or an end user. Find the Configuration items tab at the bottom.
   
2. Check the box for the Configuration item and the box next to Action on selected rows... > click Run Malwarebytes Scan from the drop-down menu.
3. In the Malwarebytes Scan menu, select the scan type you wish to perform under Scan Options drop-down menu > click Start Scan to initiate the action.
   • The possible Scan Options are Scan Only, Scan and Quarantine, Isolate Endpoint, Process Isolation, Network Isolation, Desktop Isolation, and Deisolate Endpoint.
4. In Malwarebytes Scan Tasks, find the initiated scan job. Here you can view the Scan Status from the table view.
5. View the scan results in the Malwarebytes Scan Reports table. Here you see the Task number, Computer Name, and Vendor Reference to learn more about threats detected on the endpoint.

Configure the Security Incident form

You can configure your Security Incidents to show historical scan tasks and reports pulled from Malwarebytes. Once configured, the Security Incident displays live status of scans and detected threats on an endpoint. Follow the steps to add Malwarebytes Scan Tasks and Scan Reports to your Security Incidents.

1. Open an existing Security Incident. In the Security Incident form:
   • Click the menu icon.
   • Highlight Configure in the context menu.
   • Click Related Lists.
2. Click Edit this view in Security Incident.
3. From the Available list, move Malwarebytes Scan Task->Task and Malwarebytes Scan Report->Task to the Selected list. Click Save.
4. Return to the Security incident you just configured, scroll down and click Show All Related Lists.
5. The Malwarebytes Scan Tasks and Malwarebytes Scan Reports feeds are now visible in the Security Incident. These feeds show historical scan events and detection reports associated with the endpoint.

Return to the Nebula Integration with ServiceNow guide.