Technical Add-on for Malwarebytes for Splunk

The Technical Add-on for Malwarebytes app is a prerequisite for all Malwarebytes apps for Splunk. The app includes Common Information Model (CIM) compliant field extractions and predefined source types for multiple Malwarebytes products making it compatible with all CIM based Splunk apps including Splunk Enterprise Security.

Download Technical Add-on from Splunkbase

1. Go to the Technical Add-on for Malwarebytes page in Splunkbase.
2. Click on LOGIN TO DOWNLOAD.
3. Enter your Splunk user credentials.

Install Technical Add-on for Malwarebytes

Where you install Technical Add-on for Malwarebytes is based on your Splunk environment.

Splunk Enterprise Single Instance Environments

Install the Technical Add-on for Malwarebytes in the same location where the Splunk components, Search Tier, Indexer Tier, and Forwarder Tier are located. For instructions on installing add-on in a single instance environments, refer to Splunk's support article Install an add-on in a single-instance Splunk Enterprise deployment.

Splunk Enterprise Distributed Environments

Install the Technical Add-on app where your Search Tier, Indexer Tier, and Forwarder Tier are located. For instructions on installing an add-on in a distributed Splunk Enterprise environment, refer to Splunk's support article Install an add-on in a distributed Splunk Enterprise deployment.

Once the Technical Add-on for Malwarebytes is installed, you can now install the Malwarebytes Visibility and Dashboards app, or Agentless Remediation app for your Splunk environment.

Configure Technical Add-on for Malwarebytes

Once installed, configure the Malwarebytes Technical Add-on app in Splunk.

1. In Splunk, click Technical Add-on > Configuration.
2. In the Logging tab, set the preferred Log level.
3. Click the Add-on Settings tab and enter the following information:
   • To get your Cloud Console Account Id:
     • Cloud Console Account Id:
       • Log in to Malwarebytes Nebula.
       • Copy the following string of characters found in the url.
         
       • In Splunk, paste the characters into the Cloud Console Account Id field.
     • Cloud Console Client Id and Cloud Console Client Secret:
       • To create Client ID and Client Secret, see Create OAuth2 credentials for Nebula.
4. Click Save.

Create Inputs for Malwarebytes data

In the upper-left corner, click Inputs to configure your modular inputs into Splunk.

1. Click Create New Input and select an input to configure:
   • Malwarebytes TA Endpoints Data: Configure this modular input in order to receive data on endpoints from Nebula.
   • Malwarebytes TA Endpoints Lite Data: Configure this modular input in order to receive lite data on Endpoints from Nebula. 
   • Malwarebytes TA Detections Data: Configure this modular input in order to receive data on Detections from Nebula.
   • Malwarebytes TA SA Data 2: Configure this modular input in order to receive Suspicious Activity data from Nebula.
   • Malwarebytes TA Audit Data: Configure this modular input in order to receive audit event data from Nebula.
   • Malwarebytes TA Alerts: Configure this modular input in order to receive alerts from Nebula. 
   • Malwarebytes TA Vulnerabilities Data: Configure this modular input in order to receive Vulnerability event data from Nebula. 
   • Malwarebytes TA OS Patches Data: Configure this modular input in order to receive OS Patch event data from Nebula. 
   • Malwarebytes TA Device Control Data: Configure this modular input in order to receive Device Control event data from Nebula. 
2. In the Name field, enter a unique name for the modular input.
3. In the Interval field, enter an interval time for how often you want Splunk to collect data. To not impact Splunk server performance, we recommend interval times greater than 30 seconds.
4. In the Index drop-down, select your preferred index type.
5. Click Add. Repeat steps 1-5 for additional inputs. 

Malwarebytes modular input action

The Malwarebytes modular input action checks the details stored in Splunk’s internal key-value store.  Use these key values to generate technical add-on information for the following sources. Choose the index name based on your previously configured input settings.

• index = "*" sourcetype="mwb:ta_endpoints"
• index = "*" sourcetype="mwb:ta_endpoints_lite"
• index = "*" sourcetype="mwb:ta_detections"
• index = "*" sourcetype="mwb:ta_sa2"
• index = "*" sourcetype="mwb:ta_audit"
• index = "*" sourcetype="mwb:jobs"
• index = "*" sourcetype="mwb:ta_vulnerabilities"
• index = "*" sourcetype="mwb:ta_patches"
• index = "*" sourcetype="mwb:ta_device_control"

Logging details for Malwarebytes Technical Add-on

For Malwarebytes data logs:

• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_audit_data.log
  
• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_detections_data.log
• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_endpoints_data.log
• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_alerts_input.log
• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_endpoints_lite_data.log
• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_sa_data_2.log
• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_vulnerabilities_data.log
• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_os_patches_data.log
• $SPLUNK_HOME/var/log/splunk/ta_malwarebytes_malwarebytes_ta_device_control_data.log

To setup the Malwarebytes Visibility and Dashboard app for Splunk, see Malwarebytes Visibility and Dashboards app for Splunk and Malwarebytes Nebula.

Return to the Malwarebytes Nebula integration with Splunk guide.