With the Malwarebytes Integration for ServiceNow you can perform actions on suspicious activity events detected by Malwarebytes. This article describes how to perform actions on suspicious activity detections.
Initiate Suspicious Activity Actions
The Malwarebytes - Suspicious Activities table displays all suspicious activity found on your endpoints and their severity levels: Low, Medium, or High. The administrator can select the detections to act on. The following actions are available:
- Open - Keeps the process classified as suspicious; it will continue to trigger additional detections.
- Remediate - Treats the process as malicious and remediates the threat on the endpoint.
- Close - Closes the suspicious activity incident with no further action. Most commonly used in the case of a false positive.
To view Suspicious Activity and initiate actions:
- In ServiceNow, use the Filter navigator Search bar to find the Malwarebytes - Suspicious Activity table.
- This table shows all suspicious activity found on your endpoints. Check the box next to any detections you want to perform actions on.
- Click the Actions of selected rows... > select Malwarebytes Suspicious Activity action from the drop-down menu.
- In the Malwarebytes Suspicious Activity Action window, select the Action drop-down menu > select Remediate Suspicious Activity > click Start Action to initiate.
- View the action status under the Action Status column. The Action Status column always shows the last initiated action.
To create Security Incidents from high severity suspicious activities:
- In ServiceNow, use the Filter navigator Search bar to find the Malwarebytes - Suspicious Activity table. This table shows all suspicious activity found on your endpoints.
- Check the box next to any detections you want to perform actions on.
- Click the Actions of selected rows... > select Escalate as ServiceNow Security Incident from the drop-down menu.
- In the Escalate as ServiceNow Security Incident window, select Create a Security Incident from the Action drop-down menu > click Start Action to initiate.
- Go to ServiceNow Security Incidents table to find the created ticket.
- Open the ticket. The suspicious activity details are attached as work notes within the ticket.
Note: If the user selects multiple suspicious activities for a single endpoint (hostname/configuration item), one security incident ticket is created, with the suspicious activities attached in the Activities section. If the user selects suspicious activities across multiple endpoints, one ticket is created per endpoint.
Return to the Nebula Integration with ServiceNow guide.