Malwarebytes Cloud Remediation app for Splunk

The Malwarebytes Cloud Remediation app integrates Splunk with Malwarebytes Cloud. This application works with the Malwarebytes Technical Add-on and Malwarebytes Dashboards App, however, their installation is not required for the Malwarebytes Cloud Remediation app.

While using the Malwarebytes Cloud Remediation App, it's possible to trigger and run alerts which execute corresponding actions for Endpoints and/or Suspicious Activities in your system.

Requirements

To run the Malwarebytes Cloud Remediation app, you need:

• An active Splunk instance.
• User login credentials for Splunk.
• An active Malwarebytes Nebula platform subscription.
• Malwarebytes Nebula platform login credentials.
• Technical Add-on for Malwarebytes installed. Refer to Install the Technical Add-on for Malwarebytes for Splunk for more information.

Download and install Malwarebytes Cloud Remediation app

To download the Malwarebytes Cloud Remediation app:

1. Go to the Malwarebytes Cloud Remediation page in Splunkbase.
2. Click on LOGIN TO DOWNLOAD. If already logged into Splunkbase, click on DOWNLOAD.
3. Enter your Splunk user credentials.

Install the Malwarebytes Cloud Remediation app

The location where you install the Malwarebytes Cloud Remediation app depends on how you have set up your Splunk environment. Splunk is set up as either a single instance or distributed environment.

Splunk Enterprise Single Instance Environments

Install the Malwarebytes Cloud Remediation app in the same location where the Splunk components, Search Tier, Indexer Tier, and Forwarder Tier are located. For instructions on installing add-on in a single instance environments, refer to Splunk's support article Install an add-on in a single-instance Splunk Enterprise deployment.

Splunk Enterprise Distributed Environments

Install the Malwarebytes Cloud Remediation app where your Search Tier is located. For instructions on installing an add-on in a distributed Splunk Enterprise environment, refer to Splunk's support article Install an add-on in a distributed Splunk Enterprise deployment.

Configure Malwarebytes Cloud Remediation app

Once installed, configure the Malwarebytes Cloud Remediation app in Splunk.

1. In Splunk, select the Malwarebytes Cloud Remediation App.
2. In the Logging tab, set the preferred Log level.
   
3. Click the Add-on Settings tab and enter the following information:
   
   
   • Cloud Console Account Id:
     • Log in to Malwarebytes Nebula.
     • Copy the following string of characters found in the url.
       
     • In Splunk, paste the characters into the Cloud Console Account Id field.
   • Cloud Console Client Id and Cloud Console Client Secret:
     • To create Client ID and Client Secret, see Create OAuth2 credentials for Malwarebytes Nebula.
4. Click Save.
5. To confirm you entered credentials correctly, go to $SPLUNK_HOME\etc\apps\mbcr\local and check the passwords file.

Initiate scans with Malwarebytes alert action

The Malwarebytes alert action follows the standard Adaptive Response Framework alert action. You can send the hostnames of your endpoints to the alert action to issue threat scans. After initiating available actions, alert events are created and stored under the main index.

Events are pulled by the Malwarebytes Technical Add-on and Dashboard app if the apps are installed and the Alerts Input is running.

To initiate a Malwarebytes scan, go to Search > enter syntax into the Search field.

• Usage:
  • index="malwarebytes" sourcetype = "mwb:mbcr" | (Write your own query here to filter the necessary hosts) | sendalert mbcr_alert param.hostname=hostmachine param.action=value
    
    
• Arguments:
  • param.hostname - This can be a single hostname of an endpoint, or the location of a CSV file containing multiple hostnames.
  • param.action - Possible values are:
    
    • scan - Scans and reports only.
    • remove - Scans and quarantines any suspicious item found.
    • isolate - Performs an isolation of the endpoint.
    • isolatedesktop - Performs a desktop isolation of the endpoint.
    • isolateprocess - Performs a process isolation of the endpoint.
    • isolatenetwork - Performs a network isolation of the endpoint.
    • deisolate - Performs a de-isolation of the endpoint.

• Examples:
  • | makeresults "" | sendalert mbcr_alert param.hostname="HOSTNAME" param.action=scan
  • | makeresults "" | sendalert mbcr_alert param.hostname="HOSTNAME" param.action=remove
  • | makeresults "" | sendalert mbcr_alert param.hostname="HOSTNAME" param.action=isolate
  • | makeresults "" | sendalert mbcr_alert param.hostname="HOSTNAME" param.action=isolatedesktop
  • | makeresults "" | sendalert mbcr_alert param.hostname="HOSTNAME" param.action=isolateprocess
  • | makeresults "" | sendalert mbcr_alert param.hostname="HOSTNAME" param.action=isolatenetwork
  • | makeresults "" | sendalert mbcr_alert param.hostname="HOSTNAME" param.action=deisolate 
    
    

Initiate Suspicious Activity actions with Malwarebytes alert action

The Malwarebytes Suspicious Activities (SA) alert action follows the standard Adaptive Response Framework alert action. Send the hostnames of your endpoints, suspicious activity ID, and Action type name to perform actions on suspicious activities. After performing available actions, alert events are created and stored under the main index.

Events are pulled by the Malwarebytes Technical Add-on and Dashboard app if the apps are installed and the Suspicious Activities Input is running. 

Change the status of found suspicious activities using the following alert actions:

• Open: Considers the process as suspicious and will continue to trigger additional detections.
• Remediate: Treats the process as malicious and remediates the threat on the endpoint.
• Close: Closes the suspicious activity incident with no further action. Most likely use in the case of a false positive.

We recommend to use this alert action only through the Splunk Search bar.

Usage

• Open, Remediate, or Close:
  • | makeresults | sendalert mbcr_alert_sa param.host=<machine_name> param.action=<action_name> param.detection_id=<detection_id>

Arguments

• param.machine_id - The machine id of the endpoint where the suspicious activity originated. Must be used only with param.action - open, remediate, or close.
• param.detection_id - This value can be a detection id of the suspicious activity found. Must be used only with param.action - open, remediate, or close.

Examples

The following are some example Suspicious Activity actions you can use in the Splunk Search bar.

• | makeresults | sendalert mbcr_alert_sa param.hostname=“HOSTNAME" param.action=remediate param.detection_id=123456789
• | makeresults | sendalert mbcr_alert_sa param.hostname=“HOSTNAME” param.action=open param.detection_id=123456789
• | makeresults | sendalert mbcr_alert_sa param.hostname=“HOSTNAME" param.action=close param.detection_id=123456789

Schedule a scan with Malwarebytes alert action

To setup a scheduled scan using Malwarebytes Cloud Remediation alert action, follow these steps.

1. Go to Search > in the Search bar, filter the hostnames using your own Splunk query.
   
2. After the search, click Save As > select Alert.
   
3. In the Edit Alert menu, enter the following information:
   • Alert: Enter an alert name.
   • Cron Expressions: Set the time to initiate your scan.
   • Trigger Conditions: Enter a number threshold to trigger the alert. The image below shows, “Trigger an alert when the number of results is greater than 0.”
   • Action drop-down: Choose the scan/action type.
   • Hostname: Enter $result.<your_variable_name>$. In the image below, dvchost refers to the variable that contains the hostnames.
   • Click Save.
     
4. To confirm your scan initiates as expected, login to the Malwarebytes Nebula platform and view the Tasks tab.

View scan Status in Splunk

Click Cloud Remediation from your app dashboards to see the endpoints' scan and action Status.

The scan Status types are:

• COMPLETED
• PENDING
• STARTED
• FAILED
• TIMED_OUT
• EXPIRED

The Action types are:

• Scan
• Quarantine
• Isolate
• Isolate_Network
• Isolate_Process
• Isolate_Desktop
• Deisolate

Examples of alerts:

• job_id=00000000-0000-0000-0000-000000000000 machine_id=00000000-0000-0000-0000-000000000000 type=job_detections timestamp=2022-09-16T23:16:46.738555797Z
• detection_id=00000000 machine_id=00000000-0000-0000-0000-000000000000 type=sa_alert command=remediate timestamp=2022-09-16T23:16:46.738555797Z

Malwarebytes modular input action

The Malwarebytes modular input action checks scan progress of initiated scans using the details stored by alert action in Splunk’s internal key-value store. For every initiated scan, the modular input action updates real time progress in the Malwarebytes Technical Add-on. Once scans are finished, modular input updates the Cloud Remediation dashboard with new threat findings. 

After performing available alert actions, events are pulled by the Malwarebytes Technical Add-on if the app is installed, the Alerts and Suspicious Activities Inputs must also be running. 

To check Malwarebytes Cloud Remediation events:

• In the New Search bar, enter:
  index="malwarebytes" sourcetype="mwb:mbcr"
• In the New Search bar, enter:
  index="malwarebytes" sourcetype="mwb:mbcr_summary"
  
• In the New Search bar, enter:
  index="malwarebytes" sourcetype="mwb_audit"

Errors in Malwarebytes Cloud Remediation

The following are errors viewable in the Cloud Remediation app: 

• Code 3: Invalid API credentials, check if credentials enter in the app are correct or review log files.
• Code 4: Action is rejected by API. Verify the the hostname or action name parameters are correct.
• Code 5: Unexpected error. Review logs or contact Malwarebytes support.

Logging details for Malwarebytes Cloud Remediation

The Scan status logs are found in the following locations:

For Malwarebytes alert action logs:

• $SPLUNK_HOME/var/log/splunk/mbcr_alert_modalert.log
• $SPLUNK_HOME/var/log/splunk/mbcr_alert_sa_modalert.log

 

Return to the Malwarebytes Nebula integration with Splunk guide.