Getting Data In
Highlighted

What is the best app or sourcetype to use for Malwarebytes data?

Splunk Employee
Splunk Employee

Hi Folks,

I am working on boarding logs from MalwareBytes. The log is being written to a Kiwi Syslog server.

Can anyone recommend an app or sourcetype for this data?

0 Karma
Highlighted

Re: What is the best app or sourcetype to use for Malwarebytes data?

Contributor

Hi,

Could you share some sample logs / data?

I'm sure others use MalwareBytes, so it would be interesting to see what could be extracted from the logs.

0 Karma
Highlighted

Re: What is the best app or sourcetype to use for Malwarebytes data?

Path Finder

Any one know the answer to this question?

0 Karma
Highlighted

Re: What is the best app or sourcetype to use for Malwarebytes data?

Path Finder

I know this is old but the Malwarebytes addon/app is helpful - You need to contact them directly but they are more than willing to assist with getting everything configured with you on a call if need be

0 Karma
Highlighted

Re: What is the best app or sourcetype to use for Malwarebytes data?

Esteemed Legend

There are 3 sourcetypes defined in props.conf:

[mwb:cloud]
description = Malwarebytes Cloud CEF
[mwb:mbbr]
description = Malwarebytes Breach Remediation CEF
[mwb:mbmc]
description = Malwarebytes Management Console CEF

But, unlike Palo Alto, there are no configurations to split a generic incoming sourceytpe into separate specific sourcetypes (there isn't even a transforms.conf at all). So it appears that if you:

1: "Configure the Management Console to connect to a Syslog server" like this:
https://support.malwarebytes.com/docs/DOC-1028
Then you should use "sourcetype=mwb:mbmc"
2: "Configure Syslog in Malwarebytes Cloud Console" like this:
https://support.malwarebytes.com/docs/DOC-2811
Then you should use "sourcetype=mwb:cloud"
3: ???  I don't know how to generate the "Malwarebytes Breach Remediation CEF" for "sourcetype=mwb:mbbr"

The documentation on the TA here is of no help:
https://support.malwarebytes.com/docs/DOC-3237

0 Karma
Highlighted

Re: What is the best app or sourcetype to use for Malwarebytes data?

Path Finder

Has anyone successfully used Malwarebytes addon for getting the data in and being extracted as it shows in the addon?

0 Karma
Highlighted

Re: What is the best app or sourcetype to use for Malwarebytes data?

Esteemed Legend

Yes, I just explained how I did it in my answer.

0 Karma
Highlighted

Re: What is the best app or sourcetype to use for Malwarebytes data?

Path Finder

I having an issue with the data is not extracting per the addon - which is why I had asked.

0 Karma