MalwareBytes Endpoint Protection
MalwareBytes is software installed on your assets that detects malware and viruses. You can connect MalwareBytes to send its data to SIEM (InsightIDR) in order to more quickly detect suspicious files on your Windows assets.
To do so:
Configure MalwareBytes Logging
You must be an Administrator to configure syslog logging for this application.
You can configure MalwareBytes to send its log to syslog following the instructions on page 33 of this guide: https://de.malwarebytes.com/pdf/guides/MBQSG.pdf
To configure syslog logging as an admin:
- Log in to the MalwareBytes interface.
- On the left menu, select the Settings page.
- Select the Syslog Logging page.
- Select which Windows Endpoint should send its log to a syslog server.
- Provide information for the IP address/host, port, protocol, message severity, and communication interval (where the default is five minutes).
- Click the Save button.
Configure SIEM (InsightIDR) to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).
To configure the new event source in SIEM (InsightIDR):
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for Malwarebytes Endpoint Security in the event sources search bar.
- In the Product Type filter, select Virus Scan.
- Select the Malwarebytes Endpoint Security event source tile.
- Choose your collector and event source. If you want, you can also name your event source.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unparsed logs.
- Configure your default domain or add a new domain.
- Select syslog and specify a port and a protocol.
- Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
- Click the Save button.