Malwarebytes
About
Malwarebytes protects your home devices and your business endpoints against malware, ransomware, malicious websites, and other advanced online threats.
Malwarebytes is anti-malware software for Microsoft Windows, macOS, Chrome OS, Android, and iOS that finds and removes malware. Made by Malwarebytes Corporation, it was first released in January 2006.
Product Details
Vendor URL: Malwarebytes Cybersecurity for Home and Business | Anti-Malware
Product Type: EDR
Product Tier: Tier I
Integration Method: Syslog
Integration URL: Configure the Management Console to connect to a Syslog
Log Guide: Malwarebytes Endpoint Security logs
Parser Details
Log Format: Syslog/CEF
Expected Normalization Rate: 75%-100%
Data Label: MALWAREBYTES_EDR
UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| vendor | metadata.vendor_name |
| product | metadata.product_name |
| version | metadata.product_version |
| product_event | metadata.product_event_type |
| Statically Defined | metadata.event_type |
| msg | metadata.description |
| src_domain | principal.administrative_domain |
| deviceExternalId | additional.fields |
| src, shost | principal.hostname |
| src, shost | principal.ip |
| dst, dhost | target.hostname |
| dst, dhost | target.ip |
| suser | principal.user.userid |
| request | target.url |
| observer | observer.hostname |
| observer | observer.ip |
| INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL | security_result.severity |
| SOFTWARE_SUSPICIOUS, SOFTWARE_MALICIOUS | security_result.security_category |
| fileType | additional.fields |
| mime_type | target.file.mime_type |
| file_path | target.file.full_path |
| cs1 | security_result.threat_name |
| cat | security_result.category_details |
| ALLOW, BLOCK, QUARANTINE | security_result.action |
Product Event Types

| type,subtype | severity | UDM Event Classification | alerting enabled |
|---|---|---|---|
| Default | | GENERIC_EVENT | |
| PUP quarantined | | SCAN_HOST | |
| Malware quarantined | | SCAN_HOST | |
| Malware found | | SCAN_HOST | Y |
| PUP found | | SCAN_HOST | |
Log Sample
2022-01-05T12:16:56Z hostname2 CEF:0|Malwarebytes|Malwarebytes Incident Response|Incident Response 1.2.0.689|Detection|Malware quarantined|1|deviceExternalId=extid dvchost=hostname2 deviceDnsDomain=domain.companyname dvcmac=devmac dvc=10.0.0.113 rt=Jan 04 2022 21:00:01 Z fileType=file cat=Malware act=quarantined msg=Malware quarantined\nFile: C:\\USERS\\1234567890\\DOWNLOADS\\file\nMD5: md5 filePath=C:\\USERS\\1234567890\\DOWNLOADS\\file cs1Label=Detection name cs1=RiskWare.FileServer
Sample Parsing
metadata.event_timestamp = "2022-01-04T21:00:01Z"
metadata.event_type = "SCAN_HOST"
metadata.vendor_name = "Malwarebytes"
metadata.product_name = "Malwarebytes Incident Response"
metadata.product_version = "Incident Response 1.2.0.689"
metadata.product_event_type = "Malware quarantined"
metadata.description = "Malware quarantined\nFile: C:\\USERS\\1234567890\\DOWNLOADS\\file\nMD5: md5"
metadata.ingested_timestamp = "2022-01-05T12:20:37.720248Z"
additional.device_external_id = "extid"
additional.file_type = "file"
principal.hostname = "hostname1"
principal.ip = "10.0.0.113"
principal.administrative_domain = "domain.companyname"
principal.asset.ip = "10.0.0.113"
src.file.full_path = "C:\\USERS\\1234567890\\DOWNLOADS\\file"
src.file.mime_type = "EXE"
observer.hostname = "hostname2"
security_result.category = "SOFTWARE_MALICIOUS"
security_result.category_details = "Malware"
security_result.threat_name = "RiskWare.FileServer"
security_result.action = "QUARANTINE"
security_result.severity = "HIGH"
security_result.alert_state = "ALERTING"
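As an added worked example (not Malwarebytes' own code and not the production parser), the following Python routine parses the CEF log sample above into the UDM fields listed in the tables. The extension-key-to-UDM mapping follows the UDM Fields table; taking the observer hostname from the syslog header, the SCAN_HOST/GENERIC_EVENT classification from the Product Event Types table, and the HIGH/ALERTING rule only for Malware events (the single case the page shows) are assumptions.

```python
import re
from datetime import datetime

# Constructed input: the page's log sample re-typed as a Python string (CEF escapes \n and \\ kept as two characters)
SAMPLE = (
    "2022-01-05T12:16:56Z hostname2 CEF:0|Malwarebytes|Malwarebytes Incident Response|"
    "Incident Response 1.2.0.689|Detection|Malware quarantined|1|deviceExternalId=extid "
    "dvchost=hostname2 deviceDnsDomain=domain.companyname dvcmac=devmac dvc=10.0.0.113 "
    "rt=Jan 04 2022 21:00:01 Z fileType=file cat=Malware act=quarantined "
    "msg=Malware quarantined\\nFile: C:\\\\USERS\\\\1234567890\\\\DOWNLOADS\\\\file\\nMD5: md5 "
    "filePath=C:\\\\USERS\\\\1234567890\\\\DOWNLOADS\\\\file cs1Label=Detection name cs1=RiskWare.FileServer"
)
HEADER = ("version", "vendor", "product", "product_version", "signature_id", "name", "severity")
SCAN_EVENTS = {"Malware quarantined", "Malware found", "PUP quarantined", "PUP found"}
ACTIONS = {"quarantined": "QUARANTINE", "blocked": "BLOCK", "allowed": "ALLOW"}
CATEGORY = {"Malware": "SOFTWARE_MALICIOUS", "PUP": "SOFTWARE_SUSPICIOUS"}

def unescape(value):
    # CEF escaping: "\\" -> "\", "\=" -> "=", "\|" -> "|", "\n" / "\r" -> line breaks
    return re.sub(r"\\([\\=|nr])", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)

def parse_cef(line):
    prefix, _, cef = line.partition("CEF:")           # syslog "timestamp host " precedes the CEF header
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)   # 7 header fields, then the extension blob
    hdr = dict(zip(HEADER, (unescape(p) for p in parts[:7])))
    tokens = [t for t in re.split(r"\s+(?=\w+=)", parts[7] if len(parts) > 7 else "") if t]  # values may contain spaces
    ext = {k: unescape(v) for k, v in (t.split("=", 1) for t in tokens)}
    ts = datetime.strptime(ext["rt"], "%b %d %Y %H:%M:%S Z").strftime("%Y-%m-%dT%H:%M:%SZ") if "rt" in ext else None
    udm = {
        "metadata.event_timestamp": ts,
        "metadata.event_type": "SCAN_HOST" if hdr["name"] in SCAN_EVENTS else "GENERIC_EVENT",
        "metadata.vendor_name": hdr["vendor"],
        "metadata.product_name": hdr["product"],
        "metadata.product_version": hdr["product_version"],
        "metadata.product_event_type": hdr["name"],
        "metadata.description": ext.get("msg"),
        "additional.fields": {k: ext[k] for k in ("deviceExternalId", "fileType") if k in ext},
        "principal.hostname": ext.get("dvchost"),
        "principal.ip": ext.get("dvc"),
        "principal.administrative_domain": ext.get("deviceDnsDomain"),
        "target.file.full_path": ext.get("filePath"),
        "observer.hostname": prefix.split()[-1] if prefix.split() else None,  # assumption: syslog header host
        "security_result.category": CATEGORY.get(ext.get("cat")),
        "security_result.category_details": ext.get("cat"),
        "security_result.threat_name": ext.get("cs1"),
        "security_result.action": ACTIONS.get(ext.get("act")),
    }
    if ext.get("cat") == "Malware":  # assumption: the page shows only Malware events as HIGH and alerting
        udm["security_result.severity"], udm["security_result.alert_state"] = "HIGH", "ALERTING"
    return udm
```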
Parser Alerting

| loglevel | sec_result.severity | security_action | is_alert |
|---|---|---|---|
| Malware Found | High | | Y |
Rules
Coming Soon