Getting Data In

What is the best app or sourcetype to use for Malwarebytes data?

abeeber_splunk
Splunk Employee

Hi Folks,

I am working on boarding logs from MalwareBytes. The log is being written to a Kiwi Syslog server.

Can anyone recommend an app or sourcetype for this data?

0 Karma

Crashfry
Path Finder

Has anyone successfully used the Malwarebytes addon for getting the data in and having it extracted as it shows in the addon?

0 Karma

woodcock
Esteemed Legend

Yes, I just explained how I did it in my answer.

0 Karma

Crashfry
Path Finder

I'm having an issue with the data not extracting per the addon, which is why I had asked.

0 Karma

woodcock
Esteemed Legend

There are 3 sourcetypes defined in props.conf:

[mwb:cloud]
description = Malwarebytes Cloud CEF
[mwb:mbbr]
description = Malwarebytes Breach Remediation CEF
[mwb:mbmc]
description = Malwarebytes Management Console CEF

But, unlike Palo Alto, there are no configurations to split a generic incoming sourcetype into separate specific sourcetypes (there isn't even a transforms.conf at all). So it appears that if you:

1: "Configure the Management Console to connect to a Syslog server" like this:
https://support.malwarebytes.com/docs/DOC-1028
Then you should use "sourcetype=mwb:mbmc"
2: "Configure Syslog in Malwarebytes Cloud Console" like this:
https://support.malwarebytes.com/docs/DOC-2811
Then you should use "sourcetype=mwb:cloud"
3: ???  I don't know how to generate the "Malwarebytes Breach Remediation CEF" for "sourcetype=mwb:mbbr"

The documentation on the TA here is of no help:
https://support.malwarebytes.com/docs/DOC-3237

0 Karma
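Added example, not from this thread or from the Malwarebytes TA: a props.conf/transforms.conf pair that performs the sourcetype split the answer above says the TA lacks, rewriting a generic syslog sourcetype to mwb:mbmc or mwb:cloud based on the CEF header of each event. The `[syslog]` stanza name and the vendor/product strings in the regexes are assumptions; the product strings are placeholders to be replaced with the values seen in a real event from each console.

```ini
# props.conf
# Assumption: the Kiwi syslog feed arrives in Splunk with the generic "syslog"
# sourcetype. The two transforms are tried in order on every event.
[syslog]
TRANSFORMS-mwb_sourcetype = mwb_set_mbmc, mwb_set_cloud

# transforms.conf
# CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|...
# "Malwarebytes" and the <..._PRODUCT_STRING> values are PLACEHOLDERS; check
# them against an actual Management Console event and an actual Cloud Console
# event before deploying. Unmatched events keep the "syslog" sourcetype.
[mwb_set_mbmc]
REGEX = CEF:\d+\|Malwarebytes\|<MGMT_CONSOLE_PRODUCT_STRING>\|
FORMAT = sourcetype::mwb:mbmc
DEST_KEY = MetaData:Sourcetype

[mwb_set_cloud]
REGEX = CEF:\d+\|Malwarebytes\|<CLOUD_CONSOLE_PRODUCT_STRING>\|
FORMAT = sourcetype::mwb:cloud
DEST_KEY = MetaData:Sourcetype
```

These are index-time settings, so they belong on the parsing tier (indexers or heavy forwarder) and only affect data that arrives after a restart. Verify the split with a search such as `index=<your_index> | stats count by sourcetype`, which should show events under mwb:mbmc and mwb:cloud rather than under syslog.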

Crashfry
Path Finder

I know this is old, but the Malwarebytes addon/app is helpful. You need to contact them directly, but they are more than willing to assist with getting everything configured with you on a call if need be.

0 Karma

mrtolu6
Path Finder

Anyone know the answer to this question?

0 Karma

gvmorley
Contributor

Hi,

Could you share some sample logs / data?

I'm sure others use MalwareBytes, so it would be interesting to see what could be extracted from the logs.

0 Karma