USM Anywhere™

Malwarebytes Endpoint Security

When you configure Malwarebytes Endpoint Security integration to send log data to USM Anywhere, you can use the Malwarebytes Endpoint Security plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor Malwarebytes Endpoint Security
Device type Endpoint security
Connection type syslog
Vendor link

Integrating Malwarebytes Endpoint Security

To configure Malwarebytes Endpoint Security to send log data over syslog to USM Anywhere

  1. Log onto the Management Console.

  2. Click the Admin pane.

  3. Click the Syslog Server tab.

  4. Click Change...

  5. Check Enable Syslog.

  6. Enter the following information into the respective fields:

    Field Value Explanation
    Syslog Server IP address of the USM Anywhere sensor
    Port 514 for UDP, or 601 for TCP
    Protocol UDP or TCP
    Facility Facility in which you'd like Malwarebytes logs to appear
    Severity Severity threshold of events you want Malwarebytes logs to capture in syslog
    Payload Format JSON
  7. Click OK.

Plugin Enablement

The Malwarebytes Endpoint Security plugin automatically processes all messages that contain Malwarebytes-Endpoint-Security in their syslog tag.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application

  • destination_address

  • device_direction

  • event_action

  • event_description

  • event_name

  • event_outcome

  • event_severity

  • external_id

  • file_name

  • file_path

  • log_json

  • malware_variant

  • plugin_device

  • rep_device_model

  • source_address

  • source_hostname

  • source_mac

  • source_ntdomain

  • source_port

  • source_process

  • source_username