hkelley

Feeding MBAE event data to SIEM


Has anybody forwarded/collected endpoint event data from MBAE for use in a logging or SIEM tool?

If so, how did you get the data, from the DB or from a text log? How actionable has the data been?


Welcome to the forum hkelley!

You can enable the MBAE clients to submit alert and service events to a syslog server. Details on how to enable this, as well as customizable syslog options, can be found in the MBAE Admin Guide PDF in the last section.

In the Guide there's also a section on alert reporting that explains the different data and how to interpret it into actionable intel.


Thanks, Pedro.

That guide says "The Malwarebytes Anti-Exploit for Business standalone client can be configured to send alert and service events". Is the same data automatically collected by the Management Console service for managed clients? If so, is there a log file or a SQL table we could query from?

Would the columns be the same as those in mbae-alert.log, plus the originating client host name?

Hugh


Yes, the same data is collected through the Management Console into the SQL Server. Not sure which table this is stored in. Let me find out and I'll get back to you.


Hi,

I know this is an old thread but would you be able to outline how you integrated it with LogRhythm please?  We have a customer looking to do exactly the same thing so any pointers would be greatly appreciated.


Welcome to the forum cmorris.

There are two ways to do this:

1- Forward events from centralized Malwarebytes Management Console to a syslog server. This can be activated from the "Admin" pane.

2- Enable syslog support on each endpoint (by simply creating a registry key and some values) and point each endpoint to submit their MBAE events directly to the syslog server, bypassing the Management Console. Details for this can be found towards the end of the "MBAE Admin Guide".

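Whichever of the two routes the events take, the syslog collector ends up with raw lines that are worth validating before the SIEM parses them. The following is an added example, not code from this thread or from Malwarebytes: it parses syslog lines carrying CEF (one of the output formats discussed here), honouring CEF's escaping rules, and pulls facility/severity out of the `<PRI>` prefix. The sample lines and every field name in them are constructed for illustration and are not a statement of MBAE's real event schema.

```python
import re
from typing import Dict, Optional

# Constructed sample syslog lines (assumed RFC 3164 framing carrying CEF);
# the extension field names are illustrative, not MBAE's real schema.
SAMPLE_LINES = [
    "<134>Jan 12 10:15:01 ws-042 CEF:0|Malwarebytes|Anti-Exploit|1.0|100|Exploit blocked|8|"
    "dvchost=WS-042 suser=alice fname=winword.exe msg=Blocked \\= attempt act=block",
    "<134>Jan 12 10:15:02 ws-042 service heartbeat",  # non-CEF service event
]
PRI_RE = re.compile(r"^<(\d{1,3})>")
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # start of each key=value pair
HEADER = ["version", "vendor", "product", "dev_version", "sig_id", "name", "severity"]

def parse_cef(msg: str) -> Optional[Dict[str, object]]:
    """Parse CEF:ver|vendor|product|version|sigid|name|severity|extension.
    Header fields may hold escaped pipes (\\|); extension values escape '=' as \\=."""
    if not msg.startswith("CEF:"):
        return None
    s, fields, cur, i = msg[4:], [], [], 0
    while i < len(s) and len(fields) < 7:          # seven header fields, then extension
        if s[i] == "\\" and i + 1 < len(s):         # keep the escaped char literally
            cur.append(s[i + 1]); i += 2; continue
        if s[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(s[i]); i += 1
    if len(fields) < 7:
        return None                                 # truncated header: reject the line
    event: Dict[str, object] = dict(zip(HEADER, fields))
    ext, keys, extension = s[i:], list(EXT_KEY_RE.finditer(s[i:])), {}
    for n, m in enumerate(keys):                    # a value runs until the next key
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        extension[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    event["extension"] = extension
    return event

def parse_syslog_line(line: str) -> Optional[Dict[str, object]]:
    """CEF event from one syslog line, with facility/severity decoded from <PRI>; else None."""
    pos = line.find("CEF:")
    event = parse_cef(line[pos:]) if pos >= 0 else None
    m = PRI_RE.match(line)
    if event is not None and m:                      # PRI = facility * 8 + severity
        event["facility"], event["syslog_severity"] = divmod(int(m.group(1)), 8)
    return event

def collect(lines) -> list:
    """Keep only the lines that parsed as CEF events (service chatter is dropped)."""
    return [e for e in (parse_syslog_line(l) for l in lines) if e is not None]
```

Running `collect(SAMPLE_LINES)` on the constructed input yields one event whose `msg` value is unescaped to `Blocked = attempt` and whose PRI 134 decodes to facility 16 (local0), severity 6.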

Thanks for the quick response pbust.

Is there a way the LogRhythm SIEM could hook directly into the Malwarebytes database, or will the syslog provide all relevant information?


We currently don't have direct integration into LogRhythm or other SIEMs. It all needs to go through a syslog first and then feed the events from the syslog to the LogRhythm SIEM. Our Sales Engineers have a library of integration scripts into a bunch of different SIEMs and other network tools (Breach Detection Systems, Endpoint management frameworks, etc.). Send me a PM and I'll put you in touch if you are interested in those.


Can someone tell me the settings for LogRhythm with the console?  I know the port is 514.  Should I choose TCP or UDP?  Do I choose CEF or JSON?

thanks


Can someone help with integration with the new Cloud Console for Malwarebytes? I don't see any sections for Syslog... I want to integrate this with our SIEM.
