Effective August 18, 2023, the integration between ServiceNow and Malwarebytes Breach Remediation has reached its End of Maintenance (EOM). While the integration remains available for use, we would like to inform you that it will no longer receive updates. We encourage you to exercise caution when using this integration, as any use will be at your own risk. We are committed to providing ongoing support for common product usage questions and access to our online articles.
Malwarebytes Integration for Incident Response enables Malwarebytes Breach Remediation (MBBR) to integrate with a ServiceNow cloud instance, allowing administrators to manage scans on endpoints, remove threats, and generate reports. This article describes the requirements and configuration for the integration.
ServiceNow requirements
ServiceNow requires the following to integrate with Breach Remediation:
- You must have an active ServiceNow Support Portal account.
- You must have access to a ServiceNow appliance.
- Your environment must be configured to use either Windows Remote Management (WinRM) or Windows Management Instrumentation (WMI).
- Set up a MID Server on your Windows server. For instructions, refer to the following ServiceNow resources:
Malwarebytes requirements
Breach Remediation requires the following to integrate with ServiceNow:
- You must have an active Nebula subscription.
- Have your subscription license key available.
- If using a Syslog Server, have your Syslog Server IP and Syslog Server Port available.
Install Malwarebytes Integration for Incident Response
Before you begin the installation process, verify the Security Incident Response plugin is installed and active on your ServiceNow instance.
- Open the ServiceNow Store and click the Get button.
- Enter your HI credentials.
- After installation completes, confirm Malwarebytes is installed.
  - Log into ServiceNow.
  - In the search box, enter "system app".
  - Click on System Applications - Applications.
  - Click on Downloads.
  - Confirm Malwarebytes Integration for Incident Response appears in the Downloads page.
ServiceNow - Malwarebytes Breach Remediation installation
- Download the SN_MBBR_ALL.zip package here.
- Unzip the SN_MBBR_ALL.zip package. This contains two folders: SN_MBBR and SN_MBBR(syslog).
  - The SN_MBBR folder is intended for customers using a non-syslog environment, and the SN_MBBR(syslog) folder is intended for customers using a Syslog Server.
- If using a non-syslog environment:
  - Open the SN_MBBR folder.
  - Open Install_License.ps1 with Windows PowerShell.
  - Enter your Nebula license key and press Enter. This propagates the license key to the other batch files.
- If using a Syslog Server:
  - Open the SN_MBBR(syslog) folder.
  - Open Install_License.ps1 with Windows PowerShell.
  - Enter your Nebula license key and press Enter.
  - Enter your Syslog Server IP and press Enter.
  - Enter your Syslog Server port and press Enter. This propagates the license key, Syslog Server IP, and Syslog Server port to the other batch files.
- Create a new folder named mbbr on the Local Disk (C:\) of the Windows server. Depending on your environment, copy the contents of either SN_MBBR or SN_MBBR(syslog) to the new mbbr folder.
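The staging step above leaves scripts that carry the Nebula license key in C:\mbbr, and the integration depends on WinRM or WMI reaching the endpoints. The following read-only check is an added example, not part of the Malwarebytes package: it reports which broad groups have access to the folder and whether one endpoint answers over WinRM or WMI. The endpoint name is a placeholder, and the WMI test runs as the current user rather than with the stored MID Server credentials.

```powershell
# Added example: read-only pre-flight check, run on the MID Server's Windows host.
param(
    [string]$Path     = 'C:\mbbr',
    [string]$Endpoint = 'ENDPOINT-PLACEHOLDER'   # assumption: one managed endpoint
)

# Well-known SIDs of broad groups (SIDs are used because display names vary by locale).
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    throw "$Path does not exist; create it and copy the package contents first."
}
if (-not (Test-Path -LiteralPath (Join-Path $Path 'Install_License.ps1'))) {
    Write-Warning "Install_License.ps1 is not in $Path; check which folder was copied."
}

# Report allow entries (explicit and inherited) that grant broad groups access.
$sidType  = [System.Security.Principal.SecurityIdentifier]
$findings = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $broad.ContainsKey($_.IdentityReference.Value) } |
    Select-Object @{ n = 'Group'; e = { $broad[$_.IdentityReference.Value] } },
                  FileSystemRights, IsInherited
if ($findings) {
    Write-Warning "$Path grants access to broad groups:"
    $findings | Format-Table -AutoSize | Out-String | Write-Host
} else {
    Write-Host "No broad-group allow entries on $Path."
}

# Remoting: try WinRM first, then WMI over DCOM (the WMI test uses the current user).
try {
    Test-WSMan -ComputerName $Endpoint -ErrorAction Stop | Out-Null
    Write-Host "WinRM answered on $Endpoint."
} catch {
    try {
        $opt = New-CimSessionOption -Protocol Dcom
        $cim = New-CimSession -ComputerName $Endpoint -SessionOption $opt -ErrorAction Stop
        Get-CimInstance -CimSession $cim -ClassName Win32_OperatingSystem | Out-Null
        Remove-CimSession $cim
        Write-Host "WMI (DCOM) answered on $Endpoint."
    } catch {
        Write-Warning "Neither WinRM nor WMI answered on ${Endpoint}: $_"
    }
}
```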
Store MID Server credentials
As part of initial setup, you must store your credentials for your MID Server. To do this:
- Log in to ServiceNow.
- In the Filter navigator search box, enter "credentials store".
- In the left-side menu pane, go to the Malwarebytes Breach Remediation - Credentials Stores table.
- Click on New.
- In the New record, enter the following details:
  - In the Windows Username field, enter your administrator domain username.
  - In the Windows Password field, enter your administrator domain password.
  - In the MID Server Name field, enter the name for your MID Server.
- Click Submit.
The table refreshes to show the stored MID Server credentials.
To learn how to initiate and verify scans, check reports, and update Business Rules and Scheduled Jobs, see the Malwarebytes Integration for Incident Response user guide.