Fortinet Document Library

About the connector

Malwarebytes is anti-malware software for Microsoft Windows, macOS, Android, and iOS that finds and removes malware.

This document provides information about the Malwarebytes connector, which facilitates automated interactions with a Malwarebytes server using FortiSOAR™ playbooks. Add the Malwarebytes connector as a step in FortiSOAR™ playbooks and perform automated operations, such as scanning specified endpoints or retrieving information for a specified endpoint or a list of endpoints connected to Malwarebytes.

Version information

Connector Version: 1.0.1

FortiSOAR™ Version Tested on: 4.11.0-1161

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.0.1

The following enhancement has been made to the Malwarebytes connector in version 1.0.1:

  • Ensured that connector actions fail with a valid error message when the connector health check reports that the connector is disconnected.

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-malwarebytes

For the detailed procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the API Server URL of the Malwarebytes server to which you will connect and perform the automated operations and the credentials (username and password pair) to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Malwarebytes connector row, and in the Configuration tab enter the required configuration details.

Parameter Description
API Server URL API Server URL of the Malwarebytes server to which you will connect and perform automated operations.
Username Username used to connect to the Malwarebytes server to which you will connect and perform automated operations.
Password Password used to connect to the Malwarebytes server to which you will connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. Leave it set to True outside of a lab: with verification disabled, the connector sends the configured username and password to whichever host answers at the API Server URL, so the credentials can be captured by anyone able to intercept the connection.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function | Description | Annotation | Category
Scan Endpoint | Scans one or more endpoints on the Malwarebytes server, based on the input (filter) parameters you have specified. | scan_endpoints | Investigation
Get Scan Result | Retrieves the scan history for the endpoint(s) connected to the Malwarebytes server, based on the endpoint name or ID and other input parameters you have specified. | get_scan_result | Investigation
Get Endpoints | Retrieves information about the endpoints connected to the Malwarebytes server, based on the input (filter) parameters you have specified. | get_endpoints | Investigation
Get Endpoint Details | Retrieves information about a specific endpoint connected to the Malwarebytes server, based on the endpoint name or ID you have specified. | get_endpoint_info | Investigation
Delete Endpoints | Deletes endpoints connected to the Malwarebytes server, based on the endpoint name or ID you have specified. | delete_endpoints | Miscellaneous
Get Threats | Retrieves a list and details of all threats detected on endpoints connected to the Malwarebytes server, based on the endpoint type and other input parameters you have specified. | get_threats | Investigation
Get Quarantined Threats | Retrieves a list of all quarantined threats detected on endpoints connected to the Malwarebytes server, based on the endpoint type and other input parameters you have specified. | get_threats | Investigation
Manage Quarantined Threats | Restores or deletes quarantined threats associated with endpoints connected to the Malwarebytes server, based on the detection ID and other input parameters you have specified. | manage_quarantine_threats | Containment
Get Events | Retrieves a list and details of all events associated with an endpoint connected to the Malwarebytes server, based on the endpoint name or ID and severity you have specified. | get_events | Investigation
Get Tasks | Retrieves a list and details of all tasks associated with an endpoint connected to the Malwarebytes server, based on the endpoint name or ID and status you have specified. | get_tasks | Investigation
Create Group | Adds a policy group on the Malwarebytes server, based on the input parameters you have specified. | create_group | Investigation
Get Groups | Retrieves a list of all policy groups associated with endpoints connected to the Malwarebytes server. | get_groups | Investigation
Delete Group | Deletes a policy group associated with endpoints connected to the Malwarebytes server, based on the group name or ID you have specified. | delete_group | Miscellaneous
Assign Policy Group | Assigns the specified endpoints to a specific policy group on the Malwarebytes server, based on the endpoint name or ID and the group name or ID you have specified. | assign_policy_group | Investigation
Get Policies | Retrieves a list of all policies associated with endpoints connected to the Malwarebytes server. | get_policy | Investigation
Delete Policy | Deletes a policy associated with endpoints connected to the Malwarebytes server, based on the policy name or ID you have specified. | delete_policy | Miscellaneous

operation: Scan Endpoint

Input parameters

Parameter Description
Action Scan action that you want this operation to take on the endpoint on the Malwarebytes server.
You can choose from one of the following actions: Scan + Report, Scan + Quarantine, Refresh Assets, or Check for Protection Updates.
Endpoint Options based on which endpoints will be scanned on the Malwarebytes server.
You must choose one of the following: Endpoint Name or Endpoint ID.
Value CSV list or a single endpoint name or a CSV list or a single endpoint ID that you want to scan on the Malwarebytes server, based on the endpoint option you have chosen in the Endpoint field.
For example, endpoint 1, endpoint 2

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}

operation: Get Scan Result

Input parameters

Parameter Description
Endpoint Options based on which scan results of endpoints will be retrieved from the Malwarebytes server.
You must choose one of the following: Endpoint Name or Endpoint ID.
Value Single endpoint name or a single endpoint ID whose scan results you want to retrieve from the Malwarebytes server, based on the endpoint option you have chosen in the Endpoint field.
Show last Number of days for which you want to retrieve scan results from the Malwarebytes server.
You can choose from one of the following: 1 Day, 7 Days, or 30 Days.
Threats Filter based on which you want to retrieve scan results from the Malwarebytes server.
You can choose from one of the following: All Scans, Threats Found, or No Threats.
Start Index (Optional) Index of the first item that this operation should return.
This is an optional query string parameter; if you do not specify any value, it defaults to 0.
Records Per Page (Optional) Number of records that you want to retrieve per page.
This is an optional query string parameter; if you do not specify any value, it defaults to 25.

Output

The output contains the following populated JSON schema:
{
     "machine_id": "",
     "deleted_count": "",
     "found_count": "",
     "from_cloud": "",
     "ondemand": "",
     "duration_seconds": "",
     "id": "",
     "started_at": "",
     "metadata": {
         "detectionDateTime": "",
         "isUserAdmin": "",
         "licenseState": "",
         "modulesDetected": "",
         "registryValuesDetected": "",
         "clientID": "",
         "filesDetected": "",
         "sourceDetails": {
             "scanDurationSecs": "",
             "objectsScanned": "",
             "scanResult": "",
             "scanOptions": {
                 "scanArchives": "",
                 "pupHandling": "",
                 "scanPUPs": "",
                 "useHeuristics": "",
                 "scanRookits": "",
                 "scanMemoryObjects": "",
                 "scanFileSystem": "",
                 "scanType": "",
                 "scanStartupAndRegistry": "",
                 "scanPUMs": "",
                 "pumHandling": ""
             },
             "type": ""
         },
         "applicationVersion": "",
         "componentsUpdatePackageVersion": "",
         "schemaVersion": "",
         "dbSDKUpdatePackageVersion": "",
         "os": "",
         "clientType": "",
         "processesDetected": "",
         "foldersDetected": "",
         "cpu": "",
         "registryKeysDetected": "",
         "id": "",
         "fileSystem": "",
         "loggedOnUserName": "",
         "wmiObjectsDetected": "",
         "registryDataDetected": ""
     },
     "os_platform": "",
     "started_at_local": "",
     "scan_type": "",
     "machine_name": "",
     "quarantined_count": "",
     "reported_at": "",
     "total_count": ""
}

operation: Get Endpoints

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria are applied and an unfiltered list is returned.

Parameter Description
Filter Endpoints Filter based on which you want to retrieve endpoint details from the Malwarebytes server.
Note: If you do not specify any filter, then details of all the endpoints are retrieved from the Malwarebytes server.
You can choose one of the following: All Endpoints, Online Endpoints, Offline Endpoints, or Offline 7+Days.
Group Group name or ID whose member endpoints' details you want to retrieve from the Malwarebytes server.
Note: If you specify a group name or ID, then only the details of endpoints that are members of the specified policy group are retrieved from the Malwarebytes server.
You can choose one of the following: Group Name or Group ID.
Value CSV list or a single group name or a CSV list or a single group ID whose endpoint details you want to retrieve from the Malwarebytes server, based on the group option you have chosen in the Group field.
Search String Query string based on which you want to retrieve endpoint details from the Malwarebytes server.
Note: If you do not specify any query string, then details of all the endpoints are retrieved from the Malwarebytes server.
Start Index (Optional) Index of the first item that this operation should return.
This is an optional query string parameter; if you do not specify any value, it defaults to 0.
Records Per Page (Optional) Number of records that you want to retrieve per page.
This is an optional query string parameter; if you do not specify any value, it defaults to 25.

Output

The output contains the following populated JSON schema:
{
     "machines": [
         {
             "desktop_isolation": "",
             "os_architecture": "",
             "os_release_name": "",
             "network_isolation": "",
             "online": "",
             "created_at": "",
             "suspicious_activity_count": "",
             "policy_id": "",
             "group_id": "",
             "group_name": "",
             "os_platform": "",
             "id": "",
             "uuid": "",
             "updated_at": "",
             "process_isolation": "",
             "name": "",
             "last_seen_at": "",
             "policy_name": ""
         }
     ],
     "total_count": ""
}
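Because Get Endpoints pages its results through Start Index and Records Per Page (defaulting to 0 and 25) and reports a total_count, a playbook that needs every endpoint has to loop. The following is an added example, not code from the Fortinet documentation or the connector itself: it pages through a Get Endpoints style result and then resolves endpoint names to IDs for use with the Endpoint ID option of the other operations, refusing names that match more than one endpoint rather than guessing. The fetch callable and the machine records are constructed stand-ins for the connector step and its output; only the field names (machines, total_count, id, name) come from the documented schema.

```python
from typing import Callable, Dict, Iterable, Iterator, List, Tuple

# One record of the "machines" list in the Get Endpoints output.
Endpoint = Dict[str, object]


def iter_endpoints(fetch: Callable[[int, int], dict], page_size: int = 25) -> Iterator[Endpoint]:
    """Walk every page of a Get Endpoints style result.

    `fetch(start_index, records_per_page)` stands in for the connector step and
    returns {"machines": [...], "total_count": N} as documented for Get Endpoints.
    Paging stops when total_count is reached or a page comes back empty, so a
    server that under-reports total_count cannot make the loop spin forever.
    """
    start = 0
    while True:
        page = fetch(start, page_size) or {}
        machines = page.get("machines") or []
        if not machines:
            return
        yield from machines
        start += len(machines)
        total = page.get("total_count")
        if isinstance(total, int) and start >= total:
            return


def resolve_endpoint_ids(endpoints: Iterable[Endpoint], names: Iterable[str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Map endpoint names to IDs so later steps can use Endpoint = Endpoint ID.

    Names are not guaranteed unique, so a name matching several endpoints is
    reported as ambiguous instead of silently picking the first hit, and unknown
    names are reported too. Returns (ids_by_name, problems_by_name).
    """
    by_name: Dict[str, List[str]] = {}
    for ep in endpoints:
        by_name.setdefault(str(ep["name"]), []).append(str(ep["id"]))
    resolved: Dict[str, str] = {}
    problems: Dict[str, str] = {}
    for name in names:
        hits = by_name.get(name, [])
        if len(hits) == 1:
            resolved[name] = hits[0]
        elif not hits:
            problems[name] = "not found"
        else:
            problems[name] = "ambiguous: " + ", ".join(hits)
    return resolved, problems


def csv_value(ids: Iterable[str]) -> str:
    """Build the comma-separated Value string the CSV-list parameters expect."""
    return ",".join(ids)


# Constructed sample data (not real Malwarebytes output): five endpoints, one
# duplicated name, served in pages of two to exercise the paging loop.
SAMPLE_MACHINES: List[Endpoint] = [
    {"id": "1001", "name": "ws-alice", "online": True, "group_id": "g1"},
    {"id": "1002", "name": "ws-bob", "online": False, "group_id": "g1"},
    {"id": "1003", "name": "srv-db", "online": True, "group_id": "g2"},
    {"id": "1004", "name": "ws-bob", "online": True, "group_id": "g2"},
    {"id": "1005", "name": "srv-web", "online": False, "group_id": "g2"},
]


def fake_fetch(start_index: int, records_per_page: int) -> dict:
    """Stand-in for the Get Endpoints step, honouring Start Index and Records Per Page."""
    return {
        "machines": SAMPLE_MACHINES[start_index:start_index + records_per_page],
        "total_count": len(SAMPLE_MACHINES),
    }


def demo() -> Tuple[List[Endpoint], Dict[str, str], Dict[str, str]]:
    endpoints = list(iter_endpoints(fake_fetch, page_size=2))
    resolved, problems = resolve_endpoint_ids(endpoints, ["ws-alice", "ws-bob", "srv-web", "nope"])
    return endpoints, resolved, problems


if __name__ == "__main__":
    eps, ok, bad = demo()
    print(len(eps), "endpoints; Value =", csv_value(ok.values()), "; problems:", bad)
```

Feeding the resolved IDs rather than names into Scan Endpoint, Delete Endpoints or Manage Quarantined Threats avoids acting on the wrong host when two machines share a hostname; the problems dictionary is what a playbook should surface to the analyst before the containment step runs.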

operation: Get Endpoint Details

Input parameters

Parameter Description
Endpoint Options based on which details of the endpoints will be retrieved from the Malwarebytes server.
You must choose one of the following: Endpoint Name or Endpoint ID.
Value Single endpoint name or a single endpoint ID whose details you want to retrieve from the Malwarebytes server, based on the endpoint option you have chosen in the Endpoint field.

Output

The output contains the following populated JSON schema:
{
     "desktop_isolation": "",
     "os_architecture": "",
     "network_isolation": "",
     "online": "",
     "created_at": "",
     "suspicious_activity_count": "",
     "group_id": "",
     "os_platform": "",
     "id": "",
     "uuid": "",
     "updated_at": "",
     "process_isolation": "",
     "os_release_name": "",
     "last_seen_at": "",
     "name": ""
}

operation: Delete Endpoints

Input parameters

Parameter Description
Endpoint Options based on which endpoints will be deleted from the Malwarebytes server.
You must choose one of the following: Endpoint Name or Endpoint ID.
Value CSV list or a single endpoint name or a CSV list or a single endpoint ID that you want to delete from the Malwarebytes server, based on the endpoint option you have chosen in the Endpoint field.

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}

operation: Get Threats

Input parameters

Parameter Description
Endpoint Types Type of endpoint whose associated threats information you want to retrieve from the Malwarebytes server.
You must choose one of the following: All Endpoints or Single Endpoint.
Action Taken Action that was taken on the threat, i.e., the current status of the threat whose information you want to retrieve from the Malwarebytes server.
You must choose one of the following: Blocked, Cleaned Offline, Deleted, Found, Quarantined, or Restored.
Category Category of the threat whose information you want to retrieve from the Malwarebytes server.
You must choose one of the following: Exploit, Malware, PUM, PUP, Ransomware, or Website.
Start Index (Optional) Index of the first item that this operation should return.
This is an optional query string parameter; if you do not specify any value, it defaults to 0.
Records Per Page (Optional) Number of records that you want to retrieve per page.
This is an optional query string parameter; if you do not specify any value, it defaults to 25.

Output

The output contains the following populated JSON schema:
{
     "total_count": "",
     "threats": [
         {
             "machine_id": "",
             "path": "",
             "status": "",
             "ip_address": "",
             "affected_application": "",
             "reported_at": "",
             "url": "",
             "group_name": "",
             "scan_id": "",
             "scanned_at_local": "",
             "detection_id": "",
             "type": [],
             "threat_name": "",
             "process_name": "",
             "id": "",
             "policy_name": "",
             "md5": "",
             "group_id": "",
             "machine_name": "",
             "category": "",
             "port": "",
             "scanned_at": ""
         }
     ]
}

operation: Get Quarantined Threats

Input parameters

Parameter Description
Endpoint Types Type of endpoint whose associated quarantined threats information you want to retrieve from the Malwarebytes server.
You must choose one of the following: All Endpoints or Single Endpoint.
Show last Number of days for which you want to retrieve quarantined threats information from the Malwarebytes server.
You can choose from one of the following: 1 Day, 7 Days, or 30 Days.
Category Category of the quarantined threat whose information you want to retrieve from the Malwarebytes server.
You must choose one of the following: Exploit, PUM, PUP, or Ransomware.
Start Index (Optional) Index of the first item that this operation should return.
This is an optional query string parameter; if you do not specify any value, it defaults to 0.
Records Per Page (Optional) Number of records that you want to retrieve per page.
This is an optional query string parameter; if you do not specify any value, it defaults to 25.

Output

The output contains the following populated JSON schema:
{
     "quarantined_threats": [
         {
             "machine_id": "",
             "scanned_at_local": "",
             "path": "",
             "detection_id": "",
             "threat_name": "",
             "type": [],
             "machine_name": "",
             "ip_address": "",
             "group_id": "",
             "url": "",
             "id": "",
             "scan_id": "",
             "reported_at": "",
             "category": "",
             "port": "",
             "scanned_at": ""
         }
     ],
     "total_count": ""
}

operation: Manage Quarantined Threats

Input parameters

Parameter Description
Action Action that you want to take for a quarantined threat on the Malwarebytes server.
You must choose one of the following: Restore or Delete.
Detection ID CSV list of detection IDs based on which you want to manage quarantined threats on the Malwarebytes server.
Endpoint Options based on which quarantined threats associated with an endpoint will be managed on the Malwarebytes server.
You must choose one of the following: Endpoint Name or Endpoint ID.
Value CSV list or a single endpoint name or a CSV list or a single endpoint ID whose quarantined threats you want to manage on the Malwarebytes server, based on the endpoint option you have chosen in the Endpoint field.
Start Index (Optional) Index of the first item that this operation should return.
This is an optional query string parameter; if you do not specify any value, it defaults to 0.
Records Per Page (Optional) Number of records that you want to retrieve per page.
This is an optional query string parameter; if you do not specify any value, it defaults to 25.

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}
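Manage Quarantined Threats takes a CSV list of detection IDs plus the endpoint they belong to, and its two actions are not symmetric in risk: Delete discards the quarantined copy, while Restore puts the detected item back on the endpoint. The following is an added example, not code from the Fortinet documentation or the connector: it turns a Get Quarantined Threats (or Get Threats) result into one Manage Quarantined Threats input set per endpoint, filtered by the categories the page lists, deduplicated, and with Restore refused for Exploit, Malware and Ransomware detections unless the caller explicitly overrides. The threat records are constructed sample data; the field names (quarantined_threats, threats, detection_id, machine_id, category) and the Action, Endpoint, Value and Detection ID parameter names come from this page, while treating those three categories as high risk is this example's own policy choice.

```python
from typing import Dict, List, Optional, Set

# Categories from this page that this example treats as unsafe to restore
# automatically (policy choice of the example, not a Malwarebytes setting).
HIGH_RISK_CATEGORIES: Set[str] = {"Exploit", "Malware", "Ransomware"}

# {machine_id: {detection_id: category}}
Selection = Dict[str, Dict[str, str]]


def select_detections(result: dict, categories: Optional[Set[str]] = None,
                      machine_ids: Optional[Set[str]] = None) -> Selection:
    """Group detection IDs by endpoint from a Get Quarantined Threats or Get Threats result.

    Optionally restricts to a set of categories and/or machine IDs. A detection
    ID listed twice for the same endpoint is kept once, so the CSV sent to
    Manage Quarantined Threats never repeats an ID.
    """
    rows = result.get("quarantined_threats") or result.get("threats") or []
    selection: Selection = {}
    for row in rows:
        category = str(row.get("category", ""))
        if categories and category not in categories:
            continue
        mid = str(row.get("machine_id") or "")
        did = str(row.get("detection_id") or "")
        if not mid or not did or (machine_ids and mid not in machine_ids):
            continue
        selection.setdefault(mid, {})[did] = category
    return selection


def restore_blocked(selection: Selection) -> List[str]:
    """Detection IDs in the selection whose category makes Restore unsafe."""
    return sorted(did for dets in selection.values()
                  for did, category in dets.items() if category in HIGH_RISK_CATEGORIES)


def manage_quarantine_inputs(action: str, selection: Selection,
                             allow_high_risk_restore: bool = False) -> List[dict]:
    """Build one Manage Quarantined Threats input set per endpoint.

    Endpoint is always 'Endpoint ID' because IDs are unambiguous where names
    may not be. Restore of high-risk categories raises unless explicitly allowed.
    """
    if action not in ("Restore", "Delete"):
        raise ValueError(f"unsupported action {action!r}; use Restore or Delete")
    if action == "Restore" and not allow_high_risk_restore:
        blocked = restore_blocked(selection)
        if blocked:
            raise ValueError("refusing to restore high-risk detections: " + ", ".join(blocked))
    return [
        {"Action": action, "Endpoint": "Endpoint ID", "Value": mid,
         "Detection ID": ",".join(dets.keys())}
        for mid, dets in sorted(selection.items())
    ]


# Constructed sample in the shape of the Get Quarantined Threats output
# (not real Malwarebytes data); d-100 is deliberately listed twice.
SAMPLE_QUARANTINED = {
    "quarantined_threats": [
        {"id": "q1", "detection_id": "d-100", "machine_id": "1001", "machine_name": "ws-alice",
         "threat_name": "Ransom.Sample", "category": "Ransomware", "path": "C:\\Temp\\a.exe", "type": ["file"]},
        {"id": "q2", "detection_id": "d-101", "machine_id": "1001", "machine_name": "ws-alice",
         "threat_name": "PUP.Optional.Sample", "category": "PUP", "path": "C:\\Temp\\b.exe", "type": ["file"]},
        {"id": "q3", "detection_id": "d-102", "machine_id": "1002", "machine_name": "ws-bob",
         "threat_name": "PUM.Optional.Sample", "category": "PUM", "path": "HKLM\\Software\\Sample", "type": ["registry"]},
        {"id": "q4", "detection_id": "d-100", "machine_id": "1001", "machine_name": "ws-alice",
         "threat_name": "Ransom.Sample", "category": "Ransomware", "path": "C:\\Temp\\a.exe", "type": ["file"]},
    ],
    "total_count": 4,
}


if __name__ == "__main__":
    sel = select_detections(SAMPLE_QUARANTINED, categories={"Ransomware", "PUP"})
    print(manage_quarantine_inputs("Delete", sel))
    print("blocked for Restore:", restore_blocked(sel))
```

Each dictionary in the returned list maps onto the input parameters of one Manage Quarantined Threats step, so a playbook would loop over the list rather than pass all detection IDs with a single endpoint value.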

operation: Get Events

Input parameters

Parameter Description
Severity Severity based on which you want to retrieve events from the Malwarebytes server.
Note: If you do not specify any severity then details of all the events are retrieved from the Malwarebytes server.
You can choose one of the following: Severe, Warning, Info, or Audit.
Endpoint Options based on which events information associated with an endpoint will be retrieved from the Malwarebytes server.
You must choose one of the following: Endpoint Name or Endpoint ID.
Value Single endpoint name or a single endpoint ID whose events information you want to retrieve from the Malwarebytes server, based on the endpoint option you have chosen in the Endpoint field.
Start Index (Optional) Index of the first item that this operation should return.
This is an optional query string parameter; if you do not specify any value, it defaults to 0.
Records Per Page (Optional) Number of records that you want to retrieve per page.
This is an optional query string parameter; if you do not specify any value, it defaults to 25.

Output

The output contains the following populated JSON schema:
{
     "events": [
         {
             "user_id": "",
             "machine_id": "",
             "timestamp": "",
             "severity": "",
             "type": "",
             "source": "",
             "severity_name": "",
             "id": "",
             "machine_name": "",
             "source_name": "",
             "friendly_type": "",
             "type_name": "",
             "details": ""
         }
     ],
     "total_count": ""
}

operation: Get Tasks

Input parameters

Parameter Description
Status Status based on which you want to retrieve tasks from the Malwarebytes server.
Note: If you do not specify any status, then details of all the tasks are retrieved from the Malwarebytes server.
You can choose one of the following: Pending, Success, or Failure.
Endpoint Options based on which tasks information associated with an endpoint will be retrieved from the Malwarebytes server.
You must choose one of the following: Endpoint Name or Endpoint ID.
Value Single endpoint name or a single endpoint ID whose tasks information you want to retrieve from the Malwarebytes server, based on the endpoint option you have chosen in the Endpoint field.
Start Index (Optional) Index of the first item that this operation should return.
This is an optional query string parameter; if you do not specify any value, it defaults to 0.
Records Per Page (Optional) Number of records that you want to retrieve per page.
This is an optional query string parameter; if you do not specify any value, it defaults to 25.

Output

The output contains the following populated JSON schema:
{
     "jobs": [
         {
             "machine_id": "",
             "state": "",
             "issued_at": "",
             "data": "",
             "issued_by_name": "",
             "issued_by": "",
             "command": "",
             "id": "",
             "machine_name": "",
             "updated_at": "",
             "expires_at": "",
             "issued_by_email": ""
         }
     ],
     "total_count": ""
}
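Scan Endpoint only returns a result and status; the scan itself runs as a task on the endpoint, which Get Tasks reports with a Pending, Success or Failure status, and the outcome then appears in Get Scan Result as found_count, quarantined_count and deleted_count. The following is an added example, not code from the Fortinet documentation or the connector, that strings those three operations together the way a playbook would: poll a Get Tasks style source until nothing for the endpoint is Pending (with a hard cap so an endpoint that goes offline mid-scan cannot stall the playbook), then summarise a Get Scan Result record and flag any detections that were neither quarantined nor deleted. The task source and scan records are constructed stand-ins; the assumption that the state field carries the same three values as the Status filter, and that the counts may arrive as strings, is this example's own.

```python
from typing import Callable, Dict

# Assumed to match the Status filter values the page lists for Get Tasks.
PENDING, SUCCESS, FAILURE = "Pending", "Success", "Failure"


def wait_for_tasks(get_tasks: Callable[[str], dict], endpoint_id: str, max_polls: int) -> Dict[str, str]:
    """Poll a Get Tasks style source until no job for the endpoint is Pending.

    `get_tasks(endpoint_id)` stands in for the connector step and returns the
    documented {"jobs": [...], "total_count": N}. Returns {job id: state}.
    Raises TimeoutError once max_polls is exhausted so the caller never spins
    forever on an endpoint that stopped reporting.
    """
    states: Dict[str, str] = {}
    for _ in range(max_polls):
        jobs = (get_tasks(endpoint_id) or {}).get("jobs") or []
        states = {str(job["id"]): str(job.get("state", "")) for job in jobs}
        if PENDING not in states.values():
            return states
    raise TimeoutError(f"tasks for endpoint {endpoint_id} still Pending after {max_polls} polls: {states}")


def _count(scan: dict, key: str) -> int:
    """Counts in a Get Scan Result record may be strings or empty; treat junk as 0."""
    try:
        return int(scan.get(key) or 0)
    except (TypeError, ValueError):
        return 0


def triage_scan(scan: dict) -> dict:
    """Summarise one Get Scan Result record.

    After a Scan + Quarantine every detection should be quarantined or deleted,
    so anything left over ("unhandled") needs an analyst. After a Scan + Report
    the agent only reports, so unhandled == found is the expected outcome there.
    """
    found = _count(scan, "found_count")
    quarantined = _count(scan, "quarantined_count")
    deleted = _count(scan, "deleted_count")
    unhandled = max(found - quarantined - deleted, 0)
    return {
        "machine_name": scan.get("machine_name"),
        "scan_id": scan.get("id"),
        "scan_type": scan.get("scan_type"),
        "found": found,
        "quarantined": quarantined,
        "deleted": deleted,
        "unhandled": unhandled,
        "needs_attention": unhandled > 0,
    }


def make_fake_get_tasks(pending_polls: int) -> Callable[[str], dict]:
    """Constructed Get Tasks stand-in: the scan job is Pending for the first
    `pending_polls` calls, then Success (not real Malwarebytes output)."""
    calls = {"n": 0}

    def get_tasks(endpoint_id: str) -> dict:
        calls["n"] += 1
        state = PENDING if calls["n"] <= pending_polls else SUCCESS
        return {"jobs": [{"id": "job-1", "machine_id": endpoint_id, "command": "scan",
                          "state": state, "issued_by_name": "playbook"}], "total_count": 1}

    return get_tasks


# Constructed sample Get Scan Result records (not real Malwarebytes output).
SCAN_WITH_LEFTOVER = {"id": "s1", "machine_name": "ws-alice", "scan_type": "threat",
                      "found_count": "3", "quarantined_count": "2", "deleted_count": "0"}
SCAN_CLEAN = {"id": "s2", "machine_name": "ws-bob", "scan_type": "threat",
              "found_count": "", "quarantined_count": "", "deleted_count": ""}


if __name__ == "__main__":
    print(wait_for_tasks(make_fake_get_tasks(2), "1001", max_polls=5))
    print(triage_scan(SCAN_WITH_LEFTOVER))
    print(triage_scan(SCAN_CLEAN))
```

In a real playbook the polling loop would sleep between Get Tasks calls and the needs_attention flag would drive a decision step, for example raising an alert or feeding the endpoint into Get Threats to pull the individual detections.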

operation: Create Group

Input parameters

Parameter Description
New Group Name Name of the policy group that you want to create on the Malwarebytes server.
Policy Options based on which you want to add a policy to the new policy group that you want to create on the Malwarebytes server.
You must choose one of the following: Policy Name or Policy ID.
Value Single policy name or a single policy ID that will be added to the policy group that you want to create on the Malwarebytes server, based on the policy option you have chosen in the Policy field.
Create within an existing group (Optional) If you want to add the new policy group to an existing group, then select the Existing group option from this field.
Group If you select Existing from the Create within an existing group field, then you must specify the group name or group ID in which you want to create the new policy group.
This field specifies options based on which the newly created group is added to an existing group on the Malwarebytes server.
You must choose one of the following: Group Name or Group ID.
Value Single group name or a single group ID to which the newly created policy group on the Malwarebytes server will be added, based on the group option you have chosen in the Group field.

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}

operation: Get Groups

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "updated_at": "",
     "policy_name": "",
     "name": "",
     "is_default": "",
     "parent_id": "",
     "machines_count": "",
     "policy_id": "",
     "schedule_ids": []
}

operation: Delete Group

Input parameters

Parameter Description
Group Options based on which the policy group will be deleted from the Malwarebytes server.
You must choose one of the following: Group Name or Group ID.
Value Single policy group name or a single policy group ID that you want to delete from the Malwarebytes server, based on the group option you have chosen in the Group field.

Output

The output contains the following populated JSON schema:
{
     "status": ""
}

operation: Assign Policy Group

Input parameters

Parameter Description
Endpoint Options based on which the endpoints to be assigned to a policy group are identified on the Malwarebytes server.
You must choose one of the following: Endpoint Name or Endpoint ID.
Value CSV list or a single endpoint name or a CSV list or a single endpoint ID that you want to assign to the specified policy group on the Malwarebytes server, based on the endpoint option you have chosen in the Endpoint field.
Group Options based on which the target policy group is identified on the Malwarebytes server.
You must choose one of the following: Group Name or Group ID.
Value CSV list or a single policy group name or a CSV list or a single policy group ID to which you want to assign the specified endpoints on the Malwarebytes server, based on the group option you have chosen in the Group field.

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}

operation: Get Policies

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}

operation: Delete Policy

Input parameters

Parameter Description
Policy Options based on which the policy will be deleted from the Malwarebytes server.
You must choose one of the following: Policy Name or Policy ID.
Value Single policy name or a single policy ID that you want to delete from the Malwarebytes server, based on the policy option you have chosen in the Policy field.

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}

Included playbooks

The Sample - Malwarebytes - 1.0.1 playbook collection comes bundled with the Malwarebytes connector. These sample playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Malwarebytes connector.

  • Assign Policy Group
  • Create Group
  • Delete Endpoints
  • Delete Group
  • Delete Policy
  • Get Endpoint Details
  • Get Endpoints
  • Get Events
  • Get Groups
  • Get Policies
  • Get Quarantined Threats
  • Get Scan Result
  • Get Tasks
  • Get Threats
  • Manage Quarantine Threats
  • Scan Endpoints

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

About the connector

Malwarebytes is an anti-malware software for Microsoft Windows, MacOS, Android, and iOS that finds and removes malware.

This document provides information about the Malwarebytes connector, which facilitates automated interactions, with a Malwarebytes server using FortiSOAR™ playbooks. Add the Malwarebytes connector as a step in FortiSOAR™ playbooks and perform automated operations, such as scanning specified endpoints or retrieving information for a specified endpoint or a list of endpoints connected to Malwarebytes.

Version information

Connector Version: 1.0.1

FortiSOAR™ Version Tested on: 4.11.0-1161

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.0.1

Following enhancements have been made to the Malwarebytes in version 1.0.1:

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-malwarebytes

For the detailed procedure to install a connector, click here.

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Malwarebytes connector row, and in the Configuration tab enter the required configuration details.

Parameter Description
API Server URL API Server URL of the Malwarebytes server to which you will connect and perform automated operations.
Username Username used to connect to the Malwarebytes server to which you will connect and perform automated operations.
Password Password used to connect to the Malwarebytes server to which you will connect and perform automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Scan Endpoint Scans one or more endpoints on the Malwarebytes server, based on the input (filter) parameters you have specified. scan_endpoints
Investigation
Get Scan Result Retrieves the scan history for the endpoint(s) connected to the Malwarebytes server, based on the endpoint name and ID, and other input parameters you have specified. get_scan_result
Investigation
Get Endpoints Retrieves information about the endpoints connected to the Malwarebytes server, based on the input (filter) parameters you have specified. get_endpoints
Investigation
Get Endpoint Details Retrieves information about a specific endpoint connected to the Malwarebytes server, based on the endpoint name and ID you have specified. get_endpoint_info
Investigation
Delete Endpoints Deletes endpoints connected to the Malwarebytes server, based on the endpoint name or ID you have specified. delete_endpoints
Miscellaneous
Get Threats Retrieves a list and details of all threats detected on endpoints connected to the Malwarebytes server, based on the endpoint type, and other input parameters you have specified. get_threats
Investigation
Get Quarantined Threats Retrieves a list of all quarantined threats detected on endpoints connected to the Malwarebytes server, based on the endpoint type, and other input parameters you have specified. get_threats
Investigation
Manage Quarantine Threats Restores or deletes quarantined threats associated with endpoints connected to the Malwarebytes server, based on the detection ID and other input parameters you have specified. manage_quarantine_threats
Containment
Get Events Retrieves a list and details of all events associated with an endpoint connected to the Malwarebytes server, based on endpoint name or endpoint ID and severity you have specified. get_events
Investigation
Get Tasks Retrieves a list and details of all tasks associated with an endpoint connected to the Malwarebytes server, based on endpoint name or endpoint ID and status you have specified. get_tasks
Investigation
Create Group Adds a policy group on the Malwarebytes server, based on input parameters you have specified. create_group
Investigation
Get Groups Retrieves a list of all policy groups associated with endpoints connected to the Malwarebytes server. get_groups
Investigation
Delete Group Deletes a group of policies associated with endpoints connected to the Malwarebytes server, based on the group name or ID you have specified. delete_group
Miscellaneous
Assign Policy Group Assigns a specific endpoint policy to a specific policy group on the Malwarebytes server. assign_policy_group
Investigation
Get Policies Retrieves a list of all policies associated with endpoints connected to the Malwarebytes server. get_policy
Investigation
Delete Policy Deletes a policy associated with endpoints connected to the Malwarebytes server, based on the policy name or ID you have specified. delete_policy
Miscellaneous

operation: Scan Endpoint

Input parameters

Parameter Description
Action Scan action that you want this operation to take on the endpoint on the Malwarebytes server.
You can choose from one of the following actions: Scan + Report, Scan + Quarantine, Refresh Assets, or Check for Protection Updates.
Endpoint Options based on which endpoints will be scanned on the Malwarebytes server.
You must choose one of the following: Endpoint Name or Endpoint ID.
Value CSV list or a single endpoint name or a CSV list or a single endpoint ID that you want to scan on the Malwarebytes server, based on the endpoint option you have chosen in the Endpoint field.
For example, endpoint 1, endpoint 2

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}

operation: Get Scan Result

Input parameters

Parameter Description
Endpoint Options based on which scan results of endpoints will be retrieved from the Malwarebytes server.
You must choose one of the following: Endpoint Name or Endpoint ID.
Value Single endpoint name or single endpoint ID whose scan results you want to retrieve from the Malwarebytes server, based on the endpoint option you have chosen in the Endpoint field.
Show last Number of days for which you want to retrieve scan results from the Malwarebytes server.
You can choose from one of the following: 1 Day, 7 Days, or 30 Days.
Threats Filter based on which you want to retrieve scan results from the Malwarebytes server.
You can choose from one of the following: All Scans, Threats Found, or No Threats.
Start Index (Optional) Index of the first item that this operation should return.
This is an optional query string parameter; if you do not specify any value, then this defaults to 0.
Records Per Page (Optional) Number of records that you want to retrieve per page.
This is an optional query string parameter; if you do not specify any value, then this defaults to 25.

Output

The output contains the following populated JSON schema:
{
     "machine_id": "",
     "deleted_count": "",
     "found_count": "",
     "from_cloud": "",
     "ondemand": "",
     "duration_seconds": "",
     "id": "",
     "started_at": "",
     "metadata": {
         "detectionDateTime": "",
         "isUserAdmin": "",
         "licenseState": "",
         "modulesDetected": "",
         "registryValuesDetected": "",
         "clientID": "",
         "filesDetected": "",
         "sourceDetails": {
             "scanDurationSecs": "",
             "objectsScanned": "",
             "scanResult": "",
             "scanOptions": {
                 "scanArchives": "",
                 "pupHandling": "",
                 "scanPUPs": "",
                 "useHeuristics": "",
                 "scanRookits": "",
                 "scanMemoryObjects": "",
                 "scanFileSystem": "",
                 "scanType": "",
                 "scanStartupAndRegistry": "",
                 "scanPUMs": "",
                 "pumHandling": ""
             },
             "type": ""
         },
         "applicationVersion": "",
         "componentsUpdatePackageVersion": "",
         "schemaVersion": "",
         "dbSDKUpdatePackageVersion": "",
         "os": "",
         "clientType": "",
         "processesDetected": "",
         "foldersDetected": "",
         "cpu": "",
         "registryKeysDetected": "",
         "id": "",
         "fileSystem": "",
         "loggedOnUserName": "",
         "wmiObjectsDetected": "",
         "registryDataDetected": ""
     },
     "os_platform": "",
     "started_at_local": "",
     "scan_type": "",
     "machine_name": "",
     "quarantined_count": "",
     "reported_at": "",
     "total_count": ""
}

operation: Get Endpoints

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria are applied and an unfiltered list of all endpoints is returned.

Parameter Description
Filter Endpoints Filter based on which you want to retrieve endpoint details from the Malwarebytes server.
Note: If you do not specify any filter then details of all the endpoints are retrieved from the Malwarebytes server.
You can choose one of the following: All Endpoints, Online Endpoints, Offline Endpoints, or Offline 7+Days.
Group Group name or ID whose endpoint(s) member details you want to retrieve from the Malwarebytes server.
Note: If you specify the group name or ID, then only the details of endpoints that are members of the specified policy group are retrieved from the Malwarebytes server.
You can choose one of the following: Group Name or Group ID.
Value A single group name or group ID, or a CSV list of group names or group IDs, whose endpoint details you want to retrieve from the Malwarebytes server, according to the option you have chosen in the Group field.
Search String Query string based on which you want to retrieve endpoint details from the Malwarebytes server.
Note: If you do not specify any query string, then details of all the endpoints are retrieved from the Malwarebytes server.
Start Index (Optional) Index of the first item that this operation should return.
This is an optional query string parameter; if you do not specify any value, then this defaults to 0.
Records Per Page (Optional) Number of records that you want to retrieve per page.
This is an optional query string parameter; if you do not specify any value, then this defaults to 25.

Output

The output contains the following populated JSON schema:
{
     "machines": [
         {
             "desktop_isolation": "",
             "os_architecture": "",
             "os_release_name": "",
             "network_isolation": "",
             "online": "",
             "created_at": "",
             "suspicious_activity_count": "",
             "policy_id": "",
             "group_id": "",
             "group_name": "",
             "os_platform": "",
             "id": "",
             "uuid": "",
             "updated_at": "",
             "process_isolation": "",
             "name": "",
             "last_seen_at": "",
             "policy_name": ""
         }
     ],
     "total_count": ""
}
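The Get Endpoints output above is a plain list of machines with online state, last-seen time, a suspicious-activity counter and three isolation flags, which is exactly what a playbook step needs to decide which endpoints deserve a follow-up action. The following is an added example (not part of the connector or of Fortinet's documentation) that reads output in the documented shape and sorts endpoints into review buckets; the machine records, the reference time and the assumption that `last_seen_at` is an ISO-8601 timestamp are all constructed for the example.

```python
"""Triage the Get Endpoints output of the Malwarebytes connector.

Added example, not connector code. GET_ENDPOINTS_OUTPUT is a constructed sample
that follows the documented output schema; every field value is made up.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample in the documented shape (only the fields used below are filled).
GET_ENDPOINTS_OUTPUT = {
    "machines": [
        {"id": "m-1", "name": "ws-finance-01", "online": True,
         "last_seen_at": "2023-03-01T10:00:00Z", "suspicious_activity_count": 0,
         "network_isolation": False, "process_isolation": False,
         "desktop_isolation": False, "group_name": "Finance", "policy_name": "Default"},
        {"id": "m-2", "name": "srv-build-02", "online": False,
         "last_seen_at": "2023-02-20T08:30:00Z", "suspicious_activity_count": 0,
         "network_isolation": False, "process_isolation": False,
         "desktop_isolation": False, "group_name": "Servers", "policy_name": "Default"},
        {"id": "m-3", "name": "lt-sales-07", "online": True,
         "last_seen_at": "2023-03-10T07:15:00Z", "suspicious_activity_count": 3,
         "network_isolation": True, "process_isolation": False,
         "desktop_isolation": False, "group_name": "Sales", "policy_name": "Strict"},
        {"id": "m-4", "name": "ws-hr-03", "online": False,
         "last_seen_at": "2023-03-08T16:45:00Z", "suspicious_activity_count": 0,
         "network_isolation": False, "process_isolation": False,
         "desktop_isolation": False, "group_name": "HR", "policy_name": "Default"},
    ],
    "total_count": 4,
}

# Constructed "now" so the example is deterministic; a playbook would use the real clock.
REFERENCE_NOW = datetime(2023, 3, 10, 12, 0, tzinfo=timezone.utc)

ISOLATION_FLAGS = ("network_isolation", "process_isolation", "desktop_isolation")


def parse_timestamp(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' (assumed server format)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_endpoints(output, now=REFERENCE_NOW, stale_after=timedelta(days=7)):
    """Sort the 'machines' list into review buckets of endpoint names.

    stale      : offline and not seen for longer than stale_after
                 (the same idea as the connector's 'Offline 7+Days' filter)
    suspicious : suspicious_activity_count greater than zero
    isolated   : any of the three isolation flags set
    """
    buckets = {"stale": [], "suspicious": [], "isolated": []}
    for machine in output.get("machines", []):
        name = machine.get("name") or machine.get("id")
        last_seen = parse_timestamp(machine["last_seen_at"])
        if not machine.get("online") and now - last_seen > stale_after:
            buckets["stale"].append(name)
        if int(machine.get("suspicious_activity_count") or 0) > 0:
            buckets["suspicious"].append(name)
        if any(machine.get(flag) for flag in ISOLATION_FLAGS):
            buckets["isolated"].append(name)
    return buckets


def endpoint_selector(names):
    """Join names into the CSV form the connector's Value field accepts ('a, b')."""
    return ", ".join(names)


if __name__ == "__main__":
    for bucket, names in triage_endpoints(GET_ENDPOINTS_OUTPUT).items():
        print(f"{bucket:<10} {endpoint_selector(names) or '-'}")
```

The `stale` bucket reproduces the Offline 7+Days filter client-side, which is useful when the step was run with All Endpoints and you want several views from one call; `endpoint_selector` produces the CSV string that the Value field of operations such as Scan Endpoint expects when Endpoint Name is selected.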

operation: Get Endpoint Details

Input parameters

Parameter Description
Endpoint Options based on which details of the endpoints will be retrieved from the Malwarebytes server.
You must choose one of the following: Endpoint Name or Endpoint ID.
Value Single endpoint name or single endpoint ID whose details you want to retrieve from the Malwarebytes server, based on the endpoint option you have chosen in the Endpoint field.

Output

The output contains the following populated JSON schema:
{
     "desktop_isolation": "",
     "os_architecture": "",
     "network_isolation": "",
     "online": "",
     "created_at": "",
     "suspicious_activity_count": "",
     "group_id": "",
     "os_platform": "",
     "id": "",
     "uuid": "",
     "updated_at": "",
     "process_isolation": "",
     "os_release_name": "",
     "last_seen_at": "",
     "name": ""
}

operation: Delete Endpoints

Input parameters

Parameter Description
Endpoint Options based on which endpoints will be deleted from the Malwarebytes server.
You must choose one of the following: Endpoint Name or Endpoint ID.
Value A single endpoint name or endpoint ID, or a CSV list of endpoint names or endpoint IDs, that you want to delete from the Malwarebytes server, according to the option you have chosen in the Endpoint field.

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}

operation: Get Threats

Input parameters

Parameter Description
Endpoint Types Type of endpoint whose associated threats information you want to retrieve from the Malwarebytes server.
You must choose one of the following: All Endpoints or Single Endpoint.
Action Taken Action that was taken on the threat, i.e., the current status of the threat whose information you want to retrieve from the Malwarebytes server.
You must choose one of the following: Blocked, Cleaned Offline, Deleted, Found, Quarantined, or Restored.
Category Category of the threat whose information you want to retrieve from the Malwarebytes server.
You must choose one of the following: Exploit, Malware, PUM, PUP, Ransomware, or Website.
Start Index (Optional) Index of the first item that this operation should return.
This is an optional query string parameter; if you do not specify any value, then this defaults to 0.
Records Per Page (Optional) Number of records that you want to retrieve per page.
This is an optional query string parameter; if you do not specify any value, then this defaults to 25.

Output

The output contains the following populated JSON schema:
{
     "total_count": "",
     "threats": [
         {
             "machine_id": "",
             "path": "",
             "status": "",
             "ip_address": "",
             "affected_application": "",
             "reported_at": "",
             "url": "",
             "group_name": "",
             "scan_id": "",
             "scanned_at_local": "",
             "detection_id": "",
             "type": [],
             "threat_name": "",
             "process_name": "",
             "id": "",
             "policy_name": "",
             "md5": "",
             "group_id": "",
             "machine_name": "",
             "category": "",
             "port": "",
             "scanned_at": ""
         }
     ]
}
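Several operations on this page (Get Scan Result, Get Endpoints, Get Threats, Get Quarantined Threats, Get Events, Get Tasks) page their results with the same Start Index and Records Per Page parameters, defaulting to 0 and 25, and return a `total_count` alongside the page. A playbook that wants the complete set has to advance Start Index by Records Per Page until `total_count` is reached. The following added example (not connector or Malwarebytes code) shows that loop over the Get Threats output shape and then summarises the collected records; `fetch_threats_page` is a constructed stand-in for the playbook step, and the threat records and hashes in it are made up.

```python
"""Page through a Get Threats result set and summarise it for a playbook.

Added example, not connector code. _ALL_THREATS is a constructed data set in
the documented output shape; fetch_threats_page stands in for the connector step.
"""
import re
from collections import Counter

DEFAULT_START_INDEX = 0        # connector default for Start Index
DEFAULT_RECORDS_PER_PAGE = 25  # connector default for Records Per Page

# Constructed records (placeholder hashes, made-up hosts and paths).
_ALL_THREATS = [
    {"id": "t1", "machine_name": "ws-finance-01", "category": "Malware",
     "status": "Quarantined", "md5": "d41d8cd98f00b204e9800998ecf8427e", "path": "C:\\dl\\inv.exe"},
    {"id": "t2", "machine_name": "ws-finance-01", "category": "PUP",
     "status": "Quarantined", "md5": "", "path": "C:\\Program Files\\tb\\tb.dll"},
    {"id": "t3", "machine_name": "srv-build-02", "category": "Ransomware",
     "status": "Found", "md5": "00000000000000000000000000000001", "path": "D:\\tmp\\x.exe"},
    {"id": "t4", "machine_name": "lt-sales-07", "category": "Website",
     "status": "Blocked", "md5": "", "url": "http://example.invalid/"},
    {"id": "t5", "machine_name": "lt-sales-07", "category": "Exploit",
     "status": "Blocked", "md5": "", "process_name": "winword.exe"},
    {"id": "t6", "machine_name": "ws-hr-03", "category": "Malware",
     "status": "Found", "md5": "D41D8CD98F00B204E9800998ECF8427E", "path": "C:\\dl\\inv.exe"},
    {"id": "t7", "machine_name": "ws-hr-03", "category": "PUM",
     "status": "Deleted", "md5": "not-a-hash", "path": "HKLM\\...\\Policies"},
]


def fetch_threats_page(start_index=DEFAULT_START_INDEX, records_per_page=DEFAULT_RECORDS_PER_PAGE):
    """Stand-in for the Get Threats step: one page in the documented output shape."""
    page = _ALL_THREATS[start_index:start_index + records_per_page]
    return {"threats": page, "total_count": len(_ALL_THREATS)}


def fetch_all_threats(fetch_page, records_per_page=DEFAULT_RECORDS_PER_PAGE, max_pages=1000):
    """Collect every record by advancing Start Index by Records Per Page.

    Stops when start >= total_count, on an empty page (so a server that
    over-reports total_count cannot loop forever), or after max_pages.
    """
    items, start = [], DEFAULT_START_INDEX
    for _ in range(max_pages):
        page = fetch_page(start, records_per_page)
        batch = page.get("threats") or []
        if not batch:
            break
        items.extend(batch)
        start += records_per_page
        if start >= int(page.get("total_count") or 0):
            break
    return items


_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def summarize_threats(threats):
    """Counts by category and by status, endpoints that still have 'Found'
    (unremediated) detections, and the well-formed MD5 values for pivoting."""
    by_category = Counter(t.get("category", "") for t in threats)
    by_status = Counter(t.get("status", "") for t in threats)
    found_on = sorted({t["machine_name"] for t in threats if t.get("status") == "Found"})
    md5s = sorted({(t.get("md5") or "").lower() for t in threats
                   if _MD5_RE.match((t.get("md5") or "").lower())})
    return {"by_category": dict(by_category), "by_status": dict(by_status),
            "found_on": found_on, "md5s": md5s}


if __name__ == "__main__":
    records = fetch_all_threats(fetch_threats_page, records_per_page=3)
    print(summarize_threats(records))
```

Filtering the MD5 field through a regex matters because Website and Exploit detections carry a URL or process name rather than a file hash, and a blank or malformed value should not be forwarded to another tool as an indicator. The empty-page check is the guard a practitioner wants in any SOAR loop that trusts a remote `total_count`.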

operation: Get Quarantined Threats

Input parameters

Parameter Description
Endpoint Types Type of endpoint whose associated quarantined threats information you want to retrieve from the Malwarebytes server.
You must choose one of the following: All Endpoints or Single Endpoint.
Show last Number of days for which you want to retrieve quarantined threats information from the Malwarebytes server.
You can choose from one of the following: 1 Day, 7 Days, or 30 Days.
Category Category of the quarantined threat whose information you want to retrieve from the Malwarebytes server.
You must choose one of the following: Exploit, PUM, PUP, or Ransomware.
Start Index (Optional) Index of the first item that this operation should return.
This is an optional query string parameter; if you do not specify any value, then this defaults to 0.
Records Per Page (Optional) Number of records that you want to retrieve per page.
This is an optional query string parameter; if you do not specify any value, then this defaults to 25.

Output

The output contains the following populated JSON schema:
{
     "quarantined_threats": [
         {
             "machine_id": "",
             "scanned_at_local": "",
             "path": "",
             "detection_id": "",
             "threat_name": "",
             "type": [],
             "machine_name": "",
             "ip_address": "",
             "group_id": "",
             "url": "",
             "id": "",
             "scan_id": "",
             "reported_at": "",
             "category": "",
             "port": "",
             "scanned_at": ""
         }
     ],
     "total_count": ""
}

operation: Manage Quarantined Threats

Input parameters

Parameter Description
Action Action that you want to take for a quarantined threat on the Malwarebytes server.
You must choose one of the following: Restore or Delete.
Detection ID CSV list of detection IDs based on which you want to manage quarantined threats on the Malwarebytes server.
Endpoint Options based on which quarantined threats associated with an endpoint will be managed on the Malwarebytes server.
You must choose one of the following: Endpoint Name or Endpoint ID.
Value A single endpoint name or endpoint ID, or a CSV list of endpoint names or endpoint IDs, whose quarantined threats you want to manage on the Malwarebytes server, according to the option you have chosen in the Endpoint field.
Start Index (Optional) Index of the first item that this operation should return.
This is an optional query string parameter; if you do not specify any value, then this defaults to 0.
Records Per Page (Optional) Number of records that you want to retrieve per page.
This is an optional query string parameter; if you do not specify any value, then this defaults to 25.

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}

operation: Get Events

Input parameters

Parameter Description
Severity Severity based on which you want to retrieve events from the Malwarebytes server.
Note: If you do not specify any severity then details of all the events are retrieved from the Malwarebytes server.
You can choose one of the following: Severe, Warning, Info, or Audit.
Endpoint Options based on which events information associated with an endpoint will be retrieved from the Malwarebytes server.
You must choose one of the following: Endpoint Name or Endpoint ID.
Value Single endpoint name or a single endpoint ID whose events information you want to retrieve from the Malwarebytes server, based on the endpoint option you have chosen in the Endpoint field.
Start Index (Optional) Index of the first item that this operation should return.
This is an optional query string parameter; if you do not specify any value, then this defaults to 0.
Records Per Page (Optional) Number of records that you want to retrieve per page.
This is an optional query string parameter; if you do not specify any value, then this defaults to 25.

Output

The output contains the following populated JSON schema:
{
     "events": [
         {
             "user_id": "",
             "machine_id": "",
             "timestamp": "",
             "severity": "",
             "type": "",
             "source": "",
             "severity_name": "",
             "id": "",
             "machine_name": "",
             "source_name": "",
             "friendly_type": "",
             "type_name": "",
             "details": ""
         }
     ],
     "total_count": ""
}

operation: Get Tasks

Input parameters

Parameter Description
Status Status based on which you want to retrieve tasks from the Malwarebytes server.
Note: If you do not specify any status, then details of all the tasks are retrieved from the Malwarebytes server.
You can choose one of the following: Pending, Success, or Failure.
Endpoint Options based on which tasks information associated with an endpoint will be retrieved from the Malwarebytes server.
You must choose one of the following: Endpoint Name or Endpoint ID.
Value Single endpoint name or a single endpoint ID whose tasks information you want to retrieve from the Malwarebytes server, based on the endpoint option you have chosen in the Endpoint field.
Start Index (Optional) Index of the first item that this operation should return.
This is an optional query string parameter; if you do not specify any value, then this defaults to 0.
Records Per Page (Optional) Number of records that you want to retrieve per page.
This is an optional query string parameter; if you do not specify any value, then this defaults to 25.

Output

The output contains the following populated JSON schema:
{
     "jobs": [
         {
             "machine_id": "",
             "state": "",
             "issued_at": "",
             "data": "",
             "issued_by_name": "",
             "issued_by": "",
             "command": "",
             "id": "",
             "machine_name": "",
             "updated_at": "",
             "expires_at": "",
             "issued_by_email": ""
         }
     ],
     "total_count": ""
}

operation: Create Group

Input parameters

Parameter Description
New Group Name Name of the policy group that you want to create on the Malwarebytes server.
Policy Options based on which you want to add a policy to the new policy group that you want to create on the Malwarebytes server.
You must choose one of the following: Policy Name or Policy ID.
Value Single policy name or a single policy ID that will be added to the policy group that you want to create on the Malwarebytes server, based on the policy option you have chosen in the Policy field.
Create within an existing group (Optional) If you want to add the new policy group to an existing group, then select the Existing group option from this field.
Group If you select Existing from the Create within an existing group field, then you must specify the group name or group ID in which you want to create the new policy group.
This field specifies the option based on which the newly created group is added to an existing group on the Malwarebytes server.
You must choose one of the following: Group Name or Group ID.
Value Single group name or a single group ID to which the newly created policy group on the Malwarebytes server will be added, based on the group option you have chosen in the Group field.

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}

operation: Get Groups

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "updated_at": "",
     "policy_name": "",
     "name": "",
     "is_default": "",
     "parent_id": "",
     "machines_count": "",
     "policy_id": "",
     "schedule_ids": []
}

operation: Delete Group

Input parameters

Parameter Description
Group Options based on which the group of policies will be deleted from the Malwarebytes server.
You must choose one of the following: Group Name or Group ID.
Value Single policy group name or a single policy group ID that you want to delete from the Malwarebytes server, based on the group option you have chosen in the Group field.

Output

The output contains the following populated JSON schema:
{
     "status": ""
}

operation: Assign Policy Group

Input parameters

Parameter Description
Endpoint Options based on which you want to assign the specified endpoint policy to a specific policy group on the Malwarebytes server.
You must choose one of the following: Endpoint Name or Endpoint ID.
Value A single endpoint name or endpoint ID, or a CSV list of endpoint names or endpoint IDs, whose associated policy you want to assign to the specified policy group on the Malwarebytes server, according to the option you have chosen in the Endpoint field.
Group Options based on which you want to assign the specified endpoint policy to a specific policy group on the Malwarebytes server.
You must choose one of the following: Group Name or Group ID.
Value CSV list or a single policy group name or a CSV list or a single policy group ID to which you want to assign the specified endpoint policy on the Malwarebytes server, based on the group option you have chosen in the Group field.

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}

operation: Get Policies

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}

operation: Delete Policy

Input parameters

Parameter Description
Policy Options based on which the policy will be deleted from the Malwarebytes server.
You must choose one of the following: Policy Name or Policy ID.
Value Single policy name or single policy ID that you want to delete from the Malwarebytes server, based on the policy option you have chosen in the Policy field.

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}

Included playbooks

The Sample - Malwarebytes - 1.0.1 playbook collection comes bundled with the Malwarebytes connector. This playbook collection contains steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Malwarebytes connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.