Malwarebytes is anti-malware software for Microsoft Windows, macOS, Android, and iOS that finds and protects endpoints against malware, ransomware, and other advanced online threats.
This document provides information about the Malwarebytes connector, which facilitates automated interactions with a Malwarebytes server using FortiSOAR™ playbooks. Add the Malwarebytes connector as a step in FortiSOAR™ playbooks to perform automated operations, such as scanning specified endpoints or retrieving information about a specified endpoint or a list of endpoints connected to Malwarebytes.
Connector Version: 2.0.0
Authored By: Community
Certified: No
The following enhancements have been made to the Malwarebytes Connector in version 2.0.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-malwarebytes
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Malwarebytes connector card. On the connector popup, click the Configurations tab to enter the required configuration details.
Parameter | Description |
---|---|
API Server URL | Specify the Malwarebytes API server URL to which you will connect and perform the automated operations. |
Account ID | Specify the ID of your Malwarebytes account using which you can connect to Malwarebytes and perform automated operations. |
Client ID | Specify the client ID using which you can connect to Malwarebytes and perform automated operations. |
Client Secret | Specify the client Secret using which you can connect to Malwarebytes and perform automated operations. |
Scope | Select the scope of access that you want to allow to FortiSOAR. You can choose one or more of the following options: Read, Write, or Execute. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
Function | Description | Annotation and Category |
---|---|---|
Get Endpoints | Retrieves all endpoints or specific endpoints connected to Malwarebytes based on the input parameters you have specified. | get_endpoints Investigation |
Get Endpoint Details | Retrieves information about a specific endpoint connected to Malwarebytes based on the endpoint ID you have specified. | get_endpoint_details Investigation |
Get Endpoint Status | Retrieves the status of a specific endpoint connected to Malwarebytes based on the endpoint ID you have specified. | get_endpoint_status Investigation |
Get Endpoint Agent Info | Retrieves agent information of a specified endpoint from Malwarebytes based on the endpoint ID you have specified. | get_endpoint_agent_info Investigation |
Get Endpoint Assets | Retrieves information about the assets of a specific endpoint connected to Malwarebytes based on the endpoint ID you have specified. | get_endpoint_assets Investigation |
Get Endpoint Network Info | Retrieves the network information of a specific endpoint connected to Malwarebytes based on the endpoint ID you have specified. | get_endpoint_network_info Investigation |
Scan Endpoints | Scans one or more specific endpoints connected to Malwarebytes based on the action and endpoint IDs you have specified. | scan_endpoints Investigation |
Get Scan Result | Retrieves the scan history of a specific endpoint connected to Malwarebytes based on the endpoint ID and other input parameters you have specified. | get_scan_result Investigation |
Quarantine Endpoints | Quarantines specified endpoints connected to Malwarebytes based on the comma-separated list of endpoint IDs you have specified. | quarantine_endpoints Investigation |
Unquarantine Endpoints | Unquarantines specified endpoints connected to Malwarebytes based on the comma-separated list of endpoint IDs you have specified. | unquarantine_endpoints Investigation |
Get Endpoint Suspicious Activities | Retrieves suspicious activities of the specified endpoint from Malwarebytes based on the endpoint ID and other input parameters you have specified. | get_endpoint_suspicious_activities Investigation |
Remediate Endpoint Suspicious Activity | Remediates the suspicious activity on the specified endpoint connected to Malwarebytes based on the endpoint ID and suspicious activity ID you have specified. | remediate_endpoint_suspicious_activity Investigation |
Update Endpoint Suspicious Activity | Updates the status of the specified suspicious activity of the specified endpoint to either Open or Close based on the endpoint ID, suspicious activity ID, and status you have specified. | update_endpoint_suspicious_activity Investigation |
Get Endpoint Quarantined Items | Retrieves quarantined items of the specified endpoint from Malwarebytes based on the endpoint ID you have specified. | get_endpoint_quarantined_items Investigation |
Assign Group to Endpoints | Assigns specific group to endpoints connected to Malwarebytes based on the group ID and other input parameters you have specified. | assign_group_to_endpoints Investigation |
Delete Endpoints | Deletes endpoints connected to Malwarebytes based on the comma-separated list of endpoint IDs you have specified. | delete_endpoints Investigation |
Get Events | Retrieves a list of all events or specific events from Malwarebytes based on the input parameters you have specified. | get_events Investigation |
Get Tasks | Retrieves a list of all tasks or specific tasks from Malwarebytes based on the input parameters you have specified. | get_tasks Investigation |
Create Group | Creates a policy group in Malwarebytes based on the name of the policy group, policy ID to be applied to the group, and other input parameters you have specified. | create_group Investigation |
Get Groups | Retrieves a list of all policy groups or specific policy groups, which are associated with endpoints connected to Malwarebytes, from Malwarebytes based on the input parameters you have specified. | get_groups Investigation |
Delete Group | Deletes a policy group associated with endpoints connected to Malwarebytes based on the group ID you have specified. | delete_group Investigation |
Create Policy | Creates a new policy in Malwarebytes based on the policy name and contents you have specified. | create_policy Investigation |
Get Policies | Retrieves a list of all policies or specific policies, which are associated with endpoints connected to Malwarebytes, from Malwarebytes based on the policy ID you have specified. | get_policies Investigation |
Delete Policy | Deletes a specific policy from Malwarebytes based on the policy ID you have specified. | delete_policy Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is returned.
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID using which you want to filter endpoints retrieved from Malwarebytes. |
Isolated | Select this option to filter endpoints retrieved from Malwarebytes to only isolated endpoints. |
Has Alerts | Select this option to filter endpoints retrieved from Malwarebytes to only those endpoints that have associated alerts. |
Policy ID | Specify the policy ID using which you want to filter endpoints retrieved from Malwarebytes. |
Policy Name | Specify the policy name using which you want to filter endpoints retrieved from Malwarebytes. |
Host Name | Specify the hostname using which you want to filter endpoints retrieved from Malwarebytes. |
OS Platform | Specify the OS platform type using which you want to filter endpoints retrieved from Malwarebytes. |
Domain Name | Specify the domain name using which you want to filter endpoints retrieved from Malwarebytes. |
Group Name | Specify the group name using which you want to filter endpoints retrieved from Malwarebytes. |
Endpoint IP Address | Specify the endpoint IP address using which you want to filter endpoints retrieved from Malwarebytes. |
Page Size | Specify the page size, that is, the number of endpoints per request that you want to retrieve from Malwarebytes. |
Next Cursor | Specify the pagination cursor for the next set of results. |
Extra Query Params | Specify any additional query parameters, in the JSON format, using which you want to filter endpoints retrieved from Malwarebytes. For more information, see https://api.malwarebytes.com/nebula/v1/docs#operation/api.v2.nebula.post.endpoints. |
The output contains the following populated JSON schema:
{
"aggregations": {},
"endpoints": [
{
"link": "",
"protection_status": "",
"display_name": "",
"agent": {
"is_software_update_available": "",
"has_alerts": "",
"last_user": "",
"at": "",
"machine_id": "",
"account_id": "",
"group_id": "",
"nics": [
{
"ips": [],
"description": "",
"mac_address": ""
}
],
"os_info": {
"os_type": "",
"os_version": "",
"os_platform": "",
"os_architecture": "",
"os_release_name": ""
},
"domain_name": "",
"host_name": "",
"fully_qualified_host_name": "",
"object_guid": "",
"plugins": {
"incident_response": {
"product_name": "",
"plugin_version": "",
"update_package_version": "",
"component_package_version": "",
"alerts": {
"codes": []
}
},
"endpoint_protection": {
"sdk_version": "",
"product_name": "",
"plugin_version": "",
"update_package_version": "",
"component_package_version": "",
"alerts": {
"codes": []
}
},
"asset_manager": {
"product_name": "",
"plugin_version": "",
"alerts": {
"codes": []
}
},
"endpoint_detection_and_response": {
"product_name": "",
"plugin_version": "",
"alerts": {
"codes": []
}
}
},
"engine_version": "",
"policy_etag": "",
"version": "",
"document_id": "",
"machine_ip": "",
"source_location": {
"city": "",
"country": "",
"country_iso": "",
"continent": "",
"accuracy_radius": "",
"point": {
"lat": "",
"lon": ""
},
"time_zone": "",
"postal_code": "",
"subdivisions": [],
"anonymous_proxy": ""
},
"serial_number": ""
},
"machine": {
"id": "",
"job": {},
"account": {},
"online": "",
"account_id": "",
"group_id": "",
"root_group_id": "",
"group_name": "",
"policy_id": "",
"policy_name": "",
"last_day_seen": "",
"isolated": "",
"scan_age_days": "",
"suspicious_activity_count": "",
"infection_count": "",
"reboot_required": "",
"last_scanned_at": "",
"is_deleted": "",
"version": "",
"document_id": "",
"created_at": ""
},
"machineVersion": ""
}
],
"total_count": "",
"next_cursor": "",
"after": ""
}
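As an added example (not code from the connector or from FortiSOAR), the following Python shows how a playbook post-processing step could page through the Get Endpoints output above by following next_cursor, use the documented machine and agent fields to decide which endpoints need attention, and format the result as the comma-separated Endpoint IDs value that the Scan Endpoints and Quarantine Endpoints operations take. The sample response, the fetch callback and all ID values are constructed for illustration.

```python
"""Triage helper for the Get Endpoints output schema documented above.

Added example, not part of the connector or of FortiSOAR. It works on the
documented output shape (endpoints[].machine.*, endpoints[].agent.*) and on
a constructed sample response; the fetch callback, the reason names and the
sample IDs are assumptions for illustration.
"""
from typing import Callable, Dict, Iterator, List

# Constructed two-page sample in the documented Get Endpoints output shape.
SAMPLE_PAGES = {
    "": {
        "endpoints": [
            {"machine": {"id": "ep-001", "group_name": "Finance", "isolated": False,
                         "suspicious_activity_count": 2, "infection_count": 0,
                         "reboot_required": False, "online": True},
             "agent": {"has_alerts": True, "host_name": "fin-pc-01"}},
            {"machine": {"id": "ep-002", "group_name": "Finance", "isolated": True,
                         "suspicious_activity_count": 0, "infection_count": 3,
                         "reboot_required": True, "online": True},
             "agent": {"has_alerts": True, "host_name": "fin-pc-02"}},
        ],
        "total_count": 3,
        "next_cursor": "cursor-page-2",
    },
    "cursor-page-2": {
        "endpoints": [
            {"machine": {"id": "ep-003", "group_name": "IT", "isolated": False,
                         "suspicious_activity_count": 0, "infection_count": 0,
                         "reboot_required": False, "online": False},
             "agent": {"has_alerts": False, "host_name": "it-pc-01"}},
        ],
        "total_count": 3,
        "next_cursor": "",
    },
}


def fake_get_endpoints(next_cursor: str) -> Dict:
    """Stand-in for the connector's Get Endpoints step, keyed by Next Cursor."""
    return SAMPLE_PAGES[next_cursor]


def iter_endpoints(fetch: Callable[[str], Dict]) -> Iterator[Dict]:
    """Yield every endpoint, following next_cursor until the API returns none.

    A cursor that repeats is treated as the end of the data so a misbehaving
    server cannot keep the playbook looping forever."""
    seen = set()
    cursor = ""
    while True:
        page = fetch(cursor)
        for ep in page.get("endpoints", []):
            yield ep
        cursor = page.get("next_cursor") or ""
        if not cursor or cursor in seen:
            return
        seen.add(cursor)


def needs_attention(ep: Dict) -> List[str]:
    """Return the reasons an endpoint should be looked at, from schema fields."""
    m = ep.get("machine", {})
    a = ep.get("agent", {})
    reasons = []
    if m.get("infection_count", 0) > 0:
        reasons.append("infections")
    if m.get("suspicious_activity_count", 0) > 0:
        reasons.append("suspicious_activity")
    if m.get("reboot_required"):
        reasons.append("reboot_required")
    if a.get("has_alerts"):
        reasons.append("alerts")
    return reasons


def triage(fetch: Callable[[str], Dict]) -> Dict[str, List[str]]:
    """Split endpoint IDs into those to scan and those that are already isolated."""
    to_scan, already_isolated = [], []
    for ep in iter_endpoints(fetch):
        if not needs_attention(ep):
            continue
        mid = ep["machine"]["id"]
        (already_isolated if ep["machine"].get("isolated") else to_scan).append(mid)
    return {"scan": to_scan, "isolated": already_isolated}


def endpoint_ids_param(ids: List[str]) -> str:
    """Format IDs as the comma-separated list the Scan/Quarantine Endpoints
    steps expect, dropping blanks and duplicates while keeping order."""
    uniq: List[str] = []
    for raw in ids:
        value = raw.strip()
        if value and value not in uniq:
            uniq.append(value)
    return ",".join(uniq)


if __name__ == "__main__":
    result = triage(fake_get_endpoints)
    print("Endpoint IDs for Scan Endpoints:", endpoint_ids_param(result["scan"]))
    print("Already isolated:", endpoint_ids_param(result["isolated"]))
```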
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID for which you want to retrieve details from Malwarebytes. |
The output contains the following populated JSON schema:
{
"id": "",
"policy_id": "",
"group_id": "",
"name": "",
"online": "",
"is_deleted": "",
"os_architecture": "",
"os_platform": "",
"os_release_name": "",
"last_seen_at": "",
"tags": {},
"stats": {}
}
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose status you want to retrieve from Malwarebytes. |
The output contains the following populated JSON schema:
{
"remediation_required": {
"status": "",
"infection_count": "",
"job_state": ""
},
"reboot_required": {
"status": "",
"reasons": "",
"job_id": "",
"job_state": ""
},
"suspicious_activity": {
"status": "",
"count": ""
},
"isolation": {
"status": "",
"process": "",
"network": "",
"desktop": ""
},
"scan_needed": {
"status": "",
"last_scanned_at": ""
}
}
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose agent information you want to retrieve from Malwarebytes. |
The output contains the following populated JSON schema:
{
"agent_info": "",
"last_seen_at": "",
"agent_info_last_updated_at": ""
}
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID for which you want to retrieve asset information from Malwarebytes. |
The output contains the following populated JSON schema:
{
"startups": [
{
"key": "",
"name": ""
}
],
"os_info": {
"os_platform": "",
"os_architecture": "",
"os_version": "",
"os_release_name": "",
"os_type": ""
},
"computer_info": {
"manufacturer": "",
"model": ""
},
"software_installed": [
{
"vendor": "",
"product": "",
"version": ""
}
],
"nics": [
{
"mac_address": "",
"description": "",
"ips": []
}
],
"updates_installed": [
{
"title": ""
}
],
"culture": "",
"dhcp_scope_name": "",
"time_zone": "",
"host_name": "",
"fully_qualified_host_name": "",
"plugin_version": "",
"updates_available": [
{
"category": "",
"date": "",
"description": "",
"kb_id": "",
"product": "",
"reboot_required": "",
"security_update_id": "",
"severity": "",
"size": "",
"title": "",
"vendor": ""
}
]
}
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID for which you want to retrieve network information from Malwarebytes. |
The output contains the following populated JSON schema:
{
"nics": [
{
"ips": [],
"description": "",
"mac_address": ""
}
],
"host_name": "",
"fully_qualified_host_name": "",
"last_seen_at": "",
"agent_info_last_updated_at": ""
}
Parameter | Description |
---|---|
Action | Select the action that you want to perform on the specified endpoints. You can choose between Scan + Report, Scan + Quarantine, Refresh Assets, or Check for Protection Updated. |
Endpoint IDs | Specify a comma-separated list of endpoint IDs that you want to scan. |
The output contains the following populated JSON schema:
{
"jobs": [
{
"machine_id": "",
"job_id": ""
}
],
"total_count": ""
}
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose scan history you want to retrieve from Malwarebytes. |
From | Select the DateTime from when you want to retrieve the scan history from Malwarebytes. |
Next Cursor | (Optional) Specify the pagination cursor for the next set of results. |
The output contains the following populated JSON schema:
{
"id": "",
"deleted_count": "",
"duration_seconds": "",
"found_count": "",
"from_cloud": "",
"machine_id": "",
"machine_name": "",
"ondemand": "",
"os_platform": "",
"quarantined_count": "",
"reported_at": "",
"scan_type": "",
"started_at": "",
"started_at_local": "",
"total_count": ""
}
Parameter | Description |
---|---|
Endpoint IDs | Specify a comma-separated list of endpoint IDs that you want to quarantine. |
The output contains the following populated JSON schema:
{
"jobs": [
{
"machine_id": "",
"job_id": ""
}
],
"total_count": ""
}
Parameter | Description |
---|---|
Endpoint IDs | Specify a comma-separated list of endpoint IDs that you want to unquarantine. |
The output contains the following populated JSON schema:
{
"jobs": [
{
"machine_id": "",
"job_id": ""
}
],
"total_count": ""
}
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID for which you want to retrieve suspicious activities from Malwarebytes. |
From | Select the DateTime from when you want to retrieve suspicious activities from Malwarebytes. |
Page Size | (Optional) Specify the page size, that is, the number of results per request that you want to retrieve from Malwarebytes. |
Next Cursor | (Optional) Specify the pagination cursor for the next set of results. |
The output contains the following populated JSON schema:
{
"sa": [
{
"detection_id_list": [
""
],
"status": "",
"timestamp": "",
"path": "",
"pc_hostname": "",
"machine_id": "",
"account_id": "",
"closed": "",
"level": "",
"detected_by_count": ""
}
],
"total_count": "",
"next_cursor": ""
}
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose suspicious activity you want to remediate. |
Suspicious Activity ID | Specify the ID of the suspicious activity that you want to remediate. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose suspicious activity status you want to update. |
Suspicious Activity ID | Specify the ID of the suspicious activity whose status you want to update. |
Status | Select the status that you want to set for the specified suspicious activity. You can choose between Open or Close. |
The output contains the following populated JSON schema:
{
"result": ""
}
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID for which you want to retrieve quarantined items from Malwarebytes. |
The output contains the following populated JSON schema:
{
"quarantined_threats": [
{
"id": "",
"scan_id": "",
"machine_id": "",
"machine_name": "",
"group_id": "",
"detection_id": "",
"scanned_at": "",
"scanned_at_local": "",
"reported_at": "",
"threat_name": "",
"type": [],
"path": "",
"category": "",
"ip_address": "",
"url": "",
"port": ""
}
],
"total_count": "",
"next_cursor": ""
}
Parameter | Description |
---|---|
Group ID | Specify the group ID that you want to assign to the endpoints connected to Malwarebytes. |
Endpoint IDs | (Optional) Specify a comma-separated list of endpoints that you want to assign to the specified group. |
Filter Query | (Optional) Specify a query to filter endpoints connected to Malwarebytes. For more information, see https://api.malwarebytes.com/nebula/v1/docs#operation/api.v2.nebula.post.groups.bulk. |
The output contains the following populated JSON schema:
{
"moved": [],
"errors": [
{
"id": "",
"account_id": "",
"account_ids": []
}
]
}
Parameter | Description |
---|---|
Endpoint IDs | Specify a comma-separated list of endpoint IDs that you want to delete from Malwarebytes. |
The output contains the following populated JSON schema:
{
"result": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of events) is returned.
Parameter | Description |
---|---|
Search String | Specify a search string using which you want to filter events retrieved from Malwarebytes. |
Endpoint ID | Specify the endpoint ID (machine_id/endpoint_id) using which you want to filter events retrieved from Malwarebytes. |
From | Select the DateTime from when you want to filter events retrieved from Malwarebytes. |
To | Select the DateTime till when you want to filter events retrieved from Malwarebytes. |
Severity | Select the severity using which you want to filter events retrieved from Malwarebytes. You can choose from the following options: All, Audit, Info, Severe, or Warning. |
Next Cursor | Specify the pagination cursor for the next set of results. |
The output contains the following populated JSON schema:
{
"events": [
{
"id": "",
"machine_id": "",
"user_id": "",
"source": "",
"source_name": "",
"type": "",
"type_name": "",
"friendly_type": "",
"severity": "",
"severity_name": "",
"details": {
"message": "",
"filename": "",
"name": "",
"user_email": "",
"user_name": "",
"user_role": ""
},
"timestamp": ""
}
],
"total_count": "",
"next_cursor": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of tasks) is returned.
Parameter | Description |
---|---|
Task ID | Specify a single job ID using which you want to filter tasks retrieved from Malwarebytes. |
Endpoint Name | Specify the endpoint name using which you want to filter tasks retrieved from Malwarebytes. |
Endpoint ID | Specify the endpoint ID (machine_id/endpoint_id) using which you want to filter tasks retrieved from Malwarebytes. |
Status | Select the status using which you want to filter tasks retrieved from Malwarebytes. You can choose from the following options: All, Created, Sent, Received, Started, Timed Out, Complete, Expired, or Failed. |
Result Size | Specify the page size, that is, the number of results per request that you want to retrieve from Malwarebytes. |
Next Cursor | Specify the pagination cursor for the next set of results. |
The output contains the following populated JSON schema:
{
"jobs": [
{
"id": "",
"account_id": "",
"account_name": "",
"command": "",
"data": "",
"expires_at": "",
"issued_at": "",
"issued_by": "",
"issued_by_email": "",
"issued_by_name": "",
"machine_id": "",
"machine_name": "",
"status": "",
"updated_at": "",
"relay_state": "",
"tags": {
"alias": ""
}
}
],
"total_count": "",
"next_cursor": ""
}
Parameter | Description |
---|---|
Group Name | Specify the name of the policy group that you want to create in Malwarebytes. |
Policy ID | Specify the ID of the policy to be applied to the group that you want to create in Malwarebytes. |
Parent ID | Specify the ID of the parent group to be applied to the group that you want to create in Malwarebytes. |
The output contains the following populated JSON schema:
{
"id": "",
"account_id": "",
"name": "",
"machines_count": "",
"policy_id": "",
"policy_name": "",
"updated_at": "",
"is_default": "",
"schedule_ids": [],
"parent_id": "",
"root_id": "",
"child_group_count": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of groups) is returned.
Parameter | Description |
---|---|
Group Name | Specify the name of the policy group using which you want to filter groups retrieved from Malwarebytes. |
Parent ID | Specify the ID of the parent group using which you want to filter groups retrieved from Malwarebytes. |
Next Cursor | Specify the pagination cursor for the next set of results. |
The output contains the following populated JSON schema:
{
"id": "",
"account_id": "",
"name": "",
"machines_count": "",
"policy_id": "",
"policy_name": "",
"updated_at": "",
"is_default": "",
"schedule_ids": [],
"parent_id": "",
"root_id": "",
"child_group_count": ""
}
Parameter | Description |
---|---|
Group ID | Specify the ID of the policy group that you want to delete from Malwarebytes. |
The output contains the following populated JSON schema:
{
"result": ""
}
Parameter | Description |
---|---|
Policy Name | Specify the name of the policy that you want to create in Malwarebytes. |
Contents | Specify the contents of the policy (in the JSON format) that you want to create in Malwarebytes. |
The output contains the following populated JSON schema:
{
"id": "",
"account_id": "",
"etag": "",
"name": "",
"expire_endpoints": "",
"contents": {},
"created_at": "",
"updated_at": "",
"migrated_at": "",
"is_default": "",
"deny_edit": "",
"groups": [
{
"id": "",
"account_id": "",
"name": "",
"machines_count": "",
"policy_id": "",
"policy_name": "",
"updated_at": "",
"is_default": "",
"schedule_ids": [],
"parent_id": "",
"root_id": "",
"child_group_count": ""
}
],
"exclusions": [
{
"id": "",
"etag": "",
"type": "",
"value": "",
"enabled": "",
"comment": "",
"created_at": "",
"updated_at": "",
"created_by": "",
"updated_by": "",
"exclude_from": {},
"friendly_name": "",
"account_level": "",
"policies": [
{
"id": "",
"name": ""
}
]
}
],
"secret_hash": ""
}
Parameter | Description |
---|---|
Policy ID | Specify the ID of the policy associated with endpoints connected to Malwarebytes whose details you want to retrieve from Malwarebytes. Note: If you do not specify any policy ID then all the policies associated with endpoints connected to Malwarebytes are retrieved. |
The output contains the following populated JSON schema:
{
"id": "",
"account_id": "",
"etag": "",
"name": "",
"expire_endpoints": "",
"contents": {},
"created_at": "",
"updated_at": "",
"migrated_at": "",
"is_default": "",
"deny_edit": "",
"groups": [
{
"id": "",
"account_id": "",
"name": "",
"machines_count": "",
"policy_id": "",
"policy_name": "",
"updated_at": "",
"is_default": "",
"schedule_ids": [],
"parent_id": "",
"root_id": "",
"child_group_count": ""
}
],
"exclusions": [
{
"id": "",
"etag": "",
"type": "",
"value": "",
"enabled": "",
"comment": "",
"created_at": "",
"updated_at": "",
"created_by": "",
"updated_by": "",
"exclude_from": {},
"friendly_name": "",
"account_level": "",
"policies": [
{
"id": "",
"name": ""
}
]
}
],
"secret_hash": ""
}
Parameter | Description |
---|---|
Policy ID | Specify the ID of the policy that you want to delete from Malwarebytes. |
The output contains the following populated JSON schema:
{
"result": ""
}
The Sample - Malwarebytes - 2.0.0 playbook collection comes bundled with the Malwarebytes connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Malwarebytes connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
Malwarebytes is an anti-malware software for Microsoft Windows, MacOS, Android, and iOS that finds and protects endpoints against malware, ransomware, and other advanced online threats.
This document provides information about the Malwarebytes connector, which facilitates automated interactions, with a Malwarebytes server using FortiSOAR™ playbooks. Add the Malwarebytes connector as a step in FortiSOAR™ playbooks and perform automated operations, such as scanning specified endpoints or retrieving information for a specified endpoint or a list of endpoints connected to Malwarebytes.
Connector Version: 2.0.0
Authored By: Community
Certified: No
Following enhancements have been made to the Malwarebytes Connector in version 2.0.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root
user to install connectors from an SSH session:
yum install cyops-connector-malwarebytes
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Malwarebytes connector card. On the connector popup, click the Configurations tab to enter the required configuration details.
Parameter | Description |
---|---|
API Server URL | Specify the Malwarebytes API server URL to which you will connect and perform the automated operations. |
Account ID | Specify the ID of your Malwarebytes account using which you can connect to Malwarebytes and perform automated operations. |
Client ID | Specify the client ID using which you can connect to Malwarebytes and perform automated operations. |
Client Secret | Specify the client Secret using which you can connect to Malwarebytes and perform automated operations. |
Scope | Select the scope of access that you want to allow to FortiSOAR. You can choose one or more of the following options: Read, Write, or Execute. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
Function | Description | Annotation and Category |
---|---|---|
Get Endpoints | Retrieves all endpoints or specific endpoints connected to Malwarebytes based on the input parameters you have specified. | get_endpoints Investigation |
Get Endpoint Details | Retrieves information about a specific endpoint connected to Malwarebytes based on the endpoint ID you have specified. | get_endpoint_details Investigation |
Get Endpoint Status | Retrieves the status of a specific endpoint connected to Malwarebytes based on the endpoint ID you have specified. | get_endpoint_status Investigation |
Get Endpoint Agent Info | Retrieves agent information of a specified endpoint from Malwarebytes based on the endpoint ID you have specified. | get_endpoint_agent_info Investigation |
Get Endpoint Assets | Retrieves information about the assets of a specific endpoint connected to Malwarebytes based on the endpoint ID you have specified | get_endpoint_assets Investigation |
Get Endpoint Network Info | Retrieves the network information of a specific endpoint connected to Malwarebytes based on the endpoint ID you have specified. | get_endpoint_network_info Investigation |
Scan Endpoints | Scans one or more specific endpoints connected to Malwarebytes based on the action and endpoint ID you have specified | scan_endpoints Investigation |
Get Scan Result | Retrieves the scan history of a specific endpoint connected to Malwarebytes based on the endpoint ID and other input parameters you have specified. | get_scan_result Investigation |
Quarantine Endpoints | Quarantines specified endpoints connected to Malwarebytes based on the comma-separated list of endpoint IDs you have specified. | quarantine_endpoints Investigation |
Unquarantine Endpoints | Unquarantines specified endpoints connected to Malwarebytes based on the comma-separated list of endpoint IDs you have specified. | unquarantine_endpoints Investigation |
Get Endpoint Suspicious Activities | Retrieves suspicious activities of the specified endpoint from Malwarebytes based on the endpoint ID and other input parameters you have specified. | get_endpoint_suspicious_activities Investigation |
Remediate Endpoint Suspicious Activity | Remediates the suspicious activity on the specified endpoint connected to Malwarebytes based on the endpoint ID and suspicious activity ID you have specified. | remediate_endpoint_suspicious_activity Investigation |
Update Endpoint Suspicious Activity | Updates the status of the specified suspicious activity of the specified endpoint to either Open or Close based on the endpoint ID, suspicious activity ID, and status you have specified. | update_endpoint_suspicious_activity Investigation |
Get Endpoint Quarantined Items | Retrieves quarantined items of the specified endpoint from Malwarebytes based on the endpoint ID you have specified. | get_endpoint_quarantined_items Investigation |
Assign Group to Endpoints | Assigns specific group to endpoints connected to Malwarebytes based on the group ID and other input parameters you have specified. | assign_group_to_endpoints Investigation |
Delete Endpoints | Deletes endpoints connected to Malwarebytes based on the comma-separated list of endpoint IDs you have specified. | delete_endpoints Investigation |
Get Events | Retrieves a list of all events or specific events from Malwarebytes based on the input parameters you have specified. | get_events Investigation |
Get Tasks | Retrieves a list of all tasks or specific tasks from Malwarebytes based on the input parameters you have specified. | get_tasks Investigation |
Create Group | Creates a policy group in Malwarebytes based on the name of the policy group, policy ID to be applied to the group, and other input parameters you have specified. | create_group Investigation |
Get Groups | Retrieves a list of all policy groups or specific policy groups, which are associated with endpoints connected to Malwarebytes, from Malwarebytes based on the input parameters you have specified. | get_groups Investigation |
Delete Group | Deletes a policy group associated with endpoints connected to Malwarebytes based on the group ID you have specified. | delete_group Investigation |
Create Policy | Creates a new policy in Malwarebytes based on the policy name and contents you have specified. | create_policy Investigation |
Get Policies | Retrieves a list of all policies or specific policies, which are associated with endpoints connected to Malwarebytes, from Malwarebytes based on the policy ID you have specified. | get_policies Investigation |
Delete Policy | Deletes a specific policy from Malwarebytes based on the policy ID you have specified. | delete_policy Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of endpoints) is returned.
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID using which you want to filter endpoints retrieved from Malwarebytes. |
Isolated | Select this option to filter endpoints retrieved from Malwarebytes to only isolated endpoints. |
Has Alerts | Select this option to filter endpoints retrieved from Malwarebytes to only those endpoints that have associated alerts. |
Policy ID | Specify the policy ID using which you want to filter endpoints retrieved from Malwarebytes. |
Policy Name | Specify the policy name using which you want to filter endpoints retrieved from Malwarebytes. |
Host Name | Specify the hostname using which you want to filter endpoints retrieved from Malwarebytes. |
OS Platform | Specify the OS platform type using which you want to filter endpoints retrieved from Malwarebytes. |
Domain Name | Specify the domain name using which you want to filter endpoints retrieved from Malwarebytes. |
Group Name | Specify the group name using which you want to filter endpoints retrieved from Malwarebytes. |
Endpoint IP Address | Specify the endpoint IP address using which you want to filter endpoints retrieved from Malwarebytes. |
Page Size | Specify the page size, i.e., the number of endpoints, per request, you want to retrieve from Malwarebytes. |
Next Cursor | Specify the pagination cursor for the next set of results. |
Extra Query Params | Specify any additional query parameters, in the JSON format, using which you want to filter endpoints retrieved from Malwarebytes. For more information, see https://api.malwarebytes.com/nebula/v1/docs#operation/api.v2.nebula.post.endpoints. |
The output contains the following populated JSON schema:
```json
{
  "aggregations": {},
  "endpoints": [
    {
      "link": "",
      "protection_status": "",
      "display_name": "",
      "agent": {
        "is_software_update_available": "",
        "has_alerts": "",
        "last_user": "",
        "at": "",
        "machine_id": "",
        "account_id": "",
        "group_id": "",
        "nics": [
          {
            "ips": [],
            "description": "",
            "mac_address": ""
          }
        ],
        "os_info": {
          "os_type": "",
          "os_version": "",
          "os_platform": "",
          "os_architecture": "",
          "os_release_name": ""
        },
        "domain_name": "",
        "host_name": "",
        "fully_qualified_host_name": "",
        "object_guid": "",
        "plugins": {
          "incident_response": {
            "product_name": "",
            "plugin_version": "",
            "update_package_version": "",
            "component_package_version": "",
            "alerts": {
              "codes": []
            }
          },
          "endpoint_protection": {
            "sdk_version": "",
            "product_name": "",
            "plugin_version": "",
            "update_package_version": "",
            "component_package_version": "",
            "alerts": {
              "codes": []
            }
          },
          "asset_manager": {
            "product_name": "",
            "plugin_version": "",
            "alerts": {
              "codes": []
            }
          },
          "endpoint_detection_and_response": {
            "product_name": "",
            "plugin_version": "",
            "alerts": {
              "codes": []
            }
          }
        },
        "engine_version": "",
        "policy_etag": "",
        "version": "",
        "document_id": "",
        "machine_ip": "",
        "source_location": {
          "city": "",
          "country": "",
          "country_iso": "",
          "continent": "",
          "accuracy_radius": "",
          "point": {
            "lat": "",
            "lon": ""
          },
          "time_zone": "",
          "postal_code": "",
          "subdivisions": [],
          "anonymous_proxy": ""
        },
        "serial_number": ""
      },
      "machine": {
        "id": "",
        "job": {},
        "account": {},
        "online": "",
        "account_id": "",
        "group_id": "",
        "root_group_id": "",
        "group_name": "",
        "policy_id": "",
        "policy_name": "",
        "last_day_seen": "",
        "isolated": "",
        "scan_age_days": "",
        "suspicious_activity_count": "",
        "infection_count": "",
        "reboot_required": "",
        "last_scanned_at": "",
        "is_deleted": "",
        "version": "",
        "document_id": "",
        "created_at": ""
      },
      "machineVersion": ""
    }
  ],
  "total_count": "",
  "next_cursor": "",
  "after": ""
}
```
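The Page Size and Next Cursor parameters above mean a playbook that wants every endpoint has to call the Get Endpoints step repeatedly, feeding each output's `next_cursor` back in until it comes back empty. The following Python is an added example, not code from the connector or from Malwarebytes: `fetch_page` stands in for the Get Endpoints step, the two pages it returns are constructed sample data shaped like the output schema above (only the fields used here are filled in, with hypothetical machine IDs), and the loop shows the two checks a practitioner wants around cursor pagination (a page bound and a repeated-cursor guard) before picking out the endpoints that need a look.

```python
"""Page through 'Get Endpoints' output and select endpoints that need attention.

Added example, not part of the connector. SAMPLE_PAGES is constructed data in
the shape of the connector's populated output schema; fetch_page stands in for
the FortiSOAR 'Get Endpoints' step, which in a real playbook is invoked with the
Next Cursor parameter set from the previous step's output.
"""
from typing import Callable, Dict, Iterator, List, Optional

# Constructed sample pages keyed by the cursor used to request them
# (None = first request). An empty next_cursor ends pagination.
SAMPLE_PAGES: Dict[Optional[str], dict] = {
    None: {
        "endpoints": [
            {
                "agent": {"has_alerts": True, "host_name": "ws-01", "machine_id": "m-0001"},
                "machine": {"id": "m-0001", "online": True, "isolated": False,
                            "reboot_required": True, "infection_count": 2,
                            "suspicious_activity_count": 0, "policy_name": "Default"},
            },
            {
                "agent": {"has_alerts": False, "host_name": "ws-02", "machine_id": "m-0002"},
                "machine": {"id": "m-0002", "online": True, "isolated": False,
                            "reboot_required": False, "infection_count": 0,
                            "suspicious_activity_count": 0, "policy_name": "Default"},
            },
        ],
        "total_count": 3,
        "next_cursor": "cursor-page-2",
    },
    "cursor-page-2": {
        "endpoints": [
            {
                "agent": {"has_alerts": False, "host_name": "srv-01", "machine_id": "m-0003"},
                "machine": {"id": "m-0003", "online": False, "isolated": True,
                            "reboot_required": False, "infection_count": 0,
                            "suspicious_activity_count": 1, "policy_name": "Servers"},
            },
        ],
        "total_count": 3,
        "next_cursor": "",
    },
}


def fetch_page(next_cursor: Optional[str]) -> dict:
    """Stand-in for the 'Get Endpoints' step: returns one page of sample output."""
    return SAMPLE_PAGES[next_cursor]


def iter_endpoints(fetch: Callable[[Optional[str]], dict], max_pages: int = 100) -> Iterator[dict]:
    """Yield every endpoint across pages, following next_cursor until it is empty.

    max_pages and the repeated-cursor check bound the loop, so a server that
    keeps handing back the same cursor cannot turn the playbook into an endless poll.
    """
    cursor: Optional[str] = None
    seen_cursors = set()
    for _ in range(max_pages):
        page = fetch(cursor)
        yield from page.get("endpoints", [])
        cursor = page.get("next_cursor") or None
        if cursor is None or cursor in seen_cursors:
            return
        seen_cursors.add(cursor)
    raise RuntimeError("pagination did not terminate within max_pages")


def needs_attention(endpoint: dict) -> List[str]:
    """Return the reasons an endpoint should be looked at (empty list if none)."""
    agent = endpoint.get("agent", {})
    machine = endpoint.get("machine", {})
    reasons = []
    if agent.get("has_alerts"):
        reasons.append("alerts")
    if machine.get("isolated"):
        reasons.append("isolated")
    if machine.get("reboot_required"):
        reasons.append("reboot_required")
    if (machine.get("infection_count") or 0) > 0:
        reasons.append("infections")
    if (machine.get("suspicious_activity_count") or 0) > 0:
        reasons.append("suspicious_activity")
    return reasons


def triage(fetch: Callable[[Optional[str]], dict] = fetch_page) -> Dict[str, List[str]]:
    """Map machine id -> reasons for every endpoint that needs attention."""
    result: Dict[str, List[str]] = {}
    for ep in iter_endpoints(fetch):
        reasons = needs_attention(ep)
        if reasons:
            result[ep["machine"]["id"]] = reasons
    return result


if __name__ == "__main__":
    for machine_id, reasons in triage().items():
        print(machine_id, ", ".join(reasons))
```

In a playbook the same logic is usually split across steps: a loop step calling Get Endpoints with Next Cursor from the previous output, and a condition step applying the `needs_attention` rules to each record; the point carried over from the code is to cap the loop and to stop when the cursor repeats or comes back empty.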
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID for which you want to retrieve details from Malwarebytes. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "policy_id": "",
  "group_id": "",
  "name": "",
  "online": "",
  "is_deleted": "",
  "os_architecture": "",
  "os_platform": "",
  "os_release_name": "",
  "last_seen_at": "",
  "tags": {},
  "stats": {}
}
```
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose status you want to retrieve from Malwarebytes. |
The output contains the following populated JSON schema:
```json
{
  "remediation_required": {
    "status": "",
    "infection_count": "",
    "job_state": ""
  },
  "reboot_required": {
    "status": "",
    "reasons": "",
    "job_id": "",
    "job_state": ""
  },
  "suspicious_activity": {
    "status": "",
    "count": ""
  },
  "isolation": {
    "status": "",
    "process": "",
    "network": "",
    "desktop": ""
  },
  "scan_needed": {
    "status": "",
    "last_scanned_at": ""
  }
}
```
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose agent information you want to retrieve from Malwarebytes. |
The output contains the following populated JSON schema:
```json
{
  "agent_info": "",
  "last_seen_at": "",
  "agent_info_last_updated_at": ""
}
```
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID for which you want to retrieve asset information from Malwarebytes. |
The output contains the following populated JSON schema:
```json
{
  "startups": [
    {
      "key": "",
      "name": ""
    }
  ],
  "os_info": {
    "os_platform": "",
    "os_architecture": "",
    "os_version": "",
    "os_release_name": "",
    "os_type": ""
  },
  "computer_info": {
    "manufacturer": "",
    "model": ""
  },
  "software_installed": [
    {
      "vendor": "",
      "product": "",
      "version": ""
    }
  ],
  "nics": [
    {
      "mac_address": "",
      "description": "",
      "ips": []
    }
  ],
  "updates_installed": [
    {
      "title": ""
    }
  ],
  "culture": "",
  "dhcp_scope_name": "",
  "time_zone": "",
  "host_name": "",
  "fully_qualified_host_name": "",
  "plugin_version": "",
  "updates_available": [
    {
      "category": "",
      "date": "",
      "description": "",
      "kb_id": "",
      "product": "",
      "reboot_required": "",
      "security_update_id": "",
      "severity": "",
      "size": "",
      "title": "",
      "vendor": ""
    }
  ]
}
```
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID for which you want to retrieve network information from Malwarebytes. |
The output contains the following populated JSON schema:
```json
{
  "nics": [
    {
      "ips": [],
      "description": "",
      "mac_address": ""
    }
  ],
  "host_name": "",
  "fully_qualified_host_name": "",
  "last_seen_at": "",
  "agent_info_last_updated_at": ""
}
```
Parameter | Description |
---|---|
Action | Select the action that you want to perform on the specified endpoints. You can choose one of the following options: Scan + Report, Scan + Quarantine, Refresh Assets, or Check for Protection Updated. |
Endpoint IDs | Specify a comma-separated list of endpoint IDs that you want to scan. |
The output contains the following populated JSON schema:
```json
{
  "jobs": [
    {
      "machine_id": "",
      "job_id": ""
    }
  ],
  "total_count": ""
}
```
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose scan history you want to retrieve from Malwarebytes. |
From | Select the DateTime from when you want to retrieve the scan history from Malwarebytes. |
Next Cursor | (Optional) Specify the pagination cursor for the next set of results. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "deleted_count": "",
  "duration_seconds": "",
  "found_count": "",
  "from_cloud": "",
  "machine_id": "",
  "machine_name": "",
  "ondemand": "",
  "os_platform": "",
  "quarantined_count": "",
  "reported_at": "",
  "scan_type": "",
  "started_at": "",
  "started_at_local": "",
  "total_count": ""
}
```
Parameter | Description |
---|---|
Endpoint IDs | Specify a comma-separated list of endpoint IDs that you want to quarantine. |
The output contains the following populated JSON schema:
```json
{
  "jobs": [
    {
      "machine_id": "",
      "job_id": ""
    }
  ],
  "total_count": ""
}
```
Parameter | Description |
---|---|
Endpoint IDs | Specify a comma-separated list of endpoint IDs that you want to unquarantine. |
The output contains the following populated JSON schema:
```json
{
  "jobs": [
    {
      "machine_id": "",
      "job_id": ""
    }
  ],
  "total_count": ""
}
```
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID for which you want to retrieve suspicious activities from Malwarebytes. |
From | Select the DateTime from when you want to retrieve suspicious activities from Malwarebytes. |
Page Size | (Optional) Specify the page size, i.e., the number of suspicious activities per request, that you want to retrieve from Malwarebytes. |
Next Cursor | (Optional) Specify the pagination cursor for the next set of results. |
The output contains the following populated JSON schema:
```json
{
  "sa": [
    {
      "detection_id_list": [
        ""
      ],
      "status": "",
      "timestamp": "",
      "path": "",
      "pc_hostname": "",
      "machine_id": "",
      "account_id": "",
      "closed": "",
      "level": "",
      "detected_by_count": ""
    }
  ],
  "total_count": "",
  "next_cursor": ""
}
```
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose suspicious activity you want to remediate. |
Suspicious Activity ID | Specify the ID of the suspicious activity that you want to remediate. |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID whose suspicious activity status you want to update. |
Suspicious Activity ID | Specify the ID of the suspicious activity whose status you want to update. |
Status | Select the status that you want to set for the specified suspicious activity. You can choose between Open or Close. |
The output contains the following populated JSON schema:
```json
{
  "result": ""
}
```
Parameter | Description |
---|---|
Endpoint ID | Specify the endpoint ID for which you want to retrieve quarantined items from Malwarebytes. |
The output contains the following populated JSON schema:
```json
{
  "quarantined_threats": [
    {
      "id": "",
      "scan_id": "",
      "machine_id": "",
      "machine_name": "",
      "group_id": "",
      "detection_id": "",
      "scanned_at": "",
      "scanned_at_local": "",
      "reported_at": "",
      "threat_name": "",
      "type": [],
      "path": "",
      "category": "",
      "ip_address": "",
      "url": "",
      "port": ""
    }
  ],
  "total_count": "",
  "next_cursor": ""
}
```
Parameter | Description |
---|---|
Group ID | Specify the group ID that you want to assign to the endpoints connected to Malwarebytes. |
Endpoint IDs | (Optional) Specify a comma-separated list of endpoints that you want to assign to the specified group. |
Filter Query | (Optional) Specify a query to filter endpoints connected to Malwarebytes. For more information, see https://api.malwarebytes.com/nebula/v1/docs#operation/api.v2.nebula.post.groups.bulk. |
The output contains the following populated JSON schema:
```json
{
  "moved": [],
  "errors": [
    {
      "id": "",
      "account_id": "",
      "account_ids": []
    }
  ]
}
```
Parameter | Description |
---|---|
Endpoint IDs | Specify a comma-separated list of endpoint IDs that you want to delete from Malwarebytes. |
The output contains the following populated JSON schema:
```json
{
  "result": ""
}
```
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of events) is returned.
Parameter | Description |
---|---|
Search String | Specify a search string using which you want to filter events retrieved from Malwarebytes. |
Endpoint ID | Specify the endpoint ID (machine_id/endpoint_id) using which you want to filter events retrieved from Malwarebytes. |
From | Select the DateTime from when you want to filter events retrieved from Malwarebytes. |
To | Select the DateTime till when you want to filter events retrieved from Malwarebytes. |
Severity | Select the severity using which you want to filter events retrieved from Malwarebytes. You can choose from the following options: All, Audit, Info, Severe, or Warning. |
Next Cursor | Specify the pagination cursor for the next set of results. |
The output contains the following populated JSON schema:
```json
{
  "events": [
    {
      "id": "",
      "machine_id": "",
      "user_id": "",
      "source": "",
      "source_name": "",
      "type": "",
      "type_name": "",
      "friendly_type": "",
      "severity": "",
      "severity_name": "",
      "details": {
        "message": "",
        "filename": "",
        "name": "",
        "user_email": "",
        "user_name": "",
        "user_role": ""
      },
      "timestamp": ""
    }
  ],
  "total_count": "",
  "next_cursor": ""
}
```
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of tasks) is returned.
Parameter | Description |
---|---|
Task ID | Specify a single job ID using which you want to filter tasks retrieved from Malwarebytes. |
Endpoint Name | Specify the endpoint name using which you want to filter tasks retrieved from Malwarebytes. |
Endpoint ID | Specify the endpoint ID (machine_id/endpoint_id) using which you want to filter tasks retrieved from Malwarebytes. |
Status | Select the status using which you want to filter tasks retrieved from Malwarebytes. You can choose from the following options: All, Created, Sent, Received, Started, Timed Out, Complete, Expired, or Failed. |
Result Size | Specify the page size, i.e., the number of tasks per request, that you want to retrieve from Malwarebytes. |
Next Cursor | Specify the pagination cursor for the next set of results. |
The output contains the following populated JSON schema:
```json
{
  "jobs": [
    {
      "id": "",
      "account_id": "",
      "account_name": "",
      "command": "",
      "data": "",
      "expires_at": "",
      "issued_at": "",
      "issued_by": "",
      "issued_by_email": "",
      "issued_by_name": "",
      "machine_id": "",
      "machine_name": "",
      "status": "",
      "updated_at": "",
      "relay_state": "",
      "tags": {
        "alias": ""
      }
    }
  ],
  "total_count": "",
  "next_cursor": ""
}
```
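The Scan Endpoints, Quarantine Endpoints and Unquarantine Endpoints actions do not complete synchronously: each returns a list of `{machine_id, job_id}` pairs, and the Get Tasks action (filtered by Task ID or Endpoint ID) is how a playbook finds out whether those jobs reached Complete or ended in Timed Out, Expired or Failed. The following Python is an added example, not code from the connector or from Malwarebytes: `SCAN_RESPONSE` and `TASK_POLLS` are constructed sample outputs in the shape of the schemas above (hypothetical job and machine IDs), and `JobTracker` shows the bookkeeping a playbook needs to stop polling at the right moment and to report per-endpoint outcomes.

```python
"""Track jobs issued by Scan/Quarantine/Unquarantine Endpoints via 'Get Tasks' output.

Added example, not part of the connector. SCAN_RESPONSE and TASK_POLLS are
constructed sample data shaped like the connector's output schemas; in a real
playbook each entry of TASK_POLLS would be the output of one 'Get Tasks' step.
"""
from typing import Dict, List, Tuple

# Status values offered by the 'Get Tasks' Status filter, split into the ones a
# playbook keeps waiting on and the ones that end a job.
PENDING = {"Created", "Sent", "Received", "Started"}
TERMINAL = {"Timed Out", "Complete", "Expired", "Failed"}

# Constructed output of a 'Scan Endpoints' step (hypothetical IDs).
SCAN_RESPONSE = {
    "jobs": [
        {"machine_id": "m-0001", "job_id": "job-a"},
        {"machine_id": "m-0002", "job_id": "job-b"},
        {"machine_id": "m-0003", "job_id": "job-c"},
    ],
    "total_count": 3,
}

# Constructed 'Get Tasks' outputs for three successive polls; only the fields
# used here are filled in. The third poll returns only the still-open job.
TASK_POLLS = [
    {"jobs": [{"id": "job-a", "machine_id": "m-0001", "status": "Started"},
              {"id": "job-b", "machine_id": "m-0002", "status": "Sent"},
              {"id": "job-c", "machine_id": "m-0003", "status": "Created"}]},
    {"jobs": [{"id": "job-a", "machine_id": "m-0001", "status": "Complete"},
              {"id": "job-b", "machine_id": "m-0002", "status": "Started"},
              {"id": "job-c", "machine_id": "m-0003", "status": "Failed"}]},
    {"jobs": [{"id": "job-b", "machine_id": "m-0002", "status": "Complete"}]},
]


class JobTracker:
    """Keeps the last known status of every job an action step issued."""

    def __init__(self, action_output: dict):
        # job_id -> machine and last known status (None until the first poll)
        self.jobs = {
            j["job_id"]: {"machine_id": j["machine_id"], "status": None}
            for j in action_output.get("jobs", [])
        }

    def update(self, tasks_output: dict) -> None:
        """Fold one 'Get Tasks' output into the tracker.

        Jobs absent from a poll keep their previous status; tasks that were not
        issued by our action are ignored; an unknown status fails loudly rather
        than being silently treated as pending.
        """
        for task in tasks_output.get("jobs", []):
            entry = self.jobs.get(task.get("id"))
            if entry is None:
                continue
            status = task.get("status")
            if status not in PENDING and status not in TERMINAL:
                raise ValueError(f"unexpected task status {status!r} for {task.get('id')}")
            entry["status"] = status

    def pending(self) -> List[str]:
        """Job IDs that have not reached a terminal status yet."""
        return [jid for jid, e in self.jobs.items() if e["status"] not in TERMINAL]

    def done(self) -> bool:
        return not self.pending()

    def summary(self) -> Dict[str, List[str]]:
        """Machine IDs grouped by outcome: complete, failed (any other terminal), pending."""
        out: Dict[str, List[str]] = {"complete": [], "failed": [], "pending": []}
        for e in self.jobs.values():
            if e["status"] == "Complete":
                out["complete"].append(e["machine_id"])
            elif e["status"] in TERMINAL:
                out["failed"].append(e["machine_id"])
            else:
                out["pending"].append(e["machine_id"])
        return out


def run_polls(action_output: dict, polls: List[dict], max_polls: int = 10) -> Tuple[int, Dict[str, List[str]]]:
    """Apply successive 'Get Tasks' outputs until every job is terminal or max_polls is hit.

    Returns (number of polls consumed, outcome summary). max_polls is the
    playbook's own cap, independent of the server-side Expired/Timed Out states.
    """
    tracker = JobTracker(action_output)
    used = 0
    for tasks_output in polls[:max_polls]:
        used += 1
        tracker.update(tasks_output)
        if tracker.done():
            break
    return used, tracker.summary()


if __name__ == "__main__":
    polls_used, outcome = run_polls(SCAN_RESPONSE, TASK_POLLS)
    print(f"polls used: {polls_used}")
    for bucket, machines in outcome.items():
        print(f"{bucket}: {', '.join(machines) or '-'}")
```

The failed bucket deliberately lumps Timed Out, Expired and Failed together: for a playbook the next step is the same (re-issue or escalate), and the raw status is still available in the tracker if the notification needs it.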
Parameter | Description |
---|---|
Group Name | Specify the name of the policy group that you want to create in Malwarebytes. |
Policy ID | Specify the ID of the policy to be applied to the group that you want to create in Malwarebytes. |
Parent ID | Specify the ID of the parent group to be applied to the group that you want to create in Malwarebytes. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "account_id": "",
  "name": "",
  "machines_count": "",
  "policy_id": "",
  "policy_name": "",
  "updated_at": "",
  "is_default": "",
  "schedule_ids": [],
  "parent_id": "",
  "root_id": "",
  "child_group_count": ""
}
```
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list (of groups) is returned.
Parameter | Description |
---|---|
Group Name | Specify the name of the policy group using which you want to filter groups retrieved from Malwarebytes. |
Parent ID | Specify the ID of the parent group using which you want to filter groups retrieved from Malwarebytes. |
Next Cursor | Specify the pagination cursor for the next set of results. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "account_id": "",
  "name": "",
  "machines_count": "",
  "policy_id": "",
  "policy_name": "",
  "updated_at": "",
  "is_default": "",
  "schedule_ids": [],
  "parent_id": "",
  "root_id": "",
  "child_group_count": ""
}
```
Parameter | Description |
---|---|
Group ID | Specify the ID of the policy group that you want to delete from Malwarebytes. |
The output contains the following populated JSON schema:
```json
{
  "result": ""
}
```
Parameter | Description |
---|---|
Policy Name | Specify the name of the policy that you want to create in Malwarebytes. |
Contents | Specify the contents of the policy (in JSON format) that you want to create in Malwarebytes. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "account_id": "",
  "etag": "",
  "name": "",
  "expire_endpoints": "",
  "contents": {},
  "created_at": "",
  "updated_at": "",
  "migrated_at": "",
  "is_default": "",
  "deny_edit": "",
  "groups": [
    {
      "id": "",
      "account_id": "",
      "name": "",
      "machines_count": "",
      "policy_id": "",
      "policy_name": "",
      "updated_at": "",
      "is_default": "",
      "schedule_ids": [],
      "parent_id": "",
      "root_id": "",
      "child_group_count": ""
    }
  ],
  "exclusions": [
    {
      "id": "",
      "etag": "",
      "type": "",
      "value": "",
      "enabled": "",
      "comment": "",
      "created_at": "",
      "updated_at": "",
      "created_by": "",
      "updated_by": "",
      "exclude_from": {},
      "friendly_name": "",
      "account_level": "",
      "policies": [
        {
          "id": "",
          "name": ""
        }
      ]
    }
  ],
  "secret_hash": ""
}
```
Parameter | Description |
---|---|
Policy ID | Specify the ID of the policy, associated with endpoints connected to Malwarebytes, whose details you want to retrieve. Note: If you do not specify a policy ID, then all policies associated with endpoints connected to Malwarebytes are retrieved. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "account_id": "",
  "etag": "",
  "name": "",
  "expire_endpoints": "",
  "contents": {},
  "created_at": "",
  "updated_at": "",
  "migrated_at": "",
  "is_default": "",
  "deny_edit": "",
  "groups": [
    {
      "id": "",
      "account_id": "",
      "name": "",
      "machines_count": "",
      "policy_id": "",
      "policy_name": "",
      "updated_at": "",
      "is_default": "",
      "schedule_ids": [],
      "parent_id": "",
      "root_id": "",
      "child_group_count": ""
    }
  ],
  "exclusions": [
    {
      "id": "",
      "etag": "",
      "type": "",
      "value": "",
      "enabled": "",
      "comment": "",
      "created_at": "",
      "updated_at": "",
      "created_by": "",
      "updated_by": "",
      "exclude_from": {},
      "friendly_name": "",
      "account_level": "",
      "policies": [
        {
          "id": "",
          "name": ""
        }
      ]
    }
  ],
  "secret_hash": ""
}
```
Parameter | Description |
---|---|
Policy ID | Specify the ID of the policy that you want to delete from Malwarebytes. |
The output contains the following populated JSON schema:
```json
{
  "result": ""
}
```
The Sample - Malwarebytes - 2.0.0 playbook collection comes bundled with the Malwarebytes connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Malwarebytes connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.