EDR SOC Monitoring Setup
Malwarebytes EDR Monitoring
Step 1: Log into your OneView.
Step 2: Find the specific customer you are trying to set up EDR SOC Monitoring for, and enter the Nebula portal for that customer.
Step 3: Once you have entered the Nebula portal for that customer, go to the menu on the left and click “Configure”. Choose the bottom drop-down option called “Syslog Logging”.
Step 4: Click the box up top that says “Add” to begin adding the intended remote configuration (IP Address, Port, Protocol, Severity, Log Format, Communication interval). XeneX will send you the correct information to fill out in these fields.
Step 5: The last configuration step in the portal is to select the host within the customer site that you wish to act as the forwarder. Malwarebytes does not send from the cloud as other services do; it uses one of the hosts as a relay. This should be a host that is online and available at all times, or as much as possible, because if the relay is down no data will be sent.
Step 6: The final step is to look up the outbound public IP of the host you chose as the forwarder. There are many ways to determine this if it is not readily known, including public websites such as whatsmyip.org. Remember that we must receive the public IP of the host you chose in step 5.
Other EDR Monitoring
Step 1: Configure EDR log forwarding for monitoring. Since the sensor installation is completed within your environment, you can set up your EDR platform settings (for this specific customer) to send the logs to the internal IP address of the sensor.
Important Note: If you do not know how to do this, contact your support resource with your EDR provider and tell them you need to configure forwarding of logs for a specific customer to our sensor IP address for monitoring.
Let them know what you are trying to accomplish. They will show you how to do it on their platform.
In many cases, the sensor is deployed on the customer's LAN, and we configure one of the hosts to forward logs to the sensor’s internal IP using UDP port 514 through the EDR platform.
Since we do not yet know how your specific EDR provider works, and some syslog forwarding may originate from a cloud-based source, the customer may need to open firewall ports to allow traffic to reach the sensor. The exact implementation depends on the customer’s environment and how the sensor was set up.
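To confirm that the forwarding path described above actually works (the forwarder's traffic reaches the sensor on UDP 514, the payload is well-formed syslog, and it comes from the source you expect), the following is an added example of a small sensor-side validator. It is not XeneX, Malwarebytes or any EDR vendor's code. The listening port 5514, the EXPECTED_FORWARDERS address ranges and the sample messages are constructed placeholders; in a real deployment the port would be 514 and the allowlist would hold the forwarder's internal IP (or its public IP, as requested in step 6 for Malwarebytes).

```python
import re
import socket
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed values: the page uses UDP 514; a high port avoids needing root
# while testing. The allowlist stands in for the forwarder addresses you expect.
LISTEN_PORT = 5514
EXPECTED_FORWARDERS = [ip_network("10.0.0.0/24"), ip_network("203.0.113.7/32")]

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424 framing: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<msg>.*)$", re.DOTALL)
# Classic BSD/RFC 3164 framing: <PRI>Mmm dd hh:mm:ss HOSTNAME message
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    severity_name: str
    host: str
    message: str
    rfc: str


def parse_syslog(datagram: bytes) -> Optional[SyslogEvent]:
    """Decode one UDP payload as RFC 5424 or RFC 3164 syslog; None if neither fits."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    for rfc, pattern in (("5424", RFC5424), ("3164", RFC3164)):
        m = pattern.match(text)
        if not m:
            continue
        pri = int(m.group("pri"))
        if pri > 191:  # PRI = facility*8 + severity; 23*8+7 is the maximum
            return None
        facility, severity = divmod(pri, 8)
        return SyslogEvent(facility, severity, SEVERITY_NAMES[severity],
                           m.group("host"), m.group("msg"), rfc)
    return None


def source_is_expected(src_ip: str) -> bool:
    """True if the datagram came from a configured forwarder address."""
    addr = ip_address(src_ip)
    return any(addr in net for net in EXPECTED_FORWARDERS)


def handle_datagram(src_ip: str, datagram: bytes) -> dict:
    """Return a verdict for one datagram: who sent it, did it parse, does it need a look."""
    if not source_is_expected(src_ip):
        return {"accepted": False, "reason": "unexpected source", "src": src_ip}
    event = parse_syslog(datagram)
    if event is None:
        return {"accepted": False, "reason": "unparseable", "src": src_ip}
    # Severities 0-3 (emerg..err) are the ones an analyst should see promptly.
    return {"accepted": True, "reason": "ok", "src": src_ip,
            "event": event, "needs_attention": event.severity <= 3}


def send_test_event(sensor_ip: str, port: int = LISTEN_PORT) -> bytes:
    """Run from the forwarder host: emit one constructed test message toward the sensor."""
    payload = b"<14>1 2024-01-01T00:00:00Z forwarder-host edr-test - - - connectivity test"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (sensor_ip, port))
    return payload


def serve(bind_addr: str = "0.0.0.0", port: int = LISTEN_PORT) -> None:
    """Run on the sensor: receive datagrams and print a verdict for each."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        print(f"listening on udp/{port}")
        while True:
            data, (src_ip, _) = sock.recvfrom(65535)
            verdict = handle_datagram(src_ip, data)
            if verdict["accepted"]:
                ev = verdict["event"]
                flag = " ATTENTION" if verdict["needs_attention"] else ""
                print(f"{src_ip} rfc{ev.rfc} {ev.severity_name} {ev.host}: {ev.message}{flag}")
            else:
                print(f"{src_ip} rejected: {verdict['reason']}")


if __name__ == "__main__":
    serve()
```

Run serve() on the sensor, then call send_test_event("<sensor internal IP>") from the forwarder host. If nothing arrives, the firewall path between the forwarder and the sensor is the first thing to check; if the datagram arrives but is rejected as an unexpected source, the address the traffic actually egresses from differs from the one on the allowlist, which is exactly why the forwarder's real outbound IP must be recorded in advance.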
Please send us an email at support@xenexsupport.com at this point in the process, letting us know how your EDR provider does log forwarding, so we can provide you with additional steps if needed.