Collect ThreatDown EDR logs
This document explains how to configure ThreatDown EDR (Nebula and OneView) to push logs to Google Security Operations using webhooks.
ThreatDown EDR, powered by Malwarebytes, provides endpoint detection and response capabilities including threat detection, suspicious activity monitoring, and endpoint protection. The Nebula platform serves single-tenant environments, while OneView is the multi-tenant management console for MSPs. Both platforms support a native integration with Google Security Operations that exports detection and suspicious activity data as Unified Data Model (UDM) events using the MALWAREBYTES_EDR log type.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- ThreatDown EDR (Nebula or OneView) with webhook support enabled for log delivery
- Access to Google Cloud Console (for API key creation)
- For Nebula: Super Admin access in the Nebula console and an active Nebula account with an active subscription for Endpoint Detection and Response
- For OneView: Global Administrator access in the OneView console and a site with an active subscription for Endpoint Detection and Response
- Admin access to Google Cloud Project to generate a Google Cloud Platform API Key
- Admin access to Google Chronicle SIEM
Create webhook feed in Google SecOps
Create the feed
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- In the Feed name field, enter a name for the feed (for example, Malwarebytes).
- Select Webhook as the Source type.
- Select Malwarebytes EDR as the Log type.
- Click Next.
- Specify values for the following input parameters:
- Split delimiter (optional): Leave empty. Each webhook request from ThreatDown contains structured event data.
- Asset namespace: The asset namespace
- Ingestion labels: The label to be applied to the events from this feed
- Click Next.
- Review your new feed configuration in the Finalize screen, and then click Submit.
Get the feed endpoint URL
- Go to the Details tab of the feed.
- In the Endpoint Information section, copy the Feed endpoint URL.
The URL has one of the following formats:
https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate
or
https://<REGION>-malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate
Save this URL for the next steps.
Generate and save secret key
After creating the feed, you must generate a secret key for authentication:
- Go to the Secret Key tab of the feed.
- Click Generate Secret Key.
- A dialog displays the secret key. Copy and save the secret key securely.
Important: The secret key is displayed only once and cannot be retrieved later. If you lose it, you must generate a new secret key.
- Click Done.
Create Google Cloud API key
The ThreatDown integration with Google SecOps requires a Google Cloud Platform (GCP) API Key.
Create the API key
- Go to the Google Cloud Console Credentials page.
- Select your project (the project associated with your Chronicle instance).
- Click Create credentials > API key.
- An API key is created and displayed in a dialog.
- Copy the API key and store it securely.
- In the pop-up, click Edit API key.
Restrict the API key
- In the API key settings page:
- Name: Enter a descriptive name (for example, Chronicle Webhook API Key)
- Select Restrict Key.
- In the drop-down menu, select Chronicle API.
- Click Save.
Configure ThreatDown EDR webhook
ThreatDown provides a native Google Chronicle SIEM integration on the Integrate page in both Nebula and OneView consoles. Choose the section below that matches your platform.
Option A: Configure Nebula
- Sign in to the ThreatDown Nebula console at cloud.malwarebytes.com with Super Admin credentials.
- Go to the Integrate page in the left navigation menu.
- Locate Google Chronicle SIEM and click Configure.
- Provide the following configuration details:
- Webhook URL: Paste the URL copied from the Endpoint Information field of the Google SecOps Feed Details page.
- Webhook Secret: Paste the secret key generated from the Google SecOps Feed Secret Key tab.
- GCP API Key: Paste the API key obtained from Google Cloud.
- Click Save.
After saving, Nebula begins exporting detection and suspicious activity logs directly to Google SecOps.
Option B: Configure OneView
- Sign in to the ThreatDown OneView console at cloud.malwarebytes.com with Global Administrator credentials.
- Go to the Integrate page in the left navigation menu.
- Locate Google Chronicle SIEM and click Configure.
- Toggle on Enable Setup.
- Provide the following configuration details:
- Webhook URL: Paste the URL copied from the Endpoint Information field of the Google SecOps Feed Details page.
- Webhook Secret: Paste the secret key generated from the Google SecOps Feed Secret Key tab.
- GCP API Key: Paste the API key obtained from Google Cloud.
- Site Selection: Select the site(s) to ingest data from.
- Click Save.
After saving, OneView begins exporting detection and suspicious activity logs from the selected sites directly to Google SecOps.
Verify log ingestion
After configuring the integration, verify that ThreatDown EDR logs are being ingested into Google SecOps:
- In Google SecOps, go to Investigation > SIEM Search.
- Enter the following UDM search query:
metadata.vendor_name = "Malwarebytes" and metadata.log_type = "MALWAREBYTES_EDR"
- Select the desired date range.
- Click Run Search.
- Click on the Events tab. The data ingested from ThreatDown EDR is displayed using a Unified Data Model (UDM).
Webhook limits and best practices
Request limits
| Limit | Value |
|---|---|
| Max request size | 4 MB |
| Max QPS (queries per second) | 15,000 |
| Request timeout | 30 seconds |
| Retry behavior | Automatic with exponential backoff |
Need more help?
- Enable Nebula integration with Google Chronicle SIEM - support.threatdown.com
- Enable OneView integration with Google Chronicle SIEM - support.threatdown.com
- Requirements for Nebula integration with Google Chronicle SIEM - support.threatdown.com
- Requirements for OneView integration with Google Chronicle SIEM - support.threatdown.com
- ThreatDown Nebula and OneView with Google Chronicle SIEM blog post - threatdown.com
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| payload.payload.sa_details.data.list.0.details.0.detected_by.0.description | metadata.description | Value copied directly |
| has_principal | metadata.event_type | Set to "GENERIC_EVENT" initially, then "SCAN_FILE" if has_principal and has_target_file, "STATUS_UPDATE" if has_principal, "USER_UNCATEGORIZED" if has_user, else "GENERIC_EVENT" |
| has_user | metadata.event_type | |
| has_target_file | metadata.event_type | |
| type | metadata.product_event_type | Value copied directly |
| id | metadata.product_log_id | Value copied directly |
| machine.id | principal.asset.asset_id | Concatenated from "MACHINE:" and machine.id |
| machine.name | principal.asset.hostname | Value copied directly |
| payload.payload.group_name | principal.group.group_display_name | Value copied directly |
| account.default_group_id | principal.group.product_object_id | Value copied directly |
| machine.name | principal.hostname | Value copied directly |
| account.id | principal.user.product_object_id | Value copied directly |
| account.name | principal.user.user_display_name | Value copied directly |
| account.owner_user_id | principal.user.userid | Value copied directly |
| payload.payload.category | security_result.category_details | Value copied directly |
| payload.payload.sa_details.data.mitre_attack_mapping.hosts file change.0.tactic.name | security_result.detection_fields | Each set as label with key, then merged |
| payload.payload.sa_details.data.mitre_attack_mapping.hosts file change.0.tactic.description | security_result.detection_fields | |
| payload.payload.sa_details.data.mitre_attack_mapping.hosts file change.0.tactic.hyperlink | security_result.detection_fields | |
| payload.payload.sa_details.data.mitre_attack_mapping.hosts file change.0.tactic.tag | security_result.detection_fields | |
| payload.payload.policy_id | security_result.detection_fields | |
| payload.payload.policy_name | security_result.detection_fields | |
| payload.id | security_result.detection_fields | |
| payload.payload.sa_details.data.list.0.details.0.detected_by.0.tag | security_result.summary | Value copied directly |
| payload.payload.threat_name | security_result.threat_name | Value copied directly |
| payload.payload.sa_details.data.list.0.user | target.administrative_domain | Extracted using grok pattern to get domain |
| payload.payload.path | target.file.full_path | Value copied directly |
| payload.payload.sa_process_graph.data.children.0.children.0.node_info.process_path | target.process.file.full_path | Value copied directly |
| payload.payload.sa_process_graph.data.children.0.node_info.process_path | target.process.parent_process.file.full_path | Value copied directly |
| payload.payload.sa_process_graph.data.children.0.node_info.process_id | target.process.parent_process.pid | Value copied directly |
| payload.payload.sa_process_graph.data.children.0.children.0.node_info.process_id | target.process.pid | Value copied directly |
| payload.payload.sa_details.data.list.0.user | target.user.userid | Extracted using grok pattern to get tar_user |
| metadata.product_name | metadata.product_name | Set to "Malwarebytes EDR" |
| metadata.vendor_name | metadata.vendor_name | Set to "Malwarebytes" |
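The following is an added example, not Google's parser or any ThreatDown code, that applies the mapping rules in the table above to a constructed ThreatDown event so you can check what a given webhook payload should look like once it lands in UDM. It assumes a dotted-path lookup over the JSON field names used in the table, that has_principal, has_user and has_target_file are derived from which principal, principal.user and target.file fields were populated, and that the unpublished grok pattern behind target.administrative_domain and target.user.userid splits a DOMAIN\user string; all of those are assumptions, as is the sample event itself.

```python
import json
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample event shaped after the field paths in the mapping table
# (assumption: not a real ThreatDown payload).
SAMPLE_EVENT: Dict[str, Any] = {
    "id": "evt-0001",
    "type": "suspicious_activity",
    "machine": {"id": "m-1234", "name": "WS-FINANCE-07"},
    "account": {"id": "acct-9", "name": "Example Corp",
                "owner_user_id": "u-42", "default_group_id": "g-1"},
    "payload": {"id": "pl-77", "payload": {
        "category": "Ransomware.Behavior",
        "threat_name": "Malware.Ransom.Agent.Generic",
        "path": "C:\\Users\\alice\\Downloads\\invoice.exe",
        "group_name": "Finance", "policy_id": "pol-3", "policy_name": "Default policy",
        "sa_details": {"data": {
            "list": [{"user": "CORP\\alice", "details": [{"detected_by": [
                {"description": "Process modified the hosts file", "tag": "hosts file change"}]}]}],
            "mitre_attack_mapping": {"hosts file change": [{"tactic": {
                "name": "Defense Evasion", "tag": "TA0005"}}]}}},
        "sa_process_graph": {"data": {"children": [{
            "node_info": {"process_path": "C:\\Windows\\explorer.exe", "process_id": 1234},
            "children": [{"node_info": {
                "process_path": "C:\\Users\\alice\\Downloads\\invoice.exe", "process_id": 5678}}]}]}},
    }},
}

# Assumed stand-in for the grok pattern: optional "DOMAIN\" prefix, then the user.
DOMAIN_USER_RE = re.compile(r"^(?:(?P<domain>[^\\]+)\\)?(?P<tar_user>.+)$")

# Log field -> UDM field for the rows marked "Value copied directly".
DIRECT_COPY = {
    "payload.payload.sa_details.data.list.0.details.0.detected_by.0.description": "metadata.description",
    "type": "metadata.product_event_type",
    "id": "metadata.product_log_id",
    "machine.name": "principal.asset.hostname",
    "payload.payload.group_name": "principal.group.group_display_name",
    "account.default_group_id": "principal.group.product_object_id",
    "account.id": "principal.user.product_object_id",
    "account.name": "principal.user.user_display_name",
    "account.owner_user_id": "principal.user.userid",
    "payload.payload.category": "security_result.category_details",
    "payload.payload.sa_details.data.list.0.details.0.detected_by.0.tag": "security_result.summary",
    "payload.payload.threat_name": "security_result.threat_name",
    "payload.payload.path": "target.file.full_path",
    "payload.payload.sa_process_graph.data.children.0.children.0.node_info.process_path": "target.process.file.full_path",
    "payload.payload.sa_process_graph.data.children.0.node_info.process_path": "target.process.parent_process.file.full_path",
    "payload.payload.sa_process_graph.data.children.0.node_info.process_id": "target.process.parent_process.pid",
    "payload.payload.sa_process_graph.data.children.0.children.0.node_info.process_id": "target.process.pid",
}

# Rows that become security_result.detection_fields labels and are merged.
LABEL_SOURCES = [
    "payload.payload.sa_details.data.mitre_attack_mapping.hosts file change.0.tactic.name",
    "payload.payload.sa_details.data.mitre_attack_mapping.hosts file change.0.tactic.description",
    "payload.payload.sa_details.data.mitre_attack_mapping.hosts file change.0.tactic.hyperlink",
    "payload.payload.sa_details.data.mitre_attack_mapping.hosts file change.0.tactic.tag",
    "payload.payload.policy_id", "payload.payload.policy_name", "payload.id",
]


def get(obj: Any, path: str) -> Optional[Any]:
    """Walk a dotted path; numeric segments index lists. Missing -> None."""
    cur = obj
    for part in path.split("."):
        if isinstance(cur, list):
            if not part.isdigit() or int(part) >= len(cur):
                return None
            cur = cur[int(part)]
        elif isinstance(cur, dict):
            cur = cur.get(part)
        else:
            return None
        if cur is None:
            return None
    return cur


def split_user(user: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (domain, tar_user) from a DOMAIN\\user string (assumed format)."""
    if not user:
        return None, None
    m = DOMAIN_USER_RE.match(user)
    return (m.group("domain"), m.group("tar_user")) if m else (None, user)


def map_event_type(has_principal: bool, has_user: bool, has_target_file: bool) -> str:
    """The metadata.event_type rule from the table, evaluated in the stated order."""
    if has_principal and has_target_file:
        return "SCAN_FILE"
    if has_principal:
        return "STATUS_UPDATE"
    if has_user:
        return "USER_UNCATEGORIZED"
    return "GENERIC_EVENT"


def to_udm(event: Dict[str, Any]) -> Dict[str, Any]:
    """Produce a flat {udm_field: value} view of one event."""
    udm: Dict[str, Any] = {"metadata.product_name": "Malwarebytes EDR",
                           "metadata.vendor_name": "Malwarebytes"}
    for src, dst in DIRECT_COPY.items():
        value = get(event, src)
        if value is not None:
            udm[dst] = value
    machine_id = get(event, "machine.id")
    if machine_id:
        udm["principal.asset.asset_id"] = f"MACHINE:{machine_id}"
        udm["principal.hostname"] = get(event, "machine.name")
    domain, tar_user = split_user(get(event, "payload.payload.sa_details.data.list.0.user"))
    if domain:
        udm["target.administrative_domain"] = domain
    if tar_user:
        udm["target.user.userid"] = tar_user
    labels: List[Dict[str, str]] = []
    for src in LABEL_SOURCES:  # each present field becomes one merged label
        value = get(event, src)
        if value is not None:
            labels.append({"key": src.rsplit(".", 1)[-1], "value": str(value)})
    udm["security_result.detection_fields"] = labels
    has_principal = any(k.startswith("principal.") for k in udm)
    has_user = any(k.startswith("principal.user.") for k in udm)
    udm["metadata.event_type"] = map_event_type(
        has_principal, has_user, "target.file.full_path" in udm)
    return udm


if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE_EVENT), indent=2))
```

Running the block prints the flattened UDM view of the constructed event; swapping in a real payload captured from the feed shows which table rows are populated and which event_type the rule selects, which is useful when a search on metadata.event_type returns fewer results than expected.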