MalwareBytes ThreatDown Integration Setup
This guide walks you through integrating MalwareBytes ThreatDown with RAD Security for advanced malware detection, ransomware protection, and exploit mitigation, enabling you to correlate endpoint security events with container and cloud runtime activity. MalwareBytes ThreatDown provides comprehensive protection against malware, ransomware, exploits, and advanced threats with real-time threat intelligence.
Prerequisites
Before you begin, ensure you have:
- Access to MalwareBytes Cloud Console
- Administrator privileges in MalwareBytes
- Access to RAD Security workspace with integration permissions
Administrator Required: You must have administrator privileges in the MalwareBytes Cloud Console to create API clients and access the Integrate section.
Step 1: Access MalwareBytes Cloud Console
1. Log in to MalwareBytes Console
   Log in to your MalwareBytes Cloud Console with administrator privileges.
2. Navigate to Integrate Section
   Click the Integrate section in the console navigation.
Step 2: Create API Client
1. Add New Client
   In the Integrate section, click the Add Client button.
2. Configure Client Permissions
   Configure the API client with the following permissions:
   - ☑️ Read - Access to query endpoint data and detections
   - ☑️ Write - Ability to create or modify data
   - ☑️ Execute - Permission to perform actions
   All three permissions are required for the integration to function properly. Missing any permission will result in a limited or non-functional integration.
3. Save API Client
   Click Save to generate the API client.
4. Copy OAuth2.0 Credentials
   Immediately copy and save the following values:
   - Client ID
   - Client Secret
   Save these values now! The Client Secret may only be displayed once. If you lose it, you'll need to create a new API client.
Step 3: Get Account ID
The Account ID is required to identify your MalwareBytes tenant for API calls.
1. Navigate to Dashboard
   From the MalwareBytes Cloud Console, navigate to your tenant Dashboard.
2. Copy Dashboard URL
   Copy the URL from your browser's address bar. The URL will be in the format:
   https://cloud.malwarebytes.com/{uuid}/dashboard
   Example:
   https://cloud.malwarebytes.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/dashboard
3. Extract Account ID
   Extract the Account ID (UUID) from the URL:
   - The Account ID is the UUID between cloud.malwarebytes.com/ and /dashboard
   - In the example above, the Account ID is: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
   The Account ID is a UUID in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (8-4-4-4-12 hexadecimal characters separated by hyphens).
4. Save Account ID
   Copy and save the Account ID for use in the integration configuration.
Flexible Format: The RAD Security integration accepts either the raw UUID Account ID or the full dashboard URL. Both formats work correctly.
Step 4: Configure in RAD Security
Navigate to your RAD Security workspace and configure the MalwareBytes ThreatDown integration with the following parameters:
Required Parameters
| Parameter | Description | Example |
|---|---|---|
| Client ID | OAuth2.0 Client ID from Step 2 | abc123-def456-ghi789 |
| Client Secret | OAuth2.0 Client Secret from Step 2 | your-client-secret-here |
| Account ID | Account ID (UUID) from Step 3 or full URL | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Base URL | Provide the complete dashboard URL | https://cloud.malwarebytes.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/dashboard |
Verify Integration
After completing the setup, verify your integration is working:
- Navigate to Data Sources > Integrations > EDR in RAD Security
- Locate your MalwareBytes ThreatDown integration
- Check the connection status shows as Connected
- Verify endpoint data is being synced
Your MalwareBytes ThreatDown integration is now configured! RAD Security can now correlate endpoint malware detections with container and cloud runtime events.
What Data is Synced
Once configured, RAD Security will sync the following data from MalwareBytes ThreatDown:
Endpoint Information
- Endpoint inventory and status
- Operating system details
- Agent version and health
- Protection status
- Last seen timestamps
- Endpoint groups and policies
Malware Detections
- Malware detections and alerts
- Threat classifications
- File hashes and indicators
- Detection timestamps
- Remediation actions taken
- Quarantined items
Ransomware Protection
- Ransomware behavior detections
- Protected files and folders
- Ransomware mitigation events
- Recovery actions
- Blocked encryption attempts
Exploit Prevention
- Exploit prevention events
- Application behavior monitoring
- Memory protection events
- Blocked exploit attempts
- Vulnerability mitigations
Threat Intelligence
- Real-time threat intelligence
- Known bad indicators
- Threat actor attributions
- Emerging threat data
- Malicious IP and domain lists
Security Events
- Security policy events
- Configuration changes
- User actions
- Administrative activities
- Integration status
Use Cases
Malware Correlation
Correlate MalwareBytes malware detections on endpoints with container activity to detect supply chain attacks.
Ransomware Protection
Identify ransomware behavior across endpoints and containerized infrastructure for coordinated response.
Exploit Detection
Detect exploit attempts that span endpoints and cloud workloads with unified visibility.
Threat Intelligence
Leverage MalwareBytes threat intelligence with RAD Security’s runtime context for enhanced detection accuracy.
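The "Malware Correlation" use case above is the idea of joining what the EDR saw on a host with what ran inside containers. The following is an added example that is not RAD Security's or Malwarebytes' code: it runs two simple correlation rules over constructed sample records (the field names, hostnames, image names and hashes are all assumptions made up for this example, not the ThreatDown or RAD Security schemas). Rule one matches a hash quarantined on an endpoint against hashes executed in any container; rule two ties a detection to container activity on the same node inside a time window.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names are this example's own assumptions,
# not the ThreatDown or RAD Security schemas.
H_DROPPER = "a1" * 32   # constructed SHA-256 placeholder
H_ADWARE = "b2" * 32
H_BENIGN = "c3" * 32

ENDPOINT_DETECTIONS = [
    {"endpoint": "build-runner-01", "sha256": H_DROPPER, "threat": "Trojan.Dropper",
     "detected_at": "2024-05-01T10:02:00Z", "action": "quarantined"},
    {"endpoint": "laptop-17", "sha256": H_ADWARE, "threat": "Adware.Generic",
     "detected_at": "2024-05-01T11:00:00Z", "action": "quarantined"},
]

CONTAINER_EVENTS = [
    # the flagged file also executed inside a CI container on the node where it was detected
    {"node": "build-runner-01", "container": "ci-job-4471",
     "image": "registry.internal/ci/builder:3.2", "sha256": H_DROPPER,
     "event": "exec", "at": "2024-05-01T10:05:30Z"},
    {"node": "k8s-node-3", "container": "api-7d9f",
     "image": "registry.internal/api:1.9", "sha256": H_BENIGN,
     "event": "exec", "at": "2024-05-01T10:06:00Z"},
    # the same hash surfaces a day later in a production image: supply-chain signal
    {"node": "k8s-node-3", "container": "api-7d9f",
     "image": "registry.internal/api:1.9", "sha256": H_DROPPER,
     "event": "exec", "at": "2024-05-02T09:00:00Z"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(detections, events, window=timedelta(minutes=30)):
    """Join endpoint detections with container runtime events.

    same_hash: a hash quarantined on any endpoint also executed inside a
    container (any node, any time), so the artifact moved into workloads.
    same_host_window: a detection on a host that is also a container node,
    with container activity within `window` of the detection, giving endpoint
    and workload context for one incident.
    """
    by_hash = {}
    for d in detections:
        by_hash.setdefault(d["sha256"], []).append(d)

    findings = []
    for ev in events:
        ev_time = parse_ts(ev["at"])
        for d in by_hash.get(ev["sha256"], []):
            findings.append({"rule": "same_hash", "threat": d["threat"],
                             "endpoint": d["endpoint"], "node": ev["node"],
                             "container": ev["container"], "image": ev["image"],
                             "sha256": ev["sha256"]})
        for d in detections:
            if d["endpoint"] == ev["node"] and \
               abs(parse_ts(d["detected_at"]) - ev_time) <= window:
                findings.append({"rule": "same_host_window", "threat": d["threat"],
                                 "endpoint": d["endpoint"], "node": ev["node"],
                                 "container": ev["container"], "image": ev["image"],
                                 "sha256": ev["sha256"]})
    return findings


def images_to_review(findings):
    """Distinct container images that carried a hash flagged on an endpoint."""
    return sorted({f["image"] for f in findings if f["rule"] == "same_hash"})


if __name__ == "__main__":
    found = correlate(ENDPOINT_DETECTIONS, CONTAINER_EVENTS)
    for f in found:
        print(f["rule"], f["threat"], f["endpoint"], "->", f["container"], f["image"])
    print("images to review:", images_to_review(found))
```

On the sample data the same_hash rule fires twice for the dropper (once in the CI builder image, once in the production API image a day later), and the same_host_window rule fires once for the CI container on the detecting node; the list of images to review is what a responder would feed back into image scanning or a registry block.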
Troubleshooting
Authentication Failed
Possible causes:
- Client ID or Client Secret is incorrect
- API client was deleted or disabled
- Credentials expired or revoked
Solutions:
- Verify Client ID and Secret are copied correctly (no extra spaces)
- Check that the API client still exists in MalwareBytes Console
- Ensure the client has Read, Write, and Execute permissions
- Create a new API client if the current one is invalid
Invalid Account ID
Possible causes:
- Account ID format is incorrect
- Wrong Account ID copied
- Account ID from different tenant
Solutions:
- Verify Account ID is a valid UUID format (8-4-4-4-12)
- Re-extract Account ID from dashboard URL
- Ensure you’re copying from the correct tenant
- Try providing the full dashboard URL instead of just the UUID
Insufficient Permissions
Possible causes:
- API client missing Read, Write, or Execute permission
- Permissions were modified after creation
- User creating client doesn’t have admin privileges
Solutions:
- Verify all three permissions (Read, Write, Execute) are enabled
- Recreate the API client with all required permissions
- Ensure you have administrator privileges in MalwareBytes
- Check API client settings in the Integrate section
No Data Syncing
Possible causes:
- No endpoints reporting to MalwareBytes
- Initial sync still in progress
- API rate limits reached
- Network connectivity issues
Solutions:
- Verify MalwareBytes agents are installed and reporting
- Check endpoint status in MalwareBytes Console
- Allow up to 15 minutes for initial data sync
- Review integration logs in RAD Security for errors
- Monitor API usage to ensure you’re within rate limits
API Client Not Found
Possible causes:
- API client was deleted
- Viewing wrong tenant
- Client creation failed
Solutions:
- Log in to MalwareBytes Console
- Navigate to Integrate section
- Verify the API client exists in the list
- Check you’re logged into the correct tenant
- Create a new API client if needed
URL Format Issues
Possible causes:
- Incorrect URL format
- Extra characters in URL
- Partial URL copied
Solutions:
- Ensure URL includes https://
- Verify format is: https://cloud.malwarebytes.com/{uuid}/dashboard
- Remove any trailing slashes or extra parameters
- Alternatively, use just the UUID Account ID
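Step 3 (extracting the Account ID from the dashboard URL), the Step 4 parameter table and the "Invalid Account ID", "Insufficient Permissions", "Authentication Failed" and "URL Format Issues" items above all reduce to a few input checks that are easy to get wrong by hand. The following is an added example, not RAD Security's or Malwarebytes' code: it accepts either the raw UUID or the full dashboard URL, tolerates trailing slashes, query parameters and stray whitespace, and returns a message matching the troubleshooting item for anything else. The function names, the `AccountIdError` type and the keys of the returned config dict are this example's own assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical helpers written for this guide; not RAD Security's or Malwarebytes' code.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)
DASHBOARD_HOST = "cloud.malwarebytes.com"
REQUIRED_PERMISSIONS = frozenset({"read", "write", "execute"})   # the three Step 2 permissions


class AccountIdError(ValueError):
    """Raised with a message matching an 'Invalid Account ID' / 'URL Format Issues' item."""


def normalize_account_id(value: str) -> str:
    """Accept the raw UUID or https://cloud.malwarebytes.com/{uuid}/dashboard
    (trailing slashes and query parameters tolerated) and return the lowercase UUID."""
    v = value.strip()                      # stray whitespace is a common copy/paste error
    if not v:
        raise AccountIdError("Account ID is empty")
    if UUID_RE.match(v):
        return v.lower()
    if "/" not in v and "." not in v:      # looks like a UUID attempt, but malformed
        raise AccountIdError("Account ID is not a valid UUID (expected 8-4-4-4-12 hex groups)")
    if not v.lower().startswith("https://"):
        raise AccountIdError("dashboard URL must include https://")
    parsed = urlparse(v)
    if parsed.hostname != DASHBOARD_HOST:
        raise AccountIdError(f"unexpected host {parsed.hostname!r}; expected {DASHBOARD_HOST}")
    parts = [p for p in parsed.path.split("/") if p]   # drops empty segments from a trailing '/'
    if len(parts) < 2 or parts[1] != "dashboard":
        raise AccountIdError("partial URL: expected https://cloud.malwarebytes.com/{uuid}/dashboard")
    if not UUID_RE.match(parts[0]):
        raise AccountIdError("UUID segment of the URL is not a valid 8-4-4-4-12 UUID")
    return parts[0].lower()


def account_id_problem(value: str):
    """Return the troubleshooting message for a bad Account ID, or None when it is valid."""
    try:
        normalize_account_id(value)
        return None
    except AccountIdError as exc:
        return str(exc)


def missing_permissions(granted) -> set:
    """Permissions from Step 2 that the API client still lacks (case and whitespace ignored)."""
    return set(REQUIRED_PERMISSIONS) - {p.strip().lower() for p in granted}


def build_integration_config(client_id: str, client_secret: str, account: str, granted):
    """Assemble the Step 4 parameters, failing early on the problems the
    Troubleshooting section lists: blank or padded credentials, missing
    permissions, bad Account ID. The dict keys are this example's own naming."""
    cid, secret = client_id.strip(), client_secret.strip()
    if not cid or not secret:
        raise ValueError("Client ID and Client Secret must both be set")
    missing = missing_permissions(granted)
    if missing:
        raise ValueError(f"API client is missing permissions: {sorted(missing)}")
    account_id = normalize_account_id(account)
    return {
        "client_id": cid,
        "client_secret": secret,
        "account_id": account_id,
        "base_url": f"https://{DASHBOARD_HOST}/{account_id}/dashboard",
    }


if __name__ == "__main__":
    cfg = build_integration_config(
        " example-client-id ", "example-client-secret",
        "https://cloud.malwarebytes.com/12345678-1234-1234-1234-123456789ABC/dashboard/?tab=overview",
        ["Read", "Write", "Execute"])
    print(cfg["account_id"], cfg["base_url"])
    print(account_id_problem("cloud.malwarebytes.com/12345678-1234-1234-1234-123456789abc/dashboard"))
```

Run the check before pasting values into RAD Security; a message such as "dashboard URL must include https://" or "partial URL" points straight at the corresponding fix in the list above, and the lowercased UUID is what you would enter if you choose the raw Account ID over the full URL.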
Security Best Practices
Use Dedicated Clients
Create dedicated API clients for each integration rather than sharing credentials across services.
Least Privilege Access
Only assign the three required permissions (Read, Write, Execute). Avoid granting additional unnecessary permissions.
Rotate Credentials Regularly
Periodically create new API clients and delete old ones to maintain security.
Secure Credential Storage
Store Client ID and Secret in a secure password manager or secrets vault. Never commit to version control.
Monitor API Usage
Regularly review API client activity in MalwareBytes Console to detect anomalous behavior.
Audit Client Access
Periodically review all API clients and remove unused or outdated ones from the Integrate section.
API Client Management
To manage your MalwareBytes API clients:
1. View Existing Clients
   Navigate to the Integrate section in MalwareBytes Console to view all active API clients.
2. Rotate Credentials
   - Create a new API client with the same permissions
   - Update RAD Security with the new Client ID and Secret
   - Verify the integration works
   - Delete the old API client
3. Revoke Compromised Credentials
   If credentials are compromised, immediately delete the API client in MalwareBytes and create a new one.
Additional Resources
MalwareBytes Documentation
Official MalwareBytes support and documentation
MalwareBytes Cloud Console
Access your MalwareBytes Cloud Console