# MalwareBytes ThreatDown

> Configure MalwareBytes ThreatDown integration with RAD Security for advanced malware detection and removal.

# MalwareBytes ThreatDown Integration Setup

This guide walks you through integrating MalwareBytes ThreatDown with RAD Security for advanced malware detection, ransomware protection, and exploit mitigation, enabling you to correlate endpoint security events with container and cloud runtime activity.

MalwareBytes ThreatDown provides comprehensive protection against malware, ransomware, exploits, and advanced threats with real-time threat intelligence.

## Prerequisites

Before you begin, ensure you have:

<Check>
  * Access to MalwareBytes Cloud Console
  * **Administrator privileges** in MalwareBytes
  * Access to RAD Security workspace with integration permissions
</Check>

<Warning>
  **Administrator Required:** You must have administrator privileges in the MalwareBytes Cloud Console to create API clients and access the Integrate section.
</Warning>

***

## Step 1: Access MalwareBytes Cloud Console

<Steps>
  <Step title="Log in to MalwareBytes Console">
    Log in to your MalwareBytes Cloud Console with administrator privileges
  </Step>

  <Step title="Navigate to Integrate Section">
    Click on the **Integrate** section in the console navigation
  </Step>
</Steps>

***

## Step 2: Create API Client

<Steps>
  <Step title="Add New Client">
    In the Integrate section, click the **Add Client** button
  </Step>

  <Step title="Configure Client Permissions">
    Configure the API client with the following permissions:

    * ☑️ **Read** - Access to query endpoint data and detections
    * ☑️ **Write** - Ability to create or modify data
    * ☑️ **Execute** - Permission to perform actions

    <Warning>
      **All three permissions are required** for the integration to function properly. Missing any permission will result in limited or non-functional integration.
    </Warning>
  </Step>

  <Step title="Save API Client">
    Click **Save** to generate the API client
  </Step>

  <Step title="Copy OAuth2.0 Credentials">
    **Immediately copy and save** the following values:

    * **Client ID**
    * **Client Secret**

    <Warning>
      **Save these values now!** The Client Secret may only be displayed once. If you lose it, you'll need to create a new API client.
    </Warning>
  </Step>
</Steps>

***

## Step 3: Get Account ID

The Account ID is required to identify your MalwareBytes tenant for API calls.

<Steps>
  <Step title="Navigate to Dashboard">
    From the MalwareBytes Cloud Console, navigate to your tenant **Dashboard**
  </Step>

  <Step title="Copy Dashboard URL">
    Copy the URL from your browser's address bar. The URL will be in the format:

    ```
    https://cloud.malwarebytes.com/{account_identifier}/dashboard
    ```

    **Example:**

    ```
    https://cloud.malwarebytes.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/dashboard
    ```
  </Step>

  <Step title="Extract Account ID">
    Extract the Account ID (UUID) from the URL:

    * The Account ID is the UUID between `cloud.malwarebytes.com/` and `/dashboard`
    * In the example above, the Account ID is: `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`

    <Note>
      The Account ID is a UUID in the format: `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` (8-4-4-4-12 hexadecimal characters separated by hyphens)
    </Note>
  </Step>

  <Step title="Save Account ID">
    Copy and save the Account ID for use in the integration configuration
  </Step>
</Steps>

<Info>
  **Flexible Format:** The RAD Security integration accepts either the raw UUID Account ID or the full dashboard URL. Both formats work correctly.
</Info>
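As an added example (not RAD Security's or Malwarebytes' code), the following Python helper accepts either form the note above allows, a bare Account ID or the full dashboard URL, and applies the checks listed later under URL Format Issues: it requires `https://`, checks the `cloud.malwarebytes.com` host, drops query strings and trailing slashes, and enforces the 8-4-4-4-12 UUID shape. The UUID values are constructed placeholders, not a real tenant.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: the console host from the page and the
# 8-4-4-4-12 hexadecimal UUID shape the Account ID note describes.
CONSOLE_HOST = "cloud.malwarebytes.com"
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def normalize_account_id(value: str) -> str:
    """Return the lowercase Account ID from a bare UUID or a dashboard URL.
    Applies the URL Format Issues checks: https:// required, query string and
    trailing slashes dropped, UUID format enforced. Raises ValueError."""
    candidate = value.strip()
    if "/" not in candidate:  # bare Account ID, no URL parsing needed
        account_id = candidate.lower()
        if not UUID_RE.match(account_id):
            raise ValueError("Account ID is not an 8-4-4-4-12 hex UUID")
        return account_id
    parsed = urlparse(candidate)
    if parsed.scheme != "https":
        raise ValueError("dashboard URL must start with https://")
    if parsed.netloc.lower() != CONSOLE_HOST:
        raise ValueError(f"expected host {CONSOLE_HOST}, got {parsed.netloc!r}")
    # urlparse already splits off query and fragment; filtering empty segments
    # removes trailing slashes, leaving ["{account_id}", "dashboard"].
    segments = [s for s in parsed.path.split("/") if s]
    if len(segments) != 2 or segments[1].lower() != "dashboard":
        raise ValueError("expected path /{account_id}/dashboard (partial URL?)")
    account_id = segments[0].lower()
    if not UUID_RE.match(account_id):
        raise ValueError("Account ID in URL is not an 8-4-4-4-12 hex UUID")
    return account_id


def check_account_id(value: str) -> tuple[bool, str]:
    """Non-raising wrapper: (True, account_id) or (False, reason)."""
    try:
        return True, normalize_account_id(value)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs; the UUID is a placeholder, not a real tenant.
    for sample in [
        "12345678-ABCD-4EF0-9ABC-1234567890AB",
        "https://cloud.malwarebytes.com/12345678-abcd-4ef0-9abc-1234567890ab/dashboard/?tab=x",
        "http://cloud.malwarebytes.com/12345678-abcd-4ef0-9abc-1234567890ab/dashboard",
    ]:
        print(sample, "->", check_account_id(sample))
```

Running the same normalizer on a value before pasting it into the RAD Security form gives the actionable reason behind an "Invalid Account ID" error instead of a generic failure.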

***

## Step 4: Configure in RAD Security

Navigate to your RAD Security workspace and configure the MalwareBytes ThreatDown integration with the following parameters:

### Required Parameters

| Parameter         | Description                               | Example                                                                         |
| ----------------- | ----------------------------------------- | ------------------------------------------------------------------------------- |
| **Client ID**     | OAuth2.0 Client ID from Step 2            | `abc123-def456-ghi789`                                                          |
| **Client Secret** | OAuth2.0 Client Secret from Step 2        | `your-client-secret-here`                                                       |
| **Account ID**    | Account ID (UUID) from Step 3 or full URL | `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`                                          |
| **Base URL**      | Provide the complete dashboard URL        | `https://cloud.malwarebytes.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/dashboard` |

***

## Verify Integration

After completing the setup, verify your integration is working:

1. Navigate to **Data Sources > Integrations > EDR** in RAD Security
2. Locate your MalwareBytes ThreatDown integration
3. Check the connection status shows as **Connected**
4. Verify endpoint data is being synced

<Check>
  Your MalwareBytes ThreatDown integration is now configured! RAD Security can now correlate endpoint malware detections with container and cloud runtime events.
</Check>

## What Data is Synced

Once configured, RAD Security will sync the following data from MalwareBytes ThreatDown:

<AccordionGroup>
  <Accordion title="Endpoint Information" icon="computer">
    * Endpoint inventory and status
    * Operating system details
    * Agent version and health
    * Protection status
    * Last seen timestamps
    * Endpoint groups and policies
  </Accordion>

  <Accordion title="Malware Detections" icon="shield-virus">
    * Malware detections and alerts
    * Threat classifications
    * File hashes and indicators
    * Detection timestamps
    * Remediation actions taken
    * Quarantined items
  </Accordion>

  <Accordion title="Ransomware Protection" icon="shield-halved">
    * Ransomware behavior detections
    * Protected files and folders
    * Ransomware mitigation events
    * Recovery actions
    * Blocked encryption attempts
  </Accordion>

  <Accordion title="Exploit Prevention" icon="shield-check">
    * Exploit prevention events
    * Application behavior monitoring
    * Memory protection events
    * Blocked exploit attempts
    * Vulnerability mitigations
  </Accordion>

  <Accordion title="Threat Intelligence" icon="brain">
    * Real-time threat intelligence
    * Known bad indicators
    * Threat actor attributions
    * Emerging threat data
    * Malicious IP and domain lists
  </Accordion>

  <Accordion title="Security Events" icon="bell">
    * Security policy events
    * Configuration changes
    * User actions
    * Administrative activities
    * Integration status
  </Accordion>
</AccordionGroup>

## Use Cases

<CardGroup cols={2}>
  <Card title="Malware Correlation" icon="shield-virus">
    Correlate MalwareBytes malware detections on endpoints with container activity to detect supply chain attacks.
  </Card>

  <Card title="Ransomware Protection" icon="lock">
    Identify ransomware behavior across endpoints and containerized infrastructure for coordinated response.
  </Card>

  <Card title="Exploit Detection" icon="shield-exclamation">
    Detect exploit attempts that span endpoints and cloud workloads with unified visibility.
  </Card>

  <Card title="Threat Intelligence" icon="lightbulb">
    Leverage MalwareBytes threat intelligence with RAD Security's runtime context for enhanced detection accuracy.
  </Card>
</CardGroup>

## Troubleshooting

<AccordionGroup>
  <Accordion title="Authentication Failed" icon="triangle-exclamation">
    **Possible causes:**

    * Client ID or Client Secret is incorrect
    * API client was deleted or disabled
    * Credentials expired or revoked

    **Solution:**

    * Verify Client ID and Secret are copied correctly (no extra spaces)
    * Check that the API client still exists in MalwareBytes Console
    * Ensure the client has Read, Write, and Execute permissions
    * Create a new API client if the current one is invalid
  </Accordion>

  <Accordion title="Invalid Account ID" icon="hashtag">
    **Possible causes:**

    * Account ID format is incorrect
    * Wrong Account ID copied
    * Account ID from different tenant

    **Solution:**

    * Verify Account ID is a valid UUID format (8-4-4-4-12)
    * Re-extract Account ID from dashboard URL
    * Ensure you're copying from the correct tenant
    * Try providing the full dashboard URL instead of just the UUID
  </Accordion>

  <Accordion title="Insufficient Permissions" icon="shield-exclamation">
    **Possible causes:**

    * API client missing Read, Write, or Execute permission
    * Permissions were modified after creation
    * User creating client doesn't have admin privileges

    **Solution:**

    * Verify all three permissions (Read, Write, Execute) are enabled
    * Recreate the API client with all required permissions
    * Ensure you have administrator privileges in MalwareBytes
    * Check API client settings in the Integrate section
  </Accordion>

  <Accordion title="No Data Syncing" icon="database-slash">
    **Possible causes:**

    * No endpoints reporting to MalwareBytes
    * Initial sync still in progress
    * API rate limits reached
    * Network connectivity issues

    **Solution:**

    * Verify MalwareBytes agents are installed and reporting
    * Check endpoint status in MalwareBytes Console
    * Allow up to 15 minutes for initial data sync
    * Review integration logs in RAD Security for errors
    * Monitor API usage to ensure you're within rate limits
  </Accordion>

  <Accordion title="API Client Not Found" icon="magnifying-glass-minus">
    **Possible causes:**

    * API client was deleted
    * Viewing wrong tenant
    * Client creation failed

    **Solution:**

    * Log in to MalwareBytes Console
    * Navigate to Integrate section
    * Verify the API client exists in the list
    * Check you're logged into the correct tenant
    * Create a new API client if needed
  </Accordion>

  <Accordion title="URL Format Issues" icon="link-slash">
    **Possible causes:**

    * Incorrect URL format
    * Extra characters in URL
    * Partial URL copied

    **Solution:**

    * Ensure URL includes `https://`
    * Verify format is: `https://cloud.malwarebytes.com/{uuid}/dashboard`
    * Remove any trailing slashes or extra parameters
    * Alternatively, use just the UUID Account ID
  </Accordion>
</AccordionGroup>

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Use Dedicated Clients" icon="robot">
    Create dedicated API clients for each integration rather than sharing credentials across services.
  </Card>

  <Card title="Least Privilege Access" icon="shield-halved">
    Only assign the three required permissions (Read, Write, Execute). Avoid granting additional unnecessary permissions.
  </Card>

  <Card title="Rotate Credentials Regularly" icon="rotate">
    Periodically create new API clients and delete old ones to maintain security.
  </Card>

  <Card title="Secure Credential Storage" icon="lock">
    Store Client ID and Secret in a secure password manager or secrets vault. Never commit to version control.
  </Card>

  <Card title="Monitor API Usage" icon="chart-line">
    Regularly review API client activity in MalwareBytes Console to detect anomalous behavior.
  </Card>

  <Card title="Audit Client Access" icon="clipboard-list">
    Periodically review all API clients and remove unused or outdated ones from the Integrate section.
  </Card>
</CardGroup>

## API Client Management

To manage your MalwareBytes API clients:

<Steps>
  <Step title="View Existing Clients">
    Navigate to Integrate section in MalwareBytes Console to view all active API clients
  </Step>

  <Step title="Rotate Credentials">
    1. Create a new API client with the same permissions
    2. Update RAD Security with the new Client ID and Secret
    3. Verify the integration works
    4. Delete the old API client
  </Step>

  <Step title="Revoke Compromised Credentials">
    If credentials are compromised, immediately delete the API client in MalwareBytes and create a new one
  </Step>
</Steps>

## Additional Resources

<CardGroup cols={2}>
  <Card title="MalwareBytes Documentation" icon="book" href="https://support.malwarebytes.com/">
    Official MalwareBytes support and documentation
  </Card>

  <Card title="MalwareBytes Cloud Console" icon="cloud" href="https://cloud.malwarebytes.com/">
    Access your MalwareBytes Cloud Console
  </Card>
</CardGroup>

## Next Steps

<CardGroup cols={2}>
  <Card title="EDR Integrations Overview" icon="shield-check" href="/rad-security/integrations/edr/overview">
    Explore other EDR integration options
  </Card>

  <Card title="Runtime Security" icon="shield" href="/rad-security/integrations/runtime-security">
    Learn about RAD's container runtime security
  </Card>

  <Card title="Alerts & Incidents" icon="bell" href="/rad-security/platform/workspace">
    Configure correlated alerts and incident management
  </Card>

  <Card title="Threat Models" icon="crosshairs" href="/rad-security/security-and-compliance/overview">
    Understand how threats are detected across platforms
  </Card>
</CardGroup>
