Skip to content
Find out how we support MDR.

Malwarebytes Endpoint Protection

Log collector

This feature might not be available for all customers yet.

See threat-related events from Malwarebytes Endpoint Protection, a cloud-hosted security platform that protects endpoints and resources, in Sophos Central.

This integration uses a log collector on a virtual machine (VM). The log collector receives third-party data and sends it to the Sophos Data Lake.


A VM can host integrations for multiple products, but can't host more than one integration of the same product.

The key steps are as follows:

  • Add an integration for this product. This configures an Open Virtual Appliance (OVA) file.
  • Deploy the OVA file on your ESXi server. This becomes your log collector.
  • Configure Malwarebytes Endpoint Protection to send data to the log collector.

Add an integration

To integrate Endpoint Protection with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center and click Integrations.
  2. Click Malwarebytes Endpoint Protection.

    If you've already set up connections to Endpoint Protection, you see them here.

  3. Click Add integration.


    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    Integration steps appears.

Configure the VM

In Integration steps you configure your VM to receive data from Endpoint Protection. You can use an existing VM, or create a new one.

To configure the VM, do as follows:

  1. Add a name and description for the new integration.
  2. Enter a name and description for the VM.
  3. Select the virtual platform. (Currently we only support VMware).
  4. Specify the internet-facing network ports.

    • Select DHCP to assign the IP address automatically.


      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

    You'll need the VM's address later, when you configure Endpoint Protection to send data to it.

  5. Select a Protocol.

  6. Complete any remaining fields on the form.
  7. Click Save.

    We create the integration and it appears in your list. It may take a few minutes for the OVA file to be ready for download.

Deploy the VM


The OVA file is verified with Sophos Central, so it can only be used once. After it's been deployed, it can't be used again.

If you have to deploy a new VM, you must do all these steps again to link this integration to Sophos Central.

Use the OVA file to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click Download OVA.
  2. When the OVA file download finishes, deploy it on your ESXi server. An assistant guides you through the steps. See Deploy a VM for integrations.

When you've deployed the VM, the integration shows as Connected.

Configure Endpoint Protection

Endpoint Protection gets event data and forwards it as follows:

  • Endpoints report threat detection, quarantine, and other events to Malwarebytes Endpoint Protection.
  • A Malwarebytes syslog communicator endpoint pulls events from Malwarebytes Endpoint Protection.
  • The communication endpoint forwards events to syslog server in CEF format.

Your log collector acts as the syslog server.

Before you start

You need the following:

  • An active subscription or trial for one of the following Malwarebytes Endpoint Protection platform products:
    • Malwarebytes Endpoint Detection and Response
    • Malwarebytes Endpoint Protection
    • Malwarebytes Incident Response
  • The IP address of your virtual machine.
  • Network access between one of your Malwarebytes syslog communication endpoints and a SIEM or syslog server. TCP over port 514 is used by default.


  1. Go to Settings > Syslog Logging.
  2. Click Add > Syslog Settings.
  3. Fill in the following information about your virtual machine:

    • IP Address/Host: IP address or hostname of your virtual machine.
    • Port: Port on your virtual machine.
    • Protocol: Choose TCP or UDP protocol.
    • Severity: Choose a Severity from the list. This determines the severity of all Malwarebytes events sent to syslog.
    • Communication Interval: Determines how often the communication endpoint gathers syslog data from the Malwarebytes server, in minutes.

    If the endpoint is unable to contact Malwarebytes, it buffers data from the previous 24 hours. Data older than 24 hours isn't sent.

  4. Click Save.

  5. Go to Endpoints.
  6. Click on your virtual machine.

In the Agent Information section you see the SIEM version number. This confirms the SIEM plugin is active on the endpoint.

The endpoint now sends data to your log collector. It should appear in the Sophos Data Lake after validation.

Change syslog settings

If you need to change your log collector, do as follows:

  1. Go to Settings > Syslog Logging.
  2. Click Remove to demote your virtual machine.
  3. Click Add to promote a new virtual machine. See the steps in the Configuration section.

You can temporarily demote a communication endpoint using the On/Off toggle. Temporarily demoting a communication endpoint can be useful when troubleshooting your syslog settings.