Minerva Labs
Version: 2.0.0
Minerva Labs is a cyber security company that offers a unique low-footprint endpoint prevention platform.
Connect Minerva Labs with LogicHub
- Navigate to Automations > Integrations.
- Search for Minerva Labs.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select this option to verify the connecting server's SSL certificate (Default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- Base URL: Base URL used to connect to Minerva Labs.
- Username: Username used to connect to Minerva Labs.
- Password: Password used to connect to Minerva Labs.
- After you've entered all the details, click Connect.
Actions for Minerva Labs
Get Events
Retrieves the list of events according to the search query.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated search query. Example: {{column1}} {{column2}}. | Required |
Start Time | Enter the value for start time in yyyy-mm-dd format (Default is Batch start time). Example: 2020-12-01. | Optional |
End Time | Enter the value for end time in yyyy-mm-dd format (Default is Batch end time). Example: 2020-12-02. | Optional |
Max Results | The maximum number of results to return per call (Default is 100000). | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of events.
{
"additionalAction": null,
"additionalInformation": "",
"affectedItems": null,
"application": "wmiadap.exe",
"archived": false,
"armorVersion": "3.4.5.5801",
"certificateInfo": "N/A",
"certificateOriginalFileName": "",
"certificateProductName": "",
"description": "Process WMIADAP.exe queried an Endpoint Security Bypass Technique artifact",
"endpoint": "gdvf87-05.dsa.mot-mobility.com",
"error": null,
"eventTypeSpecificInformation": {
"loadedModules": "****.EXE, ***.dll, ***.DLL"
},
"fileHash": "db844f69381751g8dbtb8c8a0c3b5d4e1c59491a203191ef283563c539a887",
"firstReceivedTime": "2020-11-30T11:49:30.8197291",
"fullAdditionalInformation": "{\r\n\n \"loadedModules\": \"**.EXE, **.dll\"\r\n\n}",
"fwLink": null,
"generationTime": "2020-11-30T08:49:29.53",
"groupName": "Default Group",
"has_error": false,
"id": "8839eccf-a881-4q93-9ae3-ad505d56a121",
"isCertificateValid": true,
"isFlagged": false,
"localIp": "192.168.15.131",
"md5": "0a3efbad56h5971ed36287d8e8829f55",
"mitreTechniques": [],
"new": true,
"note": "",
"parentProcessFullPath": "C:\\Windows\\System32\\***.exe",
"processCommandLine": "**.exe /F /T",
"processId": 14768,
"processName": "\\\\?\\C:\\Windows\\System32\\**\\***.exe",
"receivedIp": "200.158.46.62",
"repeatsCounter": 1,
"ruleCategory": "Endpoint Security Bypass Technique",
"ruleName": "RES-1997_1_3",
"serverReceivedTime": "2020-11-30T11:49:30.8197291",
"severity": null,
"simulated": false,
"source": null,
"threatId": null,
"threatStatus": null,
"type": "EvasionTechnique",
"userName": "aaaa@aaaa nt"
}
Get Single Event by ID
Retrieves a single event by ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Event ID | Column name from the parent table whose value is looked up as the event ID. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Event details.
{
"firstSeenOnline": null,
"operatingSystem": null,
"agentType": null,
"processHierarchy": [
{
"processId": 3408,
"processName": "C:\\Program Files (x86)\\LANDesk\\Shared Files\\residentAgent.exe",
"processHash": "892f32a4f6d4e2c69cd0d7f393b1989784df5db1e641716d21b9d343f47b14efc5da6",
"processCommandLine": "",
"startTime": "2020-12-02T14:27:36.654Z",
"username": "***@NT AUTHORITY"
},
{
"processId": 14392,
"processName": "C:\\Program Files (x86)\\LANDesk\\LDClient\\SDCLIENT.EXE",
"processHash": "1dd171687a9cdfa9db8557170ac30fed6eb17707e744380bda20e464c667cf96",
"processCommandLine": "",
"startTime": "2020-12-04T00:59:46.755Z",
"username": ""
},
{
"processId": 1005667,
"processName": "C:\\Program Files (x86)\\LANDesk\\LDClient\\**.exe",
"processHash": "ffdeb16bebfa5ab5f8ba30d5e34281a6330a4e968d7efb5b8c637b58017217bb",
"processCommandLine": "\"C:\\Program Files (x86)\\LANDesk\\LDClient\\sdistps1.exe\"",
"startTime": "2020-12-04T10:18:13.706",
"username": "***@NT AUTHORITY"
}
],
"id": "62c79697-011f-4d69-ac0b-e6ca1bbf3046",
"description": "Process sdistps1.exe queried an Abusing Windows tools artifact",
"new": true,
"type": "MaliciousProcessRelationship",
"endpoint": "TIMHAHN-0.lenovo.com",
"processName": "C:\\Program Files (x86)\\LANDesk\\LDClient\\sdistps1.exe",
"fileHash": "ffdeb16bebfa5ab5f8ba30hj4d9d5e34281a6330a4e968d7efb5b8c637b58017217bb",
"md5": "bdb3dab1a768c5b40214bc47bb65f102",
"generationTime": "2020-12-04T10:18:13.706",
"serverReceivedTime": "2020-12-04T16:18:15.3837948",
"userName": "****@NT AUTHORITY",
"simulated": true,
"ruleName": "RES-1981_07_1086_0",
"armorVersion": "3.6.1.6153",
"archived": false,
"ruleCategory": "Abusing Windows tools",
"parentProcessFullPath": "C:\\Program Files (x86)\\LANDesk\\LDClient\\SDCLIENT.EXE",
"processId": 10056,
"receivedIp": "144.***.**(.1",
"localIp": "10.0.2.15",
"additionalInformation": "",
"processCommandLine": "\"C:\\Program Files (x86)\\LANDesk\\LDClient\\sdistps1.exe\"",
"certificateInfo": "O=\"LANDESK SOFTWARE, INC.\", L=SOUTH AS, S=UTAH, C=US",
"isCertificateValid": true,
"certificateProductName": "",
"certificateOriginalFileName": "",
"eventTypeSpecificInformation": {
"blockedCommandLine": "powershell -NonInteractive -EncodedCommand PAAjAAoAQwByAGUAYQB0AGUAIABmAHUAytbABsACAAZABpAHIAZQBjAHQAbwByAHkAIABwAGEAdABo\r\nAAoAIwA+AAoACgBOAGUAdwAtAEkAdABlAG0AIAAtAEkAdABlAG0AVAB5AHAAZQAgAEQAaQByAGUA\r\nYwB0AG8AcgB5ACAALQBQAGEAdABoACAAIgBjADoAXABwAHIAbwBnAHIAYQBtACAAZgBpAGwAZQBz\r\nAFwAbABvAGMAawBzAGMAcgBlAGUAbgBcACIAIAAtGAGkA\r\nbABlAHMAIAAoAHgAOAA2ACkAXABMAEEATgBEAGUAcwgyBrAFwATABEAEMAbABpAGUAbgB0AC8AcwBk\r\nAG0AYwBhAGMAaABlAC8AYQBwAHAALwBEAEMARwBMAG8AYwBrAFMAYwByAGUAZQBuAC8AQwBoAGEA\r\nbgBnAGUATABvAGMAawBTAGMAcgBlAGUAbgAuAGUAeABlACIAIAAKAAoAaQBmACAAKAAkAD8AIAAt\r\nAG4AZQAgACQAdAByAHUAZQApAAoAewAKACAAIAAgACAAZQB4AGkAdAAgADEACgB9AAoADQAKADsA\r\nIABlAHgAaQB0ACAAJABMAEEAUwBUAEUAWABJAFQAQwBPAEQARQA="
},
"repeatsCounter": 6,
"firstReceivedTime": "2020-12-04T01:00:13.5505131",
"groupName": "sssss-Sepcial",
"fullAdditionalInformation": "{\r\n\n \"blockedCommandLine\": \"powershell -NonInteractive -EncodedCommand PAAjAAoAQwByAGUAYQB0AGUAIABmAHUAbABsACAAZABpAHIAZQBjAHQAbwByAHkAIABwAGEAdABo\\r\\nAAoAIwA+AAoACgBOAGUAdwAtAEkAdABlAG0AIAAtAEkAdABlAG0AVAB5AHAAZQAgAEQAaQByAGUA\\r\\nYwB0AG8AcgB5ACAALQBQAGEAdABoACAAIgBjADoAXABwAHIAbwBnAHIAYQBtACAAZgBpAGwAZQBz\\r\\nAFwAbABvAGMAawBzAGMAcgBlAGUAbgBcACIAIAAtAEYAbwByAGMAZQAKAAoAaQBmACAAKAAkAD8A\\r\\nIAAtAG4AZQAgACQAdAByAHUAZQApAAoAewAKACAAIAFMAYwByAGUAZQBuAC8AQwBoAGEA\\r\\nbgBnAGUATABvAGMAawBTAGMAcgBlAGUAbgAuAGUAeABlACIAIAAKAAoAaQBmACAAKAAkAD8AIAAt\\r\\nAG4AZQAgACQAdAByAHUAZQApAAoAewAKACAAIAAgACAAZQB4AGkAdAAgADEACgB9AAoADQAKADsA\\r\\nIABlAHgAaQB0ACAAJABMAEEAUwBUAEUAWABJAFQAQwBPAEQARQA=\"\r\n\n}",
"source": null,
"threatId": null,
"threatStatus": null,
"affectedItems": null,
"severity": null,
"fwLink": null,
"additionalAction": null,
"mitreTechniques": [
{
"Name": "ATT&CK",
"Url": "https://attack.mitre.org/",
"Categories": [
{
"Name": "Execution",
"Url": "https://attack.mitre.org/tactics/TA0002/",
"Techniques": [
{
"Name": "PowerShell",
"Url": "https://attack.mitre.org/techniques/T1086"
}
]
}
]
}
],
"application": "sdistps1.exe",
"note": "",
"isFlagged": false,
"error": null,
"has_error": false
}
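An added example, not part of the LogicHub or Minerva Labs documentation, that consumes the output documented for both actions: it checks the has_error/error envelope, accepts either the wrapper form (has_error, error, result) or the flattened row form shown in the samples, and reduces an event to a triage summary (ATT&CK technique IDs from mitreTechniques and the processHierarchy chain). The sample row is constructed with placeholder values; only the field names follow the output samples above.

```python
import json

# Constructed sample in the shape of the "Get Single Event by ID" output above
# (redacted values replaced with placeholders); not a live Minerva Labs response.
SAMPLE_ROW = {
    "has_error": False, "error": None,
    "id": "EVENT-ID-PLACEHOLDER", "endpoint": "host.example.invalid",
    "type": "MaliciousProcessRelationship", "ruleCategory": "Abusing Windows tools",
    "simulated": True,
    "processHierarchy": [
        {"processId": 3408, "processName": "C:\\Vendor\\agent.exe"},
        {"processId": 14392, "processName": "C:\\Vendor\\svc.exe"},
        {"processId": 1005667, "processName": "C:\\Vendor\\child.exe"},
    ],
    "mitreTechniques": [{"Name": "ATT&CK", "Categories": [
        {"Name": "Execution", "Techniques": [
            {"Name": "PowerShell", "Url": "https://attack.mitre.org/techniques/T1086"}]}]}],
}

def unwrap(output):
    """Return event dicts from an action output: the documented envelope
    ({has_error, error, result}) or a flattened row carrying has_error/error
    next to the event fields (as in the samples). Fails loudly on has_error."""
    if isinstance(output, str):
        output = json.loads(output)
    if output.get("has_error"):
        raise RuntimeError(f"Minerva Labs action failed: {output.get('error')}")
    result = output.get("result", output)
    return result if isinstance(result, list) else [result]

def technique_ids(event):
    """Collect ATT&CK technique IDs (e.g. T1086) from the nested mitreTechniques tree."""
    ids = []
    for framework in event.get("mitreTechniques") or []:
        for category in framework.get("Categories") or []:
            for tech in category.get("Techniques") or []:
                ids.append(tech["Url"].rstrip("/").rsplit("/", 1)[-1])
    return ids

def process_chain(event):
    """Render processHierarchy as 'parent > child' basenames for a triage summary."""
    names = [p["processName"].replace("\\", "/").rsplit("/", 1)[-1]
             for p in event.get("processHierarchy") or []]
    return " > ".join(names)

def summarize(event):
    """One triage row per event; 'simulated' events are not real blocks."""
    return {"id": event["id"], "endpoint": event["endpoint"],
            "category": event.get("ruleCategory"), "simulated": bool(event.get("simulated")),
            "techniques": technique_ids(event), "chain": process_chain(event)}
```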
Release Notes
v2.0.0
- Updated architecture to support IO via filesystem