Minerva Labs

Minerva Labs is a cyber security company that offers a unique low-footprint endpoint prevention platform.

Integration with LogicHub

Connecting with Minerva Labs

To connect to Minerva Labs, the following details are required:

  • Label: Connection name.
  • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
  • Base URL: Base URL used to connect to Minerva Labs.
  • Username: Username used to connect to Minerva Labs.
  • Password: Password used to connect to Minerva Labs.

Actions with Minerva Labs

Get Events

Retrieves the list of events according to the search query.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Jinja Template Query (Optional): Jinja-templated search query. Example: {{column1}} {{column2}}.
  • Start Time (Optional): Enter the value for start time in yyyy-mm-dd format (Default is Batch start time). Example: 2020-12-01.
  • End Time (Optional): Enter the value for end time in yyyy-mm-dd format (Default is Batch end time). Example: 2020-12-02.
  • Max Results (Optional): The maximum number of results to return per call (Default is 100000).

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of events.
{
  "additionalAction": null,
  "additionalInformation": "",
  "affectedItems": null,
  "application": "wmiadap.exe",
  "archived": false,
  "armorVersion": "3.4.5.5801",
  "certificateInfo": "N/A",
  "certificateOriginalFileName": "",
  "certificateProductName": "",
  "description": "Process WMIADAP.exe queried an Endpoint Security Bypass Technique artifact",
  "endpoint": "gdvf87-05.dsa.mot-mobility.com",
  "error": null,
  "eventTypeSpecificInformation": {
    "loadedModules": "****.EXE, ***.dll, ***.DLL"
  },
  "fileHash": "db844f69381751g8dbtb8c8a0c3b5d4e1c59491a203191ef283563c539a887",
  "firstReceivedTime": "2020-11-30T11:49:30.8197291",
  "fullAdditionalInformation": "{\r\n\n  \"loadedModules\": \"**.EXE, **.dll\"\r\n\n}",
  "fwLink": null,
  "generationTime": "2020-11-30T08:49:29.53",
  "groupName": "Default Group",
  "has_error": false,
  "id": "8839eccf-a881-4q93-9ae3-ad505d56a121",
  "isCertificateValid": true,
  "isFlagged": false,
  "localIp": "192.168.15.131",
  "md5": "0a3efbad56h5971ed36287d8e8829f55",
  "mitreTechniques": [],
  "new": true,
  "note": "",
  "parentProcessFullPath": "C:\\Windows\\System32\\***.exe",
  "processCommandLine": "**.exe /F /T",
  "processId": 14768,
  "processName": "\\\\?\\C:\\Windows\\System32\\**\\***.exe",
  "receivedIp": "200.158.46.62",
  "repeatsCounter": 1,
  "ruleCategory": "Endpoint Security Bypass Technique",
  "ruleName": "RES-1997_1_3",
  "serverReceivedTime": "2020-11-30T11:49:30.8197291",
  "severity": null,
  "simulated": false,
  "source": null,
  "threatId": null,
  "threatStatus": null,
  "type": "EvasionTechnique",
  "userName": "[email protected] nt"
}

Get Single Event by ID

Retrieves a single event by ID.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Event ID: Column name from the parent table to lookup value for event ID.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Event details.
{
  "firstSeenOnline": null,
  "operatingSystem": null,
  "agentType": null,
  "processHierarchy": [
    {
      "processId": 3408,
      "processName": "C:\\Program Files (x86)\\LANDesk\\Shared Files\\residentAgent.exe",
      "processHash": "892f32a4f6d4e2c69cd0d7f393b1989784df5db1e641716d21b9d343f47b14efc5da6",
      "processCommandLine": "",
      "startTime": "2020-12-02T14:27:36.654Z",
      "username": "***@NT AUTHORITY"
    },
    {
      "processId": 14392,
      "processName": "C:\\Program Files (x86)\\LANDesk\\LDClient\\SDCLIENT.EXE",
      "processHash": "1dd171687a9cdfa9db8557170ac30fed6eb17707e744380bda20e464c667cf96",
      "processCommandLine": "",
      "startTime": "2020-12-04T00:59:46.755Z",
      "username": ""
    },
    {
      "processId": 1005667,
      "processName": "C:\\Program Files (x86)\\LANDesk\\LDClient\\**.exe",
      "processHash": "ffdeb16bebfa5ab5f8ba30d5e34281a6330a4e968d7efb5b8c637b58017217bb",
      "processCommandLine": "\"C:\\Program Files (x86)\\LANDesk\\LDClient\\sdistps1.exe\"",
      "startTime": "2020-12-04T10:18:13.706",
      "username": "***@NT AUTHORITY"
    }
  ],
  "id": "62c79697-011f-4d69-ac0b-e6ca1bbf3046",
  "description": "Process sdistps1.exe queried an Abusing Windows tools artifact",
  "new": true,
  "type": "MaliciousProcessRelationship",
  "endpoint": "TIMHAHN-0.lenovo.com",
  "processName": "C:\\Program Files (x86)\\LANDesk\\LDClient\\sdistps1.exe",
  "fileHash": "ffdeb16bebfa5ab5f8ba30hj4d9d5e34281a6330a4e968d7efb5b8c637b58017217bb",
  "md5": "bdb3dab1a768c5b40214bc47bb65f102",
  "generationTime": "2020-12-04T10:18:13.706",
  "serverReceivedTime": "2020-12-04T16:18:15.3837948",
  "userName": "****@NT AUTHORITY",
  "simulated": true,
  "ruleName": "RES-1981_07_1086_0",
  "armorVersion": "3.6.1.6153",
  "archived": false,
  "ruleCategory": "Abusing Windows tools",
  "parentProcessFullPath": "C:\\Program Files (x86)\\LANDesk\\LDClient\\SDCLIENT.EXE",
  "processId": 10056,
  "receivedIp": "144.***.**(.1",
  "localIp": "10.0.2.15",
  "additionalInformation": "",
  "processCommandLine": "\"C:\\Program Files (x86)\\LANDesk\\LDClient\\sdistps1.exe\"",
  "certificateInfo": "O=\"LANDESK SOFTWARE, INC.\", L=SOUTH AS, S=UTAH, C=US",
  "isCertificateValid": true,
  "certificateProductName": "",
  "certificateOriginalFileName": "",
  "eventTypeSpecificInformation": {
    "blockedCommandLine": "powershell -NonInteractive -EncodedCommand PAAjAAoAQwByAGUAYQB0AGUAIABmAHUAytbABsACAAZABpAHIAZQBjAHQAbwByAHkAIABwAGEAdABo\r\nAAoAIwA+AAoACgBOAGUAdwAtAEkAdABlAG0AIAAtAEkAdABlAG0AVAB5AHAAZQAgAEQAaQByAGUA\r\nYwB0AG8AcgB5ACAALQBQAGEAdABoACAAIgBjADoAXABwAHIAbwBnAHIAYQBtACAAZgBpAGwAZQBz\r\nAFwAbABvAGMAawBzAGMAcgBlAGUAbgBcACIAIAAtGAGkA\r\nbABlAHMAIAAoAHgAOAA2ACkAXABMAEEATgBEAGUAcwgyBrAFwATABEAEMAbABpAGUAbgB0AC8AcwBk\r\nAG0AYwBhAGMAaABlAC8AYQBwAHAALwBEAEMARwBMAG8AYwBrAFMAYwByAGUAZQBuAC8AQwBoAGEA\r\nbgBnAGUATABvAGMAawBTAGMAcgBlAGUAbgAuAGUAeABlACIAIAAKAAoAaQBmACAAKAAkAD8AIAAt\r\nAG4AZQAgACQAdAByAHUAZQApAAoAewAKACAAIAAgACAAZQB4AGkAdAAgADEACgB9AAoADQAKADsA\r\nIABlAHgAaQB0ACAAJABMAEEAUwBUAEUAWABJAFQAQwBPAEQARQA="
  },
  "repeatsCounter": 6,
  "firstReceivedTime": "2020-12-04T01:00:13.5505131",
  "groupName": "sssss-Sepcial",
  "fullAdditionalInformation": "{\r\n\n  \"blockedCommandLine\": \"powershell -NonInteractive -EncodedCommand PAAjAAoAQwByAGUAYQB0AGUAIABmAHUAbABsACAAZABpAHIAZQBjAHQAbwByAHkAIABwAGEAdABo\\r\\nAAoAIwA+AAoACgBOAGUAdwAtAEkAdABlAG0AIAAtAEkAdABlAG0AVAB5AHAAZQAgAEQAaQByAGUA\\r\\nYwB0AG8AcgB5ACAALQBQAGEAdABoACAAIgBjADoAXABwAHIAbwBnAHIAYQBtACAAZgBpAGwAZQBz\\r\\nAFwAbABvAGMAawBzAGMAcgBlAGUAbgBcACIAIAAtAEYAbwByAGMAZQAKAAoAaQBmACAAKAAkAD8A\\r\\nIAAtAG4AZQAgACQAdAByAHUAZQApAAoAewAKACAAIAFMAYwByAGUAZQBuAC8AQwBoAGEA\\r\\nbgBnAGUATABvAGMAawBTAGMAcgBlAGUAbgAuAGUAeABlACIAIAAKAAoAaQBmACAAKAAkAD8AIAAt\\r\\nAG4AZQAgACQAdAByAHUAZQApAAoAewAKACAAIAAgACAAZQB4AGkAdAAgADEACgB9AAoADQAKADsA\\r\\nIABlAHgAaQB0ACAAJABMAEEAUwBUAEUAWABJAFQAQwBPAEQARQA=\"\r\n\n}",
  "source": null,
  "threatId": null,
  "threatStatus": null,
  "affectedItems": null,
  "severity": null,
  "fwLink": null,
  "additionalAction": null,
  "mitreTechniques": [
    {
      "Name": "ATT&CK",
      "Url": "https://attack.mitre.org/",
      "Categories": [
        {
          "Name": "Execution",
          "Url": "https://attack.mitre.org/tactics/TA0002/",
          "Techniques": [
            {
              "Name": "PowerShell",
              "Url": "https://attack.mitre.org/techniques/T1086"
            }
          ]
        }
      ]
    }
  ],
  "application": "sdistps1.exe",
  "note": "",
  "isFlagged": false,
  "error": null,
  "has_error": false
}
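A triage helper for the output schema of both actions above (Get Events and Get Single Event by ID), added here as an example; it is not code from LogicHub or Minerva Labs. It assumes the action output is the documented has_error/error/result object, that the single-event action returns one event object in result, and that blockedCommandLine holds a PowerShell -EncodedCommand argument (base64 of UTF-16LE); the sample data is constructed.

```python
import base64
import json
import re

SAMPLE_OUTPUT = json.dumps({  # constructed sample in the documented shape, not real Minerva data
    "has_error": False, "error": None,
    "result": [
        {"id": "evt-1", "endpoint": "host-a.example", "simulated": False,
         "type": "EvasionTechnique", "mitreTechniques": [],
         "eventTypeSpecificInformation": {"loadedModules": "a.dll"}},
        {"id": "evt-2", "endpoint": "host-b.example", "simulated": True,
         "type": "MaliciousProcessRelationship",
         "mitreTechniques": [{"Name": "ATT&CK", "Categories": [{"Name": "Execution", "Techniques": [
             {"Name": "PowerShell", "Url": "https://attack.mitre.org/techniques/T1086"}]}]}],
         "eventTypeSpecificInformation": {"blockedCommandLine": "powershell -NonInteractive -EncodedCommand "
             + base64.b64encode("Write-Host hi".encode("utf-16le")).decode()}},
    ],
})

def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE); None if absent or malformed."""
    m = re.search(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)", cmdline or "", re.IGNORECASE)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (AttributeError, ValueError, UnicodeDecodeError):  # no match, bad base64, or bad UTF-16
        return None

def technique_ids(event):
    """Flatten the nested mitreTechniques structure into ATT&CK IDs taken from the technique URLs."""
    return [tech["Url"].rstrip("/").rsplit("/", 1)[-1]
            for framework in event.get("mitreTechniques") or []
            for category in framework.get("Categories") or []
            for tech in category.get("Techniques") or []]

def triage(action_output, include_simulated=False):
    """Turn action output into flat rows; fail loudly on has_error, drop simulated events by default."""
    data = json.loads(action_output)
    if data.get("has_error"):
        raise RuntimeError(f"Minerva action failed: {data.get('error')}")
    events = data.get("result") or []
    if isinstance(events, dict):  # assumption: Get Single Event by ID returns one object, not a list
        events = [events]
    rows = []
    for ev in events:
        if ev.get("simulated") and not include_simulated:
            continue
        extra = ev.get("eventTypeSpecificInformation") or {}
        rows.append({"id": ev.get("id"), "endpoint": ev.get("endpoint"), "type": ev.get("type"),
                     "techniques": technique_ids(ev),
                     "decoded_command": decode_encoded_command(extra.get("blockedCommandLine"))})
    return rows
```

Within a LogicHub playbook the action's output column can be passed straight to triage(); the decoded command and technique IDs are then available for filtering and alerting.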
