Minerva Labs Anti-Evasion Platform
This integration is part of the Minerva Labs Anti-Evasion Platform Pack.
Minerva's Threat Prevention Platform is an agent-based solution that protects servers and workstations from real-world threats that evade existing security controls, covering both modern operating systems and embedded, low-resource operating systems.
Minerva's modular design enables customers and partners to use Minerva-provided solutions or to customize their Minerva deployment to fit their existing defense architecture.
Using the Cortex XSOAR platform, enterprises and service providers can now have automated visibility into prevented anomalies across endpoints and servers in the network, while processing them using built-in playbooks.
Minerva Labs' Endpoint Malware Vaccination enables incident response teams to immunize endpoints in seconds and neutralize attacks by simulating infection markers rather than creating them, which lets Minerva contain outbreaks without impacting performance. Combining Cortex XSOAR with Minerva allows orchestrated, instant deployment of malware vaccinations, preventing outbreaks of known network worms by simulating their infection markers so that the malicious code does not install.
This integration was integrated and tested with version 3.0 of Minerva Labs Anti-Evasion Platform.
Use Cases
- Fetch events from the Minerva platform into Cortex XSOAR as incidents
- List, add and delete vaccination artifacts in the Minerva platform
- List, add and delete exclusions to handle false positives
- Search for events according to criteria
- Search for endpoints according to criteria
Configure Minerva Labs Anti-Evasion Platform on Cortex XSOAR
1. Navigate to Settings > Integrations > Servers & Services.
2. Search for Minerva Labs Anti-Evasion Platform.
3. Click Add instance to create and configure a new integration instance.
   - Name: a textual name for the integration instance.
   - Minerva Management Console URL, for example: https://SERVER/OWL
   - Username
   - Trust any certificate (not secure): disables TLS certificate validation for the console connection. Leave it unselected unless the console presents a certificate the Cortex XSOAR server cannot validate, and prefer having the server trust the console's CA certificate instead.
   - Fetch incidents
4. Click Test to validate the URL, credentials, and connection.
Fetched Incidents Data
The integration imports events from the Minerva Management Console as incidents in Cortex XSOAR.
Each incident represents malicious activity detected by Minerva and contains all the information Minerva gathered about it, for further analysis.
To use Fetch Incidents, configure a new instance and select the "Fetch incidents" option in the instance settings.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Add exclusions: minerva-add-exclusion
- Add a vaccination: minerva-add-vaccine
- Search for processes: minerva-search-process
- Search for an endpoint: minerva-search-endpoint
- Get all groups: minerva-get-groups
- Get mutex vaccines: minerva-get-vaccines
- Delete a vaccine: minerva-delete-vaccine
- Get all exclusions: minerva-get-exclusions
- Delete an exclusion: minerva-delete-exclusion
- Move all events from Archive to New event state: minerva-unarchive-events
1. Add exclusions
Adds exclusions to Minerva Console.
Base Command
minerva-add-exclusion
Input
Argument Name | Description | Required |
---|---|---|
data | Exclusion data. | Required |
type | The exclusion type. | Required |
appliedGroupsIds | A list of group IDs to which this exclusion applies. | Optional |
description | A description of the exclusion. | Required |
Context Output
Path | Type | Description |
---|---|---|
Minerva.Exclusion.Id | string | Exclusion ID. |
Minerva.Exclusion.Type | string | Exclusion type. |
Minerva.Exclusion.Data | string | Exclusion data. |
Minerva.Exclusion.Description | string | A description of the exclusion. |
Minerva.Exclusion.lastModifiedBy | string | The user that last modified this exclusion. |
Minerva.Exclusion.lastModifiedOn | date | The date this exclusion was last modified. |
Minerva.Exclusion.appliedGroupsIds | string | Group IDs to which this exclusion applies. |
Command Example
!minerva-add-exclusion type="hash" description="cmd.exe hash" data="d0ceb18272966ab62b8edff100e9b4a6a3cb5dc0f2a32b2b18721fea2d9c09a5" appliedGroupsIds="All Groups"
Human Readable Output
Last Modified On | Description | Type | Applied Groups Ids | Last Modified By | Data | Id |
---|---|---|---|---|---|---|
2019-04-04T08:43:51.9441116Z | cmd.exe hash | hash | All Groups | admin | d0ceb18272966ab62b8edff100e9b4a6a3cb5dc0f2a32b2b18721fea2d9c09a5 | 86238d3e-dc99-4f62-b580-92fc4deb0184 |
2. Add a vaccination
Adds a vaccination.
Base Command
minerva-add-vaccine
Input
Argument Name | Description | Required |
---|---|---|
name | Name of the mutex. | Required |
description | A description of the vaccination. | Optional |
isMonitorOnly | Whether the vaccine is monitor-only, i.e., the mutex is reported but not simulated. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Minerva.Vaccine.Name | string | Name of the mutex vaccination. |
Minerva.Vaccine.Description | string | A description of the mutex vaccination. |
Minerva.Vaccine.isMonitorOnly | boolean | Whether this mutex vaccination is monitor-only (reported but not simulated). |
Minerva.Vaccine.lastModifiedBy | string | The user that last modified this mutex vaccination. |
Minerva.Vaccine.lastModifiedOn | date | The date this mutex vaccination was last modified. |
Minerva.Vaccine.Id | string | Mutex vaccination ID. |
Minerva.Vaccine.Type | string | Vaccine type, for example: Mutex. |
Command Example
!minerva-add-vaccine name="Local\SomeMaliciousMutex" description="Made up mutex name" isMonitorOnly=True
Human Readable Output
Last Modified On | Is Monitor Only | Name | Last Modified By | Type | Id | Description |
---|---|---|---|---|---|---|
2019-05-13T09:48:51.6194895Z | true | Local\SomeMaliciousMutex | admin | Mutex | 711db7ed-d4c9-459b-a4bd-e23c077d4acc | Made up mutex name |
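The two add commands above take raw strings, and a malformed hash or mutex name is only discovered once the exclusion or vaccine silently fails to match anything. The following helper, an added example that is not part of the Minerva integration or of Cortex XSOAR, validates the arguments for `minerva-add-exclusion` (type `hash`) and `minerva-add-vaccine` before they are sent, and renders the same CLI lines shown in the Command Example sections. It assumes that a `hash` exclusion carries a SHA-256 hex digest (the examples on this page are 64 hex characters) and applies the Windows rule that a backslash in a mutex name is only valid as part of the `Local\` or `Global\` namespace prefix; the function names are the example's own.

```python
"""Argument validation for minerva-add-exclusion and minerva-add-vaccine.

Added example; not part of the Minerva integration or of XSOAR. Assumptions:
a type="hash" exclusion is a SHA-256 hex digest, and mutex names follow the
Windows rule that a backslash only appears in the Local\\ or Global\\ prefix.
"""
import hashlib
import re

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")
MUTEX_NAMESPACES = ("Local\\", "Global\\")
MAX_MUTEX_NAME = 260  # Windows kernel object names are limited to MAX_PATH characters


def sha256_of_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_exclusion_args(data, description, exclusion_type="hash", applied_groups_ids=None):
    """Return the argument dict for minerva-add-exclusion, or raise ValueError.

    Only the "hash" type appears on this page, so only that type is validated;
    other types are passed through untouched.
    """
    if not description or not description.strip():
        raise ValueError("description is required")
    data = data.strip()
    if exclusion_type == "hash":
        data = data.lower()  # the page's examples use lowercase hex
        if not SHA256_HEX.match(data):
            raise ValueError("hash exclusions must be a 64-character SHA-256 hex digest")
    args = {"type": exclusion_type, "description": description, "data": data}
    if applied_groups_ids is not None:
        args["appliedGroupsIds"] = applied_groups_ids
    return args


def build_vaccine_args(name, description=None, is_monitor_only=True):
    """Return the argument dict for minerva-add-vaccine, or raise ValueError.

    Defaults to monitor-only so a new vaccine reports hits before it is allowed
    to simulate the mutex on every endpoint.
    """
    if not name or "\0" in name or len(name) > MAX_MUTEX_NAME:
        raise ValueError("mutex name must be 1-260 characters without NUL")
    if "\\" in name:
        prefix, _, rest = name.partition("\\")
        if prefix + "\\" not in MUTEX_NAMESPACES or not rest or "\\" in rest:
            raise ValueError("backslash is only allowed in a Local\\ or Global\\ prefix")
    args = {"name": name}
    if description:
        args["description"] = description
    args["isMonitorOnly"] = bool(is_monitor_only)
    return args


def to_cli(command, args):
    """Render an XSOAR CLI line in the style of the examples on this page."""
    parts = ["!" + command]
    for key, value in args.items():
        if isinstance(value, bool):
            parts.append(f"{key}={value}")  # page style: isMonitorOnly=True
        else:
            escaped = str(value).replace('"', '\\"')
            parts.append(f'{key}="{escaped}"')
    return " ".join(parts)


if __name__ == "__main__":
    print(to_cli("minerva-add-exclusion", build_exclusion_args(
        "D0CEB18272966AB62B8EDFF100E9B4A6A3CB5DC0F2A32B2B18721FEA2D9C09A5",
        "cmd.exe hash", applied_groups_ids="All Groups")))
    print(to_cli("minerva-add-vaccine", build_vaccine_args(
        "Local\\SomeMaliciousMutex", "Made up mutex name")))
```

Feed `sha256_of_file` the binary you want to exclude rather than copying a hash from a report, and keep `is_monitor_only=True` for a new vaccine until the monitor-only hits confirm the mutex name does not collide with legitimate software.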
3. Search for processes
Search processes with Minerva.
Base Command
minerva-search-process
Input
Argument Name | Description | Required |
---|---|---|
param | The process attribute to search on, for example processName. | Required |
condition | The condition to apply to the search: equalTo, notEqualTo, contain, notContain, startWith, endWith. | Required |
value | The value to compare the attribute against. | Required |
Context Output
Path | Type | Description |
---|---|---|
Minerva.Process.Endpoint | string | The name of the endpoint on which the process was run. |
Minerva.Process.SHA256 | string | The SHA256 hash of the process. |
Minerva.Process.CommandLine | string | The process command line. |
Minerva.Process.Username | string | The user name with which the process was executed. |
Minerva.Process.Createtime | date | The time the process was created. |
Minerva.Process.Pid | number | The process ID. |
Minerva.Process.Name | string | The process name. |
Command Example
!minerva-search-process param="processName" condition="endWith" value="explorer.exe"
Human Readable Output
Username | Process Id | Endpoint | File Hash | Process Command Line | Process Name | Depth | Start Time | Id |
---|---|---|---|---|---|---|---|---|
DaniK@MVDEV | 21736 | danik.MVDev.local | cef64201a97e08834f5c8952907a1719531a7d99b53309cb2e2956f40cff3486 | C:\WINDOWS\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding | C:\Windows\explorer.exe | 0 | 2019-05-08T07:28:29.009 | f502aede-f4f6-4397-a760-0e08248506dc |
4. Search for an endpoint
Search Minerva for an endpoint.
Base Command
minerva-search-endpoint
Input
Argument Name | Description | Required |
---|---|---|
param | The endpoint attribute to search on, for example operatingSystem. | Required |
condition | The condition to apply to the search: equalTo, notEqualTo, contain, notContain, startWith, endWith. | Required |
value | The value to compare the attribute against. | Required |
Context Output
Path | Type | Description |
---|---|---|
Minerva.Endpoint.Group | string | The group to which the endpoint belongs. |
Minerva.Endpoint.Name | string | The endpoint name. |
Minerva.Endpoint.Users | string | The list of logged-on users. |
Minerva.Endpoint.IP | string | The reported IP address. |
Minerva.Endpoint.OS | string | The endpoint operating system. |
Command Example
!minerva-search-endpoint param="operatingSystem" condition="equalTo" value="Windows"
Human Readable Output
Is Armor Version Supported | First Seen Online | Updated | Endpoint | Group | Operating System | Reported Ip Address | Anti Virus Signature Age | Logged On Users | Last Seen Online | Armor Version | Anti Virus Status | Agent Status | Days Registered | Id | Received Ip Address |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
true | 2019-05-07T11:18:38.2782338 | false | WIN2k16-ELIR-OWL | Default Group | Windows | 172.16.0.182 | | Administrator | 2019-05-13T09:48:48.6032188 | 2.8.0.5173 | N/A | Online | 5 | {6368a324-139b-4765-98f5-5f8417fb296c} | 172.16.0.182 |
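Both search commands (minerva-search-process in section 3 and minerva-search-endpoint in section 4) accept the same six conditions, and choosing the wrong one is easy to miss: `equalTo` with `Windows` will not return an endpoint whose OS string is `Windows 10`, while `endWith explorer.exe` returns every binary with that file name, wherever it lives. The following dry-run model is an added example and not the integration's code; it reimplements the conditions as plain string tests over constructed records so a query can be sanity-checked locally before it is run against the console. It assumes comparisons are exact and case-sensitive and that a record lacking the requested parameter never matches; the sample records are made up, and only `processName` and `operatingSystem` are parameter names taken from this page.

```python
"""Dry-run model of the six search conditions used by minerva-search-process
and minerva-search-endpoint.

Added example; not the integration's code. Assumptions: comparisons are exact
and case-sensitive, and a record without the requested parameter never
matches. The records below are constructed; only processName and
operatingSystem are parameter names shown on the page.
"""

CONDITIONS = {
    "equalTo": lambda actual, value: actual == value,
    "notEqualTo": lambda actual, value: actual != value,
    "contain": lambda actual, value: value in actual,
    "notContain": lambda actual, value: value not in actual,
    "startWith": lambda actual, value: actual.startswith(value),
    "endWith": lambda actual, value: actual.endswith(value),
}

# Constructed records shaped like the human-readable output of the two commands.
PROCESSES = [
    {"endpoint": "danik.MVDev.local", "pid": 21736,
     "processName": "C:\\Windows\\explorer.exe",
     "commandLine": "C:\\WINDOWS\\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding"},
    # Constructed: same file name as the real shell but in a user-writable directory.
    {"endpoint": "WIN2k16-ELIR-OWL", "pid": 4120,
     "processName": "C:\\Users\\Public\\explorer.exe",
     "commandLine": "C:\\Users\\Public\\explorer.exe"},
    {"endpoint": "WIN2k16-ELIR-OWL", "pid": 988,
     "processName": "C:\\Windows\\System32\\cmd.exe",
     "commandLine": "cmd.exe /c whoami"},
]
ENDPOINTS = [
    {"endpoint": "WIN2k16-ELIR-OWL", "operatingSystem": "Windows", "group": "Default Group"},
    {"endpoint": "danik.MVDev.local", "operatingSystem": "Windows 10", "group": "Default Group"},
    {"endpoint": "build-01", "operatingSystem": "Linux", "group": "Servers"},
]


def matches(record, param, condition, value):
    """Apply one condition to one record; unknown conditions are rejected up front."""
    try:
        test = CONDITIONS[condition]
    except KeyError:
        allowed = ", ".join(CONDITIONS)
        raise ValueError(f"unknown condition {condition!r}; expected one of {allowed}") from None
    actual = record.get(param)
    if actual is None:
        return False
    return test(str(actual), str(value))


def search(records, param, condition, value):
    """Return the records the console query would be expected to return."""
    return [r for r in records if matches(r, param, condition, value)]


def names(records, key="processName"):
    """Project a result list onto one field, for compact comparison."""
    return [r[key] for r in records]


if __name__ == "__main__":
    # The two queries from this page's examples, run against the sample data.
    print(names(search(PROCESSES, "processName", "endWith", "explorer.exe")))
    print(names(search(ENDPOINTS, "operatingSystem", "equalTo", "Windows"), "endpoint"))
    print(names(search(ENDPOINTS, "operatingSystem", "startWith", "Windows"), "endpoint"))
```

The `endWith explorer.exe` query matching the copy under `C:\Users\Public` is the useful side of a suffix match: it surfaces binaries masquerading as system processes, which an `equalTo` on the full path would miss.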
5. Get all groups
Fetches all the groups defined in Minerva Management Console.
Base Command
minerva-get-groups
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
Minerva.Group.Id | string | The ID of the group. |
Minerva.Group.Name | string | The name of the group. |
Minerva.Group.Policy | string | The policy applied to the group. |
Minerva.Group.PolicyVersion | string | The policy version applied to the group. |
Minerva.Group.EndpointSettings | string | The settings applied to the group. |
Minerva.Group.Endpoints | number | The number of endpoints in the group. |
Minerva.Group.Comment | string | The comment the group creator added. |
Minerva.Group.CreationTime | date | The time the group was created. |
Command Example
!minerva-get-groups
Human Readable Output
Name | Creation Time | Events | Endpoint Settings | Policy | Endpoints | Id | Policy Version |
---|---|---|---|---|---|---|---|
Default Group | 0001-01-01T00:00:00+00:00 | 0 | Fully Simulating | Main | 2 | DefaultAgentGroup | Version-946 |
6. Get mutex vaccines
Retrieves the mutex vaccines.
Base Command
minerva-get-vaccines
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
Minerva.Vaccine.Name | string | Mutex vaccination name. |
Minerva.Vaccine.Description | string | Mutex vaccination description. |
Minerva.Vaccine.isMonitorOnly | boolean | Whether this mutex vaccination is only monitored without simulation. |
Minerva.Vaccine.lastModifiedBy | string | The user that last modified this mutex vaccination. |
Minerva.Vaccine.lastModifiedOn | date | The date this mutex vaccination was last modified. |
Minerva.Vaccine.Id | string | Mutex vaccination ID. |
Command Example
!minerva-get-vaccines
Human Readable Output
Last Modified On | Is Monitor Only | Name | Last Modified By | Type | Id | Description |
---|---|---|---|---|---|---|
2019-05-14T07:36:21.6655031Z | true | Local\SomeVaccination | admin | Mutex | 9fef012d-b066-4dc3-a912-8f6613e5bef0 | A sample vaccination with local scope |
7. Delete a vaccine
Deletes a vaccine by the vaccine ID.
Base Command
minerva-delete-vaccine
Input
Argument Name | Description | Required |
---|---|---|
vaccine_id | The ID of the specified vaccine. | Required |
Context Output
There is no context output for this command.
Command Example
!minerva-delete-vaccine vaccine_id=VACCINE_ID
Human Readable Output
Cortex XSOAR outputs:
"Vaccine '9fef012d-b066-4dc3-a912-8f6613e5bef0' was deleted"
8. Get all exclusions
Retrieves all exclusions.
Base Command
minerva-get-exclusions
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
Minerva.Exclusion.Id | string | Exclusion ID. |
Minerva.Exclusion.Type | string | Exclusion type. |
Minerva.Exclusion.Data | string | Exclusion data. |
Minerva.Exclusion.Description | string | Exclusion description. |
Minerva.Exclusion.lastModifiedBy | string | The user that last modified this exclusion. |
Minerva.Exclusion.lastModifiedOn | date | The date this exclusion was last modified. |
Minerva.Exclusion.appliedGroupsIds | string | Group IDs to which this exclusion applies. |
Command Example
!minerva-get-exclusions
Human Readable Output
Last Modified On | Description | Type | Applied Groups Ids | Last Modified By | Data | Id |
---|---|---|---|---|---|---|
2019-05-13T09:39:38.2410566Z | Excluding explorer.exe by hash | hash | All Groups | admin | ["cef64201a97e08834f5c8952907a1719531a7d99b53309cb2e2956f40cff3486","cef64201a97e08834f5c8952907a1719531a7d99b53309cb2e2956f40cff3486","cef64201a97e08834f5c8952907a1719531a7d99b53309cb2e2956f40cff3486"] | a2ea76c5-95f5-4f40-88f6-bac40ce6d685 |
9. Delete an exclusion
Deletes an exclusion by the exclusion ID.
Base Command
minerva-delete-exclusion
Input
Argument Name | Description | Required |
---|---|---|
id | Exclusion ID. | Required |
type | Exclusion type. | Required |
Context Output
There is no context output for this command.
Command Example
!minerva-delete-exclusion id=EXCLUSION_ID type=hash
Human Readable Output
Cortex XSOAR outputs:
"Exclusion a2ea76c5-95f5-4f40-88f6-bac40ce6d685 was deleted"
10. Move all events from Archive to New event state
Moves all the events from Archive state to New event state.
Base Command
minerva-unarchive-events
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
Command Example
!minerva-unarchive-events
Human Readable Output
Cortex XSOAR outputs:
"Events were un-archived"
Known Limitations
- Users can't add a vaccination that already exists.
- Fetched events are moved to the Archive state in the Minerva Console; minerva-unarchive-events moves all archived events back to the New state.