Minerva Labs Anti-Evasion Platform

Minerva's Threat Prevention Platform is an agent-based solution that protects servers and workstations from real-world threats that evade existing security controls. It covers modern operating systems as well as embedded, low-resource operating systems.

Minerva's modular design enables customers and partners to use Minerva-provided solutions or to customize their Minerva deployment to fit their existing defense architecture.

Using the Demisto platform, enterprises and service providers gain automated visibility into prevented anomalies across endpoints and servers in the network, and can process them using built-in playbooks.


Minerva Labs' Endpoint Malware Vaccination enables incident response teams to immunize endpoints in seconds and neutralize attacks by simulating infection markers rather than creating them, which lets Minerva contain outbreaks without impacting performance. Combining Demisto and Minerva orchestrates instant deployment of malware vaccinations: outbreaks of known network worms are prevented by simulating their infection markers, so the malicious code does not install.

This integration was integrated and tested with version 3.0 of Minerva Labs Anti-Evasion Platform.

Use Cases

  • Fetch events from the Minerva platform into the Demisto Playground
  • List, add and delete vaccination artifacts on the Minerva platform
  • List, add and delete exclusions in order to handle false positives (FPs)
  • Search for events according to criteria
  • Search for endpoints according to criteria

Configure Minerva Labs Anti-Evasion Platform on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Minerva Labs Anti-Evasion Platform.

  3. Click Add instance to create and configure a new integration instance.

    • Name: a textual name for the integration instance.
    • Minerva Management Console URL, for example: https://SERVER/OWL
    • Username
    • Trust any certificate (not secure)
    • Fetch incidents
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data

The integration imports events from Minerva Management Console as incidents in Demisto.
As each incident represents malicious activity, it contains all the available information gathered by Minerva for further analysis.

To use Fetch Incidents, configure a new instance and select the 'Fetch incidents' option in the instance settings.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Add exclusions: minerva-add-exclusion
  2. Add a vaccination: minerva-add-vaccine
  3. Search for processes: minerva-search-process
  4. Search for an endpoint: minerva-search-endpoint
  5. Get all groups: minerva-get-groups
  6. Get mutex vaccines: minerva-get-vaccines
  7. Delete a vaccine: minerva-delete-vaccine
  8. Get all exclusions: minerva-get-exclusions
  9. Delete an exclusion: minerva-delete-exclusion
  10. Move all events from Archive to New event state: minerva-unarchive-events

1. Add exclusions


Adds exclusions to Minerva Console.

Base Command

minerva-add-exclusion

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| data | Exclusion data. | Required |
| type | The exclusion type. | Required |
| appliedGroupsIds | A list of group IDs to which this exclusion applies. | Optional |
| description | A description of the exclusion. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Minerva.Exclusion.Id | string | Exclusion ID. |
| Minerva.Exclusion.Type | string | Exclusion type. |
| Minerva.Exclusion.Data | string | Exclusion data. |
| Minerva.Exclusion.Description | string | A description of the exclusion. |
| Minerva.Exclusion.lastModifiedBy | string | The user that last modified this exclusion. |
| Minerva.Exclusion.lastModifiedOn | date | The date this exclusion was last modified. |
| Minerva.Exclusion.appliedGroupsIds | string | Group IDs to which this exclusion applies. |

Command Example
!minerva-add-exclusion type="hash" description="cmd.exe hash" data="d0ceb18272966ab62b8edff100e9b4a6a3cb5dc0f2a32b2b18721fea2d9c09a5" appliedGroupsIds="All Groups"
Human Readable Output
| Last Modified On | Description | Type | Applied Groups Ids | Last Modified By | Data | Id |
| --- | --- | --- | --- | --- | --- | --- |
| 2019-04-04T08:43:51.9441116Z | cmd.exe hash | hash | All Groups | admin | d0ceb18272966ab62b8edff100e9b4a6a3cb5dc0f2a32b2b18721fea2d9c09a5 | 86238d3e-dc99-4f62-b580-92fc4deb0184 |

2. Add a vaccination


Adds a vaccination.

Base Command

minerva-add-vaccine

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the mutex. | Required |
| description | A description of the vaccination. | Optional |
| isMonitorOnly | Whether the mutex is only monitored, without simulation. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Minerva.Vaccine.Name | string | Name of the mutex vaccination. |
| Minerva.Vaccine.Description | string | A description of the mutex vaccination. |
| Minerva.Vaccine.isMonitorOnly | boolean | Whether this mutex vaccination is only monitored. |
| Minerva.Vaccine.lastModifiedBy | string | The user that last modified this mutex vaccination. |
| Minerva.Vaccine.lastModifiedOn | date | The date this mutex vaccination was last modified. |
| Minerva.Vaccine.Id | string | Mutex vaccination ID. |
| Minerva.Vaccine.Type | string | Vaccine type, for example: Mutex. |

Command Example
!minerva-add-vaccine name="Local\SomeMaliciousMutex" description="Made up mutex name" isMonitorOnly=True
Human Readable Output
| Last Modified On | Is Monitor Only | Name | Last Modified By | Type | Id | Description |
| --- | --- | --- | --- | --- | --- | --- |
| 2019-05-13T09:48:51.6194895Z | true | Local\SomeMaliciousMutex | admin | Mutex | 711db7ed-d4c9-459b-a4bd-e23c077d4acc | Made up mutex name |

3. Search for processes


Searches for processes with Minerva.

Base Command

minerva-search-process

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| param | Parameter to search for. | Required |
| condition | A condition to apply to the search ("equalTo", "notEqualTo", "contain", "notContain", "startWith", "endWith"). | Required |
| value | Value to compare against. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Minerva.Process.Endpoint | string | The name of the endpoint on which the process was run. |
| Minerva.Process.SHA256 | string | The SHA256 hash of the process. |
| Minerva.Process.CommandLine | string | The process command line. |
| Minerva.Process.Username | string | The user name with which the process was executed. |
| Minerva.Process.Createtime | date | The time the process was created. |
| Minerva.Process.Pid | number | The process ID. |
| Minerva.Process.Name | string | The process name. |

Command Example
!minerva-search-process param="processName" condition="endWith" value="explorer.exe"
Human Readable Output
| Username | Process Id | Endpoint | File Hash | Process Command Line | Process Name | Depth | Start Time | Id |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| DaniK@MVDEV | 21736 | danik.MVDev.local | cef64201a97e08834f5c8952907a1719531a7d99b53309cb2e2956f40cff3486 | C:\WINDOWS\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding | C:\Windows\explorer.exe | 0 | 2019-05-08T07:28:29.009 | f502aede-f4f6-4397-a760-0e08248506dc |

4. Search for an endpoint


Searches Minerva for an endpoint.

Base Command

minerva-search-endpoint

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| param | Parameter to search for. | Required |
| condition | A condition to apply to the search ("equalTo", "notEqualTo", "contain", "notContain", "startWith", "endWith"). | Required |
| value | Value to compare against. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Minerva.Endpoint.Group | string | The group to which the endpoint belongs. |
| Minerva.Endpoint.Name | string | The endpoint name. |
| Minerva.Endpoint.Users | string | The list of logged-on users. |
| Minerva.Endpoint.IP | string | The reported IP address. |
| Minerva.Endpoint.OS | string | The endpoint operating system. |

Command Example
!minerva-search-endpoint param="operatingSystem" condition="equalTo" value="Windows"
Human Readable Output
| Is Armor Version Supported | First Seen Online | Updated | Endpoint | Group | Operating System | Reported Ip Address | Anti Virus Signature Age | Logged On Users | Last Seen Online | Armor Version | Anti Virus Status | Agent Status | Days Registered | Id | Received Ip Address |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| true | 2019-05-07T11:18:38.2782338 | false | WIN2k16-ELIR-OWL | Default Group | Windows | 172.16.0.182 | | Administrator | 2019-05-13T09:48:48.6032188 | 2.8.0.5173 | N/A | Online | 5 | {6368a324-139b-4765-98f5-5f8417fb296c} | 172.16.0.182 |

5. Get all groups


Fetches all the groups defined in the Minerva Management Console.

Base Command

minerva-get-groups

Input

There are no input arguments for this command.

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Minerva.Group.Id | string | The ID of the group. |
| Minerva.Group.Name | string | The name of the group. |
| Minerva.Group.Policy | string | The policy applied to the group. |
| Minerva.Group.PolicyVersion | string | The policy version applied to the group. |
| Minerva.Group.EndpointSettings | string | The settings applied to the group. |
| Minerva.Group.Endpoints | number | The number of endpoints in the group. |
| Minerva.Group.Comment | string | The comment the group creator added. |
| Minerva.Group.CreationTime | date | The time the group was created. |

Command Example
!minerva-get-groups
Human Readable Output
| Name | Creation Time | Events | Endpoint Settings | Policy | Endpoints | Id | Policy Version |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Default Group | 0001-01-01T00:00:00+00:00 | 0 | Fully Simulating | Main | 2 | DefaultAgentGroup | Version-946 |

6. Get mutex vaccines


Retrieves the mutex vaccines.

Base Command

minerva-get-vaccines

Input

There are no input arguments for this command.

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Minerva.Vaccine.Name | string | Mutex vaccination name. |
| Minerva.Vaccine.Description | string | Mutex vaccination description. |
| Minerva.Vaccine.isMonitorOnly | boolean | Whether this mutex vaccination is only monitored, without simulation. |
| Minerva.Vaccine.lastModifiedBy | string | The user that last modified this mutex vaccination. |
| Minerva.Vaccine.lastModifiedOn | date | The date this mutex vaccination was last modified. |
| Minerva.Vaccine.Id | string | Mutex vaccination ID. |

Command Example
!minerva-get-vaccines
Human Readable Output
| Last Modified On | Is Monitor Only | Name | Last Modified By | Type | Id | Description |
| --- | --- | --- | --- | --- | --- | --- |
| 2019-05-14T07:36:21.6655031Z | true | Local\SomeVaccination | admin | Mutex | 9fef012d-b066-4dc3-a912-8f6613e5bef0 | A sample vaccination with local scope |

7. Delete a vaccine


Deletes a vaccine by the vaccine ID.

Base Command

minerva-delete-vaccine

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| vaccine_id | The ID of the vaccine to delete. | Required |

Context Output

There is no context output for this command.

Command Example
!minerva-delete-vaccine vaccine_id=VACCINE_ID
Human Readable Output

Demisto outputs: "Vaccine '9fef012d-b066-4dc3-a912-8f6613e5bef0' was deleted"

8. Get all exclusions


Retrieves all exclusions.

Base Command

minerva-get-exclusions

Input

There are no input arguments for this command.

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Minerva.Exclusion.Id | string | Exclusion ID. |
| Minerva.Exclusion.Type | string | Exclusion type. |
| Minerva.Exclusion.Data | string | Exclusion data. |
| Minerva.Exclusion.Description | string | Exclusion description. |
| Minerva.Exclusion.lastModifiedBy | string | The user that last modified this exclusion. |
| Minerva.Exclusion.lastModifiedOn | date | The date this exclusion was last modified. |
| Minerva.Exclusion.appliedGroupsIds | string | Group IDs to which this exclusion applies. |

Command Example
!minerva-get-exclusions
Human Readable Output
| Last Modified On | Description | Type | Applied Groups Ids | Last Modified By | Data | Id |
| --- | --- | --- | --- | --- | --- | --- |
| 2019-05-13T09:39:38.2410566Z | Excluding explorer.exe by hash | hash | All Groups | admin | ["cef64201a97e08834f5c8952907a1719531a7d99b53309cb2e2956f40cff3486","cef64201a97e08834f5c8952907a1719531a7d99b53309cb2e2956f40cff3486","cef64201a97e08834f5c8952907a1719531a7d99b53309cb2e2956f40cff3486"] | a2ea76c5-95f5-4f40-88f6-bac40ce6d685 |

9. Delete an exclusion


Deletes an exclusion by the exclusion ID.

Base Command

minerva-delete-exclusion

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| id | Exclusion ID. | Required |
| type | Exclusion type. | Required |

Context Output

There is no context output for this command.

Command Example
!minerva-delete-exclusion id=EXCLUSION_ID type=hash
Human Readable Output

Demisto outputs: "Exclusion a2ea76c5-95f5-4f40-88f6-bac40ce6d685 was deleted"

10. Move all events from Archive to New event state


Moves all events from the Archive state back to the New event state.

Base Command

minerva-unarchive-events

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example
!minerva-unarchive-events
Human Readable Output

Demisto outputs: "Events were un-archived"

Known Limitations

  • Users can't add an already existing vaccination.
  • Fetched events are archived in the Minerva Console.
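The two limitations above shape how the commands are best driven from an automation: a vaccine must be looked up before it is added, and an exclusion should not be created twice for the same hash. The following Python helpers, added here as an example and not part of the integration, wrap the commands documented on this page in an idempotent way. The `execute` parameter stands in for Demisto's `demisto.executeCommand(command, args)` and is assumed to return the command's context entries as a list of dicts, so the helpers can be exercised offline with a fake executor.

```python
"""Added example: idempotent helpers around the Minerva commands on this page.
Not code from the integration. `execute` stands in for Demisto's
demisto.executeCommand(command, args) and is assumed to return the command's
context entries as a list of dicts, so the helpers can be exercised offline."""
from typing import Callable, Dict, List

Executor = Callable[[str, Dict[str, str]], List[dict]]


def ensure_vaccine(execute: Executor, name: str, description: str = "",
                   monitor_only: bool = False) -> dict:
    """Return the existing vaccine named `name`, adding it only if absent.

    The console rejects an already existing vaccination (Known Limitations),
    so minerva-get-vaccines is consulted before minerva-add-vaccine is called.
    """
    for vaccine in execute("minerva-get-vaccines", {}):
        if vaccine.get("Name") == name:
            return vaccine
    args = {"name": name, "description": description,
            "isMonitorOnly": "True" if monitor_only else "False"}
    return execute("minerva-add-vaccine", args)[0]


def _excluded_hashes(execute: Executor) -> set:
    """Collect SHA256 values already covered by hash exclusions. The console
    may return Data either as one string or as a list (see command 8)."""
    found = set()
    for excl in execute("minerva-get-exclusions", {}):
        if excl.get("Type") != "hash":
            continue
        data = excl.get("Data")
        found.update(data if isinstance(data, list) else [data])
    return found


def exclude_process_hashes(execute: Executor, processes: List[dict],
                           description: str) -> List[str]:
    """Add one hash exclusion per distinct, not yet excluded SHA256 among the
    given minerva-search-process results; return the new exclusion IDs."""
    known = _excluded_hashes(execute)
    new_ids = []
    for sha in sorted({p["SHA256"] for p in processes} - known):
        entry = execute("minerva-add-exclusion",
                        {"type": "hash", "data": sha, "description": description,
                         "appliedGroupsIds": "All Groups"})[0]
        new_ids.append(entry["Id"])
    return new_ids
```

Inside a Demisto automation, pass `lambda cmd, args: [e["Contents"] for e in demisto.executeCommand(cmd, args)]` (or an equivalent that extracts the context entries) as `execute`; the helpers themselves never call Demisto directly.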