Minerva's Threat Prevention Platform is an agent-based solution that protects servers and workstations from real-world threats that evade existing security controls, covering both modern operating systems and embedded, low-resource operating systems.
Minerva's modular design enables customers and partners to use Minerva-provided solutions or to customize their Minerva deployment to fit their existing defense architecture.
Using the Cortex XSOAR platform, enterprises and service providers gain automated visibility into prevented anomalies across endpoints and servers in the network, and can process them with built-in playbooks.
Minerva Labs' Endpoint Malware Vaccination enables incident response teams to immunize endpoints in seconds and neutralize attacks by simulating infection markers rather than creating them, which lets Minerva contain outbreaks without impacting performance. The combined interlock of Cortex XSOAR and Minerva orchestrates instant deployment of malware vaccinations, preventing outbreaks of known network worms by simulating their infection markers and blocking installation of the malicious code.
This integration was integrated and tested with version 3.0 of Minerva Labs Anti-Evasion Platform.
- Fetch events from Minerva platform into Cortex XSOAR Playground
- List, add and delete vaccination artifacts to Minerva platform
- List, add and delete exclusions in order to handle false positives (FPs)
- Search for events according to criteria
- Search for endpoints according to criteria
- Navigate to Settings > Integrations > Servers & Services.
- Search for Minerva Labs Anti-Evasion Platform.
- Click Add instance to create and configure a new integration instance.
  - Name: a textual name for the integration instance.
  - Minerva Management Console URL, for example: https://SERVER/OWL
  - Username
  - Trust any certificate (not secure)
  - Fetch incidents
- Click Test to validate the URLs, token, and connection.
The integration imports events from Minerva Management Console as incidents in Cortex XSOAR.
As each incident represents malicious activity, it contains all the available information gathered by Minerva for further analysis.
To use Fetch Incidents, configure a new instance and select the Fetch incidents option in the instance settings.
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Add exclusions: minerva-add-exclusion
- Add a vaccination: minerva-add-vaccine
- Search for processes: minerva-search-process
- Search for an endpoint: minerva-search-endpoint
- Get all groups: minerva-get-groups
- Get mutex vaccines: minerva-get-vaccines
- Delete a vaccine: minerva-delete-vaccine
- Get all exclusions: minerva-get-exclusions
- Delete an exclusion: minerva-delete-exclusion
- Move all events from Archive to New event state: minerva-unarchive-events
Adds exclusions to Minerva Console.
minerva-add-exclusion
Argument Name | Description | Required |
---|---|---|
data | Exclusion data. | Required |
type | The exclusion type. | Required |
appliedGroupsIds | A list of group IDs to which this exclusion applies. | Optional |
description | A description of the exclusion. | Required |
Path | Type | Description |
---|---|---|
Minerva.Exclusion.Id | string | Exclusion ID. |
Minerva.Exclusion.Type | string | Exclusion type. |
Minerva.Exclusion.Data | string | Exclusion data. |
Minerva.Exclusion.Description | string | A description of the exclusion. |
Minerva.Exclusion.lastModifiedBy | string | The user that last modified this exclusion. |
Minerva.Exclusion.lastModifiedOn | date | The date this exclusion was last modified. |
Minerva.Exclusion.appliedGroupsIds | string | Group IDs to which this exclusion applies. |
!minerva-add-exclusion type="hash" description="cmd.exe hash" data="d0ceb18272966ab62b8edff100e9b4a6a3cb5dc0f2a32b2b18721fea2d9c09a5" appliedGroupsIds="All Groups"
Last Modified On | Description | Type | Applied Groups Ids | Last Modified By | Data | Id |
---|---|---|---|---|---|---|
2019-04-04T08:43:51.9441116Z | cmd.exe hash | hash | All Groups | admin | d0ceb18272966ab62b8edff100e9b4a6a3cb5dc0f2a32b2b18721fea2d9c09a5 | 86238d3e-dc99-4f62-b580-92fc4deb0184 |
Adds a vaccination.
minerva-add-vaccine
Argument Name | Description | Required |
---|---|---|
name | Name of the mutex. | Required |
description | A description of the vaccination. | Optional |
isMonitorOnly | Whether it is only monitored. | Optional |
Path | Type | Description |
---|---|---|
Minerva.Vaccine.Name | string | Name of the mutex vaccination. |
Minerva.Vaccine.Description | string | A description of the mutex vaccination. |
Minerva.Vaccine.isMonitorOnly | boolean | Whether this mutex vaccination is only monitored. |
Minerva.Vaccine.lastModifiedBy | string | The user that last modified this mutex vaccination. |
Minerva.Vaccine.lastModifiedOn | date | The date this mutex vaccination was last modified. |
Minerva.Vaccine.Id | string | Mutex vaccination ID. |
Minerva.Vaccine.Type | string | Vaccine type, for example: Mutex. |
!minerva-add-vaccine name="Local\SomeMaliciousMutex" description="Made up mutex name" isMonitorOnly=True
Last Modified On | Is Monitor Only | Name | Last Modified By | Type | Id | Description |
---|---|---|---|---|---|---|
2019-05-13T09:48:51.6194895Z | true | Local\SomeMaliciousMutex | admin | Mutex | 711db7ed-d4c9-459b-a4bd-e23c077d4acc | Made up mutex name |
Search processes with Minerva.
minerva-search-process
Argument Name | Description | Required |
---|---|---|
param | Parameter to search for. | Required |
condition | A condition to apply to the search ("equalTo", "notEqualTo", "contain", "notContain", "startWith", "endWith"). | Required |
value | Value. | Required |
Path | Type | Description |
---|---|---|
Minerva.Process.Endpoint | string | The name of the endpoint on which the process was run. |
Minerva.Process.SHA256 | string | The SHA256 hash of the process. |
Minerva.Process.CommandLine | string | The process command line. |
Minerva.Process.Username | string | The user name with which the process was executed. |
Minerva.Process.Createtime | date | The time the process was created. |
Minerva.Process.Pid | number | The process ID. |
Minerva.Process.Name | string | The process name. |
!minerva-search-process param="processName" condition="endWith" value="explorer.exe"
Username | Process Id | Endpoint | File Hash | Process Command Line | Process Name | Depth | Start Time | Id |
---|---|---|---|---|---|---|---|---|
DaniK@MVDEV | 21736 | danik.MVDev.local | cef64201a97e08834f5c8952907a1719531a7d99b53309cb2e2956f40cff3486 | C:\WINDOWS\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding | C:\Windows\explorer.exe | 0 | 2019-05-08T07:28:29.009 | f502aede-f4f6-4397-a760-0e08248506dc |
Search Minerva for an endpoint.
minerva-search-endpoint
Argument Name | Description | Required |
---|---|---|
param | Parameter to search for. | Required |
condition | A condition to apply to the search ("equalTo", "notEqualTo", "contain", "notContain", "startWith", "endWith"). | Required |
value | Value. | Required |
Path | Type | Description |
---|---|---|
Minerva.Endpoint.Group | string | The group to which the endpoint belongs. |
Minerva.Endpoint.Name | string | The endpoint name. |
Minerva.Endpoint.Users | string | The list of logged-on users. |
Minerva.Endpoint.IP | string | The reported IP address. |
Minerva.Endpoint.OS | string | The endpoint operating system. |
!minerva-search-endpoint param="operatingSystem" condition="equalTo" value="Windows"
Is Armor Version Supported | First Seen Online | Updated | Endpoint | Group | Operating System | Reported Ip Address | Anti Virus Signature Age | Logged On Users | Last Seen Online | Armor Version | Anti Virus Status | Agent Status | Days Registered | Id | Received Ip Address |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
true | 2019-05-07T11:18:38.2782338 | false | WIN2k16-ELIR-OWL | Default Group | Windows | 172.16.0.182 | Administrator | 2019-05-13T09:48:48.6032188 | 2.8.0.5173 | N/A | Online | 5 | {6368a324-139b-4765-98f5-5f8417fb296c} | 172.16.0.182 |
Fetches all the groups defined in Minerva Management Console.
minerva-get-groups
There are no input arguments for this command.
Path | Type | Description |
---|---|---|
Minerva.Group.Id | string | The ID of the group. |
Minerva.Group.Name | string | The name of the group. |
Minerva.Group.Policy | string | The policy applied to the group. |
Minerva.Group.PolicyVersion | string | The policy version applied to the group. |
Minerva.Group.EndpointSettings | string | The settings applied to the group. |
Minerva.Group.Endpoints | number | The number of endpoints in the group. |
Minerva.Group.Comment | string | The comment the group creator added. |
Minerva.Group.CreationTime | date | The time the group was created. |
!minerva-get-groups
Name | Creation Time | Events | Endpoint Settings | Policy | Endpoints | Id | Policy Version |
---|---|---|---|---|---|---|---|
Default Group | 0001-01-01T00:00:00+00:00 | 0 | Fully Simulating | Main | 2 | DefaultAgentGroup | Version-946 |
Retrieves the mutex vaccines.
minerva-get-vaccines
There are no input arguments for this command.
Path | Type | Description |
---|---|---|
Minerva.Vaccine.Name | string | Mutex vaccination name. |
Minerva.Vaccine.Description | string | Mutex vaccination description. |
Minerva.Vaccine.isMonitorOnly | boolean | Whether this mutex vaccination is only monitored without simulation. |
Minerva.Vaccine.lastModifiedBy | string | The user that last modified this mutex vaccination. |
Minerva.Vaccine.lastModifiedOn | date | The date this mutex vaccination was last modified. |
Minerva.Vaccine.Id | string | Mutex vaccination ID. |
!minerva-get-vaccines
Last Modified On | Is Monitor Only | Name | Last Modified By | Type | Id | Description |
---|---|---|---|---|---|---|
2019-05-14T07:36:21.6655031Z | true | Local\SomeVaccination | admin | Mutex | 9fef012d-b066-4dc3-a912-8f6613e5bef0 | A sample vaccination with local scope |
Deletes a vaccine by the vaccine ID.
minerva-delete-vaccine
Argument Name | Description | Required |
---|---|---|
vaccine_id | The ID of the specified vaccine. | Required |
There is no context output for this command.
!minerva-delete-vaccine vaccine_id=VACCINE_ID
Cortex XSOAR outputs: "Vaccine '9fef012d-b066-4dc3-a912-8f6613e5bef0' was deleted"
Retrieves all exclusions.
minerva-get-exclusions
There are no input arguments for this command.
Path | Type | Description |
---|---|---|
Minerva.Exclusion.Id | string | Exclusion ID. |
Minerva.Exclusion.Type | string | Exclusion type. |
Minerva.Exclusion.Data | string | Exclusion data. |
Minerva.Exclusion.Description | string | Exclusion description. |
Minerva.Exclusion.lastModifiedBy | string | The user that last modified this exclusion. |
Minerva.Exclusion.lastModifiedOn | date | The date this exclusion was last modified. |
Minerva.Exclusion.appliedGroupsIds | string | Group IDs to which this exclusion applies. |
!minerva-get-exclusions
Last Modified On | Description | Type | Applied Groups Ids | Last Modified By | Data | Id |
---|---|---|---|---|---|---|
2019-05-13T09:39:38.2410566Z | Excluding explorer.exe by hash | hash | All Groups | admin | ["cef64201a97e08834f5c8952907a1719531a7d99b53309cb2e2956f40cff3486","cef64201a97e08834f5c8952907a1719531a7d99b53309cb2e2956f40cff3486","cef64201a97e08834f5c8952907a1719531a7d99b53309cb2e2956f40cff3486"] | a2ea76c5-95f5-4f40-88f6-bac40ce6d685 |
Deletes an exclusion by the exclusion ID.
minerva-delete-exclusion
Argument Name | Description | Required |
---|---|---|
id | Exclusion ID. | Required |
type | Exclusion type. | Required |
There is no context output for this command.
!minerva-delete-exclusion id=EXCLUSION_ID type=hash
Cortex XSOAR outputs: "Exclusion a2ea76c5-95f5-4f40-88f6-bac40ce6d685 was deleted"
Moves all the events from Archive state to New event state.
minerva-unarchive-events
There are no input arguments for this command.
There is no context output for this command.
!minerva-unarchive-events
Cortex XSOAR outputs: "Events were un-archived"
- Users can’t add an already existing vaccination.
- Fetched events are archived in Minerva Console.
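Because the console refuses an existing vaccination, and because exclusion data can accumulate duplicate hashes (as in the minerva-get-exclusions output above), an automation should pre-check its input against the context returned by minerva-get-exclusions and minerva-get-vaccines before calling minerva-add-exclusion or minerva-add-vaccine. The helper below is an added example, not part of the integration's own code; the sample context is constructed from values shown in this document, and the argument dictionaries mirror the documented minerva-add-exclusion arguments.

```python
import re

# Constructed sample context, shaped like the Minerva.Exclusion and Minerva.Vaccine
# outputs documented for minerva-get-exclusions / minerva-get-vaccines (not live data).
EXISTING_EXCLUSIONS = [
    {"Id": "a2ea76c5-95f5-4f40-88f6-bac40ce6d685", "Type": "hash",
     "Data": ["cef64201a97e08834f5c8952907a1719531a7d99b53309cb2e2956f40cff3486"]},
]
EXISTING_VACCINES = [
    {"Id": "9fef012d-b066-4dc3-a912-8f6613e5bef0", "Type": "Mutex",
     "Name": "Local\\SomeVaccination"},
]
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def excluded_hashes(exclusions):
    """Collect every hash already excluded; Data may be a string or a list."""
    known = set()
    for exc in exclusions:
        if exc.get("Type") != "hash":
            continue
        data = exc.get("Data") or []
        if isinstance(data, str):
            data = [data]
        known.update(h.strip().lower() for h in data)
    return known


def plan_hash_exclusions(candidates, exclusions, description, groups="All Groups"):
    """Return (argument sets for minerva-add-exclusion, rejected (value, reason) pairs),
    dropping malformed SHA256 values, hashes already excluded and in-request duplicates."""
    known = excluded_hashes(exclusions)
    seen, to_add, rejected = set(), [], []
    for raw in candidates:
        h = raw.strip().lower()
        if not SHA256_RE.match(h):
            rejected.append((raw, "not a SHA256 hex digest"))
        elif h in known:
            rejected.append((raw, "already excluded"))
        elif h in seen:
            rejected.append((raw, "duplicate in request"))
        else:
            seen.add(h)
            to_add.append({"type": "hash", "data": h, "description": description,
                           "appliedGroupsIds": groups})
    return to_add, rejected


def vaccine_exists(name, vaccines):
    """Guard for minerva-add-vaccine: the console refuses an existing mutex name."""
    return any(v.get("Type") == "Mutex" and v.get("Name") == name for v in vaccines)
```

Each dictionary in the returned list holds the arguments for one `!minerva-add-exclusion` call, so a playbook can issue one command per new hash and log the rejected entries instead of failing mid-run.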