...
| Table of Contents | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Introduction
The edr.minervalabs.events tag is used to identify all log events generated by the Minerva Labs Anti-Evasion Platform.
...
This technology has just one tag used to send all events to Devo: edr.minervalabs.events. Once the events are flowing to Devo, they can be found in a data table of the same name.
...
You will need to set up just one rule that receives the events on a port, applies the Devo tag, then forwards the events securely to the Devo cloud. In this example we're using port 13007, but you should use any port you can dedicate to receiving the Minerva events.
Source Port → port → 13007
Target Tag → tag →
edr.minervalabs.eventsSelect the Stop Processingprocessing and Sent without syslog tag checkboxes
Click Add Rulerule to save and activate the rule. Now the relay is ready to receive the Minerva Labs events.
...
Login into your Minerva Management Console.
Click the Administration page in the Navigation Panel.
Click the Forwarding tab.
Select the syslog checkbox to enable syslog forwarding. Then set the server address and port. This will be the IP address of your Devo relay and the port you specified when setting up the relay rule.
Table structure
These are the fields displayed in this table:
edr.minervalabs.events
Field | Type | Extra fields |
|---|---|---|
eventdate |
|
|
cefVersion |
|
|
embDeviceVendor |
|
|
embDeviceProduct |
|
|
deviceVersion |
|
|
signatureID |
|
|
name |
|
|
severity |
|
|
_cefVer |
|
|
act |
|
|
ruleName |
|
|
armorVersion |
|
|
parentProcessId |
|
|
parentProcessPath |
|
|
additionalInfo |
|
|
processCommandLine |
|
|
deviceFacility |
|
|
fileHash |
|
|
msg |
|
|
rt |
|
|
spid |
|
|
sproc |
|
|
src |
|
|
suid |
|
|
shost |
|
|
MinervaLabsArmorReceivedIPAddress |
|
|
MinervaLabsArmorEventUrl |
|
|
MinervaLabsArmorCertificate |
|
|
MinervaLabsArmorIsCertificateValid |
|
|
MinervaLabsGroupName |
|
|
rawMessage |
| ✓ |
hostchain |
| ✓ |