Document toolboxDocument toolbox

edr.minervalabs

Introduction

The edr.minervalabs.events tag is used to identify all log events generated by the Minerva Labs Anti-Evasion Platform.

Tag structure

This technology has just one tag used to send all events to Devo: edr.minervalabs.events. Once the events are flowing to Devo, they can be found in a data table of the same name.

Set up the Devo relay rule

You will need to set up just one rule that receives the events on a port, applies the Devo tag, then forwards the events securely to the Devo cloud. In this example we're using port 13007, but you should use any port you can dedicate to receiving the Minerva events.

  • Source port → 13007

  • Target tag → edr.minervalabs.events

  • Select the Stop processing and Sent without syslog tag checkboxes

  • Click Add rule to save and activate the rule. Now the relay is ready to receive the Minerva Labs events.

Forward events from Minerva Anti-Evasion Platform to the Devo relay

Logs should be sent via syslog in CEF format.

  1. Login into your Minerva Management Console.

  2. Click the Administration page in the Navigation Panel.

  3. Click the Forwarding tab.

  4. Select the syslog checkbox to enable syslog forwarding. Then set the server address and port. This will be the IP address of your Devo relay and the port you specified when setting up the relay rule.

Table structure

These are the fields displayed in this table:

edr.minervalabs.events

Field

Type

Extra fields

Field

Type

Extra fields

eventdate

timestamp

 

cefVersion

str

 

embDeviceVendor

str

 

embDeviceProduct

str

 

deviceVersion

str

 

signatureID

str

 

name

str

 

severity

str

 

_cefVer

str

 

act

str

 

ruleName

str

 

armorVersion

str

 

parentProcessId

str

 

parentProcessPath

str

 

additionalInfo

str

 

processCommandLine

str

 

deviceFacility

str

 

fileHash

str

 

msg

str

 

rt

timestamp

 

spid

int4

 

sproc

str

 

src

ip4

 

suid

str

 

shost

str

 

MinervaLabsArmorReceivedIPAddress

ip4

 

MinervaLabsArmorEventUrl

str

 

MinervaLabsArmorCertificate

str

 

MinervaLabsArmorIsCertificateValid

bool

 

MinervaLabsGroupName

str

 

rawMessage

str

 ✓

hostchain

str

 ✓