# HarfangLab EDR

This Integration is part of the HarfangLab EDR Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

HarfangLab EDR Connector, compatible version 2.13.7+. This integration was integrated and tested with version 2.13.7+ of Hurukai.
## Configure HarfangLab EDR in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| API URL | | True |
| Fetch incidents | | False |
| Incident type | | False |
| API Key | | False |
| Incidents Fetch Interval | | False |
| Fetch alerts with type | Comma-separated list of alert types to fetch (sigma, yara, hlai, vt, ransom, ioc, glimps, orion...). | False |
| Minimum severity of alerts to fetch | | True |
| Fetch alerts with status (ACTIVE, CLOSED) | | False |
| Maximum number of incidents to fetch per call | Fetch at most `<max_fetch>` security events and/or threats per call (leave empty for no limit). | False |
| First fetch time | Start fetching alerts and/or threats whose creation date is later than now minus `<first_fetch>` days. | True |
| Mirroring Direction | Choose the direction in which detections are mirrored: Incoming (from HarfangLab EDR to Cortex XSOAR), Outgoing (from Cortex XSOAR to HarfangLab EDR), or Incoming and Outgoing (both ways). | False |
| Fetch types | | True |
| Close Mirrored security event or threat in the XSOAR | When selected, closes the XSOAR incident that is mirrored from the HarfangLab EDR. | False |
| Close Mirrored security event or threat in HarfangLab EDR | When selected, closes the mirrored security event or threat in the HarfangLab EDR. | False |
| Trust any certificate (not secure) | Disables TLS certificate verification for the API URL; leave unchecked outside lab use. | False |
| Use system proxy settings | | False |
## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### fetch-incidents

Retrieves incidents from the HarfangLab EDR API.

#### Base Command

`fetch-incidents`

#### Input

There is no input for this command.

#### Context Output

There is no context output for this command.
### harfanglab-get-endpoint-info

Get endpoint information from an agent_id.

#### Base Command

`harfanglab-get-endpoint-info`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Agent | unknown | Agent information |

#### Command example

`!harfanglab-get-endpoint-info agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

Endpoint information for agent_id : 0fae71cf-ebde-4533-a50c-b3c0290378db

| Field | Value |
| --- | --- |
| additional_info | additional_info1: null, additional_info2: null, additional_info3: null, additional_info4: null |
| avg_cpu | 1.0 |
| avg_memory | 183558144.0 |
| bitness | x64 |
| cpu_count | 2 |
| cpu_frequency | 3192 |
| domainname | WORKGROUP |
| driver_enabled | true |
| driver_policy | false |
| effective_policy_id | e96699ef-3dd9-4718-90ef-c7e5646fd466 |
| effective_policy_revision | 5 |
| external_ipaddress | (REDACTED) |
| firstseen | 2022-06-15T06:42:50.008015Z |
| group_count | 0 |
| hostname | DC-01 |
| id | 0fae71cf-ebde-4533-a50c-b3c0290378db |
| installdate | 2022/06/15 06:38:58 |
| ipaddress | (REDACTED) |
| ipmask | (REDACTED) |
| isolation_policy | false |
| isolation_state | true |
| lastseen | 2022-07-28T07:41:32.197641Z |
| lastseen_error | 2022-07-28T07:47:02.197641Z |
| lastseen_warning | 2022-07-28T07:43:44.197641Z |
| machine_boottime | 2022-06-28T14:18:31Z |
| osbuild | 20348 |
| osid | 00454-40000-00001-AA596 |
| osmajor | 10 |
| osminor | 0 |
| osproducttype | Windows Server 2022 Standard Evaluation |
| ostype | windows |
| osversion | 10.0.20348 |
| policy | No psexec (id e96699ef-3dd9-4718-90ef-c7e5646fd466, revision 5); full policy below |
| producttype | server |
| starttime | 2022-06-28T14:18:47Z |
| status | online |
| total_memory | 2133962752.0 |
| uninstall_status | 0 |
| update_experimental | false |
| update_status | 0 |
| version | 2.15.0 |

Policy applied to the agent (the `policy` field):

| Field | Value |
| --- | --- |
| id | e96699ef-3dd9-4718-90ef-c7e5646fd466 |
| tenant | null |
| name | No psexec |
| description | |
| revision | 5 |
| sleeptime | 60 |
| sleepjitter | 10 |
| telemetry_process | true |
| telemetry_process_limit | false |
| telemetry_process_limit_value | 1000 |
| telemetry_network | true |
| telemetry_network_limit | false |
| telemetry_network_limit_value | 1000 |
| telemetry_log | true |
| telemetry_log_limit | false |
| telemetry_log_limit_value | 1000 |
| telemetry_remotethread | true |
| telemetry_remotethread_limit | false |
| telemetry_remotethread_limit_value | 1000 |
| telemetry_alerts_limit | false |
| telemetry_alerts_limit_value | 1000 |
| binary_download_enabled | true |
| loglevel | ERROR |
| use_sigma | true |
| ioc_mode | 2 |
| hlai_mode | 1 |
| hlai_skip_signed_ms | true |
| hlai_skip_signed_others | false |
| hlai_minimum_level | critical |
| hibou_mode | 0 |
| hibou_skip_signed_ms | false |
| hibou_skip_signed_others | false |
| hibou_minimum_level | critical |
| yara_mode | 1 |
| yara_skip_signed_ms | true |
| yara_skip_signed_others | false |
| use_driver | true |
| use_isolation | true |
| use_ransomguard | true |
| ransomguard_alert_only | false |
| self_protection | false |
| use_process_block | true |
| use_sigma_process_block | false |
| sigma_ruleset | 1 |
| yara_ruleset | null |
| ioc_ruleset | null |
### harfanglab-endpoint-search

Search for endpoint information from a hostname.

#### Base Command

`harfanglab-endpoint-search`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | Endpoint hostname. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Agent | unknown | Agent information. |
| Harfanglab.Agent.id | string | agent id (DEPRECATED) |
| Harfanglab.status | string | Status (DEPRECATED) |

#### Command example

`!harfanglab-endpoint-search hostname="DC-01"`

#### Context Example

#### Human Readable Output

Endpoint information for Hostname : DC-01

Two agents are registered under this hostname; one is online, the other has not reported since 2022-06-15.

| Field | DC-01 (0fae71cf-ebde-4533-a50c-b3c0290378db) | DC-01 (706d4524-dc2d-4438-bfef-3b620646db7f) |
| --- | --- | --- |
| additional_info | additional_info1..4: null | additional_info1..4: null |
| avg_cpu | 1.0 | 0.6 |
| avg_memory | 183558144.0 | 125627596.0 |
| bitness | x64 | x64 |
| cpu_count | 2 | 2 |
| cpu_frequency | 3192 | 3192 |
| domainname | WORKGROUP | WORKGROUP |
| driver_enabled | true | true |
| driver_policy | false | false |
| external_ipaddress | (REDACTED) | (REDACTED) |
| firstseen | 2022-06-15T06:42:50.008015Z | 2022-06-14T22:23:08.393381Z |
| group_count | 0 | 0 |
| hostname | DC-01 | DC-01 |
| id | 0fae71cf-ebde-4533-a50c-b3c0290378db | 706d4524-dc2d-4438-bfef-3b620646db7f |
| installdate | 2022/06/15 06:38:58 | 2022/06/14 21:56:49 |
| ipaddress | (REDACTED) | (REDACTED) |
| ipmask | (REDACTED) | (REDACTED) |
| isolation_policy | false | false |
| isolation_state | true | false |
| lastseen | 2022-07-28T07:41:32.197641Z | 2022-06-15T06:33:46.544505Z |
| lastseen_error | 2022-07-28T07:47:02.197641Z | 2022-06-15T06:39:16.544505Z |
| lastseen_warning | 2022-07-28T07:43:44.197641Z | 2022-06-15T06:35:58.544505Z |
| machine_boottime | 2022-06-28T14:18:31Z | 2022-06-14T22:00:23Z |
| osbuild | 20348 | 20348 |
| osid | 00454-40000-00001-AA596 | 00454-40000-00001-AA081 |
| osmajor | 10 | 10 |
| osminor | 0 | 0 |
| osproducttype | Windows Server 2022 Standard Evaluation | Windows Server 2022 Standard Evaluation |
| ostype | windows | windows |
| osversion | 10.0.20348 | 10.0.20348 |
| policy | No psexec (id e96699ef-3dd9-4718-90ef-c7e5646fd466, revision 5); full policy below | same policy |
| producttype | server | server |
| starttime | 2022-06-28T14:18:47Z | 2022-06-14T22:02:32Z |
| status | online | offline |
| total_memory | 2133962752.0 | 2133962752.0 |
| uninstall_status | 0 | 0 |
| update_experimental | false | false |
| update_status | 0 | 0 |
| version | 2.15.0 | 2.15.0 |

Both agents carry the same policy (the `policy` field):

| Field | Value |
| --- | --- |
| id | e96699ef-3dd9-4718-90ef-c7e5646fd466 |
| tenant | null |
| name | No psexec |
| description | |
| revision | 5 |
| sleeptime | 60 |
| sleepjitter | 10 |
| telemetry_process | true |
| telemetry_process_limit | false |
| telemetry_process_limit_value | 1000 |
| telemetry_network | true |
| telemetry_network_limit | false |
| telemetry_network_limit_value | 1000 |
| telemetry_log | true |
| telemetry_log_limit | false |
| telemetry_log_limit_value | 1000 |
| telemetry_remotethread | true |
| telemetry_remotethread_limit | false |
| telemetry_remotethread_limit_value | 1000 |
| telemetry_alerts_limit | false |
| telemetry_alerts_limit_value | 1000 |
| binary_download_enabled | true |
| loglevel | ERROR |
| use_sigma | true |
| ioc_mode | 2 |
| hlai_mode | 1 |
| hlai_skip_signed_ms | true |
| hlai_skip_signed_others | false |
| hlai_minimum_level | critical |
| hibou_mode | 0 |
| hibou_skip_signed_ms | false |
| hibou_skip_signed_others | false |
| hibou_minimum_level | critical |
| yara_mode | 1 |
| yara_skip_signed_ms | true |
| yara_skip_signed_others | false |
| use_driver | true |
| use_isolation | true |
| use_ransomguard | true |
| ransomguard_alert_only | false |
| self_protection | false |
| use_process_block | true |
| use_sigma_process_block | false |
| sigma_ruleset | 1 |
| yara_ruleset | null |
| ioc_ruleset | null |
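A hostname search can return more than one agent for the same machine, as the DC-01 output above shows (one agent online, one that last reported on 2022-06-15), so a playbook that simply takes the first `Harfanglab.Agent` entry may queue its jobs against a dead agent_id. The following is an added example, not code from the integration or from HarfangLab: it picks the agent to target from the records by preferring `status == "online"` and then the most recent `lastseen`, and reports the remaining ids as stale. The sample records are constructed from the values shown above and reduced to the four fields the selection uses; the timestamp format is assumed to be the one the output displays (ISO 8601 with microseconds and a trailing `Z`).

```python
from datetime import datetime, timezone

# Constructed sample: the two DC-01 records shown above, reduced to the fields this
# selection needs (real Harfanglab.Agent entries carry about forty fields).
SAMPLE_AGENTS = [
    {"id": "0fae71cf-ebde-4533-a50c-b3c0290378db", "hostname": "DC-01",
     "status": "online", "lastseen": "2022-07-28T07:41:32.197641Z"},
    {"id": "706d4524-dc2d-4438-bfef-3b620646db7f", "hostname": "DC-01",
     "status": "offline", "lastseen": "2022-06-15T06:33:46.544505Z"},
]


def parse_manager_ts(value):
    """Parse a manager timestamp (ISO 8601, microseconds, trailing Z) as aware UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def select_agent(agents, hostname):
    """Pick the agent a job should target for `hostname`.

    Preference: an agent reported as online first, then the most recent lastseen.
    Returns (chosen_id, stale_ids) and raises LookupError for an unknown hostname.
    The comparison is case-insensitive because Windows reports names in upper case.
    """
    matches = [a for a in agents if a["hostname"].lower() == hostname.lower()]
    if not matches:
        raise LookupError(f"no agent registered for hostname {hostname!r}")
    matches.sort(
        key=lambda a: (a["status"] == "online", parse_manager_ts(a["lastseen"])),
        reverse=True,
    )
    chosen, *stale = matches
    return chosen["id"], [a["id"] for a in stale]


def silent_for(agent, now, max_silence_s=24 * 3600):
    """True when the agent has not checked in within max_silence_s of `now` (aware UTC).

    Worth checking before queuing a job: a job sent to an agent that no longer reports
    will not run until that agent reconnects.
    """
    return (now - parse_manager_ts(agent["lastseen"])).total_seconds() > max_silence_s


if __name__ == "__main__":
    chosen, stale = select_agent(SAMPLE_AGENTS, "dc-01")
    print("target agent_id:", chosen)
    print("stale duplicates:", stale)
```

In a playbook, the chosen id is what goes into the `agent_id` argument of the `harfanglab-job-*` commands below; the stale ids are worth surfacing in the incident so an analyst can decide whether the old registration should be cleaned up.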
### harfanglab-api-call

Perform a generic API call.

#### Base Command

`harfanglab-api-call`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| api_method | API method (GET, POST...). | Required |
| api_endpoint | API endpoint (/api/version, /api/data/alert/alert/Alert/...). | Optional |
| parameters | URL parameters. | Optional |
| data | Posted data. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.API | unknown | API call result |

#### Command example

`!harfanglab-api-call api_method=GET api_endpoint=/api/version`

#### Context Example

#### Human Readable Output

Results

| version |
| --- |
| 2.29.7 |
### harfanglab-telemetry-processes

Search processes.

#### Base Command

`harfanglab-telemetry-processes`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hash | File hash to search (md5, sha1, sha256). | Optional |
| hostname | Endpoint hostname. | Optional |
| from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| limit | Maximum number of elements to fetch. Default is 100. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Telemetryprocesses.processes | unknown | Provides a list of processes |
| agent.agentid | unknown | DEPRECATED |
| current_directory | unknown | DEPRECATED |
| hashes.sha256 | unknown | DEPRECATED |

#### Command example

`!harfanglab-telemetry-processes hostname="DC-01" hash=3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 limit=5`

#### Context Example

#### Human Readable Output

Processes list

| create date | hostname | process name | image name | commandline | integrity level | parent image | parent commandline | username | signed | signer | sha256 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-07-28T07:28:58.757000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T06:58:58.227000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T06:28:57.663000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T05:58:57.147000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T05:28:56.585000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |

#### Command example

`!harfanglab-telemetry-processes hostname="DC-01" limit=5`

#### Context Example

#### Human Readable Output

Processes list

| create date | hostname | process name | image name | commandline | integrity level | parent image | parent commandline | username | signed | signer | sha256 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-07-28T07:45:44.942000Z | DC-01 | MicrosoftEdgeUpdate.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /ua /installsource scheduler | System | C:\Windows\System32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p | NT AUTHORITY\SYSTEM | true | Microsoft Corporation | bef9dbed290af17cf3f30cc43fc0a94cdadc540f171c25df1363b2e852d0a042 |
| 2022-07-28T07:45:44.711000Z | DC-01 | conhost.exe | C:\Windows\System32\conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | System | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe {cf4a9162-2af0-0afe-8c36-45fd3dd29574} | NT AUTHORITY\SYSTEM | true | Microsoft Windows | 6b481d656414c50d8bd0bedcd615aeaf2f5f68576cb6732a9548e0da87729733 |
| 2022-07-28T07:45:44.704000Z | DC-01 | hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe {cf4a9162-2af0-0afe-8c36-45fd3dd29574} | System | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe | NT AUTHORITY\SYSTEM | true | HARFANGLAB SAS | 9d81d385fe2f41e8f4f96d64a37899003b54a644ba67f7197f0cdbd0b71144f0 |
| 2022-07-28T07:44:40.370000Z | DC-01 | conhost.exe | C:\Windows\System32\conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | System | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe {e273729b-d2f8-53a9-a10f-a60459dacc23} | NT AUTHORITY\SYSTEM | true | Microsoft Windows | 6b481d656414c50d8bd0bedcd615aeaf2f5f68576cb6732a9548e0da87729733 |
| 2022-07-28T07:44:40.363000Z | DC-01 | hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe {e273729b-d2f8-53a9-a10f-a60459dacc23} | System | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe | NT AUTHORITY\SYSTEM | true | HARFANGLAB SAS | 9d81d385fe2f41e8f4f96d64a37899003b54a644ba67f7197f0cdbd0b71144f0 |

#### Command example

`!harfanglab-telemetry-processes hash=3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 limit=5`

#### Context Example

#### Human Readable Output

Processes list

| create date | hostname | process name | image name | commandline | integrity level | parent image | parent commandline | username | signed | signer | sha256 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-07-28T07:46:16.086000Z | WEBSERVER | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T07:29:25.127000Z | WEBSERVER | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T07:28:58.757000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T06:59:24.716000Z | WEBSERVER | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T06:58:58.227000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |

#### Command example

`!harfanglab-telemetry-processes hostname="DC-01" from_date="2022-07-22T20:26:10" to_date="2022-07-22T20:26:20" limit=5`

#### Context Example

#### Human Readable Output

Processes list

| create date | hostname | process name | image name | commandline | integrity level | parent image | parent commandline | username | signed | signer | sha256 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-07-22T20:26:19.645000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
### harfanglab-job-pipelist

Start a job to get the list of named pipes from a host (Windows).

#### Base Command

`harfanglab-job-pipelist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-pipelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-artifact-downloadfile

Start a job to download a file from a host (Windows / Linux).

#### Base Command

`harfanglab-job-artifact-downloadfile`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
| filename | Path of the file to download. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-artifact-downloadfile agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="C:\\Program Files\\HarfangLab\\agent.ini"`

#### Context Example

#### Human Readable Output

### harfanglab-job-prefetchlist

Start a job to get the list of prefetch files from a host (Windows).

#### Base Command

`harfanglab-job-prefetchlist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-prefetchlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-runkeylist

Start a job to get the list of Run keys from a host (Windows).

#### Base Command

`harfanglab-job-runkeylist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-runkeylist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-scheduledtasklist

Start a job to get the list of scheduled tasks from a host (Windows).

#### Base Command

`harfanglab-job-scheduledtasklist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-scheduledtasklist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-driverlist

Start a job to get the list of drivers from a host (Windows).

#### Base Command

`harfanglab-job-driverlist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-driverlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-servicelist

Start a job to get the list of services from a host (Windows).

#### Base Command

`harfanglab-job-servicelist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-servicelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-processlist

Start a job to get the list of processes from a host (Windows / Linux).

#### Base Command

`harfanglab-job-processlist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-processlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-networkconnectionlist

Start a job to get the list of network connections from a host (Windows / Linux).

#### Base Command

`harfanglab-job-networkconnectionlist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-networkconnectionlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-networksharelist

Start a job to get the list of network shares from a host (Windows).

#### Base Command

`harfanglab-job-networksharelist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-networksharelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-sessionlist

Start a job to get the list of sessions from a host (Windows).

#### Base Command

`harfanglab-job-sessionlist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-sessionlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-persistencelist

Start a job to get the list of persistence items from a host (Linux).

#### Base Command

`harfanglab-job-persistencelist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-persistencelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output
### harfanglab-job-ioc

Start a job to search for IOCs on a host (Windows / Linux).

#### Base Command

`harfanglab-job-ioc`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
| filename | Exact filename to search. | Optional |
| filepath | Exact file path to search. | Optional |
| hash | File hash to search (md5, sha1, sha256). | Optional |
| search_in_path | Restrict searches for filename, filepath or filepath_regex to a given path. | Optional |
| hash_filesize | Size of the file associated with the 'hash' parameter (DEPRECATED, use the 'filesize' parameter instead). If known, it speeds up the search. | Optional |
| filesize | Size of the file to search (can be used when searching for a file by hash or by filename). If known, it speeds up the search. | Optional |
| registry | Regex to search in the registry (key or value). | Optional |
| filepath_regex | Regex to search against file paths. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="agent.ini"`

#### Context Example

#### Human Readable Output

#### Command example

`!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="agent.ini" search_in_path="C:\\Program Files"`

#### Context Example

#### Human Readable Output

#### Command example

`!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="agent.ini" filesize=1688`

#### Context Example

#### Human Readable Output

#### Command example

`!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filepath="C:\\windows\\system32\\calc.exe"`

#### Context Example

#### Human Readable Output

#### Command example

`!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filepath_regex="System32\\\\calc\\.exe"`

#### Context Example

#### Human Readable Output

#### Command example

`!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" hash=4208893c871d2499f184e3f0f2554da89f451fa9e98d95fc9516c5ae8f2b3bbd filesize=45056`

#### Context Example

#### Human Readable Output

#### Command example

`!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" registry="DLLPath"`

#### Context Example

#### Human Readable Output

#### Command example

`!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" registry="hmmapi"`

#### Context Example

#### Human Readable Output
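The examples above show two levels of escaping stacked on Windows paths: a plain path argument is written with doubled backslashes (`filepath="C:\\windows\\system32\\calc.exe"`), and a `filepath_regex` argument is first regex-escaped (`\` becomes `\\`, `.` becomes `\.`) and then doubled again for the CLI (`System32\\\\calc\\.exe`). Getting this wrong silently turns a search into a no-match. The following is an added example, not code from the integration or from HarfangLab: it builds an argument set for `harfanglab-job-ioc` from unescaped values, regex-escapes a literal path fragment for `filepath_regex`, validates the `hash` and `filesize` arguments before anything is queued, and renders the War Room command line. The one assumption is the escaping rule itself: that the XSOAR CLI consumes one level of backslash escaping before the value reaches the integration, which is what the page's own examples imply; the argument names are exactly the ones documented in the Input table.

```python
import re

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
PATH_ARGS = ("filename", "filepath", "filepath_regex", "search_in_path", "registry")
INDICATOR_ARGS = ("filename", "filepath", "filepath_regex", "hash", "registry")


def xsoar_escape(value):
    """Double each backslash for the XSOAR CLI.

    Assumption (consistent with the examples on this page, e.g.
    filename="C:\\Program Files\\HarfangLab\\agent.ini"): the CLI strips one level
    of backslash escaping before the integration sees the value.
    """
    return value.replace("\\", "\\\\")


def literal_path_regex(fragment):
    """Regex matching a literal path fragment, for filepath_regex.

    Backslash, dot and parentheses are all regex metacharacters that occur in
    ordinary Windows paths, so never hand-write these; let re.escape do it.
    """
    return re.escape(fragment)


def regex_matches(fragment, full_path):
    """Local check that the regex built from `fragment` hits `full_path`."""
    return re.search(literal_path_regex(fragment), full_path) is not None


def hash_type(value):
    """Return md5/sha1/sha256 from the digest length; raise on anything else."""
    digest = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) not in HASH_LENGTHS:
        raise ValueError(f"not an md5/sha1/sha256 hex digest: {value!r}")
    return HASH_LENGTHS[len(digest)]


def ioc_job_args(agent_id, **indicators):
    """Build the argument dict for harfanglab-job-ioc from unescaped values.

    Only the documented argument names are accepted, at least one indicator is
    required (search_in_path and filesize alone search for nothing), path-like
    values are escaped for the CLI, and hash/filesize are validated up front.
    """
    unknown = set(indicators) - set(PATH_ARGS) - {"hash", "filesize"}
    if unknown:
        raise ValueError(f"unknown argument(s): {sorted(unknown)}")
    if not any(indicators.get(name) for name in INDICATOR_ARGS):
        raise ValueError("need at least one of " + "/".join(INDICATOR_ARGS))
    args = {"agent_id": agent_id}
    for name, value in indicators.items():
        if value is None:
            continue
        if name == "hash":
            hash_type(value)                 # raises on a malformed digest
            args["hash"] = value.strip().lower()
        elif name == "filesize":
            if int(value) <= 0:
                raise ValueError("filesize must be a positive byte count")
            args["filesize"] = str(int(value))
        else:
            args[name] = xsoar_escape(str(value))
    return args


def to_cli(args):
    """Render the argument dict as the War Room command line."""
    return "!harfanglab-job-ioc " + " ".join(f'{k}="{v}"' for k, v in args.items())


if __name__ == "__main__":
    agent = "0fae71cf-ebde-4533-a50c-b3c0290378db"
    print(to_cli(ioc_job_args(agent, filepath_regex=literal_path_regex(r"System32\calc.exe"))))
    print(to_cli(ioc_job_args(agent, filename="agent.ini", search_in_path=r"C:\Program Files")))
```

Running it reproduces the `filepath_regex="System32\\\\calc\\.exe"` and `search_in_path="C:\\Program Files"` arguments shown in the examples above, which is the quickest way to confirm the escaping rule still holds after an XSOAR or integration upgrade. Inside a playbook the dict from `ioc_job_args` is what you pass as the command's arguments; `to_cli` is only for the War Room.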
### harfanglab-job-startuplist

Start a job to get the list of startup items from a host (Windows).

#### Base Command

`harfanglab-job-startuplist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-startuplist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-wmilist

Start a job to get the list of WMI items from a host (Windows).

#### Base Command

`harfanglab-job-wmilist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-wmilist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-artifact-mft

Start a job to download the MFT from a host (Windows).

#### Base Command

`harfanglab-job-artifact-mft`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-artifact-mft agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-artifact-hives

Start a job to download the registry hives from a host (Windows).

#### Base Command

`harfanglab-job-artifact-hives`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-artifact-hives agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-artifact-evtx

Start a job to download the event logs from a host (Windows).

#### Base Command

`harfanglab-job-artifact-evtx`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-artifact-evtx agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-artifact-logs

Start a job to download Linux log files from a host (Linux).

#### Base Command

`harfanglab-job-artifact-logs`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-artifact-logs agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-artifact-filesystem

Start a job to download Linux filesystem entries from a host (Linux).

#### Base Command

`harfanglab-job-artifact-filesystem`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-artifact-filesystem agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-artifact-all

Start a job to download all artifacts from a host (Windows: MFT, hives, evt/evtx, Prefetch, USN journal; Linux: logs and file list).

#### Base Command

`harfanglab-job-artifact-all`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-artifact-all agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-artifact-ramdump

Start a job to capture the entire RAM of a host (Windows / Linux). The resulting image is the size of the host's physical memory (the DC-01 example above reports about 2 GB), so allow for transfer time and manager storage before queuing it on many hosts.

#### Base Command

`harfanglab-job-artifact-ramdump`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | HarfangLab job ID |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-artifact-ramdump agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output
harfanglab-telemetry-networkSearch network connections
#
Base Commandharfanglab-telemetry-network
#
InputArgument Name | Description | Required |
---|---|---|
hostname | Endpoint hostname. | Optional |
from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
source_address | Source IP address. | Optional |
source_port | Source port. | Optional |
destination_address | Destination IP address. | Optional |
destination_port | Destination port. | Optional |
limit | Maximum number of elements to fetch. Default is 100. | Optional |
#
Context Output
Path | Type | Description |
---|---|---|
Harfanglab.Telemetrynetwork.network | unknown | Provides a list of network connections |
#
Command example
!harfanglab-telemetry-network hostname="DC-01" limit=5
#
Context Example#
Human Readable Output#
Network list
create date | hostname | image name | username | source address | source port | destination addr | destination port | direction |
---|---|---|---|---|---|---|---|---|
2022-06-29T22:33:42.434000Z | DC-01 | C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM | (REDACTED) | 50000 | (REDACTED) | 443 | out |
2022-06-29T22:24:08.088000Z | DC-01 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 49998 | (REDACTED) | 80 | out |
2022-06-29T22:23:08.037000Z | DC-01 | C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM | (REDACTED) | 49997 | (REDACTED) | 443 | out |
2022-06-29T22:08:07.550000Z | DC-01 | C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM | (REDACTED) | 49996 | (REDACTED) | 443 | out |
2022-06-29T22:04:42.848000Z | DC-01 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 49995 | (REDACTED) | 80 | out |
#
Command example
!harfanglab-telemetry-network destination_address="(REDACTED)" limit=5
#
Context Example#
Human Readable Output#
Network list
create date | hostname | image name | username | source address | source port | destination addr | destination port | direction |
---|---|---|---|---|---|---|---|---|
2022-07-27T14:59:56.114000Z | WORKSTATION-1879 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 62787 | (REDACTED) | 80 | out |
2022-07-27T14:58:43.590000Z | WORKSTATION-3752 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 64593 | (REDACTED) | 80 | out |
2022-07-27T14:49:54.374000Z | WORKSTATION-6852 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 61571 | (REDACTED) | 80 | out |
2022-07-27T14:49:14.813000Z | WORKSTATION-4321 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 61605 | (REDACTED) | 80 | out |
2022-07-27T07:59:49.780000Z | WORKSTATION-1879 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 62472 | (REDACTED) | 80 | out |
#
Command example
!harfanglab-telemetry-network destination_address="(REDACTED)" from_date="2022-07-21T12:34:05" to_date="2022-07-21T12:34:15" limit=5
#
Context Example#
Human Readable Output#
Network list
create date | hostname | image name | username | source address | source port | destination addr | destination port | direction |
---|---|---|---|---|---|---|---|---|
2022-07-21T12:34:09.265000Z | WORKSTATION-4812 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 50363 | (REDACTED) | 80 | out |
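The last example narrows a search to a ten-second window around one connection, which is the usual pivot: take a row from one telemetry command and query the other commands for the same host in the same window. The helper below is an added example written for this page, not code shipped with the integration. It converts the Z-suffixed, microsecond-precision `create date` of the output into the second-precision, zone-less `from_date`/`to_date` arguments the commands accept, and renders the follow-up event log, DNS and network queries in the CLI form shown above. It assumes the manager interprets the zone-less arguments as UTC (the output is in UTC); the sample row is constructed, with a documentation address standing in for the page's redacted destination.

```python
"""Pivot from one harfanglab-telemetry-network row to follow-up telemetry queries."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

ARG_FORMAT = "%Y-%m-%dT%H:%M:%S"            # from_date/to_date format documented above
OUTPUT_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"     # 'create date' format in the command output


def parse_create_date(value: str) -> datetime:
    """Parse a 'create date' cell (UTC, microsecond precision, trailing Z)."""
    return datetime.strptime(value, OUTPUT_FORMAT).replace(tzinfo=timezone.utc)


def pivot_window(create_date: str, seconds: int = 5) -> tuple[str, str]:
    """Return (from_date, to_date) bracketing the pivot timestamp.

    The arguments carry only second precision and no zone designator, so the
    pivot is floored to the second and one extra second is added at the end:
    the pivot second is then inside the window whether the manager treats
    to_date as inclusive or exclusive. Assumption: the manager reads the
    zone-less arguments as UTC, matching the Z-suffixed output.
    """
    pivot = parse_create_date(create_date).replace(microsecond=0)
    start = pivot - timedelta(seconds=seconds)
    end = pivot + timedelta(seconds=seconds + 1)
    return start.strftime(ARG_FORMAT), end.strftime(ARG_FORMAT)


def build_command(name: str, **args) -> str:
    """Render a CLI invocation in the form the examples above use."""
    parts = [f"!{name}"]
    for key, value in args.items():
        if value is None:
            continue
        parts.append(f"{key}={value}" if isinstance(value, int) else f'{key}="{value}"')
    return " ".join(parts)


def pivot_queries(row: dict, seconds: int = 5, limit: int = 100) -> list[str]:
    """Follow-up queries for the host behind one network row: what else the host
    logged, what names it resolved and what else it sent to the same destination
    in the window around the connection."""
    from_date, to_date = pivot_window(row["create date"], seconds)
    common = dict(hostname=row["hostname"], from_date=from_date, to_date=to_date, limit=limit)
    return [
        build_command("harfanglab-telemetry-eventlog", **common),
        build_command("harfanglab-telemetry-dns", **common),
        build_command("harfanglab-telemetry-network",
                      destination_address=row["destination addr"], **common),
    ]


# Constructed row in the shape of the 'Network list' table above; the page's
# redacted destination is replaced by a documentation address.
SAMPLE_ROW = {
    "create date": "2022-07-21T12:34:09.265000Z",
    "hostname": "WORKSTATION-4812",
    "image name": "C:\\Windows\\System32\\svchost.exe",
    "destination addr": "203.0.113.10",
    "destination port": 80,
}

if __name__ == "__main__":
    for cmd in pivot_queries(SAMPLE_ROW, seconds=5, limit=5):
        print(cmd)
```

Running the block prints the three follow-up commands for the sample row with the window `2022-07-21T12:34:04` to `2022-07-21T12:34:15`. Keep `limit` explicit on pivots: the default of 100 silently truncates busy hosts, and a truncated event log window is the classic way to miss the one logon that matters.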
#
harfanglab-telemetry-eventlog
Search event logs
#
Base Command
harfanglab-telemetry-eventlog
#
Input
Argument Name | Description | Required |
---|---|---|
hostname | Endpoint hostname. | Optional |
event_id | Event id. | Optional |
from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
limit | Maximum number of elements to fetch. Default is 100. | Optional |
#
Context Output
Path | Type | Description |
---|---|---|
Harfanglab.Telemetryeventlog.eventlog | unknown | Provides a list of event logs |
#
Command example
!harfanglab-telemetry-eventlog hostname="DC-01" limit=5
#
Context Example#
Human Readable Output#
Event Log list
create date | hostname | event id | source name | log name | keywords | event data | level |
---|---|---|---|---|---|---|---|
2022-07-28T07:29:29.327000Z | DC-01 | 7036 | Service Control Manager | System | Classic | param1: Software Protection<br>param2: stopped<br>Binary: 7300700070007300760063002F0031000000 | Information |
2022-07-28T07:29:29.311000Z | DC-01 | 16384 | Microsoft-Windows-Security-SPP | Application | Classic | param1: 2022-11-12T06:42:29Z<br>param2: RulesEngine | Information |
2022-07-28T07:28:58.905000Z | DC-01 | 16394 | Microsoft-Windows-Security-SPP | Application | Classic | | Information |
2022-07-28T07:28:58.795000Z | DC-01 | 7036 | Service Control Manager | System | Classic | param1: Software Protection<br>param2: running<br>Binary: 7300700070007300760063002F0034000000 | Information |
2022-07-28T07:26:50.139000Z | DC-01 | 7036 | Service Control Manager | System | Classic | param1: Windows Modules Installer<br>param2: stopped<br>Binary: 540072007500730074006500640049006E007300740061006C006C00650072002F0031000000 | Information |
#
Command example
!harfanglab-telemetry-eventlog hostname="DC-01" event_id=4624 limit=5
#
Context Example#
Human Readable Output#
Event Log list
create date | hostname | event id | source name | log name | keywords | event data | level |
---|---|---|---|---|---|---|---|
2022-07-28T07:24:48.105000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18<br>SubjectUserName: DC-01$<br>SubjectDomainName: WORKGROUP<br>SubjectLogonId: 0x3e7<br>TargetUserSid: S-1-5-18<br>TargetUserName: SYSTEM<br>TargetDomainName: NT AUTHORITY<br>TargetLogonId: 0x3e7<br>LogonType: 5<br>LogonProcessName: Advapi<br>AuthenticationPackageName: Negotiate<br>WorkstationName: -<br>LogonGuid: {00000000-0000-0000-0000-000000000000}<br>TransmittedServices: -<br>LmPackageName: -<br>KeyLength: 0<br>ProcessId: 0x278<br>ProcessName: C:\Windows\System32\services.exe<br>IpAddress: -<br>IpPort: -<br>ImpersonationLevel: %%1833<br>RestrictedAdminMode: -<br>TargetOutboundUserName: -<br>TargetOutboundDomainName: -<br>VirtualAccount: %%1843<br>TargetLinkedLogonId: 0x0<br>ElevatedToken: %%1842 | Information |
2022-07-28T06:34:06.425000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18<br>SubjectUserName: DC-01$<br>SubjectDomainName: WORKGROUP<br>SubjectLogonId: 0x3e7<br>TargetUserSid: S-1-5-18<br>TargetUserName: SYSTEM<br>TargetDomainName: NT AUTHORITY<br>TargetLogonId: 0x3e7<br>LogonType: 5<br>LogonProcessName: Advapi<br>AuthenticationPackageName: Negotiate<br>WorkstationName: -<br>LogonGuid: {00000000-0000-0000-0000-000000000000}<br>TransmittedServices: -<br>LmPackageName: -<br>KeyLength: 0<br>ProcessId: 0x278<br>ProcessName: C:\Windows\System32\services.exe<br>IpAddress: -<br>IpPort: -<br>ImpersonationLevel: %%1833<br>RestrictedAdminMode: -<br>TargetOutboundUserName: -<br>TargetOutboundDomainName: -<br>VirtualAccount: %%1843<br>TargetLinkedLogonId: 0x0<br>ElevatedToken: %%1842 | Information |
2022-07-28T06:24:48.107000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18<br>SubjectUserName: DC-01$<br>SubjectDomainName: WORKGROUP<br>SubjectLogonId: 0x3e7<br>TargetUserSid: S-1-5-18<br>TargetUserName: SYSTEM<br>TargetDomainName: NT AUTHORITY<br>TargetLogonId: 0x3e7<br>LogonType: 5<br>LogonProcessName: Advapi<br>AuthenticationPackageName: Negotiate<br>WorkstationName: -<br>LogonGuid: {00000000-0000-0000-0000-000000000000}<br>TransmittedServices: -<br>LmPackageName: -<br>KeyLength: 0<br>ProcessId: 0x278<br>ProcessName: C:\Windows\System32\services.exe<br>IpAddress: -<br>IpPort: -<br>ImpersonationLevel: %%1833<br>RestrictedAdminMode: -<br>TargetOutboundUserName: -<br>TargetOutboundDomainName: -<br>VirtualAccount: %%1843<br>TargetLinkedLogonId: 0x0<br>ElevatedToken: %%1842 | Information |
2022-07-28T05:24:47.496000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18<br>SubjectUserName: DC-01$<br>SubjectDomainName: WORKGROUP<br>SubjectLogonId: 0x3e7<br>TargetUserSid: S-1-5-18<br>TargetUserName: SYSTEM<br>TargetDomainName: NT AUTHORITY<br>TargetLogonId: 0x3e7<br>LogonType: 5<br>LogonProcessName: Advapi<br>AuthenticationPackageName: Negotiate<br>WorkstationName: -<br>LogonGuid: {00000000-0000-0000-0000-000000000000}<br>TransmittedServices: -<br>LmPackageName: -<br>KeyLength: 0<br>ProcessId: 0x278<br>ProcessName: C:\Windows\System32\services.exe<br>IpAddress: -<br>IpPort: -<br>ImpersonationLevel: %%1833<br>RestrictedAdminMode: -<br>TargetOutboundUserName: -<br>TargetOutboundDomainName: -<br>VirtualAccount: %%1843<br>TargetLinkedLogonId: 0x0<br>ElevatedToken: %%1842 | Information |
2022-07-28T04:24:46.833000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18<br>SubjectUserName: DC-01$<br>SubjectDomainName: WORKGROUP<br>SubjectLogonId: 0x3e7<br>TargetUserSid: S-1-5-18<br>TargetUserName: SYSTEM<br>TargetDomainName: NT AUTHORITY<br>TargetLogonId: 0x3e7<br>LogonType: 5<br>LogonProcessName: Advapi<br>AuthenticationPackageName: Negotiate<br>WorkstationName: -<br>LogonGuid: {00000000-0000-0000-0000-000000000000}<br>TransmittedServices: -<br>LmPackageName: -<br>KeyLength: 0<br>ProcessId: 0x278<br>ProcessName: C:\Windows\System32\services.exe<br>IpAddress: -<br>IpPort: -<br>ImpersonationLevel: %%1833<br>RestrictedAdminMode: -<br>TargetOutboundUserName: -<br>TargetOutboundDomainName: -<br>VirtualAccount: %%1843<br>TargetLinkedLogonId: 0x0<br>ElevatedToken: %%1842 | Information |
#
Command example
!harfanglab-telemetry-eventlog event_id=4624 from_date="2022-07-21T21:25:34" to_date="2022-07-23T21:25:34" limit=5
#
Context Example#
Human Readable Output#
Event Log list
create date | hostname | event id | source name | log name | keywords | event data | level |
---|---|---|---|---|---|---|---|
2022-07-23T21:25:18.159000Z | WORKSTATION-1234 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18<br>SubjectUserName: WORKSTATION-123$<br>SubjectDomainName: WORKGROUP<br>SubjectLogonId: 0x3e7<br>TargetUserSid: S-1-5-18<br>TargetUserName: SYSTEM<br>TargetDomainName: NT AUTHORITY<br>TargetLogonId: 0x3e7<br>LogonType: 5<br>LogonProcessName: Advapi<br>AuthenticationPackageName: Negotiate<br>WorkstationName: -<br>LogonGuid: {00000000-0000-0000-0000-000000000000}<br>TransmittedServices: -<br>LmPackageName: -<br>KeyLength: 0<br>ProcessId: 0x280<br>ProcessName: C:\Windows\System32\services.exe<br>IpAddress: -<br>IpPort: -<br>ImpersonationLevel: %%1833<br>RestrictedAdminMode: -<br>TargetOutboundUserName: -<br>TargetOutboundDomainName: -<br>VirtualAccount: %%1843<br>TargetLinkedLogonId: 0x0<br>ElevatedToken: %%1842 | Information |
2022-07-23T21:25:10.765000Z | WEBSERVER | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18<br>SubjectUserName: WEBSERVER$<br>SubjectDomainName: WORKGROUP<br>SubjectLogonId: 0x3e7<br>TargetUserSid: S-1-5-18<br>TargetUserName: SYSTEM<br>TargetDomainName: NT AUTHORITY<br>TargetLogonId: 0x3e7<br>LogonType: 5<br>LogonProcessName: Advapi<br>AuthenticationPackageName: Negotiate<br>WorkstationName: -<br>LogonGuid: {00000000-0000-0000-0000-000000000000}<br>TransmittedServices: -<br>LmPackageName: -<br>KeyLength: 0<br>ProcessId: 0x27c<br>ProcessName: C:\Windows\System32\services.exe<br>IpAddress: -<br>IpPort: -<br>ImpersonationLevel: %%1833<br>RestrictedAdminMode: -<br>TargetOutboundUserName: -<br>TargetOutboundDomainName: -<br>VirtualAccount: %%1843<br>TargetLinkedLogonId: 0x0<br>ElevatedToken: %%1842 | Information |
2022-07-23T21:23:53.410000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18<br>SubjectUserName: DC-01$<br>SubjectDomainName: WORKGROUP<br>SubjectLogonId: 0x3e7<br>TargetUserSid: S-1-5-18<br>TargetUserName: SYSTEM<br>TargetDomainName: NT AUTHORITY<br>TargetLogonId: 0x3e7<br>LogonType: 5<br>LogonProcessName: Advapi<br>AuthenticationPackageName: Negotiate<br>WorkstationName: -<br>LogonGuid: {00000000-0000-0000-0000-000000000000}<br>TransmittedServices: -<br>LmPackageName: -<br>KeyLength: 0<br>ProcessId: 0x278<br>ProcessName: C:\Windows\System32\services.exe<br>IpAddress: -<br>IpPort: -<br>ImpersonationLevel: %%1833<br>RestrictedAdminMode: -<br>TargetOutboundUserName: -<br>TargetOutboundDomainName: -<br>VirtualAccount: %%1843<br>TargetLinkedLogonId: 0x0<br>ElevatedToken: %%1842 | Information |
2022-07-23T21:18:55.338000Z | WORKSTATION-8501 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18<br>SubjectUserName: WORKSTATION-850$<br>SubjectDomainName: WORKGROUP<br>SubjectLogonId: 0x3e7<br>TargetUserSid: S-1-5-18<br>TargetUserName: SYSTEM<br>TargetDomainName: NT AUTHORITY<br>TargetLogonId: 0x3e7<br>LogonType: 5<br>LogonProcessName: Advapi<br>AuthenticationPackageName: Negotiate<br>WorkstationName: -<br>LogonGuid: {00000000-0000-0000-0000-000000000000}<br>TransmittedServices: -<br>LmPackageName: -<br>KeyLength: 0<br>ProcessId: 0x27c<br>ProcessName: C:\Windows\System32\services.exe<br>IpAddress: -<br>IpPort: -<br>ImpersonationLevel: %%1833<br>RestrictedAdminMode: -<br>TargetOutboundUserName: -<br>TargetOutboundDomainName: -<br>VirtualAccount: %%1843<br>TargetLinkedLogonId: 0x0<br>ElevatedToken: %%1842 | Information |
2022-07-23T21:18:53.324000Z | WORKSTATION-8501 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18<br>SubjectUserName: WORKSTATION-850$<br>SubjectDomainName: WORKGROUP<br>SubjectLogonId: 0x3e7<br>TargetUserSid: S-1-5-18<br>TargetUserName: SYSTEM<br>TargetDomainName: NT AUTHORITY<br>TargetLogonId: 0x3e7<br>LogonType: 5<br>LogonProcessName: Advapi<br>AuthenticationPackageName: Negotiate<br>WorkstationName: -<br>LogonGuid: {00000000-0000-0000-0000-000000000000}<br>TransmittedServices: -<br>LmPackageName: -<br>KeyLength: 0<br>ProcessId: 0x27c<br>ProcessName: C:\Windows\System32\services.exe<br>IpAddress: -<br>IpPort: -<br>ImpersonationLevel: %%1833<br>RestrictedAdminMode: -<br>TargetOutboundUserName: -<br>TargetOutboundDomainName: -<br>VirtualAccount: %%1843<br>TargetLinkedLogonId: 0x0<br>ElevatedToken: %%1842 | Information |
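Every 4624 event above is the same thing: LocalSystem (S-1-5-18) logged on with LogonType 5 by services.exe, i.e. a service start, with the Security log's resource strings left undecoded (%%1833 is Impersonation, %%1842 is Yes, %%1843 is No). Read raw, five of those per page hide the one logon that matters. The script below is an added example for this page, not code from the integration: it parses the `event data` cell in the form the command renders it, decodes the logon type and the Yes/No strings, and attaches triage reasons. The reasons are heuristics chosen here (interactive or RDP logon by a user account, NTLM network logon from a remote address, elevated token on a remote logon, cleartext or alternate-credential logon types), not rules the product enforces. The first sample row mirrors the DC-01 event shown above, trimmed to the fields the triage reads; the other two rows, the domain, SIDs and addresses in them, are constructed.

```python
"""Triage Windows 4624 logon events as harfanglab-telemetry-eventlog returns them."""
from __future__ import annotations
from dataclasses import dataclass, field

# Logon types and resource strings as documented by Microsoft for event 4624.
LOGON_TYPES = {
    "2": "Interactive", "3": "Network", "4": "Batch", "5": "Service", "7": "Unlock",
    "8": "NetworkCleartext", "9": "NewCredentials", "10": "RemoteInteractive",
    "11": "CachedInteractive",
}
RESOURCE_STRINGS = {"%%1842": "Yes", "%%1843": "No", "%%1831": "Anonymous",
                    "%%1832": "Identification", "%%1833": "Impersonation",
                    "%%1834": "Delegation"}


def parse_event_data(event_data: str) -> dict[str, str]:
    """Split the 'event data' cell (one 'Key: Value' per line) into a dict."""
    fields: dict[str, str] = {}
    for line in event_data.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


@dataclass
class LogonVerdict:
    timestamp: str
    hostname: str
    target_user: str
    logon_type: str
    source_ip: str
    elevated: str
    reasons: list[str] = field(default_factory=list)


def triage_4624(timestamp: str, hostname: str, event_data: str) -> LogonVerdict:
    """Decode one 4624 event and attach the reasons (heuristics chosen for this
    example, not rules the integration ships) a responder would look at it."""
    f = parse_event_data(event_data)
    target_name = f.get("TargetUserName", "")
    logon_type = LOGON_TYPES.get(f.get("LogonType", ""), "Unknown")
    source_ip = f.get("IpAddress", "-")
    elevated = RESOURCE_STRINGS.get(f.get("ElevatedToken", ""), f.get("ElevatedToken", ""))
    # LocalSystem (S-1-5-18) and machine accounts (trailing $) produce the
    # service-start noise shown on this page; keep them out of the user checks.
    machine = target_name.endswith("$") or f.get("TargetUserSid") == "S-1-5-18"
    remote = source_ip not in ("-", "", "127.0.0.1", "::1")
    auth_pkg = f.get("AuthenticationPackageName", "")
    reasons: list[str] = []
    if not machine and logon_type in ("Interactive", "RemoteInteractive", "CachedInteractive"):
        reasons.append(f"{logon_type} logon by a user account")
    if logon_type == "NetworkCleartext":
        reasons.append("logon type 8: credentials were transmitted in cleartext")
    if logon_type == "NewCredentials":
        reasons.append("logon type 9: alternate credentials (runas /netonly style)")
    if not machine and remote and logon_type == "Network" and auth_pkg == "NTLM":
        reasons.append(f"NTLM network logon from {source_ip}; check for pass-the-hash")
    if not machine and remote and elevated == "Yes":
        reasons.append(f"elevated token granted to a logon from {source_ip}")
    return LogonVerdict(timestamp, hostname, f"{f.get('TargetDomainName', '')}\\{target_name}",
                        logon_type, source_ip, elevated, reasons)


def suspicious_logons(rows) -> list[LogonVerdict]:
    """rows: (create date, hostname, event data) triples from the command output."""
    return [v for v in (triage_4624(*row) for row in rows) if v.reasons]


def _event(**fields) -> str:
    """Render fields as 'Key: Value' lines (constructed sample, trimmed to the fields read here)."""
    return "\n".join(f"{k}: {v}" for k, v in fields.items())


SAMPLE_ROWS = [
    # Mirrors the DC-01 service logon shown above: SYSTEM started by services.exe.
    ("2022-07-28T07:24:48.105000Z", "DC-01", _event(
        TargetUserSid="S-1-5-18", TargetUserName="SYSTEM", TargetDomainName="NT AUTHORITY",
        LogonType=5, AuthenticationPackageName="Negotiate", IpAddress="-",
        ProcessName="C:\\Windows\\System32\\services.exe", ElevatedToken="%%1842")),
    # Constructed: RDP logon by a domain user who received an elevated token.
    ("2022-07-28T08:02:11.000000Z", "WORKSTATION-4812", _event(
        TargetUserSid="S-1-5-21-1-2-3-1105", TargetUserName="jdoe", TargetDomainName="CORP",
        LogonType=10, AuthenticationPackageName="Negotiate", IpAddress="10.20.30.40",
        ElevatedToken="%%1842")),
    # Constructed: NTLM network logon as the built-in Administrator from another host.
    ("2022-07-28T08:05:40.000000Z", "DC-01", _event(
        TargetUserSid="S-1-5-21-1-2-3-500", TargetUserName="Administrator", TargetDomainName="CORP",
        LogonType=3, AuthenticationPackageName="NTLM", IpAddress="10.20.30.41",
        ElevatedToken="%%1842")),
]

if __name__ == "__main__":
    for v in suspicious_logons(SAMPLE_ROWS):
        print(v.timestamp, v.hostname, v.target_user, v.logon_type, v.source_ip, "; ".join(v.reasons))
```

The baseline SYSTEM row produces no reasons and drops out; the two constructed rows are returned with their decoded logon type and source address, which is what you want to pivot into `harfanglab-telemetry-authentication-windows` (filter on `source_address` and `target_username`) or the network telemetry for the same window.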
#
harfanglab-telemetry-binary
Search for binaries
#
Base Command
harfanglab-telemetry-binary
#
Input
Argument Name | Description | Required |
---|---|---|
from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
hash | filehash to search (md5, sha1, sha256). | Optional |
limit | Maximum number of elements to fetch. Default is 100. | Optional |
#
Context Output
Path | Type | Description |
---|---|---|
Harfanglab.Telemetrybinary.binary | unknown | Provides a list of binaries with associated download links. |
#
Command example
!harfanglab-telemetry-binary hash=2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5
#
Context Example#
Human Readable Output#
Binary list
name | path | size | sha256 | download link |
---|---|---|---|---|
hurukai | /opt/hurukai/hurukai | 5882824 | 2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5 | https://my_edr_stack:8443/api/data/telemetry/Binary/download/2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5/?hl_expiring_key=0123456789abcdef |
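Two things about that download link deserve handling code. The path carries the SHA-256 of the binary, so whatever comes back can be checked against the hash you asked for before it is stored or detonated. And the `hl_expiring_key` query parameter is a bearer credential: until it expires, anyone holding the link can fetch the sample, so it should not be pasted into tickets or logs as-is. The helper below is an added example for this page, not code from the integration; it parses the link in the exact shape shown above, verifies the bytes, and redacts the key for logging. The network fetch is injected as a callable so the example runs offline; the sample bytes and the link built for their digest are constructed, and `my_edr_stack` is the page's placeholder host.

```python
"""Handle the download link harfanglab-telemetry-binary returns for a binary."""
from __future__ import annotations
import hashlib
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Link exactly as shown in the example above (my_edr_stack is the page's placeholder host).
PAGE_LINK = ("https://my_edr_stack:8443/api/data/telemetry/Binary/download/"
             "2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5/"
             "?hl_expiring_key=0123456789abcdef")


def parse_download_link(link: str) -> tuple[str, str]:
    """Return (sha256, expiring key) from a download link of the form above."""
    parts = urlsplit(link)
    segments = [s for s in parts.path.split("/") if s]
    try:
        digest = segments[segments.index("download") + 1].lower()
    except (ValueError, IndexError):
        raise ValueError("download link has no hash segment") from None
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("hash segment is not a SHA-256 hex digest")
    key = parse_qs(parts.query).get("hl_expiring_key", [""])[0]
    return digest, key


def redact_link(link: str) -> str:
    """Replace the expiring key before the link goes into a ticket, note or log:
    until it expires it grants anyone holding it the same download."""
    parts = urlsplit(link)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "hl_expiring_key" in query:
        query["hl_expiring_key"] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def verify_sample(data: bytes, expected_sha256: str) -> bool:
    """True when the bytes hash to the digest the link (and the telemetry row) promised."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def fetch_and_verify(link: str, fetch) -> bytes:
    """fetch(link) -> bytes is injected so this runs offline; in production it is an
    HTTPS GET that validates the manager's certificate. The hash in the path is the
    acceptance criterion: a mismatch means the wrong file, a truncated download or
    a tampered sample, and the bytes are discarded."""
    expected, _key = parse_download_link(link)
    data = fetch(link)
    if not verify_sample(data, expected):
        raise ValueError(f"SHA-256 mismatch for {redact_link(link)}")
    return data


# Constructed sample bytes (not a real binary) and a link built for their digest.
SAMPLE_BYTES = b"MZ\x90\x00" + b"constructed sample payload for the example"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()
SAMPLE_LINK = PAGE_LINK.replace(
    "2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5", SAMPLE_SHA256)

if __name__ == "__main__":
    blob = fetch_and_verify(SAMPLE_LINK, lambda _link: SAMPLE_BYTES)
    print(len(blob), "bytes verified against", redact_link(SAMPLE_LINK))
```

Note that the error message carries the redacted link, so a failed verification can be logged without leaking the key. Do not disable certificate validation on the fetch to work around the "Trust any certificate" toggle in the integration settings: the key in the URL and the sample bytes are exactly what an on-path attacker would want.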
#
harfanglab-telemetry-dns
Search DNS resolutions
#
Base Command
harfanglab-telemetry-dns
#
Input
Argument Name | Description | Required |
---|---|---|
hostname | Endpoint hostname. | Optional |
requested_name | Requested domain name. | Optional |
query_type | DNS type (A, AAAA, TXT...). | Optional |
from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
limit | Maximum number of elements to fetch. Default is 100. | Optional |
#
Context Output
Path | Type | Description |
---|---|---|
Harfanglab.TelemetryDNS.resolutions | unknown | Provides a list of DNS resolutions |
#
Command example
!harfanglab-telemetry-dns requested_name=download.windowsupdate.com hostname=webserver
#
Context Example#
Human Readable Output#
harfanglab-telemetry-authentication-windows
Search Windows authentication telemetry
#
Base Command
harfanglab-telemetry-authentication-windows
#
Input
Argument Name | Description | Required |
---|---|---|
hostname | Endpoint hostname. | Optional |
source_address | Source IP address. | Optional |
success | Whether authentication succeeded or not. | Optional |
source_username | Source username. | Optional |
target_username | Target username. | Optional |
logon_title | Logon title. | Optional |
from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
limit | Maximum number of elements to fetch. Default is 100. | Optional |
#
Context Output
Path | Type | Description |
---|---|---|
Harfanglab.TelemetryWindowsAuthentications.authentications | unknown | Provides a list of Windows authentications |
#
Command example
!harfanglab-telemetry-authentication-windows limit=5 target_username=vagrant
#
Context Example#
Human Readable Output#
harfanglab-telemetry-authentication-linux
Search Linux authentication telemetry
#
Base Command
harfanglab-telemetry-authentication-linux
#
Input
Argument Name | Description | Required |
---|---|---|
hostname | Endpoint hostname. | Optional |
source_address | Source IP address. | Optional |
success | Whether authentication succeeded or not. | Optional |
source_username | Source username. | Optional |
target_username | Target username. | Optional |
from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
limit | Maximum number of elements to fetch. Default is 100. | Optional |
#
Context Output
Path | Type | Description |
---|---|---|
Harfanglab.TelemetryLinuxAuthentications.authentications | unknown | Provides a list of Linux authentications |
#
harfanglab-telemetry-authentication-macos
Search macOS authentication telemetry
#
Base Command
harfanglab-telemetry-authentication-macos
#
Input
Argument Name | Description | Required |
---|---|---|
hostname | Endpoint hostname. | Optional |
source_address | Source IP address. | Optional |
success | Whether authentication succeeded or not. | Optional |
source_username | Source username. | Optional |
target_username | Target username. | Optional |
from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
limit | Maximum number of elements to fetch. Default is 100. | Optional |
#
Context Output
Path | Type | Description |
---|---|---|
Harfanglab.TelemetryMacosAuthentications.authentications | unknown | Provides a list of macOS authentications |
#
harfanglab-telemetry-authentication-users
Get the top N users who successfully authenticated on the host
#
Base Command
harfanglab-telemetry-authentication-users
#
Input
Argument Name | Description | Required |
---|---|---|
hostname | Endpoint hostname. | Required |
from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
limit | Fetch only the top N users who successfully authenticated on the host. Default is 3. | Optional |
#
Context Output
Path | Type | Description |
---|---|---|
Harfanglab.Authentications.Users | unknown | Provides a list of users who successfully authenticated on the host with interactive logon (sorted per decreasing occurrence) |
#
Command example
!harfanglab-telemetry-authentication-users hostname=CL-Ep2-Win11 limit=4
#
Context Example#
Human Readable Output#
Top None authentications
Username | Authentication attempts |
---|---|
CL-EP2-WIN11\hladmin | 4 |
hladmin | 2 |
#
harfanglab-telemetry-process-graph
Get a process graph
#
Base Command
harfanglab-telemetry-process-graph
#
Input
Argument Name | Description | Required |
---|---|---|
process_uuid | Process UUID. | Optional |
#
Context Output
Path | Type | Description |
---|---|---|
Harfanglab.ProcessGraph | unknown | Process Graph |
#
Command example
!harfanglab-telemetry-process-graph process_uuid=37d378de-b558-4597-e820-009fa44c4c03