HarfangLab EDR

This Integration is part of the HarfangLab EDR Pack.

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

HarfangLab EDR Connector, compatible with version 2.13.7 and later. This integration was integrated and tested with version 2.13.7+ of Hurukai.

Configure HarfangLab EDR on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for HarfangLab EDR.

  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| API URL | | True |
| Fetch incidents | | False |
| Incident type | | False |
| API Key | | False |
| Incidents Fetch Interval | | False |
| Fetch alerts with type | Comma-separated list of types of alerts to fetch (sigma, yara, hlai, vt, ransom, ioc, glimps, orion...). | False |
| Minimum severity of alerts to fetch | | True |
| Fetch alerts with status (ACTIVE, CLOSED) | | False |
| Maximum number of incidents to fetch per call | Fetch at most <max_fetch> security events and/or threats per call (leave empty for no limit). | False |
| First fetch time | Start fetching alerts and/or threats whose creation date is later than now minus <first_fetch> days. | True |
| Mirroring Direction | Choose the direction in which to mirror the detection: Incoming (from HarfangLab EDR to Cortex XSOAR), Outgoing (from Cortex XSOAR to HarfangLab EDR), or Incoming and Outgoing (both directions). | False |
| Fetch types | | True |
| Close Mirrored security event or threat in the XSOAR | When selected, closes the XSOAR incident that is mirrored from the HarfangLab EDR. | False |
| Close Mirrored security event or threat in HarfangLab EDR | When selected, closes the mirrored security event or threat in the HarfangLab EDR. | False |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

fetch-incidents#


Retrieves incidents from the HarfangLab EDR API.

Base Command#

fetch-incidents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |

Context Output#

There is no context output for this command.

harfanglab-get-endpoint-info#


Get endpoint information for an agent_id.

Base Command#

harfanglab-get-endpoint-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Agent | unknown | Agent information |

Command example#

!harfanglab-get-endpoint-info agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Agent": {
"additional_info": {
"additional_info1": null,
"additional_info2": null,
"additional_info3": null,
"additional_info4": null
},
"avg_cpu": 1,
"avg_memory": 183558144,
"bitness": "x64",
"cpu_count": 2,
"cpu_frequency": 3192,
"distroid": null,
"dnsdomainname": null,
"domain": null,
"domainname": "WORKGROUP",
"driver_enabled": true,
"driver_policy": false,
"effective_policy_id": "e96699ef-3dd9-4718-90ef-c7e5646fd466",
"effective_policy_revision": 5,
"external_ipaddress": "(REDACTED)",
"firstseen": "2022-06-15T06:42:50.008015Z",
"group_count": 0,
"groups": [],
"hostname": "DC-01",
"id": "0fae71cf-ebde-4533-a50c-b3c0290378db",
"installdate": "2022/06/15 06:38:58",
"ipaddress": "(REDACTED)",
"ipmask": "(REDACTED)",
"isolation_policy": false,
"isolation_state": true,
"lastseen": "2022-07-28T07:41:32.197641Z",
"lastseen_error": "2022-07-28T07:47:02.197641Z",
"lastseen_warning": "2022-07-28T07:43:44.197641Z",
"machine_boottime": "2022-06-28T14:18:31Z",
"osbuild": 20348,
"osid": "00454-40000-00001-AA596",
"osmajor": 10,
"osminor": 0,
"osproducttype": "Windows Server 2022 Standard Evaluation",
"ostype": "windows",
"osversion": "10.0.20348",
"policy": {
"binary_download_enabled": true,
"description": "",
"hibou_minimum_level": "critical",
"hibou_mode": 0,
"hibou_skip_signed_ms": false,
"hibou_skip_signed_others": false,
"hlai_minimum_level": "critical",
"hlai_mode": 1,
"hlai_skip_signed_ms": true,
"hlai_skip_signed_others": false,
"id": "e96699ef-3dd9-4718-90ef-c7e5646fd466",
"ioc_mode": 2,
"ioc_ruleset": null,
"loglevel": "ERROR",
"name": "No psexec",
"ransomguard_alert_only": false,
"revision": 5,
"self_protection": false,
"sigma_ruleset": 1,
"sleepjitter": 10,
"sleeptime": 60,
"telemetry_alerts_limit": false,
"telemetry_alerts_limit_value": 1000,
"telemetry_log": true,
"telemetry_log_limit": false,
"telemetry_log_limit_value": 1000,
"telemetry_network": true,
"telemetry_network_limit": false,
"telemetry_network_limit_value": 1000,
"telemetry_process": true,
"telemetry_process_limit": false,
"telemetry_process_limit_value": 1000,
"telemetry_remotethread": true,
"telemetry_remotethread_limit": false,
"telemetry_remotethread_limit_value": 1000,
"tenant": null,
"use_driver": true,
"use_isolation": true,
"use_process_block": true,
"use_ransomguard": true,
"use_sigma": true,
"use_sigma_process_block": false,
"yara_mode": 1,
"yara_ruleset": null,
"yara_skip_signed_ms": true,
"yara_skip_signed_others": false
},
"producttype": "server",
"servicepack": null,
"starttime": "2022-06-28T14:18:47Z",
"status": "online",
"tenant": null,
"total_memory": 2133962752,
"uninstall_status": 0,
"update_experimental": false,
"update_status": 0,
"version": "2.15.0"
}
}
}

Human Readable Output#

Endpoint information for agent_id : 0fae71cf-ebde-4533-a50c-b3c0290378db#

| Field | Value |
| --- | --- |
| additional_info | additional_info1: null, additional_info2: null, additional_info3: null, additional_info4: null |
| avg_cpu | 1.0 |
| avg_memory | 183558144.0 |
| bitness | x64 |
| cpu_count | 2 |
| cpu_frequency | 3192 |
| domainname | WORKGROUP |
| driver_enabled | true |
| driver_policy | false |
| effective_policy_id | e96699ef-3dd9-4718-90ef-c7e5646fd466 |
| effective_policy_revision | 5 |
| external_ipaddress | (REDACTED) |
| firstseen | 2022-06-15T06:42:50.008015Z |
| group_count | 0 |
| hostname | DC-01 |
| id | 0fae71cf-ebde-4533-a50c-b3c0290378db |
| installdate | 2022/06/15 06:38:58 |
| ipaddress | (REDACTED) |
| ipmask | (REDACTED) |
| isolation_policy | false |
| isolation_state | true |
| lastseen | 2022-07-28T07:41:32.197641Z |
| lastseen_error | 2022-07-28T07:47:02.197641Z |
| lastseen_warning | 2022-07-28T07:43:44.197641Z |
| machine_boottime | 2022-06-28T14:18:31Z |
| osbuild | 20348 |
| osid | 00454-40000-00001-AA596 |
| osmajor | 10 |
| osminor | 0 |
| osproducttype | Windows Server 2022 Standard Evaluation |
| ostype | windows |
| osversion | 10.0.20348 |
| policy.id | e96699ef-3dd9-4718-90ef-c7e5646fd466 |
| policy.tenant | null |
| policy.name | No psexec |
| policy.description | |
| policy.revision | 5 |
| policy.sleeptime | 60 |
| policy.sleepjitter | 10 |
| policy.telemetry_process | true |
| policy.telemetry_process_limit | false |
| policy.telemetry_process_limit_value | 1000 |
| policy.telemetry_network | true |
| policy.telemetry_network_limit | false |
| policy.telemetry_network_limit_value | 1000 |
| policy.telemetry_log | true |
| policy.telemetry_log_limit | false |
| policy.telemetry_log_limit_value | 1000 |
| policy.telemetry_remotethread | true |
| policy.telemetry_remotethread_limit | false |
| policy.telemetry_remotethread_limit_value | 1000 |
| policy.telemetry_alerts_limit | false |
| policy.telemetry_alerts_limit_value | 1000 |
| policy.binary_download_enabled | true |
| policy.loglevel | ERROR |
| policy.use_sigma | true |
| policy.ioc_mode | 2 |
| policy.hlai_mode | 1 |
| policy.hlai_skip_signed_ms | true |
| policy.hlai_skip_signed_others | false |
| policy.hlai_minimum_level | critical |
| policy.hibou_mode | 0 |
| policy.hibou_skip_signed_ms | false |
| policy.hibou_skip_signed_others | false |
| policy.hibou_minimum_level | critical |
| policy.yara_mode | 1 |
| policy.yara_skip_signed_ms | true |
| policy.yara_skip_signed_others | false |
| policy.use_driver | true |
| policy.use_isolation | true |
| policy.use_ransomguard | true |
| policy.ransomguard_alert_only | false |
| policy.self_protection | false |
| policy.use_process_block | true |
| policy.use_sigma_process_block | false |
| policy.sigma_ruleset | 1 |
| policy.yara_ruleset | null |
| policy.ioc_ruleset | null |
| producttype | server |
| starttime | 2022-06-28T14:18:47Z |
| status | online |
| total_memory | 2133962752.0 |
| uninstall_status | 0 |
| update_experimental | false |
| update_status | 0 |
| version | 2.15.0 |

harfanglab-endpoint-search#


Search for endpoint information by hostname.

Base Command#

harfanglab-endpoint-search

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | Endpoint hostname. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Agent | unknown | Agent information. |
| Harfanglab.Agent.id | string | Agent id (DEPRECATED) |
| Harfanglab.status | string | Status (DEPRECATED) |

Command example#

!harfanglab-endpoint-search hostname="DC-01"

Context Example#

{
"Harfanglab": {
"Agent": {
"additional_info": {
"additional_info1": null,
"additional_info2": null,
"additional_info3": null,
"additional_info4": null
},
"avg_cpu": 0.6,
"avg_memory": 125627596,
"bitness": "x64",
"cpu_count": 2,
"cpu_frequency": 3192,
"distroid": null,
"dnsdomainname": null,
"domain": null,
"domainname": "WORKGROUP",
"driver_enabled": true,
"driver_policy": false,
"external_ipaddress": "(REDACTED)",
"firstseen": "2022-06-14T22:23:08.393381Z",
"group_count": 0,
"groups": [],
"hostname": "DC-01",
"id": "706d4524-dc2d-4438-bfef-3b620646db7f",
"installdate": "2022/06/14 21:56:49",
"ipaddress": "(REDACTED)",
"ipmask": "(REDACTED)",
"isolation_policy": false,
"isolation_state": false,
"lastseen": "2022-06-15T06:33:46.544505Z",
"lastseen_error": "2022-06-15T06:39:16.544505Z",
"lastseen_warning": "2022-06-15T06:35:58.544505Z",
"machine_boottime": "2022-06-14T22:00:23Z",
"osbuild": 20348,
"osid": "00454-40000-00001-AA081",
"osmajor": 10,
"osminor": 0,
"osproducttype": "Windows Server 2022 Standard Evaluation",
"ostype": "windows",
"osversion": "10.0.20348",
"policy": {
"binary_download_enabled": true,
"description": "",
"hibou_minimum_level": "critical",
"hibou_mode": 0,
"hibou_skip_signed_ms": false,
"hibou_skip_signed_others": false,
"hlai_minimum_level": "critical",
"hlai_mode": 1,
"hlai_skip_signed_ms": true,
"hlai_skip_signed_others": false,
"id": "e96699ef-3dd9-4718-90ef-c7e5646fd466",
"ioc_mode": 2,
"ioc_ruleset": null,
"loglevel": "ERROR",
"name": "No psexec",
"ransomguard_alert_only": false,
"revision": 5,
"self_protection": false,
"sigma_ruleset": 1,
"sleepjitter": 10,
"sleeptime": 60,
"telemetry_alerts_limit": false,
"telemetry_alerts_limit_value": 1000,
"telemetry_log": true,
"telemetry_log_limit": false,
"telemetry_log_limit_value": 1000,
"telemetry_network": true,
"telemetry_network_limit": false,
"telemetry_network_limit_value": 1000,
"telemetry_process": true,
"telemetry_process_limit": false,
"telemetry_process_limit_value": 1000,
"telemetry_remotethread": true,
"telemetry_remotethread_limit": false,
"telemetry_remotethread_limit_value": 1000,
"tenant": null,
"use_driver": true,
"use_isolation": true,
"use_process_block": true,
"use_ransomguard": true,
"use_sigma": true,
"use_sigma_process_block": false,
"yara_mode": 1,
"yara_ruleset": null,
"yara_skip_signed_ms": true,
"yara_skip_signed_others": false
},
"producttype": "server",
"servicepack": null,
"starttime": "2022-06-14T22:02:32Z",
"status": "offline",
"tenant": null,
"total_memory": 2133962752,
"uninstall_status": 0,
"update_experimental": false,
"update_status": 0,
"version": "2.15.0"
}
}
}

Human Readable Output#

Endpoint information for Hostname : DC-01#

| Field | Agent 0fae71cf-ebde-4533-a50c-b3c0290378db | Agent 706d4524-dc2d-4438-bfef-3b620646db7f |
| --- | --- | --- |
| additional_info | additional_info1: null, additional_info2: null, additional_info3: null, additional_info4: null | additional_info1: null, additional_info2: null, additional_info3: null, additional_info4: null |
| avg_cpu | 1.0 | 0.6 |
| avg_memory | 183558144.0 | 125627596.0 |
| bitness | x64 | x64 |
| cpu_count | 2 | 2 |
| cpu_frequency | 3192 | 3192 |
| domainname | WORKGROUP | WORKGROUP |
| driver_enabled | true | true |
| driver_policy | false | false |
| external_ipaddress | (REDACTED) | (REDACTED) |
| firstseen | 2022-06-15T06:42:50.008015Z | 2022-06-14T22:23:08.393381Z |
| group_count | 0 | 0 |
| hostname | DC-01 | DC-01 |
| id | 0fae71cf-ebde-4533-a50c-b3c0290378db | 706d4524-dc2d-4438-bfef-3b620646db7f |
| installdate | 2022/06/15 06:38:58 | 2022/06/14 21:56:49 |
| ipaddress | (REDACTED) | (REDACTED) |
| ipmask | (REDACTED) | (REDACTED) |
| isolation_policy | false | false |
| isolation_state | true | false |
| lastseen | 2022-07-28T07:41:32.197641Z | 2022-06-15T06:33:46.544505Z |
| lastseen_error | 2022-07-28T07:47:02.197641Z | 2022-06-15T06:39:16.544505Z |
| lastseen_warning | 2022-07-28T07:43:44.197641Z | 2022-06-15T06:35:58.544505Z |
| machine_boottime | 2022-06-28T14:18:31Z | 2022-06-14T22:00:23Z |
| osbuild | 20348 | 20348 |
| osid | 00454-40000-00001-AA596 | 00454-40000-00001-AA081 |
| osmajor | 10 | 10 |
| osminor | 0 | 0 |
| osproducttype | Windows Server 2022 Standard Evaluation | Windows Server 2022 Standard Evaluation |
| ostype | windows | windows |
| osversion | 10.0.20348 | 10.0.20348 |
| policy.id | e96699ef-3dd9-4718-90ef-c7e5646fd466 | e96699ef-3dd9-4718-90ef-c7e5646fd466 |
| policy.tenant | null | null |
| policy.name | No psexec | No psexec |
| policy.description | | |
| policy.revision | 5 | 5 |
| policy.sleeptime | 60 | 60 |
| policy.sleepjitter | 10 | 10 |
| policy.telemetry_process | true | true |
| policy.telemetry_process_limit | false | false |
| policy.telemetry_process_limit_value | 1000 | 1000 |
| policy.telemetry_network | true | true |
| policy.telemetry_network_limit | false | false |
| policy.telemetry_network_limit_value | 1000 | 1000 |
| policy.telemetry_log | true | true |
| policy.telemetry_log_limit | false | false |
| policy.telemetry_log_limit_value | 1000 | 1000 |
| policy.telemetry_remotethread | true | true |
| policy.telemetry_remotethread_limit | false | false |
| policy.telemetry_remotethread_limit_value | 1000 | 1000 |
| policy.telemetry_alerts_limit | false | false |
| policy.telemetry_alerts_limit_value | 1000 | 1000 |
| policy.binary_download_enabled | true | true |
| policy.loglevel | ERROR | ERROR |
| policy.use_sigma | true | true |
| policy.ioc_mode | 2 | 2 |
| policy.hlai_mode | 1 | 1 |
| policy.hlai_skip_signed_ms | true | true |
| policy.hlai_skip_signed_others | false | false |
| policy.hlai_minimum_level | critical | critical |
| policy.hibou_mode | 0 | 0 |
| policy.hibou_skip_signed_ms | false | false |
| policy.hibou_skip_signed_others | false | false |
| policy.hibou_minimum_level | critical | critical |
| policy.yara_mode | 1 | 1 |
| policy.yara_skip_signed_ms | true | true |
| policy.yara_skip_signed_others | false | false |
| policy.use_driver | true | true |
| policy.use_isolation | true | true |
| policy.use_ransomguard | true | true |
| policy.ransomguard_alert_only | false | false |
| policy.self_protection | false | false |
| policy.use_process_block | true | true |
| policy.use_sigma_process_block | false | false |
| policy.sigma_ruleset | 1 | 1 |
| policy.yara_ruleset | null | null |
| policy.ioc_ruleset | null | null |
| producttype | server | server |
| starttime | 2022-06-28T14:18:47Z | 2022-06-14T22:02:32Z |
| status | online | offline |
| total_memory | 2133962752.0 | 2133962752.0 |
| uninstall_status | 0 | 0 |
| update_experimental | false | false |
| update_status | 0 | 0 |
| version | 2.15.0 | 2.15.0 |
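A posture check over Harfanglab.Agent records such as the ones returned by harfanglab-get-endpoint-info and harfanglab-endpoint-search above, added here as an example and not part of the integration or of Cortex XSOAR: it reads the fields shown in the context examples (driver_enabled, isolation_state, policy.self_protection, status, lastseen) and flags hostnames with more than one agent record, which is exactly what the search for DC-01 returned. The sample records are the page's two agents trimmed to those fields; the 7-day staleness threshold and the reading of isolation_state as the host's live isolation status are assumptions.

```python
"""Posture checks over Harfanglab.Agent context records.

Added example, not code from the HarfangLab EDR integration or Cortex XSOAR. Field
names follow the harfanglab-get-endpoint-info / harfanglab-endpoint-search context
examples; SAMPLE_AGENTS are those two records trimmed to the fields read here.
Assumptions: isolation_state is read as the host's live network-isolation state
(isolation_policy being the policy default), and 7 days is the staleness threshold.
"""
from datetime import datetime, timedelta, timezone

AGENT_ONLINE = "0fae71cf-ebde-4533-a50c-b3c0290378db"
AGENT_OFFLINE = "706d4524-dc2d-4438-bfef-3b620646db7f"
POLICY = {"name": "No psexec", "revision": 5, "self_protection": False,
          "use_driver": True, "telemetry_process": True}

# Constructed from the two Harfanglab.Agent records shown on this page (subset of keys)
SAMPLE_AGENTS = [
    {"hostname": "DC-01", "id": AGENT_ONLINE, "status": "online",
     "lastseen": "2022-07-28T07:41:32.197641Z", "driver_enabled": True,
     "isolation_policy": False, "isolation_state": True, "version": "2.15.0",
     "policy": POLICY},
    {"hostname": "DC-01", "id": AGENT_OFFLINE, "status": "offline",
     "lastseen": "2022-06-15T06:33:46.544505Z", "driver_enabled": True,
     "isolation_policy": False, "isolation_state": False, "version": "2.15.0",
     "policy": POLICY},
]
# Fixed "now" so the sample is reproducible (shortly after the newest lastseen above)
REFERENCE_NOW = datetime(2022, 7, 28, 8, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the Manager's ISO-8601 UTC timestamps (trailing 'Z') into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_agent(agent, now, stale_after=timedelta(days=7)):
    """Return the list of findings for one Harfanglab.Agent record."""
    findings = []
    policy = agent.get("policy") or {}
    if not agent.get("driver_enabled"):
        findings.append("kernel driver not enabled")
    if not policy.get("self_protection"):
        findings.append("policy %r has self_protection disabled" % policy.get("name"))
    if not policy.get("telemetry_process"):
        findings.append("process telemetry disabled")
    # Assumption: isolation_state is the live state, isolation_policy the policy default,
    # so state without policy means the host was isolated by a response action.
    if agent.get("isolation_state") and not agent.get("isolation_policy"):
        findings.append("host is network-isolated outside its policy default")
    if agent.get("status") != "online" and now - parse_ts(agent["lastseen"]) > stale_after:
        findings.append("agent offline, last seen %s" % agent["lastseen"])
    return findings


def duplicate_hostnames(agents):
    """hostname -> agent ids, for hostnames registered more than once (stale records)."""
    by_host = {}
    for agent in agents:
        by_host.setdefault(agent["hostname"], []).append(agent["id"])
    return {host: ids for host, ids in by_host.items() if len(ids) > 1}


def triage(agents, now=None):
    """agent id -> findings, including one finding per duplicated hostname."""
    now = now or datetime.now(timezone.utc)
    report = {agent["id"]: check_agent(agent, now) for agent in agents}
    for host, ids in duplicate_hostnames(agents).items():
        for agent_id in ids:
            report[agent_id].append("hostname %s has %d agent records" % (host, len(ids)))
    return report


def run_sample():
    """Triage the constructed sample against REFERENCE_NOW."""
    return triage(SAMPLE_AGENTS, REFERENCE_NOW)


if __name__ == "__main__":
    for agent_id, findings in run_sample().items():
        print(agent_id)
        for finding in findings:
            print("  -", finding)
```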

harfanglab-api-call#


Perform a generic call against the HarfangLab EDR API.

Base Command#

harfanglab-api-call

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| api_method | API method (GET, POST...). | Required |
| api_endpoint | API endpoint (/api/version, /api/data/alert/alert/Alert/...). | Optional |
| parameters | URL parameters. | Optional |
| data | Posted data. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.API | unknown | API call result |

Command example#

!harfanglab-api-call api_method=GET api_endpoint=/api/version

Context Example#

{
"Harfanglab": {
"API": {
"version": "2.29.7"
}
}
}

Human Readable Output#

Results#

| version |
| --- |
| 2.29.7 |

harfanglab-telemetry-processes#


Search process telemetry.

Base Command#

harfanglab-telemetry-processes

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hash | File hash to search (md5, sha1, sha256). | Optional |
| hostname | Endpoint hostname. | Optional |
| from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| limit | Maximum number of elements to fetch. Default is 100. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Telemetryprocesses.processes | unknown | Provides a list of processes |
| agent.agentid | unknown | DEPRECATED |
| current_directory | unknown | DEPRECATED |
| hashes.sha256 | unknown | DEPRECATED |

Command example#

!harfanglab-telemetry-processes hostname="DC-01" hash=3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 limit=5

Context Example#

{
"Harfanglab": {
"Telemetryprocesses": {
"processes": [
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T07:28:58.757000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T06:58:58.227000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T06:28:57.663000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T05:58:57.147000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T05:28:56.585000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
}
]
}
}
}

Human Readable Output#

Processes list#

| create date | hostname | process name | image name | commandline | integrity level | parent image | parent commandline | username | signed | signer | sha256 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-07-28T07:28:58.757000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T06:58:58.227000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T06:28:57.663000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T05:58:57.147000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T05:28:56.585000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |

Command example#

!harfanglab-telemetry-processes hostname="DC-01" limit=5

Context Example#

{
"Harfanglab": {
"Telemetryprocesses": {
"processes": [
{
"commandline": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe /ua /installsource scheduler",
"create date": "2022-07-28T07:45:44.942000Z",
"hostname": "DC-01",
"image name": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
"parent image": "C:\\Windows\\System32\\svchost.exe",
"process name": "MicrosoftEdgeUpdate.exe",
"sha256": "bef9dbed290af17cf3f30cc43fc0a94cdadc540f171c25df1363b2e852d0a042",
"signed": true,
"signer": "Microsoft Corporation",
"username": "NT AUTHORITY\\SYSTEM"
},
{
"commandline": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
"create date": "2022-07-28T07:45:44.711000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\conhost.exe",
"integrity level": "System",
"parent commandline": "C:\\Program Files\\HarfangLab\\hurukai.exe {cf4a9162-2af0-0afe-8c36-45fd3dd29574}",
"parent image": "C:\\Program Files\\HarfangLab\\hurukai.exe",
"process name": "conhost.exe",
"sha256": "6b481d656414c50d8bd0bedcd615aeaf2f5f68576cb6732a9548e0da87729733",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\SYSTEM"
},
{
"commandline": "C:\\Program Files\\HarfangLab\\hurukai.exe {cf4a9162-2af0-0afe-8c36-45fd3dd29574}",
"create date": "2022-07-28T07:45:44.704000Z",
"hostname": "DC-01",
"image name": "C:\\Program Files\\HarfangLab\\hurukai.exe",
"integrity level": "System",
"parent commandline": "C:\\Program Files\\HarfangLab\\hurukai.exe",
"parent image": "C:\\Program Files\\HarfangLab\\hurukai.exe",
"process name": "hurukai.exe",
"sha256": "9d81d385fe2f41e8f4f96d64a37899003b54a644ba67f7197f0cdbd0b71144f0",
"signed": true,
"signer": "HARFANGLAB SAS",
"username": "NT AUTHORITY\\SYSTEM"
},
{
"commandline": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
"create date": "2022-07-28T07:44:40.370000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\conhost.exe",
"integrity level": "System",
"parent commandline": "C:\\Program Files\\HarfangLab\\hurukai.exe {e273729b-d2f8-53a9-a10f-a60459dacc23}",
"parent image": "C:\\Program Files\\HarfangLab\\hurukai.exe",
"process name": "conhost.exe",
"sha256": "6b481d656414c50d8bd0bedcd615aeaf2f5f68576cb6732a9548e0da87729733",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\SYSTEM"
},
{
"commandline": "C:\\Program Files\\HarfangLab\\hurukai.exe {e273729b-d2f8-53a9-a10f-a60459dacc23}",
"create date": "2022-07-28T07:44:40.363000Z",
"hostname": "DC-01",
"image name": "C:\\Program Files\\HarfangLab\\hurukai.exe",
"integrity level": "System",
"parent commandline": "C:\\Program Files\\HarfangLab\\hurukai.exe",
"parent image": "C:\\Program Files\\HarfangLab\\hurukai.exe",
"process name": "hurukai.exe",
"sha256": "9d81d385fe2f41e8f4f96d64a37899003b54a644ba67f7197f0cdbd0b71144f0",
"signed": true,
"signer": "HARFANGLAB SAS",
"username": "NT AUTHORITY\\SYSTEM"
}
]
}
}
}

Human Readable Output#

Processes list#

| create date | hostname | process name | image name | commandline | integrity level | parent image | parent commandline | username | signed | signer | sha256 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-07-28T07:45:44.942000Z | DC-01 | MicrosoftEdgeUpdate.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /ua /installsource scheduler | System | C:\Windows\System32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p | NT AUTHORITY\SYSTEM | true | Microsoft Corporation | bef9dbed290af17cf3f30cc43fc0a94cdadc540f171c25df1363b2e852d0a042 |
| 2022-07-28T07:45:44.711000Z | DC-01 | conhost.exe | C:\Windows\System32\conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | System | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe {cf4a9162-2af0-0afe-8c36-45fd3dd29574} | NT AUTHORITY\SYSTEM | true | Microsoft Windows | 6b481d656414c50d8bd0bedcd615aeaf2f5f68576cb6732a9548e0da87729733 |
| 2022-07-28T07:45:44.704000Z | DC-01 | hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe {cf4a9162-2af0-0afe-8c36-45fd3dd29574} | System | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe | NT AUTHORITY\SYSTEM | true | HARFANGLAB SAS | 9d81d385fe2f41e8f4f96d64a37899003b54a644ba67f7197f0cdbd0b71144f0 |
| 2022-07-28T07:44:40.370000Z | DC-01 | conhost.exe | C:\Windows\System32\conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | System | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe {e273729b-d2f8-53a9-a10f-a60459dacc23} | NT AUTHORITY\SYSTEM | true | Microsoft Windows | 6b481d656414c50d8bd0bedcd615aeaf2f5f68576cb6732a9548e0da87729733 |
| 2022-07-28T07:44:40.363000Z | DC-01 | hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe {e273729b-d2f8-53a9-a10f-a60459dacc23} | System | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe | NT AUTHORITY\SYSTEM | true | HARFANGLAB SAS | 9d81d385fe2f41e8f4f96d64a37899003b54a644ba67f7197f0cdbd0b71144f0 |

Command example#

!harfanglab-telemetry-processes hash=3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 limit=5

Context Example#

{
"Harfanglab": {
"Telemetryprocesses": {
"processes": [
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T07:46:16.086000Z",
"hostname": "WEBSERVER",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T07:29:25.127000Z",
"hostname": "WEBSERVER",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T07:28:58.757000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T06:59:24.716000Z",
"hostname": "WEBSERVER",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T06:58:58.227000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
}
]
}
}
}

Human Readable Output#

Processes list#

| create date | hostname | process name | image name | commandline | integrity level | parent image | parent commandline | username | signed | signer | sha256 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-07-28T07:46:16.086000Z | WEBSERVER | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T07:29:25.127000Z | WEBSERVER | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T07:28:58.757000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T06:59:24.716000Z | WEBSERVER | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T06:58:58.227000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |

Command example#

!harfanglab-telemetry-processes hostname="DC-01" from_date="2022-07-22T20:26:10" to_date="2022-07-22T20:26:20" limit=5

Context Example#

{
"Harfanglab": {
"Telemetryprocesses": {
"processes": [
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-22T20:26:19.645000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
}
]
}
}
}

Human Readable Output#

Processes list#

| create date | hostname | process name | image name | commandline | integrity level | parent image | parent commandline | username | signed | signer | sha256 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-07-22T20:26:19.645000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
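Triage helpers over the Harfanglab.Telemetryprocesses.processes entries that the four harfanglab-telemetry-processes examples above return, added here as an example and not code from the integration or from Cortex XSOAR: they pivot by sha256 (hosts, image paths, first and last execution) and flag unsigned images, signers outside an allow-list, and one process name backed by several hashes. The dictionary keys are the ones shown in the context examples; SAMPLE_PROCESSES are three of the page's records plus one constructed unsigned entry, and TRUSTED_SIGNERS is an assumed allow-list.

```python
"""Triage helpers over Harfanglab.Telemetryprocesses.processes entries.

Added example, not part of the HarfangLab EDR integration or of Cortex XSOAR. The
keys ("create date", "image name", "sha256", ...) follow the harfanglab-telemetry-processes
context examples; the sample records are taken from those examples plus one constructed
unsigned entry with a placeholder hash. TRUSTED_SIGNERS is an assumed allow-list.
"""
from collections import defaultdict

SHA_SPPSVC = "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3"
SHA_HURUKAI = "9d81d385fe2f41e8f4f96d64a37899003b54a644ba67f7197f0cdbd0b71144f0"
SHA_CONSTRUCTED = "0" * 64  # placeholder hash for the constructed entry


def _entry(create_date, hostname, name, image, parent, sha256, signed, signer, user):
    """One record in the shape found under Harfanglab.Telemetryprocesses.processes
    (only the keys these helpers read)."""
    return {"create date": create_date, "hostname": hostname, "process name": name,
            "image name": image, "parent image": parent, "sha256": sha256,
            "signed": signed, "signer": signer, "username": user}


SAMPLE_PROCESSES = [
    # From the page's context examples
    _entry("2022-07-28T07:46:16.086000Z", "WEBSERVER", "sppsvc.exe",
           "C:\\Windows\\System32\\sppsvc.exe", "C:\\Windows\\System32\\services.exe",
           SHA_SPPSVC, True, "Microsoft Windows", "NT AUTHORITY\\NETWORK SERVICE"),
    _entry("2022-07-28T07:28:58.757000Z", "DC-01", "sppsvc.exe",
           "C:\\Windows\\System32\\sppsvc.exe", "C:\\Windows\\System32\\services.exe",
           SHA_SPPSVC, True, "Microsoft Windows", "NT AUTHORITY\\NETWORK SERVICE"),
    _entry("2022-07-28T07:45:44.704000Z", "DC-01", "hurukai.exe",
           "C:\\Program Files\\HarfangLab\\hurukai.exe",
           "C:\\Program Files\\HarfangLab\\hurukai.exe",
           SHA_HURUKAI, True, "HARFANGLAB SAS", "NT AUTHORITY\\SYSTEM"),
    # Constructed: a system binary's name, unsigned, running from a user-writable path
    _entry("2022-07-28T07:50:00.000000Z", "WEBSERVER", "sppsvc.exe",
           "C:\\Users\\Public\\sppsvc.exe", "C:\\Windows\\System32\\cmd.exe",
           SHA_CONSTRUCTED, False, "", "WEBSERVER\\svc_web"),
]

TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation", "HARFANGLAB SAS"}


def pivot_by_hash(processes):
    """Group entries by sha256: where, under which paths and when each binary ran."""
    pivot = {}
    for p in processes:
        row = pivot.setdefault(p["sha256"], {"hosts": set(), "images": set(),
                                             "signers": set(), "first": p["create date"],
                                             "last": p["create date"]})
        row["hosts"].add(p["hostname"])
        row["images"].add(p["image name"])
        row["signers"].add(p["signer"])
        # Fixed-layout ISO-8601 UTC strings compare lexically in time order
        row["first"] = min(row["first"], p["create date"])
        row["last"] = max(row["last"], p["create date"])
    return pivot


def flag_processes(processes, trusted_signers=TRUSTED_SIGNERS):
    """Return (reason, entry) pairs that deserve an analyst's attention."""
    hashes_by_name = defaultdict(set)
    for p in processes:
        hashes_by_name[p["process name"].lower()].add(p["sha256"])
    flags = []
    for p in processes:
        if not p["signed"]:
            flags.append(("unsigned image", p))
        elif p["signer"] not in trusted_signers:
            flags.append(("signer not in allow-list: %s" % p["signer"], p))
        if len(hashes_by_name[p["process name"].lower()]) > 1:
            flags.append(("process name maps to several sha256 values", p))
    return flags


if __name__ == "__main__":
    for sha256, row in pivot_by_hash(SAMPLE_PROCESSES).items():
        print(sha256[:12], sorted(row["hosts"]), row["first"], "->", row["last"])
    for reason, p in flag_processes(SAMPLE_PROCESSES):
        print(reason, "|", p["hostname"], p["image name"])
```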

harfanglab-job-pipelist#


Start a job to get the list of pipes from a host (Windows)

Base Command#

harfanglab-job-pipelist

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-pipelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getPipeList",
"ID": "974d7732-481b-444e-8f30-37db662d23d5"
}
}
}

Human Readable Output#

{
"Action": "getPipeList",
"ID": "974d7732-481b-444e-8f30-37db662d23d5"
}

harfanglab-job-artifact-downloadfile#


Start a job to download a file from a host (Windows / Linux)

Base Command#

harfanglab-job-artifact-downloadfile

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
| filename | Path of the file to download. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-artifact-downloadfile agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="C:\\Program Files\\HarfangLab\\agent.ini"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "downloadFile",
"ID": "7c5a2c3c-0455-4b4e-a7ee-acf7737f86f8"
}
}
}

Human Readable Output#

{
"Action": "downloadFile",
"ID": "7c5a2c3c-0455-4b4e-a7ee-acf7737f86f8"
}

harfanglab-job-prefetchlist#


Start a job to get the list of prefetches from a host (Windows)

Base Command#

harfanglab-job-prefetchlist

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-prefetchlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getPrefetch",
"ID": "153d0791-7eef-4d7e-b1be-61fec1e5a140"
}
}
}

Human Readable Output#

{
"Action": "getPrefetch",
"ID": "153d0791-7eef-4d7e-b1be-61fec1e5a140"
}

harfanglab-job-runkeylist#


Start a job to get the list of run keys from a host (Windows)

Base Command#

harfanglab-job-runkeylist

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-runkeylist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getHives",
"ID": "eadc130a-fa7f-41e6-a1bb-e9022b232b32"
}
}
}

Human Readable Output#

{
"Action": "getHives",
"ID": "eadc130a-fa7f-41e6-a1bb-e9022b232b32"
}

harfanglab-job-scheduledtasklist#


Start a job to get the list of scheduled tasks from a host (Windows)

Base Command#

harfanglab-job-scheduledtasklist

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-scheduledtasklist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getScheduledTasks",
"ID": "e81e3105-5f8e-4caf-9947-b252721b4196"
}
}
}

Human Readable Output#

{
"Action": "getScheduledTasks",
"ID": "e81e3105-5f8e-4caf-9947-b252721b4196"
}

harfanglab-job-driverlist#


Start a job to get the list of drivers from a host (Windows)

Base Command#

harfanglab-job-driverlist

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-driverlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getLoadedDriverList",
"ID": "a4ce02be-38f0-4782-8d2d-0da99fd318db"
}
}
}

Human Readable Output#

{
"Action": "getLoadedDriverList",
"ID": "a4ce02be-38f0-4782-8d2d-0da99fd318db"
}

harfanglab-job-servicelist#


Start a job to get the list of services from a host (Windows)

Base Command#

harfanglab-job-servicelist

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-servicelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getHives",
"ID": "fcd8d44c-109f-43e9-8b9a-7268121a46a7"
}
}
}

Human Readable Output#

{
"Action": "getHives",
"ID": "fcd8d44c-109f-43e9-8b9a-7268121a46a7"
}

harfanglab-job-processlist#


Start a job to get the list of processes from a host (Windows / Linux)

Base Command#

harfanglab-job-processlist

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-processlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getProcessList",
"ID": "45696894-17c5-4304-9198-9084aa1f6847"
}
}
}

Human Readable Output#

{
"Action": "getProcessList",
"ID": "45696894-17c5-4304-9198-9084aa1f6847"
}

harfanglab-job-networkconnectionlist#


Start a job to get the list of network connections from a host (Windows / Linux)

Base Command#

harfanglab-job-networkconnectionlist

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-networkconnectionlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getProcessList",
"ID": "ac1cbd6c-ac39-4940-8c4b-85071be7c878"
}
}
}

Human Readable Output#

{
"Action": "getProcessList",
"ID": "ac1cbd6c-ac39-4940-8c4b-85071be7c878"
}

harfanglab-job-networksharelist#


Start a job to get the list of network shares from a host (Windows)

Base Command#

harfanglab-job-networksharelist

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-networksharelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getNetworkShare",
"ID": "b663d820-029b-414d-8bf3-5c7b973c7954"
}
}
}

Human Readable Output#

{
"Action": "getNetworkShare",
"ID": "b663d820-029b-414d-8bf3-5c7b973c7954"
}

harfanglab-job-sessionlist#


Start a job to get the list of sessions from a host (Windows)

Base Command#

harfanglab-job-sessionlist

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-sessionlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getSessions",
"ID": "2b48e4aa-fa28-4b21-b1a7-f70bde1c59c7"
}
}
}

Human Readable Output#

{
"Action": "getSessions",
"ID": "2b48e4aa-fa28-4b21-b1a7-f70bde1c59c7"
}

harfanglab-job-persistencelist#


Start a job to get the list of persistence items from a host (Linux)

Base Command#

harfanglab-job-persistencelist

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-persistencelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "persistanceScanner",
"ID": "30a54484-c359-4220-bb5c-6e07c7a9359e"
}
}
}

Human Readable Output#

{
"Action": "persistanceScanner",
"ID": "30a54484-c359-4220-bb5c-6e07c7a9359e"
}

harfanglab-job-ioc#


Start a job to search for IOCs on a host (Windows / Linux)

Base Command#

harfanglab-job-ioc

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
| filename | Exact filename to search. | Optional |
| filepath | Exact filepath to search. | Optional |
| hash | File hash to search (md5, sha1, sha256). | Optional |
| search_in_path | Restrict searches for filename, filepath or filepath_regex to a given path. | Optional |
| hash_filesize | Size of the file associated with the 'hash' parameter (DEPRECATED, use the 'filesize' parameter instead). If known, it speeds up the search. | Optional |
| filesize | Size of the file to search (can be used when searching for a file by hash or by filename). If known, it speeds up the search. | Optional |
| registry | Regex to search in the registry (key or value). | Optional |
| filepath_regex | Regex to search against a filepath. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="agent.ini"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "IOCScan",
"ID": "0751d384-601a-40a4-afc6-7574f80f72bf"
}
}
}

Human Readable Output#

{
"Action": "IOCScan",
"ID": "0751d384-601a-40a4-afc6-7574f80f72bf"
}

Command example#

!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="agent.ini" search_in_path="C:\\Program Files"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "IOCScan",
"ID": "56a9b602-e6e5-4130-8b51-861a383f42bc"
}
}
}

Human Readable Output#

{
"Action": "IOCScan",
"ID": "56a9b602-e6e5-4130-8b51-861a383f42bc"
}

Command example#

!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="agent.ini" filesize=1688

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "IOCScan",
"ID": "1e68fb44-843e-445b-a926-755da0ce2321"
}
}
}

Human Readable Output#

{
"Action": "IOCScan",
"ID": "1e68fb44-843e-445b-a926-755da0ce2321"
}

Command example#

!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filepath="C:\\windows\\system32\\calc.exe"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "IOCScan",
"ID": "f78d2479-9651-488f-9b94-e9019b918b26"
}
}
}

Human Readable Output#

{
"Action": "IOCScan",
"ID": "f78d2479-9651-488f-9b94-e9019b918b26"
}

Command example#

!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filepath_regex="System32\\\\calc\\.exe"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "IOCScan",
"ID": "cbe0239e-3297-4cbb-a06b-75df2f5608d2"
}
}
}

Human Readable Output#

{
"Action": "IOCScan",
"ID": "cbe0239e-3297-4cbb-a06b-75df2f5608d2"
}

Command example#

!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" hash=4208893c871d2499f184e3f0f2554da89f451fa9e98d95fc9516c5ae8f2b3bbd filesize=45056

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "IOCScan",
"ID": "574b6d2a-4621-4883-bd0e-7bf603566a94"
}
}
}

Human Readable Output#

{
"Action": "IOCScan",
"ID": "574b6d2a-4621-4883-bd0e-7bf603566a94"
}

Command example#

!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" registry="DLLPath"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "IOCScan",
"ID": "b69dd316-4c47-479a-bd0f-46bfedd01180"
}
}
}

Human Readable Output#

{
"Action": "IOCScan",
"ID": "b69dd316-4c47-479a-bd0f-46bfedd01180"
}

Command example#

!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" registry="hmmapi"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "IOCScan",
"ID": "89290f68-33a1-4335-a221-5bc163fa1270"
}
}
}

Human Readable Output#

{
"Action": "IOCScan",
"ID": "89290f68-33a1-4335-a221-5bc163fa1270"
}
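The command examples above show the selector combinations harfanglab-job-ioc accepts (filename with search_in_path or filesize, filepath, filepath_regex, hash with filesize, registry). The following is an added example, not code from the HarfangLab EDR integration, that turns an IOC record into a validated argument set and renders the War Room command line. It assumes only the argument names documented above, the note that `hash` takes md5, sha1 or sha256, and the deprecation of `hash_filesize` in favour of `filesize`; requiring at least one selector and doubling backslashes in string values (as the page's own `filepath` and `filepath_regex` examples do) are this example's conventions.

```python
"""Build and validate arguments for a harfanglab-job-ioc call.

Added example, not code from the HarfangLab EDR integration. It assumes only
the argument names documented for harfanglab-job-ioc, that 'hash' accepts
md5, sha1 or sha256, and that 'hash_filesize' is deprecated in favour of
'filesize'. Requiring at least one selector is this example's own rule.
"""
import re

# Accepted digest lengths (hex characters) for the 'hash' argument.
_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")

# Arguments that select what the agent searches for.
_SELECTORS = ("filename", "filepath", "filepath_regex", "hash", "registry")
_PATH_SELECTORS = ("filename", "filepath", "filepath_regex")


def classify_hash(value: str) -> str:
    """Return 'md5', 'sha1' or 'sha256'; raise ValueError for anything else."""
    value = value.strip()
    if not _HEX.match(value) or len(value) not in _HASH_LENGTHS:
        raise ValueError(f"unsupported hash format: {value!r}")
    return _HASH_LENGTHS[len(value)]


def build_ioc_job_args(agent_id: str, ioc: dict) -> dict:
    """Translate an IOC record into harfanglab-job-ioc arguments.

    `ioc` may carry any selector key plus 'filesize', 'search_in_path' and the
    deprecated 'hash_filesize' (mapped onto 'filesize').
    """
    args = {"agent_id": agent_id}
    for key in _SELECTORS:
        if ioc.get(key):
            args[key] = str(ioc[key])
    if not any(k in args for k in _SELECTORS):
        raise ValueError("an IOC needs at least one of " + ", ".join(_SELECTORS))
    if "hash" in args:
        args["hash"] = args["hash"].lower()
        classify_hash(args["hash"])  # reject anything that is not md5/sha1/sha256
    size = ioc.get("filesize", ioc.get("hash_filesize"))  # prefer the current name
    if size is not None:
        size = int(size)
        if size < 0:
            raise ValueError("filesize must not be negative")
        args["filesize"] = size
    if ioc.get("search_in_path"):
        if not any(k in args for k in _PATH_SELECTORS):
            raise ValueError("search_in_path only applies to filename, filepath or filepath_regex")
        args["search_in_path"] = str(ioc["search_in_path"])
    return args


def render_cli(args: dict) -> str:
    r"""Render the arguments as a War Room command line.

    Backslashes in string values are doubled, matching the page's own examples
    (filepath="C:\\windows\\system32\\calc.exe"); integers are left bare.
    """
    parts = ["!harfanglab-job-ioc"]
    for key, value in args.items():
        if isinstance(value, int):
            parts.append(f"{key}={value}")
        else:
            escaped = value.replace("\\", "\\\\")
            parts.append(f'{key}="{escaped}"')
    return " ".join(parts)


if __name__ == "__main__":
    job = build_ioc_job_args("0fae71cf-ebde-4533-a50c-b3c0290378db",
                             {"hash": "4208893c871d2499f184e3f0f2554da89f451fa9e98d95fc9516c5ae8f2b3bbd",
                              "hash_filesize": "45056"})
    print(render_cli(job))
```

Feeding the hash example from the page through `build_ioc_job_args` keeps the `filesize` hint (the integration says a known size speeds up the search) while dropping the deprecated argument name, and `classify_hash` stops a malformed digest before a job is started on the endpoint.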

harfanglab-job-startuplist#


Start a job to get the list of startup items from a host (Windows)

Base Command#

harfanglab-job-startuplist

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-startuplist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getStartupFileList",
"ID": "d9d6b338-75ce-4ab6-8223-531e29c07ae6"
}
}
}

Human Readable Output#

{
"Action": "getStartupFileList",
"ID": "d9d6b338-75ce-4ab6-8223-531e29c07ae6"
}

harfanglab-job-wmilist#


Start a job to get the list of WMI items from a host (Windows)

Base Command#

harfanglab-job-wmilist

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-wmilist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getWMI",
"ID": "e51124be-7720-4a0d-868f-3521a5ce0e9f"
}
}
}

Human Readable Output#

{
"Action": "getWMI",
"ID": "e51124be-7720-4a0d-868f-3521a5ce0e9f"
}

harfanglab-job-artifact-mft#


Start a job to download the MFT from a host (Windows)

Base Command#

harfanglab-job-artifact-mft

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-artifact-mft agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "collectRAWEvidences",
"ID": "57c3da8c-a68f-4f1d-b521-cd811e97f62b"
}
}
}

Human Readable Output#

{
"Action": "collectRAWEvidences",
"ID": "57c3da8c-a68f-4f1d-b521-cd811e97f62b"
}

harfanglab-job-artifact-hives#


Start a job to download the hives from a host (Windows)

Base Command#

harfanglab-job-artifact-hives

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-artifact-hives agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "collectRAWEvidences",
"ID": "36bc0da2-a557-4576-af8e-344d91364c70"
}
}
}

Human Readable Output#

{
"Action": "collectRAWEvidences",
"ID": "36bc0da2-a557-4576-af8e-344d91364c70"
}

harfanglab-job-artifact-evtx#


Start a job to download the event logs from a host (Windows)

Base Command#

harfanglab-job-artifact-evtx

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-artifact-evtx agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "collectRAWEvidences",
"ID": "707ab8c7-e2e9-4921-ad1e-0823def79d83"
}
}
}

Human Readable Output#

{
"Action": "collectRAWEvidences",
"ID": "707ab8c7-e2e9-4921-ad1e-0823def79d83"
}

harfanglab-job-artifact-logs#


Start a job to download Linux log files from a host (Linux)

Base Command#

harfanglab-job-artifact-logs

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-artifact-logs agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "collectRAWEvidences",
"ID": "8989756f-1947-4fd1-9734-8fecb58d6f64"
}
}
}

Human Readable Output#

{
"Action": "collectRAWEvidences",
"ID": "8989756f-1947-4fd1-9734-8fecb58d6f64"
}

harfanglab-job-artifact-filesystem#


Start a job to download Linux filesystem entries from a host (Linux)

Base Command#

harfanglab-job-artifact-filesystem

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-artifact-filesystem agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "collectRAWEvidences",
"ID": "d351e9be-3f0e-4ccc-876f-8b28f208ffa7"
}
}
}

Human Readable Output#

{
"Action": "collectRAWEvidences",
"ID": "d351e9be-3f0e-4ccc-876f-8b28f208ffa7"
}

harfanglab-job-artifact-all#


Start a job to download all artifacts from a host (Windows MFT, Hives, evt/evtx, Prefetch, USN, Linux logs and file list)

Base Command#

harfanglab-job-artifact-all

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-artifact-all agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "collectRAWEvidences",
"ID": "312a3857-935c-4b23-9d58-cc29bb9dda18"
}
}
}

Human Readable Output#

{
"Action": "collectRAWEvidences",
"ID": "312a3857-935c-4b23-9d58-cc29bb9dda18"
}

harfanglab-job-artifact-ramdump#


Start a job to get the entire RAM from a host (Windows / Linux)

Base Command#

harfanglab-job-artifact-ramdump

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

Command example#

!harfanglab-job-artifact-ramdump agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "memoryDumper",
"ID": "27df9e9b-6201-4efe-9d86-986fe47739ee"
}
}
}

Human Readable Output#

{
"Action": "memoryDumper",
"ID": "27df9e9b-6201-4efe-9d86-986fe47739ee"
}

harfanglab-telemetry-network#


Search network connections

Base Command#

harfanglab-telemetry-network

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | Endpoint hostname. | Optional |
| from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| source_address | Source IP address. | Optional |
| source_port | Source port. | Optional |
| destination_address | Destination IP address. | Optional |
| destination_port | Destination port. | Optional |
| limit | Maximum number of elements to fetch. Default is 100. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Telemetrynetwork.network | unknown | Provides a list of network connections |

Command example#

!harfanglab-telemetry-network hostname="DC-01" limit=5

Context Example#

{
"Harfanglab": {
"Telemetrynetwork": {
"network": [
{
"create date": "2022-06-29T22:33:42.434000Z",
"destination addr": "(REDACTED)",
"destination port": 443,
"direction": "out",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 50000,
"username": "NT AUTHORITY\\SYSTEM"
},
{
"create date": "2022-06-29T22:24:08.088000Z",
"destination addr": "(REDACTED)",
"destination port": 80,
"direction": "out",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 49998,
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"create date": "2022-06-29T22:23:08.037000Z",
"destination addr": "(REDACTED)",
"destination port": 443,
"direction": "out",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 49997,
"username": "NT AUTHORITY\\SYSTEM"
},
{
"create date": "2022-06-29T22:08:07.550000Z",
"destination addr": "(REDACTED)",
"destination port": 443,
"direction": "out",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 49996,
"username": "NT AUTHORITY\\SYSTEM"
},
{
"create date": "2022-06-29T22:04:42.848000Z",
"destination addr": "(REDACTED)",
"destination port": 80,
"direction": "out",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 49995,
"username": "NT AUTHORITY\\NETWORK SERVICE"
}
]
}
}
}

Human Readable Output#

Network list#

| create date | hostname | image name | username | source address | source port | destination addr | destination port | direction |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-06-29T22:33:42.434000Z | DC-01 | C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM | (REDACTED) | 50000 | (REDACTED) | 443 | out |
| 2022-06-29T22:24:08.088000Z | DC-01 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 49998 | (REDACTED) | 80 | out |
| 2022-06-29T22:23:08.037000Z | DC-01 | C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM | (REDACTED) | 49997 | (REDACTED) | 443 | out |
| 2022-06-29T22:08:07.550000Z | DC-01 | C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM | (REDACTED) | 49996 | (REDACTED) | 443 | out |
| 2022-06-29T22:04:42.848000Z | DC-01 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 49995 | (REDACTED) | 80 | out |

Command example#

!harfanglab-telemetry-network destination_address="(REDACTED)" limit=5

Context Example#

{
"Harfanglab": {
"Telemetrynetwork": {
"network": [
{
"create date": "2022-07-27T14:59:56.114000Z",
"destination addr": "(REDACTED)",
"destination port": 80,
"direction": "out",
"hostname": "WORKSTATION-1879",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 62787,
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"create date": "2022-07-27T14:58:43.590000Z",
"destination addr": "(REDACTED)",
"destination port": 80,
"direction": "out",
"hostname": "WORKSTATION-3752",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 64593,
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"create date": "2022-07-27T14:49:54.374000Z",
"destination addr": "(REDACTED)",
"destination port": 80,
"direction": "out",
"hostname": "WORKSTATION-6852",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 61571,
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"create date": "2022-07-27T14:49:14.813000Z",
"destination addr": "(REDACTED)",
"destination port": 80,
"direction": "out",
"hostname": "WORKSTATION-4321",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 61605,
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"create date": "2022-07-27T07:59:49.780000Z",
"destination addr": "(REDACTED)",
"destination port": 80,
"direction": "out",
"hostname": "WORKSTATION-1879",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 62472,
"username": "NT AUTHORITY\\NETWORK SERVICE"
}
]
}
}
}

Human Readable Output#

Network list#

| create date | hostname | image name | username | source address | source port | destination addr | destination port | direction |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-07-27T14:59:56.114000Z | WORKSTATION-1879 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 62787 | (REDACTED) | 80 | out |
| 2022-07-27T14:58:43.590000Z | WORKSTATION-3752 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 64593 | (REDACTED) | 80 | out |
| 2022-07-27T14:49:54.374000Z | WORKSTATION-6852 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 61571 | (REDACTED) | 80 | out |
| 2022-07-27T14:49:14.813000Z | WORKSTATION-4321 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 61605 | (REDACTED) | 80 | out |
| 2022-07-27T07:59:49.780000Z | WORKSTATION-1879 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 62472 | (REDACTED) | 80 | out |

Command example#

!harfanglab-telemetry-network destination_address="(REDACTED)" from_date="2022-07-21T12:34:05" to_date="2022-07-21T12:34:15" limit=5

Context Example#

{
"Harfanglab": {
"Telemetrynetwork": {
"network": [
{
"create date": "2022-07-21T12:34:09.265000Z",
"destination addr": "(REDACTED)",
"destination port": 80,
"direction": "out",
"hostname": "WORKSTATION-4812",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 50363,
"username": "NT AUTHORITY\\NETWORK SERVICE"
}
]
}
}
}

Human Readable Output#

Network list#

| create date | hostname | image name | username | source address | source port | destination addr | destination port | direction |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-07-21T12:34:09.265000Z | WORKSTATION-4812 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 50363 | (REDACTED) | 80 | out |
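The third command example above pivots on a ten-second window around one connection, and `from_date`/`to_date` only accept whole seconds while `create date` carries microseconds. The following is an added example, not part of the integration, that builds such a window from a telemetry timestamp and summarizes a batch of `Harfanglab.Telemetrynetwork.network` entries per process and user. The sample entries are constructed to match the context output above (the 8443 entry is invented to exercise the port check); the expected-port allow-list and the decision to widen the window to whole seconds are this example's own conventions.

```python
"""Pivot helpers for harfanglab-telemetry-network results.

Added example, not part of the HarfangLab EDR integration. It consumes entries
shaped like the Harfanglab.Telemetrynetwork.network context and assumes only
the documented field names.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the context output above (addresses redacted
# as on the page; the 8443 entry is made up to exercise the port check).
SAMPLE_NETWORK = [
    {"create date": "2022-06-29T22:33:42.434000Z", "destination addr": "(REDACTED)",
     "destination port": 443, "direction": "out", "hostname": "DC-01",
     "image name": "C:\\Windows\\System32\\svchost.exe", "source address": "(REDACTED)",
     "source port": 50000, "username": "NT AUTHORITY\\SYSTEM"},
    {"create date": "2022-06-29T22:24:08.088000Z", "destination addr": "(REDACTED)",
     "destination port": 80, "direction": "out", "hostname": "DC-01",
     "image name": "C:\\Windows\\System32\\svchost.exe", "source address": "(REDACTED)",
     "source port": 49998, "username": "NT AUTHORITY\\NETWORK SERVICE"},
    {"create date": "2022-06-29T22:20:00.000000Z", "destination addr": "(REDACTED)",
     "destination port": 8443, "direction": "out", "hostname": "DC-01",
     "image name": "C:\\Users\\Public\\updater.exe", "source address": "(REDACTED)",
     "source port": 49990, "username": "DC-01\\jdoe"},
]

ISO_MICRO_Z = "%Y-%m-%dT%H:%M:%S.%fZ"   # format of 'create date' in the telemetry
ARG_FORMAT = "%Y-%m-%dT%H:%M:%S"         # format the from_date/to_date arguments accept


def parse_create_date(value: str) -> datetime:
    """Parse a telemetry timestamp into an aware UTC datetime."""
    return datetime.strptime(value, ISO_MICRO_Z).replace(tzinfo=timezone.utc)


def window_args(create_date: str, seconds: int = 5) -> dict:
    """from_date/to_date arguments for a +/- `seconds` pivot around one connection.

    The arguments take whole seconds only, so the start is floored and the end
    is extended by one second: the seed event stays inside the window whether
    the server treats the bounds as inclusive or not (assumption of this example).
    """
    ts = parse_create_date(create_date)
    start = (ts - timedelta(seconds=seconds)).replace(microsecond=0)
    end = (ts + timedelta(seconds=seconds)).replace(microsecond=0) + timedelta(seconds=1)
    return {"from_date": start.strftime(ARG_FORMAT), "to_date": end.strftime(ARG_FORMAT)}


def summarize(connections: list, expected_ports=(80, 443)) -> dict:
    """Count outbound connections per (hostname, image, user) and collect the
    ones whose destination port is not in `expected_ports`."""
    per_process = Counter()
    unexpected = []
    for conn in connections:
        if conn.get("direction") != "out":
            continue
        per_process[(conn["hostname"], conn["image name"], conn["username"])] += 1
        if conn["destination port"] not in expected_ports:
            unexpected.append(conn)
    return {"per_process": dict(per_process), "unexpected": unexpected}


if __name__ == "__main__":
    print(window_args("2022-07-21T12:34:09.265000Z"))
    for key, count in summarize(SAMPLE_NETWORK)["per_process"].items():
        print(count, *key)
```

`window_args` returns the two argument values ready to paste into `!harfanglab-telemetry-network` (or to pass from an automation), and `summarize` is a starting point for triage: the entries it returns under `unexpected` are the ones worth pivoting on with a narrow time window.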

harfanglab-telemetry-eventlog#


Search event logs

Base Command#

harfanglab-telemetry-eventlog

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | Endpoint hostname. | Optional |
| event_id | Event id. | Optional |
| from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| limit | Maximum number of elements to fetch. Default is 100. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Telemetryeventlog.eventlog | unknown | Provides a list of event logs |

Command example#

!harfanglab-telemetry-eventlog hostname="DC-01" limit=5

Context Example#

{
"Harfanglab": {
"Telemetryeventlog": {
"eventlog": [
{
"create date": "2022-07-28T07:29:29.327000Z",
"event data": {
"Binary": "7300700070007300760063002F0031000000",
"param1": "Software Protection",
"param2": "stopped"
},
"event id": 7036,
"hostname": "DC-01",
"keywords": [
"Classic"
],
"level": "Information",
"log name": "System",
"source name": "Service Control Manager"
},
{
"create date": "2022-07-28T07:29:29.311000Z",
"event data": {
"param1": "2022-11-12T06:42:29Z",
"param2": "RulesEngine"
},
"event id": 16384,
"hostname": "DC-01",
"keywords": [
"Classic"
],
"level": "Information",
"log name": "Application",
"source name": "Microsoft-Windows-Security-SPP"
},
{
"create date": "2022-07-28T07:28:58.905000Z",
"event data": null,
"event id": 16394,
"hostname": "DC-01",
"keywords": [
"Classic"
],
"level": "Information",
"log name": "Application",
"source name": "Microsoft-Windows-Security-SPP"
},
{
"create date": "2022-07-28T07:28:58.795000Z",
"event data": {
"Binary": "7300700070007300760063002F0034000000",
"param1": "Software Protection",
"param2": "running"
},
"event id": 7036,
"hostname": "DC-01",
"keywords": [
"Classic"
],
"level": "Information",
"log name": "System",
"source name": "Service Control Manager"
},
{
"create date": "2022-07-28T07:26:50.139000Z",
"event data": {
"Binary": "540072007500730074006500640049006E007300740061006C006C00650072002F0031000000",
"param1": "Windows Modules Installer",
"param2": "stopped"
},
"event id": 7036,
"hostname": "DC-01",
"keywords": [
"Classic"
],
"level": "Information",
"log name": "System",
"source name": "Service Control Manager"
}
]
}
}
}

Human Readable Output#

Event Log list#

| create date | hostname | event id | source name | log name | keywords | event data | level |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-07-28T07:29:29.327000Z | DC-01 | 7036 | Service Control Manager | System | Classic | param1: Software Protection<br>param2: stopped<br>Binary: 7300700070007300760063002F0031000000 | Information |
| 2022-07-28T07:29:29.311000Z | DC-01 | 16384 | Microsoft-Windows-Security-SPP | Application | Classic | param1: 2022-11-12T06:42:29Z<br>param2: RulesEngine | Information |
| 2022-07-28T07:28:58.905000Z | DC-01 | 16394 | Microsoft-Windows-Security-SPP | Application | Classic |  | Information |
| 2022-07-28T07:28:58.795000Z | DC-01 | 7036 | Service Control Manager | System | Classic | param1: Software Protection<br>param2: running<br>Binary: 7300700070007300760063002F0034000000 | Information |
| 2022-07-28T07:26:50.139000Z | DC-01 | 7036 | Service Control Manager | System | Classic | param1: Windows Modules Installer<br>param2: stopped<br>Binary: 540072007500730074006500640049006E007300740061006C006C00650072002F0031000000 | Information |
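The `event data` field above is source-specific: Service Control Manager 7036 events carry a hex-encoded `Binary` payload, the 16394 entry has `event data` set to null, and (as the next command example shows) 4624 logon events carry numeric `LogonType` values. The following is an added example, not part of the integration, that decodes these into one-line summaries. The sample events are constructed to match the context output; two assumptions are made: the 7036 `Binary` field is the UTF-16LE string `<service>/<state>` (the page's rows pair `sppsvc/1` with "stopped" and `sppsvc/4` with "running", which matches the Win32 SERVICE_STOPPED=1 and SERVICE_RUNNING=4 state codes), and 4624 `LogonType` values follow the standard Windows logon type table.

```python
"""Decoders for harfanglab-telemetry-eventlog 'event data' fields.

Added example, not part of the HarfangLab EDR integration. It works on entries
shaped like the Harfanglab.Telemetryeventlog.eventlog context. Assumptions:
the 7036 'Binary' field is a UTF-16LE '<service>/<state>' string (state codes
as in Win32 SERVICE_STATUS.dwCurrentState) and 4624 LogonType values follow
the standard Windows logon type table.
"""
# Win32 SERVICE_STATUS.dwCurrentState values.
SERVICE_STATES = {1: "stopped", 2: "start pending", 3: "stop pending", 4: "running",
                  5: "continue pending", 6: "pause pending", 7: "paused"}

# Standard Windows logon types as reported in the 4624 LogonType field.
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
               "10": "RemoteInteractive", "11": "CachedInteractive"}

# Constructed sample, shaped like the context output above.
SAMPLE_EVENTS = [
    {"create date": "2022-07-28T07:29:29.327000Z",
     "event data": {"Binary": "7300700070007300760063002F0031000000",
                    "param1": "Software Protection", "param2": "stopped"},
     "event id": 7036, "hostname": "DC-01", "keywords": ["Classic"],
     "level": "Information", "log name": "System", "source name": "Service Control Manager"},
    {"create date": "2022-07-28T07:28:58.905000Z", "event data": None,
     "event id": 16394, "hostname": "DC-01", "keywords": ["Classic"],
     "level": "Information", "log name": "Application",
     "source name": "Microsoft-Windows-Security-SPP"},
    {"create date": "2022-07-28T07:24:48.105000Z",
     "event data": {"LogonType": "5", "LogonProcessName": "Advapi ", "IpAddress": "-",
                    "TargetDomainName": "NT AUTHORITY", "TargetUserName": "SYSTEM",
                    "ProcessName": "C:\\Windows\\System32\\services.exe"},
     "event id": 4624, "hostname": "DC-01", "keywords": ["Audit Success"],
     "level": "Information", "log name": "Security",
     "source name": "Microsoft-Windows-Security-Auditing"},
]


def decode_binary(hex_value: str) -> str:
    """Decode the hex-encoded UTF-16LE Binary field, dropping the NUL terminator."""
    return bytes.fromhex(hex_value).decode("utf-16-le").rstrip("\x00")


def service_state(binary_hex: str) -> tuple:
    """Split a 7036 Binary payload into (service name, state label)."""
    name, _, code = decode_binary(binary_hex).rpartition("/")
    label = SERVICE_STATES.get(int(code)) if code.isdigit() else None
    return name, label or f"unknown({code})"


def describe(event: dict) -> str:
    """One-line summary of an event; tolerates 'event data' being null."""
    data = event.get("event data") or {}  # null on the page for event 16394
    eid = event["event id"]
    host = event["hostname"]
    if eid == 7036 and "Binary" in data:
        name, state = service_state(data["Binary"])
        return f"{host}: service {data.get('param1')} ({name}) {state}"
    if eid == 4624:
        lt = data.get("LogonType", "?")
        user = f"{data.get('TargetDomainName')}\\{data.get('TargetUserName')}"
        return (f"{host}: logon {user} type {lt} ({LOGON_TYPES.get(lt, 'unknown')}) "
                f"via {data.get('LogonProcessName', '').strip()} from {data.get('IpAddress')}")
    return f"{host}: event {eid} from {event['source name']} ({event['level']})"


def describe_all(events: list) -> list:
    """Summaries for a whole Harfanglab.Telemetryeventlog.eventlog list."""
    return [describe(e) for e in events]


if __name__ == "__main__":
    for line in describe_all(SAMPLE_EVENTS):
        print(line)
```

Decoding the `Binary` payload recovers the short service name (`sppsvc`, `TrustedInstaller`) that the display name in `param1` does not give, which is the value to match against a service allow-list; the null-tolerant `event data` handling matters because the integration returns `null` rather than an empty object for events without data.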

Command example#

!harfanglab-telemetry-eventlog hostname="DC-01" event_id=4624 limit=5

Context Example#

{
"Harfanglab": {
"Telemetryeventlog": {
"eventlog": [
{
"create date": "2022-07-28T07:24:48.105000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x278",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "DC-01$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "DC-01",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
},
{
"create date": "2022-07-28T06:34:06.425000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x278",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "DC-01$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "DC-01",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
},
{
"create date": "2022-07-28T06:24:48.107000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x278",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "DC-01$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "DC-01",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
},
{
"create date": "2022-07-28T05:24:47.496000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x278",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "DC-01$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "DC-01",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
},
{
"create date": "2022-07-28T04:24:46.833000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x278",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "DC-01$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "DC-01",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
}
]
}
}
}

Human Readable Output#

Event Log list#

| create date | hostname | event id | source name | log name | keywords | event data | level |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-07-28T07:24:48.105000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: DC-01$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x278; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
| 2022-07-28T06:34:06.425000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: DC-01$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x278; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
| 2022-07-28T06:24:48.107000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: DC-01$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x278; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
| 2022-07-28T05:24:47.496000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: DC-01$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x278; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
| 2022-07-28T04:24:46.833000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: DC-01$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x278; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |

Command example#

!harfanglab-telemetry-eventlog event_id=4624 from_date="2022-07-21T21:25:34" to_date="2022-07-23T21:25:34" limit=5

Context Example#

{
"Harfanglab": {
"Telemetryeventlog": {
"eventlog": [
{
"create date": "2022-07-23T21:25:18.159000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x280",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "WORKSTATION-123$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "WORKSTATION-1234",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
},
{
"create date": "2022-07-23T21:25:10.765000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x27c",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "WEBSERVER$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "WEBSERVER",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
},
{
"create date": "2022-07-23T21:23:53.410000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x278",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "DC-01$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "DC-01",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
},
{
"create date": "2022-07-23T21:18:55.338000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x27c",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "WORKSTATION-850$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "WORKSTATION-8501",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
},
{
"create date": "2022-07-23T21:18:53.324000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x27c",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "WORKSTATION-850$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "WORKSTATION-8501",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
}
]
}
}
}

Human Readable Output#

Event Log list#

| create date | hostname | event id | source name | log name | keywords | event data | level |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-07-23T21:25:18.159000Z | WORKSTATION-1234 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: WORKSTATION-123$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x280; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
| 2022-07-23T21:25:10.765000Z | WEBSERVER | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: WEBSERVER$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x27c; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
| 2022-07-23T21:23:53.410000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: DC-01$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x278; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
| 2022-07-23T21:18:55.338000Z | WORKSTATION-8501 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: WORKSTATION-850$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x27c; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
| 2022-07-23T21:18:53.324000Z | WORKSTATION-8501 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: WORKSTATION-850$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x27c; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
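
Consuming the eventlog context above from an automation, as an added example that is not the integration's own code: every 4624 entry the command returned has LogonType 5 (service) for SYSTEM, which is routine background activity, so the code decodes the logon type, counts events per host, type and target user, and lists only interactive or remote logons to non-SYSTEM accounts. SAMPLE_CONTEXT is constructed to match the page's structure with just the fields used here; the Administrator record, its placeholder SID and the 203.0.113.7 address are invented.

```python
"""Summarise Windows 4624 (successful logon) records returned under
Harfanglab.Telemetryeventlog.eventlog and surface the ones worth an analyst's
attention.  Added example, not the integration's code; SAMPLE_CONTEXT is
constructed to mirror the page's context example (only the fields used)."""
from collections import Counter

# Logon type codes documented by Microsoft for event 4624.
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
               "10": "RemoteInteractive", "11": "CachedInteractive"}
# Types that imply a session for a person rather than a service start.
INTERACTIVE_TYPES = {"2", "7", "10", "11"}
SYSTEM_SID = "S-1-5-18"  # well-known SID of NT AUTHORITY\SYSTEM


def _event(ts, hostname, user, sid, logon_type, ip, process):
    """Build one record in the shape of the page's context example."""
    return {
        "create date": ts, "event id": 4624, "hostname": hostname,
        "log name": "Security", "keywords": ["Audit Success"],
        "event data": {
            "TargetUserName": user, "TargetUserSid": sid,
            "TargetDomainName": "NT AUTHORITY" if sid == SYSTEM_SID else hostname,
            "LogonType": logon_type, "IpAddress": ip, "ProcessName": process,
        },
    }


SVC = "C:\\Windows\\System32\\services.exe"
SAMPLE_CONTEXT = {"Harfanglab": {"Telemetryeventlog": {"eventlog": [
    # Two service logons by SYSTEM, as in the page's output.
    _event("2022-07-28T07:24:48.105000Z", "DC-01", "SYSTEM", SYSTEM_SID, "5", "-", SVC),
    _event("2022-07-28T06:34:06.425000Z", "DC-01", "SYSTEM", SYSTEM_SID, "5", "-", SVC),
    # Constructed: a RemoteInteractive logon to a privileged account from an
    # RFC 5737 documentation address; the SID is a placeholder.
    _event("2022-07-28T06:40:00.000000Z", "DC-01", "Administrator",
           "S-1-5-21-0-0-0-500", "10", "203.0.113.7", "-"),
]}}}


def extract_eventlog(context):
    """Return the record list under Harfanglab.Telemetryeventlog.eventlog."""
    return context.get("Harfanglab", {}).get("Telemetryeventlog", {}).get("eventlog", [])


def summarise_logons(records):
    """Count 4624 events per (hostname, logon type name, target user)."""
    counts = Counter()
    for rec in records:
        if rec.get("event id") != 4624:
            continue
        data = rec.get("event data", {})
        code = data.get("LogonType")
        kind = LOGON_TYPES.get(code, "Unknown(%s)" % code)
        counts[(rec.get("hostname"), kind, data.get("TargetUserName"))] += 1
    return counts


def flag_interactive_logons(records):
    """Return 4624 records for interactive or remote sessions of non-SYSTEM accounts.

    Service (type 5) logons by SYSTEM, which is all the page's example shows,
    are routine; an interactive logon to an admin account from a network
    address is what an analyst wants listed.
    """
    flagged = []
    for rec in records:
        data = rec.get("event data", {})
        if rec.get("event id") != 4624 or data.get("LogonType") not in INTERACTIVE_TYPES:
            continue
        if data.get("TargetUserSid") == SYSTEM_SID:
            continue
        flagged.append({
            "hostname": rec.get("hostname"),
            "user": "%s\\%s" % (data.get("TargetDomainName"), data.get("TargetUserName")),
            "logon_type": LOGON_TYPES[data["LogonType"]],
            "source_ip": data.get("IpAddress"),
            "when": rec.get("create date"),
        })
    return flagged


if __name__ == "__main__":
    events = extract_eventlog(SAMPLE_CONTEXT)
    for (host, kind, user), n in sorted(summarise_logons(events).items()):
        print("%-6s %-18s %-14s %d" % (host, kind, user, n))
    for hit in flag_interactive_logons(events):
        print("FLAG", hit)
```

In a playbook the same functions would run over the real `Harfanglab.Telemetryeventlog.eventlog` context; the LogonType values come back as strings, which is why the lookup tables are keyed by string.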

harfanglab-telemetry-binary#


Search for binaries

Base Command#

harfanglab-telemetry-binary

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| hash | File hash to search (md5, sha1, sha256). | Optional |
| limit | Maximum number of elements to fetch. Default is 100. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Telemetrybinary.binary | unknown | Provides a list of binaries with associated download links. |

Command example#

!harfanglab-telemetry-binary hash=2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5

Context Example#

{
"Harfanglab": {
"Telemetrybinary": {
"binary": [
{
"download link": "https://my_edr_stack:8443/api/data/telemetry/Binary/download/2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5/?hl_expiring_key=0123456789abcdef",
"name": "hurukai",
"path": "/opt/hurukai/hurukai",
"sha256": "2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5",
"signed": "",
"signer": null,
"size": 5882824
}
]
}
}
}

Human Readable Output#

Binary list#

| name | path | size | sha256 | download link |
| --- | --- | --- | --- | --- |
| hurukai | /opt/hurukai/hurukai | 5882824 | 2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5 | https://my_edr_stack:8443/api/data/telemetry/Binary/download/2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5/?hl_expiring_key=0123456789abcdef |

harfanglab-telemetry-dns#


Search DNS resolutions

Base Command#

harfanglab-telemetry-dns

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | Endpoint hostname. | Optional |
| requested_name | Requested domain name. | Optional |
| query_type | DNS type (A, AAAA, TXT...). | Optional |
| from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| limit | Maximum number of elements to fetch. Default is 100. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.TelemetryDNS.resolutions | unknown | Provides a list of DNS resolutions. |

Command example#

!harfanglab-telemetry-dns requested_name=download.windowsupdate.com hostname=webserver

Context Example#

{
"Harfanglab": {
"Telemetrydns": {
"dns": [
{
"IP addresses": [
"XXX.XXX.XXX.XXX"
],
"agentid": "2eabb3d4-2fe4-45c7-ba87-4fc486f37638",
"create date": "2023-07-20T08:14:28.306000Z",
"hostname": "WEBSERVER",
"pid": 5956,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-2fe4-45c7-4417-0026bd8eba8b",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX"
],
"agentid": "2eabb3d4-2fe4-45c7-ba87-4fc486f37638",
"create date": "2023-07-20T08:14:23.768000Z",
"hostname": "WEBSERVER",
"pid": 1296,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-2fe4-45c7-1005-00d36589bf35",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX",
"XXX.XXX.XXX.XXX"
],
"agentid": "2eabb3d4-2fe4-45c7-ba87-4fc486f37638",
"create date": "2023-07-20T04:14:23.397000Z",
"hostname": "WEBSERVER",
"pid": 1296,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-2fe4-45c7-1005-00d36589bf35",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX",
"XXX.XXX.XXX.XXX"
],
"agentid": "524f8ab7-c2c0-4b31-893c-564acb8f857a",
"create date": "2023-07-17T13:03:34.656000Z",
"hostname": "WEBSERVER",
"pid": 1900,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-c2c0-4b31-6c07-000eac642d4f",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX",
"XXX.XXX.XXX.XXX"
],
"agentid": "524f8ab7-c2c0-4b31-893c-564acb8f857a",
"create date": "2023-07-17T13:03:28.608000Z",
"hostname": "WEBSERVER",
"pid": 1276,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-c2c0-4b31-fc04-00c4827455f9",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX"
],
"agentid": "524f8ab7-c2c0-4b31-893c-564acb8f857a",
"create date": "2023-07-16T13:03:36.331000Z",
"hostname": "WEBSERVER",
"pid": 2620,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-c2c0-4b31-3c0a-008126fb9d08",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX"
],
"agentid": "524f8ab7-c2c0-4b31-893c-564acb8f857a",
"create date": "2023-07-16T13:03:28.944000Z",
"hostname": "WEBSERVER",
"pid": 1276,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-c2c0-4b31-fc04-00c4827455f9",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX",
"XXX.XXX.XXX.XXX"
],
"agentid": "524f8ab7-c2c0-4b31-893c-564acb8f857a",
"create date": "2023-07-15T13:03:37.980000Z",
"hostname": "WEBSERVER",
"pid": 5700,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-c2c0-4b31-4416-009d6e609402",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX",
"XXX.XXX.XXX.XXX"
],
"agentid": "524f8ab7-c2c0-4b31-893c-564acb8f857a",
"create date": "2023-07-15T13:03:29.162000Z",
"hostname": "WEBSERVER",
"pid": 1276,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-c2c0-4b31-fc04-00c4827455f9",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX"
],
"agentid": "524f8ab7-c2c0-4b31-893c-564acb8f857a",
"create date": "2023-07-14T13:03:50.310000Z",
"hostname": "WEBSERVER",
"pid": 5908,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-c2c0-4b31-1417-007dde4315d9",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX"
],
"agentid": "524f8ab7-c2c0-4b31-893c-564acb8f857a",
"create date": "2023-07-14T13:03:42.865000Z",
"hostname": "WEBSERVER",
"pid": 1276,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-c2c0-4b31-fc04-00c4827455f9",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX"
],
"agentid": "524f8ab7-c2c0-4b31-893c-564acb8f857a",
"create date": "2023-07-14T02:14:55.276000Z",
"hostname": "WEBSERVER",
"pid": 1276,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-c2c0-4b31-fc04-00c4827455f9",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX",
"XXX.XXX.XXX.XXX"
],
"agentid": "524f8ab7-c2c0-4b31-893c-564acb8f857a",
"create date": "2023-07-13T13:03:34.668000Z",
"hostname": "WEBSERVER",
"pid": 5856,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-c2c0-4b31-e016-008cbea6fa9a",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX",
"XXX.XXX.XXX.XXX"
],
"agentid": "524f8ab7-c2c0-4b31-893c-564acb8f857a",
"create date": "2023-07-13T13:03:29.584000Z",
"hostname": "WEBSERVER",
"pid": 1276,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-c2c0-4b31-fc04-00c4827455f9",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX"
],
"agentid": "524f8ab7-c2c0-4b31-893c-564acb8f857a",
"create date": "2023-07-13T02:14:55.484000Z",
"hostname": "WEBSERVER",
"pid": 1276,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-c2c0-4b31-fc04-00c4827455f9",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX",
"XXX.XXX.XXX.XXX"
],
"agentid": "5011b34e-183f-438a-a44c-a0e32a89719a",
"create date": "2023-07-06T05:33:19.372000Z",
"hostname": "WEBSERVER",
"pid": 4876,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-183f-438a-0c13-005257b88fb6",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX",
"XXX.XXX.XXX.XXX"
],
"agentid": "5011b34e-183f-438a-a44c-a0e32a89719a",
"create date": "2023-07-06T05:33:11.969000Z",
"hostname": "WEBSERVER",
"pid": 1216,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-183f-438a-c004-00cebeddc9bf",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX",
"XXX.XXX.XXX.XXX"
],
"agentid": "5011b34e-183f-438a-a44c-a0e32a89719a",
"create date": "2023-07-04T05:25:43.924000Z",
"hostname": "WEBSERVER",
"pid": 760,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-183f-438a-f802-00e6099364ff",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX",
"XXX.XXX.XXX.XXX"
],
"agentid": "5011b34e-183f-438a-a44c-a0e32a89719a",
"create date": "2023-07-04T05:25:37.176000Z",
"hostname": "WEBSERVER",
"pid": 1296,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-183f-438a-1005-006ae872c8a6",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX"
],
"agentid": "5011b34e-183f-438a-a44c-a0e32a89719a",
"create date": "2023-07-02T05:25:42.501000Z",
"hostname": "WEBSERVER",
"pid": 4252,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-183f-438a-9c10-00a479475cc1",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX"
],
"agentid": "5011b34e-183f-438a-a44c-a0e32a89719a",
"create date": "2023-07-02T05:25:35.173000Z",
"hostname": "WEBSERVER",
"pid": 1296,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-183f-438a-1005-006ae872c8a6",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX",
"XXX.XXX.XXX.XXX"
],
"agentid": "5011b34e-183f-438a-a44c-a0e32a89719a",
"create date": "2023-07-01T11:40:33.272000Z",
"hostname": "WEBSERVER",
"pid": 5656,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-183f-438a-1816-00ba61e017c5",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX",
"XXX.XXX.XXX.XXX"
],
"agentid": "5011b34e-183f-438a-a44c-a0e32a89719a",
"create date": "2023-07-01T11:40:28.846000Z",
"hostname": "WEBSERVER",
"pid": 1296,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-183f-438a-1005-006ae872c8a6",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX",
"XXX.XXX.XXX.XXX"
],
"agentid": "5011b34e-183f-438a-a44c-a0e32a89719a",
"create date": "2023-07-01T03:40:39.204000Z",
"hostname": "WEBSERVER",
"pid": 1296,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-183f-438a-1005-006ae872c8a6",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX",
"XXX.XXX.XXX.XXX"
],
"agentid": "5011b34e-183f-438a-a44c-a0e32a89719a",
"create date": "2023-06-30T23:40:27.344000Z",
"hostname": "WEBSERVER",
"pid": 1296,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-183f-438a-1005-006ae872c8a6",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
},
{
"IP addresses": [
"XXX.XXX.XXX.XXX"
],
"agentid": "5011b34e-183f-438a-a44c-a0e32a89719a",
"create date": "2023-06-30T15:40:28.177000Z",
"hostname": "WEBSERVER",
"pid": 1296,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-183f-438a-1005-006ae872c8a6",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
}
]
}
}
}

Human Readable Output#

{
"IP addresses": [
"XXX.XXX.XXX.XXX"
],
"agentid": "5011b34e-183f-438a-a44c-a0e32a89719a",
"create date": "2023-06-30T15:40:28.177000Z",
"hostname": "WEBSERVER",
"pid": 1296,
"process image path": "C:\\Windows\\System32\\svchost.exe",
"process unique id": "67786071-183f-438a-1005-006ae872c8a6",
"query type": "AAAA",
"requested name": "download.windowsupdate.com",
"tenant": ""
}
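
Every resolution the command returned above comes from svchost.exe, which is the expected resolver for download.windowsupdate.com. An added example (not the integration's code) of turning such output into a baseline: it records which process images have resolved each name, then reports later records whose process has never resolved that name, or whose name has no history at all. All records are constructed in the shape of `Harfanglab.Telemetrydns.dns`; the answer addresses are RFC 5737/3849 documentation values and the two flagged records are invented.

```python
"""Baseline which process images resolve a given name, using records in the
shape of Harfanglab.Telemetrydns.dns, and report resolutions that fall outside
it.  Added example, not the integration's code.  All records are constructed:
they follow the page's fields, but the addresses are RFC 5737/3849
documentation values and the flagged records are invented."""
from collections import Counter, defaultdict

SVCHOST = "C:\\Windows\\System32\\svchost.exe"


def _rec(ts, host, pid, image, name, qtype="AAAA", answers=("2001:db8::1",)):
    """One DNS telemetry record with the fields used below."""
    return {"create date": ts, "hostname": host, "pid": pid,
            "process image path": image, "requested name": name,
            "query type": qtype, "IP addresses": list(answers)}


# Known-good history: the Windows Update client (svchost) resolving the update host.
BASELINE_RECORDS = [
    _rec("2023-07-20T08:14:28.306000Z", "WEBSERVER", 5956, SVCHOST, "download.windowsupdate.com"),
    _rec("2023-07-20T08:14:23.768000Z", "WEBSERVER", 1296, SVCHOST, "download.windowsupdate.com"),
]

# Records to check against the baseline (constructed).
NEW_RECORDS = [
    _rec("2023-07-21T08:14:00.000000Z", "WEBSERVER", 1296, SVCHOST, "download.windowsupdate.com"),
    # Same name, but resolved by a process image never seen doing so.
    _rec("2023-07-21T08:15:00.000000Z", "WEBSERVER", 4120,
         "C:\\Users\\Public\\update.exe", "download.windowsupdate.com"),
    # A name with no history at all.
    _rec("2023-07-21T08:16:00.000000Z", "WEBSERVER", 1296, SVCHOST, "example.org",
         "A", ("192.0.2.10",)),
]


def build_baseline(records):
    """Map each requested name to the set of process images that resolved it."""
    baseline = defaultdict(set)
    for rec in records:
        baseline[rec["requested name"].lower()].add(rec["process image path"].lower())
    return baseline


def find_new_resolvers(baseline, records):
    """Return records whose (name, process image) pair is absent from the baseline."""
    hits = []
    for rec in records:
        name = rec["requested name"].lower()
        image = rec["process image path"].lower()
        if image in baseline.get(name, set()):
            continue
        hits.append({
            "hostname": rec["hostname"], "pid": rec["pid"],
            "process": rec["process image path"], "name": rec["requested name"],
            "reason": "new name" if name not in baseline else "new process for name",
            "when": rec["create date"],
        })
    return hits


def resolutions_per_process(records):
    """Count resolutions per (hostname, process image path), case-insensitive."""
    return Counter((r["hostname"].upper(), r["process image path"].lower()) for r in records)


if __name__ == "__main__":
    base = build_baseline(BASELINE_RECORDS)
    for hit in find_new_resolvers(base, NEW_RECORDS):
        print("%(reason)s: %(process)s (pid %(pid)d) -> %(name)s on %(hostname)s" % hit)
    for key, n in resolutions_per_process(BASELINE_RECORDS + NEW_RECORDS).items():
        print(key, n)
```

Names and image paths are compared case-insensitively because Windows paths and DNS names are; the baseline is keyed by name only, so a process that is legitimate on one host is accepted on another, which is the right default for system components such as svchost.exe but may be too loose for per-host software.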

harfanglab-telemetry-authentication-windows#


Search Windows authentication telemetry

Base Command#

harfanglab-telemetry-authentication-windows

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | Endpoint hostname. | Optional |
| source_address | Source IP address. | Optional |
| success | Whether authentication succeeded or not. | Optional |
| source_username | Source username. | Optional |
| target_username | Target username. | Optional |
| logon_title | Logon title. | Optional |
| from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| limit | Maximum number of elements to fetch. Default is 100. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.TelemetryWindowsAuthentications.authentications | unknown | Provides a list of Windows authentications. |

Command example#

!harfanglab-telemetry-authentication-windows limit=5 target_username=vagrant

Context Example#

{
"Harfanglab": {
"Telemetrywindows_authentications": {
"windows_authentications": [
{
"agentid": "147b2639-0427-40f3-9004-95cada686d15",
"event id": 4634,
"event title": "An account was logged off",
"hostname": "DC-01",
"logon process name": null,
"logon title": "Network",
"logon type": 3,
"process name": null,
"source address": null,
"source username": null,
"success": null,
"target username": "vagrant",
"timestamp": "2023-07-21T08:04:04.448200Z"
},
{
"agentid": "2eabb3d4-2fe4-45c7-ba87-4fc486f37638",
"event id": 4634,
"event title": "An account was logged off",
"hostname": "WEBSERVER",
"logon process name": null,
"logon title": "Network",
"logon type": 3,
"process name": null,
"source address": null,
"source username": null,
"success": null,
"target username": "vagrant",
"timestamp": "2023-07-20T12:26:58.076300Z"
},
{
"agentid": "2eabb3d4-2fe4-45c7-ba87-4fc486f37638",
"event id": 4634,
"event title": "An account was logged off",
"hostname": "WEBSERVER",
"logon process name": null,
"logon title": "Unlock",
"logon type": 7,
"process name": null,
"source address": null,
"source username": null,
"success": null,
"target username": "vagrant",
"timestamp": "2023-07-20T06:24:57.315374Z"
},
{
"agentid": "524f8ab7-c2c0-4b31-893c-564acb8f857a",
"event id": 4634,
"event title": "An account was logged off",
"hostname": "WEBSERVER",
"logon process name": null,
"logon title": "Network",
"logon type": 3,
"process name": null,
"source address": null,
"source username": null,
"success": null,
"target username": "vagrant",
"timestamp": "2023-07-17T12:31:14.007910Z"
},
{
"agentid": "524f8ab7-c2c0-4b31-893c-564acb8f857a",
"event id": 4634,
"event title": "An account was logged off",
"hostname": "WEBSERVER",
"logon process name": null,
"logon title": "Unlock",
"logon type": 7,
"process name": null,
"source address": null,
"source username": null,
"success": null,
"target username": "vagrant",
"timestamp": "2023-07-17T05:59:38.968596Z"
}
]
}
}
}

Human Readable Output#

{
"agentid": "524f8ab7-c2c0-4b31-893c-564acb8f857a",
"event id": 4634,
"event title": "An account was logged off",
"hostname": "WEBSERVER",
"logon process name": null,
"logon title": "Unlock",
"logon type": 7,
"process name": null,
"source address": null,
"source username": null,
"success": null,
"target username": "vagrant",
"timestamp": "2023-07-17T05:59:38.968596Z"
}

harfanglab-telemetry-authentication-linux#


Search Linux authentication telemetry

Base Command#

harfanglab-telemetry-authentication-linux

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | Endpoint hostname. | Optional |
| source_address | Source IP address. | Optional |
| success | Whether authentication succeeded or not. | Optional |
| source_username | Source username. | Optional |
| target_username | Target username. | Optional |
| from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| limit | Maximum number of elements to fetch. Default is 100. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.TelemetryLinuxAuthentications.authentications | unknown | Provides a list of Linux authentications. |

harfanglab-telemetry-authentication-macos#


Search macOS authentication telemetry

Base Command#

harfanglab-telemetry-authentication-macos

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | Endpoint hostname. | Optional |
| source_address | Source IP address. | Optional |
| success | Whether authentication succeeded or not. | Optional |
| source_username | Source username. | Optional |
| target_username | Target username. | Optional |
| from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| limit | Maximum number of elements to fetch. Default is 100. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.TelemetryMacosAuthentications.authentications | unknown | Provides a list of macOS authentications. |

harfanglab-telemetry-authentication-users#


Get the top N users who successfully authenticated on the host

Base Command#

harfanglab-telemetry-authentication-users

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | Endpoint hostname. | Required |
| from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| limit | Fetch only the top N users who successfully authenticated on the host. Default is 3. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Authentications.Users | unknown | Provides a list of users who successfully authenticated on the host with an interactive logon, sorted by decreasing occurrence. |

Command example#

!harfanglab-telemetry-authentication-users hostname=CL-Ep2-Win11 limit=4

Context Example#

{
    "Harfanglab": {
        "Authentications": {
            "Users": [
                {
                    "Authentication attempts": 4,
                    "Username": "CL-EP2-WIN11\\hladmin"
                },
                {
                    "Authentication attempts": 2,
                    "Username": "hladmin"
                }
            ]
        }
    }
}

Human Readable Output#

Top None authentications#

| Username | Authentication attempts |
| --- | --- |
| CL-EP2-WIN11\hladmin | 4 |
| hladmin | 2 |

harfanglab-telemetry-process-graph#


Get a process graph

Base Command#

harfanglab-telemetry-process-graph

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| process_uuid | Process UUID. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.ProcessGraph | unknown | Process Graph |
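The graph is returned as `nodes` plus `edge-parent` edges that point from parent (`source`) to child (`target`). The following is an added example of how an XSOAR automation could consume that context to rebuild the ancestry chain of the queried process and pick out nodes that carry alerts; it is not part of the original documentation or the integration's own code, and the sample graph below is constructed (node names and order follow the context example for this command, IDs are shortened).

```python
"""Walk a Harfanglab.ProcessGraph context from the current process to its root."""
from typing import Dict, List

# Constructed sample shaped like the harfanglab-telemetry-process-graph context:
# same chain as the documented example (calc.exe launched under cmd.exe,
# explorer.exe, userinit.exe, winlogon.exe), with shortened IDs.
SAMPLE_GRAPH = {
    "current_process_id": "p-calc",
    "edges": [
        {"class": "edge-parent", "source": "p-cmd", "target": "p-calc"},
        {"class": "edge-parent", "source": "p-explorer", "target": "p-cmd"},
        {"class": "edge-parent", "source": "p-userinit", "target": "p-explorer"},
        {"class": "edge-parent", "source": "p-winlogon", "target": "p-userinit"},
    ],
    "nodes": [
        {"id": "p-calc", "name": "calc.exe", "alertCount": 1, "signed": True},
        {"id": "p-cmd", "name": "cmd.exe", "alertCount": 0, "signed": True},
        {"id": "p-explorer", "name": "explorer.exe", "alertCount": 0, "signed": True},
        {"id": "p-userinit", "name": "userinit.exe", "alertCount": 0, "signed": True},
        {"id": "p-winlogon", "name": "winlogon.exe", "alertCount": 0, "signed": True},
    ],
}


def ancestry_chain(graph: Dict) -> List[str]:
    """Process names from the current process up to the root (child first).

    Index child -> parent from the edge-parent edges and follow it; the walk
    stops at a node with no parent edge and a visited set guards against a
    malformed graph that loops. Nodes listed in edges but absent from
    `nodes` (cf. missing_processes) are reported rather than dropped.
    """
    parent_of = {e["target"]: e["source"] for e in graph["edges"]
                 if e.get("class") == "edge-parent"}
    names = {n["id"]: n["name"] for n in graph["nodes"]}
    chain, node, seen = [], graph["current_process_id"], set()
    while node and node not in seen:
        seen.add(node)
        chain.append(names.get(node, f"<missing {node}>"))
        node = parent_of.get(node)
    return chain


def flagged_nodes(graph: Dict) -> List[str]:
    """Names of nodes with alerts, an unsigned image, or injected threads."""
    return [n["name"] for n in graph["nodes"]
            if n.get("alertCount", 0) > 0 or not n.get("signed", True)
            or n.get("injectedThreadCount", 0) > 0]


if __name__ == "__main__":
    print(" <- ".join(ancestry_chain(SAMPLE_GRAPH)))
    print(flagged_nodes(SAMPLE_GRAPH))
```

In a real automation, `SAMPLE_GRAPH` would be replaced by `demisto.context()["Harfanglab"]["ProcessGraph"]` after running the command.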

Command example#

!harfanglab-telemetry-process-graph process_uuid=37d378de-b558-4597-e820-009fa44c4c03

Context Example#

{
"Harfanglab": {
"ProcessGraph": {
"calc_time": 0.2487087131012231,
"current_process_id": "37d378de-b558-4597-e820-009fa44c4c03",
"edges": [
{
"class": "edge-parent",
"source": "37d378de-b558-4597-a025-000bb895a6e4",
"target": "37d378de-b558-4597-e820-009fa44c4c03"
},
{
"class": "edge-parent",
"source": "37d378de-b558-4597-6c19-00c365029657",
"target": "37d378de-b558-4597-a025-000bb895a6e4"
},
{
"class": "edge-parent",
"source": "37d378de-b558-4597-0819-000ba55fbed4",
"target": "37d378de-b558-4597-6c19-00c365029657"
},
{
"class": "edge-parent",
"source": "37d378de-b558-4597-9002-007a09a922ae",
"target": "37d378de-b558-4597-0819-000ba55fbed4"
}
],
"missing_processes": {},
"nodes": [
{
"alertCount": 1,
"childProcessCount": 0,
"childProcessCountConfidence": "exact",
"class": "node",
"connectionCount": 0,
"dnsResolutionCount": 0,
"id": "37d378de-b558-4597-e820-009fa44c4c03",
"injectedThreadCount": 0,
"name": "calc.exe",
"parents": [
"37d378de-b558-4597-a025-000bb895a6e4"
],
"powershellCount": 0,
"signed": true,
"status": "complete",
"type": "exe"
},
{
"alertCount": 0,
"childProcessCount": 3,
"childProcessCountConfidence": "exact",
"class": "node",
"connectionCount": 0,
"dnsResolutionCount": 0,
"id": "37d378de-b558-4597-a025-000bb895a6e4",
"injectedThreadCount": 0,
"name": "cmd.exe",
"parents": [
"37d378de-b558-4597-6c19-00c365029657"
],
"powershellCount": 0,
"signed": true,
"status": "complete",
"type": "exe"
},
{
"alertCount": 0,
"childProcessCount": 5,
"childProcessCountConfidence": "exact",
"class": "node",
"connectionCount": 0,
"dnsResolutionCount": 0,
"id": "37d378de-b558-4597-6c19-00c365029657",
"injectedThreadCount": 0,
"name": "explorer.exe",
"parents": [
"37d378de-b558-4597-0819-000ba55fbed4"
],
"powershellCount": 0,
"signed": true,
"status": "complete",
"type": "exe"
},
{
"alertCount": 0,
"childProcessCount": 1,
"childProcessCountConfidence": "exact",
"class": "node",
"connectionCount": 0,
"dnsResolutionCount": 0,
"id": "37d378de-b558-4597-0819-000ba55fbed4",
"injectedThreadCount": 0,
"name": "userinit.exe",
"parents": [
"37d378de-b558-4597-9002-007a09a922ae"
],
"powershellCount": 0,
"signed": true,
"status": "complete",
"type": "exe"
},
{
"alertCount": 0,
"childProcessCount": 5,
"childProcessCountConfidence": "exact",
"class": "node",
"connectionCount": 0,
"dnsResolutionCount": 0,
"id": "37d378de-b558-4597-9002-007a09a922ae",
"injectedThreadCount": 0,
"name": "winlogon.exe",
"parents": [],
"powershellCount": 0,
"signed": true,
"status": "complete",
"type": "exe"
}
],
"processes": {
"37d378de-b558-4597-0819-000ba55fbed4": {
"@event_create_date": "2023-07-20T08:56:43.923000Z",
"@timestamp": "2023-07-20T08:56:47.885612Z",
"@version": "1",
"agent": {
"agentid": "f93af2e6-b558-4597-bb9f-d8288a510c45",
"domainname": "WORKGROUP",
"hostname": "martin-vbox-win10-first",
"osproducttype": "Windows 10 Enterprise",
"ostype": "windows",
"osversion": "10.0.19041",
"version": "2.29.0rc1-post0"
},
"ancestors": "C:\\Windows\\System32\\winlogon.exe",
"commandline": "C:\\Windows\\system32\\userinit.exe",
"current_directory": "C:\\Windows\\system32\\",
"fake_parent_commandline": "",
"fake_parent_image": "",
"fake_ppid": 0,
"grandparent_commandline": "",
"grandparent_image": "",
"grandparent_integrity_level": "Unknown",
"groups": [
{
"id": "41761a0c-c691-49f4-88a0-188dcdcc5d40",
"name": "le groupe de la marmotte"
}
],
"hashes": {
"md5": "582a919ca5f944aa83895a5c633c122c",
"sha1": "6d0c6aea6bce05166761085b1d612558f81d877a",
"sha256": "eda7ee39d4db8142a1e0788e205e80ae798035d60273e74981e09e98c8d0e740"
},
"id": "oVOEcokBVudtObjXHC6o",
"image_name": "C:\\Windows\\System32\\userinit.exe",
"integrity_level": "Medium",
"log_platform_flag": 0,
"log_type": "process",
"logonid": 182681,
"parent_commandline": "winlogon.exe",
"parent_image": "C:\\Windows\\System32\\winlogon.exe",
"parent_integrity_level": "System",
"parent_unique_id": "37d378de-b558-4597-9002-007a09a922ae",
"pe_imphash": "DE7486657F39757C768DEE3094E10FF8",
"pe_info": {
"company_name": "Microsoft Corporation",
"file_description": "Userinit Logon Application",
"file_version": "10.0.19041.1 (WinBuild.160101.0800)",
"internal_name": "userinit",
"legal_copyright": "\u00a9 Microsoft Corporation. All rights reserved.",
"original_filename": "USERINIT.EXE",
"pe_timestamp": "2086-04-07T12:35:36Z",
"product_name": "Microsoft\u00ae Windows\u00ae Operating System",
"product_version": "10.0.19041.1"
},
"pe_timestamp": "2086-04-07T12:35:36Z",
"pe_timestamp_int": 3669021336,
"pid": 6408,
"ppid": 656,
"process_name": "userinit.exe",
"process_unique_id": "37d378de-b558-4597-0819-000ba55fbed4",
"session": 1,
"signature_info": {
"root_info": {
"display_name": "Microsoft Root Certificate Authority 2010",
"issuer_name": "Microsoft Root Certificate Authority 2010",
"serial_number": "28cc3a25bfba44ac449a9b586b4339aa",
"thumbprint": "3b1efd3a66ea28b16697394703a72ca340a05bd5",
"thumbprint_sha256": "df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e"
},
"signed_authenticode": false,
"signed_catalog": true,
"signer_info": {
"display_name": "Microsoft Windows",
"issuer_name": "Microsoft Windows Production PCA 2011",
"serial_number": "330000023241fb59996dcc4dff000000000232",
"thumbprint": "ff82bc38e1da5e596df374c53e3617f7eda36b06",
"thumbprint_sha256": "e866d202865ed3d83c35dff4cde3a2d0fc1d2b17c084e8b26dd0ca28a8c75cfb"
}
},
"signed": true,
"size": 34816,
"tenant": "",
"username": "MARTIN-VBOX-WIN\\root",
"usersid": "S-1-5-21-2977311633-4124872198-649243625-1000"
},
"37d378de-b558-4597-6c19-00c365029657": {
"@event_create_date": "2023-07-20T08:56:44.030000Z",
"@timestamp": "2023-07-20T08:56:47.885767Z",
"@version": "1",
"agent": {
"agentid": "f93af2e6-b558-4597-bb9f-d8288a510c45",
"domainname": "WORKGROUP",
"hostname": "martin-vbox-win10-first",
"osproducttype": "Windows 10 Enterprise",
"ostype": "windows",
"osversion": "10.0.19041",
"version": "2.29.0rc1-post0"
},
"ancestors": "C:\\Windows\\System32\\userinit.exe|C:\\Windows\\System32\\winlogon.exe",
"commandline": "C:\\Windows\\Explorer.EXE",
"current_directory": "C:\\Windows\\system32\\",
"fake_parent_commandline": "",
"fake_parent_image": "",
"fake_ppid": 0,
"grandparent_commandline": "winlogon.exe",
"grandparent_image": "C:\\Windows\\System32\\winlogon.exe",
"grandparent_integrity_level": "System",
"groups": [
{
"id": "41761a0c-c691-49f4-88a0-188dcdcc5d40",
"name": "le groupe de la marmotte"
}
],
"hashes": {
"md5": "fde2638e4a80b507e683d973474168da",
"sha1": "7cdd581ae59dae0564e421d3b46683c7b2c50571",
"sha256": "23165139c2a7d2d75df54b8fbac69fa37462c43ff971b78f8cbf99be2613655e"
},
"id": "pVOEcokBVudtObjXHC6y",
"image_name": "C:\\Windows\\explorer.exe",
"integrity_level": "Medium",
"log_platform_flag": 0,
"log_type": "process",
"logonid": 182681,
"parent_commandline": "C:\\Windows\\system32\\userinit.exe",
"parent_image": "C:\\Windows\\System32\\userinit.exe",
"parent_integrity_level": "Medium",
"parent_unique_id": "37d378de-b558-4597-0819-000ba55fbed4",
"pe_imphash": "1B23FD932A3AEF7DBAACECEC28FAB72F",
"pe_info": {
"company_name": "Microsoft Corporation",
"file_description": "Windows Explorer",
"file_version": "10.0.19041.1 (WinBuild.160101.0800)",
"internal_name": "explorer",
"legal_copyright": "\u00a9 Microsoft Corporation. All rights reserved.",
"original_filename": "EXPLORER.EXE",
"pe_timestamp": "2035-04-10T22:40:03Z",
"product_name": "Microsoft\u00ae Windows\u00ae Operating System",
"product_version": "10.0.19041.1"
},
"pe_timestamp": "2035-04-10T22:40:03Z",
"pe_timestamp_int": 2059857603,
"pid": 6508,
"ppid": 6408,
"process_name": "explorer.exe",
"process_unique_id": "37d378de-b558-4597-6c19-00c365029657",
"session": 1,
"signature_info": {
"root_info": {
"display_name": "Microsoft Root Certificate Authority 2010",
"issuer_name": "Microsoft Root Certificate Authority 2010",
"serial_number": "28cc3a25bfba44ac449a9b586b4339aa",
"thumbprint": "3b1efd3a66ea28b16697394703a72ca340a05bd5",
"thumbprint_sha256": "df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e"
},
"signed_authenticode": true,
"signed_catalog": false,
"signer_info": {
"display_name": "Microsoft Windows",
"issuer_name": "Microsoft Windows Production PCA 2011",
"serial_number": "330000023241fb59996dcc4dff000000000232",
"thumbprint": "ff82bc38e1da5e596df374c53e3617f7eda36b06",
"thumbprint_sha256": "e866d202865ed3d83c35dff4cde3a2d0fc1d2b17c084e8b26dd0ca28a8c75cfb"
}
},
"signed": true,
"size": 4478208,
"tenant": "",
"username": "MARTIN-VBOX-WIN\\root",
"usersid": "S-1-5-21-2977311633-4124872198-649243625-1000"
},
"37d378de-b558-4597-9002-007a09a922ae": {
"@event_create_date": "2023-07-20T08:56:37.997000Z",
"@timestamp": "2023-07-20T08:56:44.140309Z",
"@version": "1",
"agent": {
"agentid": "f93af2e6-b558-4597-bb9f-d8288a510c45",
"domainname": "WORKGROUP",
"hostname": "martin-vbox-win10-first",
"osproducttype": "Windows 10 Enterprise",
"ostype": "windows",
"osversion": "10.0.19041",
"version": "2.29.0rc1-post0"
},
"ancestors": "",
"commandline": "winlogon.exe",
"current_directory": "C:\\Windows\\system32\\",
"fake_parent_commandline": "",
"fake_parent_image": "",
"fake_ppid": 0,
"grandparent_commandline": "",
"grandparent_image": "",
"grandparent_integrity_level": "Unknown",
"groups": [
{
"id": "41761a0c-c691-49f4-88a0-188dcdcc5d40",
"name": "le groupe de la marmotte"
}
],
"hashes": {
"md5": "8b9b35206487d39b2d3d076444485ec2",
"sha1": "b136d54bb0b352b2239e08f0b4389d663e413050",
"sha256": "fbc2eb97a177f7cbd6e38f3a6c45471e988b01978724f9790af0377bb5f3bf8d"
},
"id": "f1OEcokBVudtObjXDi6K",
"image_name": "C:\\Windows\\System32\\winlogon.exe",
"integrity_level": "System",
"log_platform_flag": 0,
"log_type": "process"