# HarfangLab EDR

This Integration is part of the HarfangLab EDR Pack.

#### Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

HarfangLab EDR Connector, compatible version 2.13.7+. This integration was integrated and tested with version 2.13.7+ of Hurukai.

## Configure HarfangLab EDR on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for HarfangLab EDR.
3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| API URL |  | True |
| Fetch incidents |  | False |
| Incident type |  | False |
| API Key |  | False |
| Incidents Fetch Interval |  | False |
| Fetch alerts with type | Comma-separated list of types of alerts to fetch (sigma, yara, hlai, vt, ransom, ioc, glimps, orion...). | False |
| Minimum severity of alerts to fetch |  | True |
| Fetch alerts with status (ACTIVE, CLOSED) |  | False |
| Maximum number of incidents to fetch per call | Fetch at most `<max_fetch>` security events and/or threats per call (leave empty if unlimited). | False |
| First fetch time | Start fetching alerts and/or threats whose creation date is later than now minus `<first_fetch>` days. | True |
| Mirroring Direction | Choose the direction to mirror the detection: Incoming (from HarfangLab EDR to Cortex XSOAR), Outgoing (from Cortex XSOAR to HarfangLab EDR), or Incoming and Outgoing (to/from HarfangLab EDR and Cortex XSOAR). | False |
| Fetch types |  | True |
| Close Mirrored security event or threat in the XSOAR | When selected, closes the XSOAR incident that is mirrored from the HarfangLab EDR. | False |
| Close Mirrored security event or threat in HarfangLab EDR | When selected, closes the mirrored security event or threat in the HarfangLab EDR. | False |
| Trust any certificate (not secure) |  | False |
| Use system proxy settings |  | False |

4. Click Test to validate the URLs, token, and connection.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### fetch-incidents

Retrieves incidents from the HarfangLab EDR API.

#### Base Command

`fetch-incidents`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |

#### Context Output

There is no context output for this command.

### harfanglab-get-endpoint-info

Get endpoint information from agent_id.

#### Base Command

`harfanglab-get-endpoint-info`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Agent | unknown | Agent information |

#### Command example

`!harfanglab-get-endpoint-info agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

Endpoint information for agent_id : 0fae71cf-ebde-4533-a50c-b3c0290378db

| Field | Value |
| --- | --- |
| additional_info | additional_info1: null, additional_info2: null, additional_info3: null, additional_info4: null |
| avg_cpu | 1.0 |
| avg_memory | 183558144.0 |
| bitness | x64 |
| cpu_count | 2 |
| cpu_frequency | 3192 |
| domainname | WORKGROUP |
| driver_enabled | true |
| driver_policy | false |
| effective_policy_id | e96699ef-3dd9-4718-90ef-c7e5646fd466 |
| effective_policy_revision | 5 |
| external_ipaddress | (REDACTED) |
| firstseen | 2022-06-15T06:42:50.008015Z |
| group_count | 0 |
| hostname | DC-01 |
| id | 0fae71cf-ebde-4533-a50c-b3c0290378db |
| installdate | 2022/06/15 06:38:58 |
| ipaddress | (REDACTED) |
| ipmask | (REDACTED) |
| isolation_policy | false |
| isolation_state | true |
| lastseen | 2022-07-28T07:41:32.197641Z |
| lastseen_error | 2022-07-28T07:47:02.197641Z |
| lastseen_warning | 2022-07-28T07:43:44.197641Z |
| machine_boottime | 2022-06-28T14:18:31Z |
| osbuild | 20348 |
| osid | 00454-40000-00001-AA596 |
| osmajor | 10 |
| osminor | 0 |
| osproducttype | Windows Server 2022 Standard Evaluation |
| ostype | windows |
| osversion | 10.0.20348 |
| policy | nested object, listed in the policy table below |
| producttype | server |
| starttime | 2022-06-28T14:18:47Z |
| status | online |
| total_memory | 2133962752.0 |
| uninstall_status | 0 |
| update_experimental | false |
| update_status | 0 |
| version | 2.15.0 |

Policy applied to the agent (the nested `policy` value):

| Policy field | Value |
| --- | --- |
| id | e96699ef-3dd9-4718-90ef-c7e5646fd466 |
| tenant | null |
| name | No psexec |
| description |  |
| revision | 5 |
| sleeptime | 60 |
| sleepjitter | 10 |
| telemetry_process | true |
| telemetry_process_limit | false |
| telemetry_process_limit_value | 1000 |
| telemetry_network | true |
| telemetry_network_limit | false |
| telemetry_network_limit_value | 1000 |
| telemetry_log | true |
| telemetry_log_limit | false |
| telemetry_log_limit_value | 1000 |
| telemetry_remotethread | true |
| telemetry_remotethread_limit | false |
| telemetry_remotethread_limit_value | 1000 |
| telemetry_alerts_limit | false |
| telemetry_alerts_limit_value | 1000 |
| binary_download_enabled | true |
| loglevel | ERROR |
| use_sigma | true |
| ioc_mode | 2 |
| hlai_mode | 1 |
| hlai_skip_signed_ms | true |
| hlai_skip_signed_others | false |
| hlai_minimum_level | critical |
| hibou_mode | 0 |
| hibou_skip_signed_ms | false |
| hibou_skip_signed_others | false |
| hibou_minimum_level | critical |
| yara_mode | 1 |
| yara_skip_signed_ms | true |
| yara_skip_signed_others | false |
| use_driver | true |
| use_isolation | true |
| use_ransomguard | true |
| ransomguard_alert_only | false |
| self_protection | false |
| use_process_block | true |
| use_sigma_process_block | false |
| sigma_ruleset | 1 |
| yara_ruleset | null |
| ioc_ruleset | null |

### harfanglab-endpoint-search

Search for endpoint information from a hostname.

#### Base Command

`harfanglab-endpoint-search`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | Endpoint hostname. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Agent | unknown | Agent information. |
| Harfanglab.Agent.id | string | agent id (DEPRECATED) |
| Harfanglab.status | string | Status (DEPRECATED) |

#### Command example

`!harfanglab-endpoint-search hostname="DC-01"`

#### Context Example

#### Human Readable Output

Endpoint information for Hostname : DC-01

Two agent records match the hostname; each is one row of the original output, shown here as one column per agent.

| Field | Agent 0fae71cf-ebde-4533-a50c-b3c0290378db | Agent 706d4524-dc2d-4438-bfef-3b620646db7f |
| --- | --- | --- |
| additional_info | additional_info1: null, additional_info2: null, additional_info3: null, additional_info4: null | additional_info1: null, additional_info2: null, additional_info3: null, additional_info4: null |
| avg_cpu | 1.0 | 0.6 |
| avg_memory | 183558144.0 | 125627596.0 |
| bitness | x64 | x64 |
| cpu_count | 2 | 2 |
| cpu_frequency | 3192 | 3192 |
| domainname | WORKGROUP | WORKGROUP |
| driver_enabled | true | true |
| driver_policy | false | false |
| external_ipaddress | (REDACTED) | (REDACTED) |
| firstseen | 2022-06-15T06:42:50.008015Z | 2022-06-14T22:23:08.393381Z |
| group_count | 0 | 0 |
| hostname | DC-01 | DC-01 |
| id | 0fae71cf-ebde-4533-a50c-b3c0290378db | 706d4524-dc2d-4438-bfef-3b620646db7f |
| installdate | 2022/06/15 06:38:58 | 2022/06/14 21:56:49 |
| ipaddress | (REDACTED) | (REDACTED) |
| ipmask | (REDACTED) | (REDACTED) |
| isolation_policy | false | false |
| isolation_state | true | false |
| lastseen | 2022-07-28T07:41:32.197641Z | 2022-06-15T06:33:46.544505Z |
| lastseen_error | 2022-07-28T07:47:02.197641Z | 2022-06-15T06:39:16.544505Z |
| lastseen_warning | 2022-07-28T07:43:44.197641Z | 2022-06-15T06:35:58.544505Z |
| machine_boottime | 2022-06-28T14:18:31Z | 2022-06-14T22:00:23Z |
| osbuild | 20348 | 20348 |
| osid | 00454-40000-00001-AA596 | 00454-40000-00001-AA081 |
| osmajor | 10 | 10 |
| osminor | 0 | 0 |
| osproducttype | Windows Server 2022 Standard Evaluation | Windows Server 2022 Standard Evaluation |
| ostype | windows | windows |
| osversion | 10.0.20348 | 10.0.20348 |
| policy | nested object, listed in the policy table below | nested object, identical to the first agent's |
| producttype | server | server |
| starttime | 2022-06-28T14:18:47Z | 2022-06-14T22:02:32Z |
| status | online | offline |
| total_memory | 2133962752.0 | 2133962752.0 |
| uninstall_status | 0 | 0 |
| update_experimental | false | false |
| update_status | 0 | 0 |
| version | 2.15.0 | 2.15.0 |

Policy applied to both agents (the nested `policy` value, identical in both records):

| Policy field | Value |
| --- | --- |
| id | e96699ef-3dd9-4718-90ef-c7e5646fd466 |
| tenant | null |
| name | No psexec |
| description |  |
| revision | 5 |
| sleeptime | 60 |
| sleepjitter | 10 |
| telemetry_process | true |
| telemetry_process_limit | false |
| telemetry_process_limit_value | 1000 |
| telemetry_network | true |
| telemetry_network_limit | false |
| telemetry_network_limit_value | 1000 |
| telemetry_log | true |
| telemetry_log_limit | false |
| telemetry_log_limit_value | 1000 |
| telemetry_remotethread | true |
| telemetry_remotethread_limit | false |
| telemetry_remotethread_limit_value | 1000 |
| telemetry_alerts_limit | false |
| telemetry_alerts_limit_value | 1000 |
| binary_download_enabled | true |
| loglevel | ERROR |
| use_sigma | true |
| ioc_mode | 2 |
| hlai_mode | 1 |
| hlai_skip_signed_ms | true |
| hlai_skip_signed_others | false |
| hlai_minimum_level | critical |
| hibou_mode | 0 |
| hibou_skip_signed_ms | false |
| hibou_skip_signed_others | false |
| hibou_minimum_level | critical |
| yara_mode | 1 |
| yara_skip_signed_ms | true |
| yara_skip_signed_others | false |
| use_driver | true |
| use_isolation | true |
| use_ransomguard | true |
| ransomguard_alert_only | false |
| self_protection | false |
| use_process_block | true |
| use_sigma_process_block | false |
| sigma_ruleset | 1 |
| yara_ruleset | null |
| ioc_ruleset | null |

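An added example, not the integration's own code, that consumes agent records of the shape shown above: when an endpoint search returns several records for one hostname (as the two DC-01 entries do), it picks the live one, and it checks heartbeat, policy sync and driver state before a job is dispatched to the agent. Field names follow the endpoint information table; treating `lastseen_warning` and `lastseen_error` as threshold timestamps is an assumption, and the function names are the example's own.

```python
"""Readiness checks over HarfangLab agent records (added example, not the
integration's own code). Field names follow the endpoint information table
returned by harfanglab-get-endpoint-info / harfanglab-endpoint-search."""
from datetime import datetime, timezone

# Constructed sample: the two DC-01 records that harfanglab-endpoint-search
# returned on this page. The hostname appears twice because the agent was
# reinstalled; the old record (706d4524...) is offline and stale.
SAMPLE_AGENTS = [
    {
        "id": "0fae71cf-ebde-4533-a50c-b3c0290378db", "hostname": "DC-01",
        "status": "online", "driver_enabled": True, "version": "2.15.0",
        "effective_policy_id": "e96699ef-3dd9-4718-90ef-c7e5646fd466",
        "effective_policy_revision": 5,
        "lastseen": "2022-07-28T07:41:32.197641Z",
        "lastseen_warning": "2022-07-28T07:43:44.197641Z",
        "lastseen_error": "2022-07-28T07:47:02.197641Z",
        "policy": {"id": "e96699ef-3dd9-4718-90ef-c7e5646fd466",
                   "name": "No psexec", "revision": 5, "use_driver": True},
    },
    {
        "id": "706d4524-dc2d-4438-bfef-3b620646db7f", "hostname": "DC-01",
        "status": "offline", "driver_enabled": True, "version": "2.15.0",
        # the second record on the page carries no effective_policy_* fields
        "lastseen": "2022-06-15T06:33:46.544505Z",
        "lastseen_warning": "2022-06-15T06:35:58.544505Z",
        "lastseen_error": "2022-06-15T06:39:16.544505Z",
        "policy": {"id": "e96699ef-3dd9-4718-90ef-c7e5646fd466",
                   "name": "No psexec", "revision": 5, "use_driver": True},
    },
]


def parse_ts(value):
    """Parse the manager's UTC timestamps, with or without microseconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def heartbeat_state(agent, now):
    """'ok' before lastseen_warning, 'warning' before lastseen_error, else 'error'.
    Assumption: these two fields are the instants at which the manager starts
    flagging a silent agent (on this page they sit a fixed interval after lastseen)."""
    if now < parse_ts(agent["lastseen_warning"]):
        return "ok"
    if now < parse_ts(agent["lastseen_error"]):
        return "warning"
    return "error"


def policy_in_sync(agent):
    """True when the agent applies the policy id and revision assigned to it."""
    policy = agent.get("policy") or {}
    return (agent.get("effective_policy_id") == policy.get("id")
            and agent.get("effective_policy_revision") == policy.get("revision"))


def pick_live_agent(agents, hostname):
    """Among records sharing a hostname, return the online one seen most
    recently (reinstalled agents leave a stale record behind); None if absent."""
    matches = [a for a in agents if a.get("hostname") == hostname]
    if not matches:
        return None
    return max(matches, key=lambda a: (a.get("status") == "online",
                                       parse_ts(a["lastseen"])))


def job_readiness(agent, now):
    """Decide whether a harfanglab-job-* command should be sent to this agent.
    Returns (ready, blockers, warnings): blockers stop the job, warnings are
    worth recording in the incident."""
    blockers, warnings = [], []
    if agent.get("status") != "online":
        blockers.append("agent status is %s" % agent.get("status"))
    state = heartbeat_state(agent, now)
    if state == "error":
        blockers.append("no heartbeat since %s" % agent["lastseen"])
    elif state == "warning":
        warnings.append("heartbeat overdue since %s" % agent["lastseen_warning"])
    if not policy_in_sync(agent):
        warnings.append("effective policy differs from the assigned policy")
    if agent.get("policy", {}).get("use_driver") and not agent.get("driver_enabled"):
        warnings.append("policy enables the driver but the agent reports it disabled")
    return (not blockers, blockers, warnings)
```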
### harfanglab-api-call

Perform a generic API call.

#### Base Command

`harfanglab-api-call`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| api_method | API method (GET, POST...). | Required |
| api_endpoint | API endpoint (/api/version, /api/data/alert/alert/Alert/...). | Optional |
| parameters | URL parameters. | Optional |
| data | Posted data. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.API | unknown | API call result |

#### Command example

`!harfanglab-api-call api_method=GET api_endpoint=/api/version`

#### Context Example

#### Human Readable Output

Results

| version |
| --- |
| 2.29.7 |

### harfanglab-telemetry-processes

Search processes.

#### Base Command

`harfanglab-telemetry-processes`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hash | File hash to search (md5, sha1, sha256). | Optional |
| hostname | Endpoint hostname. | Optional |
| from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| limit | Maximum number of elements to fetch. Default is 100. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Telemetryprocesses.processes | unknown | Provides a list of processes |
| agent.agentid | unknown | DEPRECATED |
| current_directory | unknown | DEPRECATED |
| hashes.sha256 | unknown | DEPRECATED |

#### Command example

`!harfanglab-telemetry-processes hostname="DC-01" hash=3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 limit=5`

#### Context Example

#### Human Readable Output

Processes list

| create date | hostname | process name | image name | commandline | integrity level | parent image | parent commandline | username | signed | signer | sha256 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-07-28T07:28:58.757000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T06:58:58.227000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T06:28:57.663000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T05:58:57.147000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T05:28:56.585000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |

#### Command example

`!harfanglab-telemetry-processes hostname="DC-01" limit=5`

#### Context Example

#### Human Readable Output

Processes list

| create date | hostname | process name | image name | commandline | integrity level | parent image | parent commandline | username | signed | signer | sha256 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-07-28T07:45:44.942000Z | DC-01 | MicrosoftEdgeUpdate.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /ua /installsource scheduler | System | C:\Windows\System32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p | NT AUTHORITY\SYSTEM | true | Microsoft Corporation | bef9dbed290af17cf3f30cc43fc0a94cdadc540f171c25df1363b2e852d0a042 |
| 2022-07-28T07:45:44.711000Z | DC-01 | conhost.exe | C:\Windows\System32\conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | System | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe {cf4a9162-2af0-0afe-8c36-45fd3dd29574} | NT AUTHORITY\SYSTEM | true | Microsoft Windows | 6b481d656414c50d8bd0bedcd615aeaf2f5f68576cb6732a9548e0da87729733 |
| 2022-07-28T07:45:44.704000Z | DC-01 | hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe {cf4a9162-2af0-0afe-8c36-45fd3dd29574} | System | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe | NT AUTHORITY\SYSTEM | true | HARFANGLAB SAS | 9d81d385fe2f41e8f4f96d64a37899003b54a644ba67f7197f0cdbd0b71144f0 |
| 2022-07-28T07:44:40.370000Z | DC-01 | conhost.exe | C:\Windows\System32\conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | System | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe {e273729b-d2f8-53a9-a10f-a60459dacc23} | NT AUTHORITY\SYSTEM | true | Microsoft Windows | 6b481d656414c50d8bd0bedcd615aeaf2f5f68576cb6732a9548e0da87729733 |
| 2022-07-28T07:44:40.363000Z | DC-01 | hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe {e273729b-d2f8-53a9-a10f-a60459dacc23} | System | C:\Program Files\HarfangLab\hurukai.exe | C:\Program Files\HarfangLab\hurukai.exe | NT AUTHORITY\SYSTEM | true | HARFANGLAB SAS | 9d81d385fe2f41e8f4f96d64a37899003b54a644ba67f7197f0cdbd0b71144f0 |

#### Command example

`!harfanglab-telemetry-processes hash=3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 limit=5`

#### Context Example

#### Human Readable Output

Processes list

| create date | hostname | process name | image name | commandline | integrity level | parent image | parent commandline | username | signed | signer | sha256 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-07-28T07:46:16.086000Z | WEBSERVER | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T07:29:25.127000Z | WEBSERVER | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T07:28:58.757000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T06:59:24.716000Z | WEBSERVER | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |
| 2022-07-28T06:58:58.227000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |

#### Command example

`!harfanglab-telemetry-processes hostname="DC-01" from_date="2022-07-22T20:26:10" to_date="2022-07-22T20:26:20" limit=5`

#### Context Example

#### Human Readable Output

Processes list

| create date | hostname | process name | image name | commandline | integrity level | parent image | parent commandline | username | signed | signer | sha256 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2022-07-22T20:26:19.645000Z | DC-01 | sppsvc.exe | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | System | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\NETWORK SERVICE | true | Microsoft Windows | 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 |

### harfanglab-job-pipelist

Start a job to get the list of pipes from a host (Windows).

#### Base Command

`harfanglab-job-pipelist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-pipelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-artifact-downloadfile

Start a job to download a file from a host (Windows / Linux).

#### Base Command

`harfanglab-job-artifact-downloadfile`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
| filename | Path of the file to download. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-artifact-downloadfile agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="C:\\Program Files\\HarfangLab\\agent.ini"`

#### Context Example

#### Human Readable Output

### harfanglab-job-prefetchlist

Start a job to get the list of prefetches from a host (Windows).

#### Base Command

`harfanglab-job-prefetchlist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-prefetchlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-runkeylist

Start a job to get the list of run keys from a host (Windows).

#### Base Command

`harfanglab-job-runkeylist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-runkeylist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-scheduledtasklist

Start a job to get the list of scheduled tasks from a host (Windows).

#### Base Command

`harfanglab-job-scheduledtasklist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-scheduledtasklist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-driverlist

Start a job to get the list of drivers from a host (Windows).

#### Base Command

`harfanglab-job-driverlist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-driverlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-servicelist

Start a job to get the list of services from a host (Windows).

#### Base Command

`harfanglab-job-servicelist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-servicelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-processlist

Start a job to get the list of processes from a host (Windows / Linux).

#### Base Command

`harfanglab-job-processlist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-processlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-networkconnectionlist

Start a job to get the list of network connections from a host (Windows / Linux).

#### Base Command

`harfanglab-job-networkconnectionlist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-networkconnectionlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-networksharelist

Start a job to get the list of network shares from a host (Windows).

#### Base Command

`harfanglab-job-networksharelist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-networksharelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-sessionlist

Start a job to get the list of sessions from a host (Windows).

#### Base Command

`harfanglab-job-sessionlist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-sessionlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-persistencelist

Start a job to get the list of persistence items from a host (Linux).

#### Base Command

`harfanglab-job-persistencelist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-persistencelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-ioc

Start a job to search for IOCs on a host (Windows / Linux).

#### Base Command

`harfanglab-job-ioc`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
| filename | Exact filename to search. | Optional |
| filepath | Exact filepath to search. | Optional |
| hash | File hash to search (md5, sha1, sha256). | Optional |
| search_in_path | Restrict searches for filename, filepath or filepath_regex to a given path. | Optional |
| hash_filesize | Size of the file associated with the 'hash' parameter (DEPRECATED, use the 'filesize' parameter instead). If known, it speeds up the search. | Optional |
| filesize | Size of the file to search (can be used when searching for a file by hash or by filename). If known, it speeds up the search. | Optional |
| registry | Regex to search in the registry (key or value). | Optional |
| filepath_regex | Regex to search on a filepath. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="agent.ini"`

#### Context Example

#### Human Readable Output

#### Command example

`!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="agent.ini" search_in_path="C:\\Program Files"`

#### Context Example

#### Human Readable Output

#### Command example

`!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="agent.ini" filesize=1688`

#### Context Example

#### Human Readable Output

#### Command example

`!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filepath="C:\\windows\\system32\\calc.exe"`

#### Context Example

#### Human Readable Output

#### Command example

`!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filepath_regex="System32\\\\calc\\.exe"`

#### Context Example

#### Human Readable Output

#### Command example

`!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" hash=4208893c871d2499f184e3f0f2554da89f451fa9e98d95fc9516c5ae8f2b3bbd filesize=45056`

#### Context Example

#### Human Readable Output

#### Command example

`!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" registry="DLLPath"`

#### Context Example

#### Human Readable Output

#### Command example

`!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" registry="hmmapi"`

#### Context Example

#### Human Readable Output

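An added example, not the integration's own code, that assembles and checks the arguments of one harfanglab-job-ioc call before a playbook dispatches it: a single selector per job, hash type recognised by length, `search_in_path` accepted only with the file selectors, `filesize` only with `hash` or `filename`, and the doubled backslashes that the command examples above use. The function and constant names are the example's own.

```python
"""Build the argument set for harfanglab-job-ioc (added example, not part of
the integration). Rules mirror the parameter table: one selector per job,
search_in_path only with the file selectors, filesize only with hash or filename."""
import re

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}   # digests the 'hash' argument accepts
FILE_SELECTORS = ("filename", "filepath", "filepath_regex")
SELECTORS = FILE_SELECTORS + ("hash", "registry")


def hash_kind(value):
    """Return 'md5', 'sha1' or 'sha256' from length and hex content, else None."""
    digest = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        return None
    return HASH_LENGTHS.get(len(digest))


def build_ioc_job_args(agent_id, **opts):
    """Return the argument dict for one harfanglab-job-ioc call, or raise
    ValueError. opts: exactly one of filename / filepath / filepath_regex /
    hash / registry, plus optional search_in_path and filesize."""
    if not agent_id:
        raise ValueError("agent_id is required")
    chosen = [k for k in SELECTORS if opts.get(k)]
    if len(chosen) != 1:
        raise ValueError("give exactly one of %s (got %s)"
                         % (", ".join(SELECTORS), ", ".join(chosen) or "none"))
    key = chosen[0]
    args = {"agent_id": agent_id, key: opts[key]}
    if key == "hash":
        if hash_kind(opts["hash"]) is None:
            raise ValueError("hash must be a hex md5, sha1 or sha256 digest")
        args["hash"] = opts["hash"].strip().lower()
    if key in ("filepath_regex", "registry"):
        try:
            re.compile(opts[key])          # both arguments are regexes
        except re.error as exc:
            raise ValueError("%s is not a valid regex: %s" % (key, exc))
    if opts.get("search_in_path"):
        if key not in FILE_SELECTORS:
            raise ValueError("search_in_path applies to filename, filepath or filepath_regex only")
        args["search_in_path"] = opts["search_in_path"]
    if opts.get("filesize") is not None:
        if key not in ("hash", "filename"):
            raise ValueError("filesize narrows hash or filename searches only")
        size = int(opts["filesize"])
        if size <= 0:
            raise ValueError("filesize must be a positive byte count")
        args["filesize"] = size
    return args


def to_cli(args):
    """Render the dict as a War Room command line in the form used by the
    examples on this page: strings quoted, backslashes doubled, numbers bare."""
    parts = ["!harfanglab-job-ioc"]
    for key, value in args.items():
        if isinstance(value, int):
            parts.append("%s=%d" % (key, value))
        else:
            parts.append('%s="%s"' % (key, value.replace("\\", "\\\\")))
    return " ".join(parts)
```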
### harfanglab-job-startuplist

Start a job to get the list of startup items from a host (Windows).

#### Base Command

`harfanglab-job-startuplist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-startuplist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-wmilist

Start a job to get the list of WMI items from a host (Windows).

#### Base Command

`harfanglab-job-wmilist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-wmilist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-artifact-mft

Start a job to download the MFT from a host (Windows).

#### Base Command

`harfanglab-job-artifact-mft`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-artifact-mft agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-artifact-hives

Start a job to download the hives from a host (Windows).

#### Base Command

`harfanglab-job-artifact-hives`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-artifact-hives agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-artifact-evtx

Start a job to download the event logs from a host (Windows).

#### Base Command

`harfanglab-job-artifact-evtx`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-artifact-evtx agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-artifact-logs

Start a job to download Linux log files from a host (Linux).

#### Base Command

`harfanglab-job-artifact-logs`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-artifact-logs agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-artifact-filesystem

Start a job to download Linux filesystem entries from a host (Linux).

#### Base Command

`harfanglab-job-artifact-filesystem`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-artifact-filesystem agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-artifact-all

Start a job to download all artifacts from a host (Windows: MFT, hives, evt/evtx, Prefetch, USN; Linux: logs and file list).

#### Base Command

`harfanglab-job-artifact-all`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-artifact-all agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-job-artifact-ramdump

Start a job to get the entire RAM from a host (Windows / Linux).

#### Base Command

`harfanglab-job-artifact-ramdump`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |

#### Command example

`!harfanglab-job-artifact-ramdump agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"`

#### Context Example

#### Human Readable Output

### harfanglab-telemetry-network

Search network connections.

#### Base Command

`harfanglab-telemetry-network`

#### Input

Argument Name | Description | Required |
---|---|---|
hostname | Endpoint hostname. | Optional |
from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
source_address | Source IP address. | Optional |
source_port | Source port. | Optional |
destination_address | Destination IP address. | Optional |
destination_port | Destination port. | Optional |
limit | Maximum number of elements to fetch. Default is 100. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Harfanglab.Telemetrynetwork.network | unknown | Provides a list of network connections |

#### Command example

`!harfanglab-telemetry-network hostname="DC-01" limit=5`

#### Context Example

#### Human Readable Output

Network list

create date | hostname | image name | username | source address | source port | destination addr | destination port | direction |
---|---|---|---|---|---|---|---|---|
2022-06-29T22:33:42.434000Z | DC-01 | C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM | (REDACTED) | 50000 | (REDACTED) | 443 | out |
2022-06-29T22:24:08.088000Z | DC-01 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 49998 | (REDACTED) | 80 | out |
2022-06-29T22:23:08.037000Z | DC-01 | C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM | (REDACTED) | 49997 | (REDACTED) | 443 | out |
2022-06-29T22:08:07.550000Z | DC-01 | C:\Windows\System32\svchost.exe | NT AUTHORITY\SYSTEM | (REDACTED) | 49996 | (REDACTED) | 443 | out |
2022-06-29T22:04:42.848000Z | DC-01 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 49995 | (REDACTED) | 80 | out |

#### Command example

`!harfanglab-telemetry-network destination_address="(REDACTED)" limit=5`

#### Context Example

#### Human Readable Output

Network list

create date | hostname | image name | username | source address | source port | destination addr | destination port | direction |
---|---|---|---|---|---|---|---|---|
2022-07-27T14:59:56.114000Z | WORKSTATION-1879 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 62787 | (REDACTED) | 80 | out |
2022-07-27T14:58:43.590000Z | WORKSTATION-3752 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 64593 | (REDACTED) | 80 | out |
2022-07-27T14:49:54.374000Z | WORKSTATION-6852 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 61571 | (REDACTED) | 80 | out |
2022-07-27T14:49:14.813000Z | WORKSTATION-4321 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 61605 | (REDACTED) | 80 | out |
2022-07-27T07:59:49.780000Z | WORKSTATION-1879 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 62472 | (REDACTED) | 80 | out |

#### Command example

`!harfanglab-telemetry-network destination_address="(REDACTED)" from_date="2022-07-21T12:34:05" to_date="2022-07-21T12:34:15" limit=5`

#### Context Example

#### Human Readable Output

Network list

create date | hostname | image name | username | source address | source port | destination addr | destination port | direction |
---|---|---|---|---|---|---|---|---|
2022-07-21T12:34:09.265000Z | WORKSTATION-4812 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | (REDACTED) | 50363 | (REDACTED) | 80 | out |

### harfanglab-telemetry-eventlog

Search event logs.

#### Base Command

`harfanglab-telemetry-eventlog`

#### Input

Argument Name | Description | Required |
---|---|---|
hostname | Endpoint hostname. | Optional |
event_id | Event id. | Optional |
from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
limit | Maximum number of elements to fetch. Default is 100. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Harfanglab.Telemetryeventlog.eventlog | unknown | Provides a list of event logs |

#### Command example

`!harfanglab-telemetry-eventlog hostname="DC-01" limit=5`

#### Context Example

#### Human Readable Output

Event Log list

create date | hostname | event id | source name | log name | keywords | event data | level |
---|---|---|---|---|---|---|---|
2022-07-28T07:29:29.327000Z | DC-01 | 7036 | Service Control Manager | System | Classic | param1: Software Protection; param2: stopped; Binary: 7300700070007300760063002F0031000000 | Information |
2022-07-28T07:29:29.311000Z | DC-01 | 16384 | Microsoft-Windows-Security-SPP | Application | Classic | param1: 2022-11-12T06:42:29Z; param2: RulesEngine | Information |
2022-07-28T07:28:58.905000Z | DC-01 | 16394 | Microsoft-Windows-Security-SPP | Application | Classic | | Information |
2022-07-28T07:28:58.795000Z | DC-01 | 7036 | Service Control Manager | System | Classic | param1: Software Protection; param2: running; Binary: 7300700070007300760063002F0034000000 | Information |
2022-07-28T07:26:50.139000Z | DC-01 | 7036 | Service Control Manager | System | Classic | param1: Windows Modules Installer; param2: stopped; Binary: 540072007500730074006500640049006E007300740061006C006C00650072002F0031000000 | Information |

#### Command example

`!harfanglab-telemetry-eventlog hostname="DC-01" event_id=4624 limit=5`

#### Context Example

#### Human Readable Output

Event Log list

create date | hostname | event id | source name | log name | keywords | event data | level |
---|---|---|---|---|---|---|---|
2022-07-28T07:24:48.105000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: DC-01$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x278; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
2022-07-28T06:34:06.425000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: DC-01$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x278; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
2022-07-28T06:24:48.107000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: DC-01$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x278; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
2022-07-28T05:24:47.496000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: DC-01$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x278; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
2022-07-28T04:24:46.833000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: DC-01$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x278; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |

#### Command example

`!harfanglab-telemetry-eventlog event_id=4624 from_date="2022-07-21T21:25:34" to_date="2022-07-23T21:25:34" limit=5`

#### Context Example

#### Human Readable Output

Event Log list

create date | hostname | event id | source name | log name | keywords | event data | level |
---|---|---|---|---|---|---|---|
2022-07-23T21:25:18.159000Z | WORKSTATION-1234 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: WORKSTATION-123$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x280; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
2022-07-23T21:25:10.765000Z | WEBSERVER | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: WEBSERVER$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x27c; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
2022-07-23T21:23:53.410000Z | DC-01 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: DC-01$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x278; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
2022-07-23T21:18:55.338000Z | WORKSTATION-8501 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: WORKSTATION-850$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x27c; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
2022-07-23T21:18:53.324000Z | WORKSTATION-8501 | 4624 | Microsoft-Windows-Security-Auditing | Security | Audit Success | SubjectUserSid: S-1-5-18; SubjectUserName: WORKSTATION-850$; SubjectDomainName: WORKGROUP; SubjectLogonId: 0x3e7; TargetUserSid: S-1-5-18; TargetUserName: SYSTEM; TargetDomainName: NT AUTHORITY; TargetLogonId: 0x3e7; LogonType: 5; LogonProcessName: Advapi; AuthenticationPackageName: Negotiate; WorkstationName: -; LogonGuid: {00000000-0000-0000-0000-000000000000}; TransmittedServices: -; LmPackageName: -; KeyLength: 0; ProcessId: 0x27c; ProcessName: C:\Windows\System32\services.exe; IpAddress: -; IpPort: -; ImpersonationLevel: %%1833; RestrictedAdminMode: -; TargetOutboundUserName: -; TargetOutboundDomainName: -; VirtualAccount: %%1843; TargetLinkedLogonId: 0x0; ElevatedToken: %%1842 | Information |
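Every 4624 record in the outputs above is a LogonType 5 service logon by SYSTEM, which is the noise an analyst has to get past before the telemetry says anything. The following Python is an added example, not code from the integration or this page: it parses the `Key: value` lines of the event data column and separates such service logons from logons of a reviewable type that carry a real source address; the record dict keys and the sample records are assumptions, since the page types the context output as `unknown`.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample records shaped like the "Event Log list" output above.
# The dict keys mirror that table's column names and are an assumption: this
# page types Harfanglab.Telemetryeventlog.eventlog as "unknown", so map the
# keys to what your instance actually returns.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # taken from the first 4624 record above: a routine service logon
        "create date": "2022-07-28T07:24:48.105000Z", "hostname": "DC-01",
        "event id": "4624", "keywords": "Audit Success", "level": "Information",
        "event data": "SubjectUserSid: S-1-5-18\nSubjectUserName: DC-01$\n"
                      "TargetUserSid: S-1-5-18\nTargetUserName: SYSTEM\n"
                      "TargetDomainName: NT AUTHORITY\nLogonType: 5\n"
                      "IpAddress: -\nIpPort: -\nElevatedToken: %%1842",
    },
    {   # constructed: a remote interactive (RDP) logon, the kind to review
        "create date": "2022-07-28T07:30:01.000000Z", "hostname": "DC-01",
        "event id": "4624", "keywords": "Audit Success", "level": "Information",
        "event data": "TargetUserName: hladmin\nTargetDomainName: CL-EP2-WIN11\n"
                      "LogonType: 10\nIpAddress: 203.0.113.5\nIpPort: 51515\n"
                      "ElevatedToken: %%1842",
    },
    {   # taken from the 7036 record above: not a logon, must be skipped
        "create date": "2022-07-28T07:29:29.327000Z", "hostname": "DC-01",
        "event id": "7036", "keywords": "Classic", "level": "Information",
        "event data": "param1: Software Protection\nparam2: stopped",
    },
]

_KV = re.compile(r"^\s*([A-Za-z0-9_]+):\s*(.*?)\s*$")

def parse_event_data(text: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines of the event data cell into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        match = _KV.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields

# Logon types that mean a human or remote session rather than service noise
# (2 interactive, 3 network, 7 unlock, 10 RemoteInteractive, 11 cached).
REVIEW_LOGON_TYPES = {"2", "3", "7", "10", "11"}

def triage_logons(events: List[Dict[str, str]]) -> Tuple[Counter, List[Tuple[str, ...]]]:
    """Count 4624 events per (LogonType, TargetUserName); flag reviewable ones with a source IP."""
    counts: Counter = Counter()
    flagged: List[Tuple[str, ...]] = []
    for event in events:
        if event.get("event id") != "4624":
            continue
        data = parse_event_data(event.get("event data", ""))
        key = (data.get("LogonType", "?"), data.get("TargetUserName", "?"))
        counts[key] += 1
        if key[0] in REVIEW_LOGON_TYPES and data.get("IpAddress", "-") != "-":
            flagged.append((event["create date"], event["hostname"],
                            key[1], key[0], data["IpAddress"]))
    return counts, flagged
```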

### harfanglab-telemetry-binary

Search for binaries.

#### Base Command

`harfanglab-telemetry-binary`

#### Input

Argument Name | Description | Required |
---|---|---|
from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
hash | File hash to search (MD5, SHA-1 or SHA-256). | Optional |
limit | Maximum number of elements to fetch. Default is 100. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Harfanglab.Telemetrybinary.binary | unknown | Provides a list of binaries with associated download links. |

#### Command example

`!harfanglab-telemetry-binary hash=2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5`

#### Context Example

#### Human Readable Output

Binary list

name | path | size | sha256 | download link |
---|---|---|---|---|
hurukai | /opt/hurukai/hurukai | 5882824 | 2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5 | https://my_edr_stack:8443/api/data/telemetry/Binary/download/2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5/?hl_expiring_key=0123456789abcdef |

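The download link embeds the binary's SHA-256, so a sample pulled through it can be checked against that hash before it reaches a sandbox or an analyst. This Python is an added example, not part of the integration; the link layout is taken from the row above, while the `link_for_digest` helper and the sample bytes are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Link in the format shown in the Binary list above; host and expiring key
# are the page's placeholders, not a live stack.
SAMPLE_LINK = ("https://my_edr_stack:8443/api/data/telemetry/Binary/download/"
               "2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5/"
               "?hl_expiring_key=0123456789abcdef")

HEX = set("0123456789abcdef")

def sha256_from_download_link(link: str) -> str:
    """Return the SHA-256 embedded in a Binary download path, or raise."""
    parts = [p for p in urlsplit(link).path.split("/") if p]
    # expected: api / data / telemetry / Binary / download / <sha256>
    if len(parts) < 6 or parts[3:5] != ["Binary", "download"]:
        raise ValueError("not a Binary download link: " + link)
    digest = parts[5].lower()
    if len(digest) != 64 or not set(digest) <= HEX:
        raise ValueError("path component is not a SHA-256: " + parts[5])
    return digest

def sha256_hex(content: bytes) -> str:
    """Hex SHA-256 of the bytes actually retrieved."""
    return hashlib.sha256(content).hexdigest()

def verify_download(link: str, content: bytes) -> bool:
    """True only when the retrieved bytes hash to the value named in the link,
    so a truncated or substituted download is rejected before analysis."""
    return sha256_hex(content) == sha256_from_download_link(link)

def link_for_digest(digest: str, key: str = "0123456789abcdef") -> str:
    """Build a link in the same layout for a given hash (assumed format, for tests)."""
    return ("https://my_edr_stack:8443/api/data/telemetry/Binary/download/"
            + digest + "/?hl_expiring_key=" + key)
```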
### harfanglab-telemetry-dns

Search DNS resolutions.

#### Base Command

`harfanglab-telemetry-dns`

#### Input

Argument Name | Description | Required |
---|---|---|
hostname | Endpoint hostname. | Optional |
requested_name | Requested domain name. | Optional |
query_type | DNS type (A, AAAA, TXT...). | Optional |
from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
limit | Maximum number of elements to fetch. Default is 100. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Harfanglab.TelemetryDNS.resolutions | unknown | Provides a list of DNS resolutions |

#### Command example

`!harfanglab-telemetry-dns requested_name=download.windowsupdate.com hostname=webserver`

#### Context Example

#### Human Readable Output

### harfanglab-telemetry-authentication-windows

Search Windows authentication telemetry.

#### Base Command

`harfanglab-telemetry-authentication-windows`

#### Input

Argument Name | Description | Required |
---|---|---|
hostname | Endpoint hostname. | Optional |
source_address | Source IP address. | Optional |
success | Whether authentication succeeded or not. | Optional |
source_username | Source username. | Optional |
target_username | Target username. | Optional |
logon_title | Logon title. | Optional |
from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
limit | Maximum number of elements to fetch. Default is 100. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Harfanglab.TelemetryWindowsAuthentications.authentications | unknown | Provides a list of Windows authentications |

#### Command example

`!harfanglab-telemetry-authentication-windows limit=5 target_username=vagrant`

#### Context Example

#### Human Readable Output

### harfanglab-telemetry-authentication-linux

Search Linux authentication telemetry.

#### Base Command

`harfanglab-telemetry-authentication-linux`

#### Input

Argument Name | Description | Required |
---|---|---|
hostname | Endpoint hostname. | Optional |
source_address | Source IP address. | Optional |
success | Whether authentication succeeded or not. | Optional |
source_username | Source username. | Optional |
target_username | Target username. | Optional |
from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
limit | Maximum number of elements to fetch. Default is 100. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Harfanglab.TelemetryLinuxAuthentications.authentications | unknown | Provides a list of Linux authentications |

### harfanglab-telemetry-authentication-macos

Search macOS authentication telemetry.

#### Base Command

`harfanglab-telemetry-authentication-macos`

#### Input

Argument Name | Description | Required |
---|---|---|
hostname | Endpoint hostname. | Optional |
source_address | Source IP address. | Optional |
success | Whether authentication succeeded or not. | Optional |
source_username | Source username. | Optional |
target_username | Target username. | Optional |
from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
limit | Maximum number of elements to fetch. Default is 100. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Harfanglab.TelemetryMacosAuthentications.authentications | unknown | Provides a list of macOS authentications |

### harfanglab-telemetry-authentication-users

Get the top N users who successfully authenticated on the host.

#### Base Command

`harfanglab-telemetry-authentication-users`

#### Input

Argument Name | Description | Required |
---|---|---|
hostname | Endpoint hostname. | Required |
from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
limit | Fetch only the top N users who successfully authenticated on the host. Default is 3. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Harfanglab.Authentications.Users | unknown | Provides a list of users who successfully authenticated on the host with an interactive logon (sorted by decreasing occurrence) |

#### Command example

`!harfanglab-telemetry-authentication-users hostname=CL-Ep2-Win11 limit=4`

#### Context Example

#### Human Readable Output

Top None authentications

Username | Authentication attempts |
---|---|
CL-EP2-WIN11\hladmin | 4 |
hladmin | 2 |

### harfanglab-telemetry-process-graph

Get a process graph.

#### Base Command

`harfanglab-telemetry-process-graph`

#### Input

Argument Name | Description | Required |
---|---|---|
process_uuid | Process UUID. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Harfanglab.ProcessGraph | unknown | Process Graph |

#### Command example

`!harfanglab-telemetry-process-graph process_uuid=37d378de-b558-4597-e820-009fa44c4c03`