HarfangLab EDR
This Integration is part of the HarfangLab EDR Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.2.0 and later.
HarfangLab EDR Connector, Compatible version 2.13.7+ This integration was integrated and tested with version 2.13.7+ of Hurukai
Configure HarfangLab EDR on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for HarfangLab EDR.
Click Add instance to create and configure a new integration instance.
Parameter Description Required API URL True Fetch incidents False Incident type False API Key False Long running instance False Incidents Fetch Interval False Fetch alerts with type Comma-separated list of types of alerts to fetch (sigma, yara, hlai, vt, ransom, ioc, glimps, orion...). False Minimum severity of alerts to fetch True Fetch alerts with status (ACTIVE, CLOSED) False First fetch time Start fetching alerts whose creation date is higher than now minus <first_fetch> days. True Trust any certificate (not secure) False Use system proxy settings False Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
fetch-incidents#
Allows to retrieve incidents from the HarfangLab EDR API
Base Command#
fetch-incidents
Input#
| Argument Name | Description | Required |
|---|
Context Output#
There is no context output for this command.
harfanglab-get-endpoint-info#
Get endpoint information from agent_id
Base Command#
harfanglab-get-endpoint-info
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Agent | unknown | Agent information |
Command example#
!harfanglab-get-endpoint-info agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
Endpoint information for agent_id : 0fae71cf-ebde-4533-a50c-b3c0290378db#
additional_info avg_cpu avg_memory bitness cpu_count cpu_frequency domainname driver_enabled driver_policy effective_policy_id effective_policy_revision external_ipaddress firstseen group_count hostname id installdate ipaddress ipmask isolation_policy isolation_state lastseen lastseen_error lastseen_warning machine_boottime osbuild osid osmajor osminor osproducttype ostype osversion policy producttype starttime status total_memory uninstall_status update_experimental update_status version additional_info1: null
additional_info2: null
additional_info3: null
additional_info4: null1.0 183558144.0 x64 2 3192 WORKGROUP true false e96699ef-3dd9-4718-90ef-c7e5646fd466 5 (REDACTED) 2022-06-15T06:42:50.008015Z 0 DC-01 0fae71cf-ebde-4533-a50c-b3c0290378db 2022/06/15 06:38:58 (REDACTED) (REDACTED) false true 2022-07-28T07:41:32.197641Z 2022-07-28T07:47:02.197641Z 2022-07-28T07:43:44.197641Z 2022-06-28T14:18:31Z 20348 00454-40000-00001-AA596 10 0 Windows Server 2022 Standard Evaluation windows 10.0.20348 id: e96699ef-3dd9-4718-90ef-c7e5646fd466
tenant: null
name: No psexec
description:
revision: 5
sleeptime: 60
sleepjitter: 10
telemetry_process: true
telemetry_process_limit: false
telemetry_process_limit_value: 1000
telemetry_network: true
telemetry_network_limit: false
telemetry_network_limit_value: 1000
telemetry_log: true
telemetry_log_limit: false
telemetry_log_limit_value: 1000
telemetry_remotethread: true
telemetry_remotethread_limit: false
telemetry_remotethread_limit_value: 1000
telemetry_alerts_limit: false
telemetry_alerts_limit_value: 1000
binary_download_enabled: true
loglevel: ERROR
use_sigma: true
ioc_mode: 2
hlai_mode: 1
hlai_skip_signed_ms: true
hlai_skip_signed_others: false
hlai_minimum_level: critical
hibou_mode: 0
hibou_skip_signed_ms: false
hibou_skip_signed_others: false
hibou_minimum_level: critical
yara_mode: 1
yara_skip_signed_ms: true
yara_skip_signed_others: false
use_driver: true
use_isolation: true
use_ransomguard: true
ransomguard_alert_only: false
self_protection: false
use_process_block: true
use_sigma_process_block: false
sigma_ruleset: 1
yara_ruleset: null
ioc_ruleset: nullserver 2022-06-28T14:18:47Z online 2133962752.0 0 false 0 2.15.0
harfanglab-endpoint-search#
Search for endpoint information from a hostname
Base Command#
harfanglab-endpoint-search
Input#
| Argument Name | Description | Required |
|---|---|---|
| hostname | Endpoint hostname. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Agent | unknown | Agent information. |
| Harfanglab.Agent.id | string | agent id (DEPRECATED) |
| Harfanglab.status | string | Status (DEPRECATED) |
Command example#
!harfanglab-endpoint-search hostname="DC-01"
Context Example#
Human Readable Output#
Endpoint information for Hostname : DC-01#
additional_info avg_cpu avg_memory bitness cpu_count cpu_frequency domainname driver_enabled driver_policy external_ipaddress firstseen group_count hostname id installdate ipaddress ipmask isolation_policy isolation_state lastseen lastseen_error lastseen_warning machine_boottime osbuild osid osmajor osminor osproducttype ostype osversion policy producttype starttime status total_memory uninstall_status update_experimental update_status version additional_info1: null
additional_info2: null
additional_info3: null
additional_info4: null1.0 183558144.0 x64 2 3192 WORKGROUP true false (REDACTED) 2022-06-15T06:42:50.008015Z 0 DC-01 0fae71cf-ebde-4533-a50c-b3c0290378db 2022/06/15 06:38:58 (REDACTED) (REDACTED) false true 2022-07-28T07:41:32.197641Z 2022-07-28T07:47:02.197641Z 2022-07-28T07:43:44.197641Z 2022-06-28T14:18:31Z 20348 00454-40000-00001-AA596 10 0 Windows Server 2022 Standard Evaluation windows 10.0.20348 id: e96699ef-3dd9-4718-90ef-c7e5646fd466
tenant: null
name: No psexec
description:
revision: 5
sleeptime: 60
sleepjitter: 10
telemetry_process: true
telemetry_process_limit: false
telemetry_process_limit_value: 1000
telemetry_network: true
telemetry_network_limit: false
telemetry_network_limit_value: 1000
telemetry_log: true
telemetry_log_limit: false
telemetry_log_limit_value: 1000
telemetry_remotethread: true
telemetry_remotethread_limit: false
telemetry_remotethread_limit_value: 1000
telemetry_alerts_limit: false
telemetry_alerts_limit_value: 1000
binary_download_enabled: true
loglevel: ERROR
use_sigma: true
ioc_mode: 2
hlai_mode: 1
hlai_skip_signed_ms: true
hlai_skip_signed_others: false
hlai_minimum_level: critical
hibou_mode: 0
hibou_skip_signed_ms: false
hibou_skip_signed_others: false
hibou_minimum_level: critical
yara_mode: 1
yara_skip_signed_ms: true
yara_skip_signed_others: false
use_driver: true
use_isolation: true
use_ransomguard: true
ransomguard_alert_only: false
self_protection: false
use_process_block: true
use_sigma_process_block: false
sigma_ruleset: 1
yara_ruleset: null
ioc_ruleset: nullserver 2022-06-28T14:18:47Z online 2133962752.0 0 false 0 2.15.0 additional_info1: null
additional_info2: null
additional_info3: null
additional_info4: null0.6 125627596.0 x64 2 3192 WORKGROUP true false (REDACTED) 2022-06-14T22:23:08.393381Z 0 DC-01 706d4524-dc2d-4438-bfef-3b620646db7f 2022/06/14 21:56:49 (REDACTED) (REDACTED) false false 2022-06-15T06:33:46.544505Z 2022-06-15T06:39:16.544505Z 2022-06-15T06:35:58.544505Z 2022-06-14T22:00:23Z 20348 00454-40000-00001-AA081 10 0 Windows Server 2022 Standard Evaluation windows 10.0.20348 id: e96699ef-3dd9-4718-90ef-c7e5646fd466
tenant: null
name: No psexec
description:
revision: 5
sleeptime: 60
sleepjitter: 10
telemetry_process: true
telemetry_process_limit: false
telemetry_process_limit_value: 1000
telemetry_network: true
telemetry_network_limit: false
telemetry_network_limit_value: 1000
telemetry_log: true
telemetry_log_limit: false
telemetry_log_limit_value: 1000
telemetry_remotethread: true
telemetry_remotethread_limit: false
telemetry_remotethread_limit_value: 1000
telemetry_alerts_limit: false
telemetry_alerts_limit_value: 1000
binary_download_enabled: true
loglevel: ERROR
use_sigma: true
ioc_mode: 2
hlai_mode: 1
hlai_skip_signed_ms: true
hlai_skip_signed_others: false
hlai_minimum_level: critical
hibou_mode: 0
hibou_skip_signed_ms: false
hibou_skip_signed_others: false
hibou_minimum_level: critical
yara_mode: 1
yara_skip_signed_ms: true
yara_skip_signed_others: false
use_driver: true
use_isolation: true
use_ransomguard: true
ransomguard_alert_only: false
self_protection: false
use_process_block: true
use_sigma_process_block: false
sigma_ruleset: 1
yara_ruleset: null
ioc_ruleset: nullserver 2022-06-14T22:02:32Z offline 2133962752.0 0 false 0 2.15.0
harfanglab-telemetry-processes#
Search processes
Base Command#
harfanglab-telemetry-processes
Input#
| Argument Name | Description | Required |
|---|---|---|
| hash | filehash to search (md5, sha1, sha256). | Optional |
| hostname | Endpoint hostname. | Optional |
| from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| limit | Maximum number of elements to fetch. Default is 100. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Telemetryprocesses.processes | unknown | Provides a list of processes |
| agent.agentid | unknown | DEPRECATED |
| current_directory | unknown | DEPRECATED |
| hashes.sha256 | unknown | DEPRECATED |
Command example#
!harfanglab-telemetry-processes hostname="DC-01" hash=3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 limit=5
Context Example#
Human Readable Output#
Processes list#
create date hostname process name image name commandline integrity level parent image parent commandline username signed signer sha256 2022-07-28T07:28:58.757000Z DC-01 sppsvc.exe C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe System C:\Windows\System32\services.exe C:\Windows\system32\services.exe NT AUTHORITY\NETWORK SERVICE true Microsoft Windows 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 2022-07-28T06:58:58.227000Z DC-01 sppsvc.exe C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe System C:\Windows\System32\services.exe C:\Windows\system32\services.exe NT AUTHORITY\NETWORK SERVICE true Microsoft Windows 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 2022-07-28T06:28:57.663000Z DC-01 sppsvc.exe C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe System C:\Windows\System32\services.exe C:\Windows\system32\services.exe NT AUTHORITY\NETWORK SERVICE true Microsoft Windows 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 2022-07-28T05:58:57.147000Z DC-01 sppsvc.exe C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe System C:\Windows\System32\services.exe C:\Windows\system32\services.exe NT AUTHORITY\NETWORK SERVICE true Microsoft Windows 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 2022-07-28T05:28:56.585000Z DC-01 sppsvc.exe C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe System C:\Windows\System32\services.exe C:\Windows\system32\services.exe NT AUTHORITY\NETWORK SERVICE true Microsoft Windows 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3
Command example#
!harfanglab-telemetry-processes hostname="DC-01" limit=5
Context Example#
Human Readable Output#
Processes list#
create date hostname process name image name commandline integrity level parent image parent commandline username signed signer sha256 2022-07-28T07:45:44.942000Z DC-01 MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /ua /installsource scheduler System C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p NT AUTHORITY\SYSTEM true Microsoft Corporation bef9dbed290af17cf3f30cc43fc0a94cdadc540f171c25df1363b2e852d0a042 2022-07-28T07:45:44.711000Z DC-01 conhost.exe C:\Windows\System32\conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 System C:\Program Files\HarfangLab\hurukai.exe C:\Program Files\HarfangLab\hurukai.exe {cf4a9162-2af0-0afe-8c36-45fd3dd29574} NT AUTHORITY\SYSTEM true Microsoft Windows 6b481d656414c50d8bd0bedcd615aeaf2f5f68576cb6732a9548e0da87729733 2022-07-28T07:45:44.704000Z DC-01 hurukai.exe C:\Program Files\HarfangLab\hurukai.exe C:\Program Files\HarfangLab\hurukai.exe {cf4a9162-2af0-0afe-8c36-45fd3dd29574} System C:\Program Files\HarfangLab\hurukai.exe C:\Program Files\HarfangLab\hurukai.exe NT AUTHORITY\SYSTEM true HARFANGLAB SAS 9d81d385fe2f41e8f4f96d64a37899003b54a644ba67f7197f0cdbd0b71144f0 2022-07-28T07:44:40.370000Z DC-01 conhost.exe C:\Windows\System32\conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 System C:\Program Files\HarfangLab\hurukai.exe C:\Program Files\HarfangLab\hurukai.exe {e273729b-d2f8-53a9-a10f-a60459dacc23} NT AUTHORITY\SYSTEM true Microsoft Windows 6b481d656414c50d8bd0bedcd615aeaf2f5f68576cb6732a9548e0da87729733 2022-07-28T07:44:40.363000Z DC-01 hurukai.exe C:\Program Files\HarfangLab\hurukai.exe C:\Program Files\HarfangLab\hurukai.exe {e273729b-d2f8-53a9-a10f-a60459dacc23} System C:\Program Files\HarfangLab\hurukai.exe C:\Program Files\HarfangLab\hurukai.exe NT AUTHORITY\SYSTEM true HARFANGLAB SAS 9d81d385fe2f41e8f4f96d64a37899003b54a644ba67f7197f0cdbd0b71144f0
Command example#
!harfanglab-telemetry-processes hash=3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 limit=5
Context Example#
Human Readable Output#
Processes list#
create date hostname process name image name commandline integrity level parent image parent commandline username signed signer sha256 2022-07-28T07:46:16.086000Z WEBSERVER sppsvc.exe C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe System C:\Windows\System32\services.exe C:\Windows\system32\services.exe NT AUTHORITY\NETWORK SERVICE true Microsoft Windows 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 2022-07-28T07:29:25.127000Z WEBSERVER sppsvc.exe C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe System C:\Windows\System32\services.exe C:\Windows\system32\services.exe NT AUTHORITY\NETWORK SERVICE true Microsoft Windows 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 2022-07-28T07:28:58.757000Z DC-01 sppsvc.exe C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe System C:\Windows\System32\services.exe C:\Windows\system32\services.exe NT AUTHORITY\NETWORK SERVICE true Microsoft Windows 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 2022-07-28T06:59:24.716000Z WEBSERVER sppsvc.exe C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe System C:\Windows\System32\services.exe C:\Windows\system32\services.exe NT AUTHORITY\NETWORK SERVICE true Microsoft Windows 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 2022-07-28T06:58:58.227000Z DC-01 sppsvc.exe C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe System C:\Windows\System32\services.exe C:\Windows\system32\services.exe NT AUTHORITY\NETWORK SERVICE true Microsoft Windows 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3
Command example#
!harfanglab-telemetry-processes hostname="DC-01" from_date="2022-07-22T20:26:10" to_date="2022-07-22T20:26:20" limit=5
Context Example#
Human Readable Output#
Processes list#
create date hostname process name image name commandline integrity level parent image parent commandline username signed signer sha256 2022-07-22T20:26:19.645000Z DC-01 sppsvc.exe C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe System C:\Windows\System32\services.exe C:\Windows\system32\services.exe NT AUTHORITY\NETWORK SERVICE true Microsoft Windows 3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3
harfanglab-job-pipelist#
Start a job to get the list of pipes from a host (Windows)
Base Command#
harfanglab-job-pipelist
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-pipelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-artifact-downloadfile#
Start a job to download a file from a host (Windows / Linux)
Base Command#
harfanglab-job-artifact-downloadfile
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
| filename | Path of the file to download. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-artifact-downloadfile agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="C:\\Program Files\\HarfangLab\\agent.ini"
Context Example#
Human Readable Output#
harfanglab-job-prefetchlist#
Start a job to get the list of prefetches from a host (Windows)
Base Command#
harfanglab-job-prefetchlist
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-prefetchlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-runkeylist#
Start a job to get the list of run keys from a host (Windows)
Base Command#
harfanglab-job-runkeylist
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-runkeylist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-scheduledtasklist#
Start a job to get the list of scheduled tasks from a host (Windows)
Base Command#
harfanglab-job-scheduledtasklist
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-scheduledtasklist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-driverlist#
Start a job to get the list of drivers from a host (Windows)
Base Command#
harfanglab-job-driverlist
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-driverlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-servicelist#
Start a job to get the list of services from a host (Windows)
Base Command#
harfanglab-job-servicelist
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-servicelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-processlist#
Start a job to get the list of processes from a host (Windows / Linux)
Base Command#
harfanglab-job-processlist
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-processlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-networkconnectionlist#
Start a job to get the list of network connections from a host (Windows / Linux)
Base Command#
harfanglab-job-networkconnectionlist
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-networkconnectionlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-networksharelist#
Start a job to get the list of network shares from a host (Windows)
Base Command#
harfanglab-job-networksharelist
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-networksharelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-sessionlist#
Start a job to get the list of sessions from a host (Windows)
Base Command#
harfanglab-job-sessionlist
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-sessionlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-persistencelist#
Start a job to get the list of persistence items from a host (Linux)
Base Command#
harfanglab-job-persistencelist
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-persistencelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-ioc#
Start a job to search for IOCs on a host (Windows / Linux)
Base Command#
harfanglab-job-ioc
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
| filename | exact filename to search. | Optional |
| filepath | exact filepath to search. | Optional |
| hash | filehash to search (md5, sha1, sha256). | Optional |
| search_in_path | restrict searchs for filename or filepath or filepath_regex to a given path. | Optional |
| hash_filesize | size of the file associated to the 'hash' parameters (DEPRECATED, rather use the 'filesize' parameter). If known, it will speed up the search process. | Optional |
| filesize | size of the file to search (can be used when searching a file from a hash or from a filename). If known, it will speed up the search process. | Optional |
| registry | regex to search in registry (key or value). | Optional |
| filepath_regex | search a regex on a filepath . | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="agent.ini"
Context Example#
Human Readable Output#
Command example#
!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="agent.ini" search_in_path="C:\\Program Files"
Context Example#
Human Readable Output#
Command example#
!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="agent.ini" filesize=1688
Context Example#
Human Readable Output#
Command example#
!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filepath="C:\\windows\\system32\\calc.exe"
Context Example#
Human Readable Output#
Command example#
!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filepath_regex="System32\\\\calc\\.exe"
Context Example#
Human Readable Output#
Command example#
!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" hash=4208893c871d2499f184e3f0f2554da89f451fa9e98d95fc9516c5ae8f2b3bbd filesize=45056
Context Example#
Human Readable Output#
Command example#
!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" registry="DLLPath"
Context Example#
Human Readable Output#
Command example#
!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" registry="hmmapi"
Context Example#
Human Readable Output#
harfanglab-job-startuplist#
Start a job to get the list of startup items from a host (Windows)
Base Command#
harfanglab-job-startuplist
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-startuplist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-wmilist#
Start a job to get the list of WMI items from a host (Windows)
Base Command#
harfanglab-job-wmilist
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-wmilist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-artifact-mft#
Start a job to download the MFT from a host (Windows)
Base Command#
harfanglab-job-artifact-mft
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-artifact-mft agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-artifact-hives#
Start a job to download the hives from a host (Windows)
Base Command#
harfanglab-job-artifact-hives
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-artifact-hives agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-artifact-evtx#
Start a job to download the event logs from a host (Windows)
Base Command#
harfanglab-job-artifact-evtx
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-artifact-evtx agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-artifact-logs#
Start a job to download Linux log files from a host (Linux)
Base Command#
harfanglab-job-artifact-logs
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-artifact-logs agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-artifact-filesystem#
Start a job to download Linux filesystem entries from a host (Linux)
Base Command#
harfanglab-job-artifact-filesystem
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-artifact-filesystem agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-artifact-all#
Start a job to download all artifacts from a host (Windows MFT, Hives, evt/evtx, Prefetch, USN, Linux logs and file list)
Base Command#
harfanglab-job-artifact-all
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-artifact-all agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-job-artifact-ramdump#
Start a job to get the entine RAM from a host (Windows / Linux)
Base Command#
harfanglab-job-artifact-ramdump
Input#
| Argument Name | Description | Required |
|---|---|---|
| agent_id | Agent unique identifier as provided by the HarfangLab EDR Manager. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.ID | string | id |
| Harfanglab.Job.Action | string | HarfangLab job action |
Command example#
!harfanglab-job-artifact-ramdump agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"
Context Example#
Human Readable Output#
harfanglab-telemetry-network#
Search network connections
Base Command#
harfanglab-telemetry-network
Input#
| Argument Name | Description | Required |
|---|---|---|
| hostname | Endpoint hostname. | Optional |
| from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| source_address | Source IP address. | Optional |
| source_port | Source port. | Optional |
| destination_address | Destination IP address. | Optional |
| destination_port | Destination port. | Optional |
| limit | Maximum number of elements to fetch. Default is 100. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Telemetrynetwork.network | unknown | Provides a list of network connections |
Command example#
!harfanglab-telemetry-network hostname="DC-01" limit=5
Context Example#
Human Readable Output#
Network list#
create date hostname image name username source address source port destination addr destination port direction 2022-06-29T22:33:42.434000Z DC-01 C:\Windows\System32\svchost.exe NT AUTHORITY\SYSTEM (REDACTED) 50000 (REDACTED) 443 out 2022-06-29T22:24:08.088000Z DC-01 C:\Windows\System32\svchost.exe NT AUTHORITY\NETWORK SERVICE (REDACTED) 49998 (REDACTED) 80 out 2022-06-29T22:23:08.037000Z DC-01 C:\Windows\System32\svchost.exe NT AUTHORITY\SYSTEM (REDACTED) 49997 (REDACTED) 443 out 2022-06-29T22:08:07.550000Z DC-01 C:\Windows\System32\svchost.exe NT AUTHORITY\SYSTEM (REDACTED) 49996 (REDACTED) 443 out 2022-06-29T22:04:42.848000Z DC-01 C:\Windows\System32\svchost.exe NT AUTHORITY\NETWORK SERVICE (REDACTED) 49995 (REDACTED) 80 out
Command example#
!harfanglab-telemetry-network destination_address="(REDACTED)" limit=5
Context Example#
Human Readable Output#
Network list#
create date hostname image name username source address source port destination addr destination port direction 2022-07-27T14:59:56.114000Z WORKSTATION-1879 C:\Windows\System32\svchost.exe NT AUTHORITY\NETWORK SERVICE (REDACTED) 62787 (REDACTED) 80 out 2022-07-27T14:58:43.590000Z WORKSTATION-3752 C:\Windows\System32\svchost.exe NT AUTHORITY\NETWORK SERVICE (REDACTED) 64593 (REDACTED) 80 out 2022-07-27T14:49:54.374000Z WORKSTATION-6852 C:\Windows\System32\svchost.exe NT AUTHORITY\NETWORK SERVICE (REDACTED) 61571 (REDACTED) 80 out 2022-07-27T14:49:14.813000Z WORKSTATION-4321 C:\Windows\System32\svchost.exe NT AUTHORITY\NETWORK SERVICE (REDACTED) 61605 (REDACTED) 80 out 2022-07-27T07:59:49.780000Z WORKSTATION-1879 C:\Windows\System32\svchost.exe NT AUTHORITY\NETWORK SERVICE (REDACTED) 62472 (REDACTED) 80 out
Command example#
!harfanglab-telemetry-network destination_address="(REDACTED)" from_date="2022-07-21T12:34:05" to_date="2022-07-21T12:34:15" limit=5
Context Example#
Human Readable Output#
Network list#
create date hostname image name username source address source port destination addr destination port direction 2022-07-21T12:34:09.265000Z WORKSTATION-4812 C:\Windows\System32\svchost.exe NT AUTHORITY\NETWORK SERVICE (REDACTED) 50363 (REDACTED) 80 out
harfanglab-telemetry-eventlog#
Search event logs
Base Command#
harfanglab-telemetry-eventlog
Input#
| Argument Name | Description | Required |
|---|---|---|
| hostname | Endpoint hostname. | Optional |
| event_id | Event id. | Optional |
| from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| limit | Maximum number of elements to fetch. Default is 100. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Telemetryeventlog.eventlog | unknown | Provides a list of event logs |
Command example#
!harfanglab-telemetry-eventlog hostname="DC-01" limit=5
Context Example#
Human Readable Output#
Event Log list#
create date hostname event id source name log name keywords event data level 2022-07-28T07:29:29.327000Z DC-01 7036 Service Control Manager System Classic param1: Software Protection
param2: stopped
Binary: 7300700070007300760063002F0031000000Information 2022-07-28T07:29:29.311000Z DC-01 16384 Microsoft-Windows-Security-SPP Application Classic param1: 2022-11-12T06:42:29Z
param2: RulesEngineInformation 2022-07-28T07:28:58.905000Z DC-01 16394 Microsoft-Windows-Security-SPP Application Classic Information 2022-07-28T07:28:58.795000Z DC-01 7036 Service Control Manager System Classic param1: Software Protection
param2: running
Binary: 7300700070007300760063002F0034000000Information 2022-07-28T07:26:50.139000Z DC-01 7036 Service Control Manager System Classic param1: Windows Modules Installer
param2: stopped
Binary: 540072007500730074006500640049006E007300740061006C006C00650072002F0031000000Information
Command example#
!harfanglab-telemetry-eventlog hostname="DC-01" event_id=4624 limit=5
Context Example#
Human Readable Output#
Event Log list#
create date hostname event id source name log name keywords event data level 2022-07-28T07:24:48.105000Z DC-01 4624 Microsoft-Windows-Security-Auditing Security Audit Success SubjectUserSid: S-1-5-18
SubjectUserName: DC-01$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x278
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842Information 2022-07-28T06:34:06.425000Z DC-01 4624 Microsoft-Windows-Security-Auditing Security Audit Success SubjectUserSid: S-1-5-18
SubjectUserName: DC-01$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x278
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842Information 2022-07-28T06:24:48.107000Z DC-01 4624 Microsoft-Windows-Security-Auditing Security Audit Success SubjectUserSid: S-1-5-18
SubjectUserName: DC-01$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x278
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842Information 2022-07-28T05:24:47.496000Z DC-01 4624 Microsoft-Windows-Security-Auditing Security Audit Success SubjectUserSid: S-1-5-18
SubjectUserName: DC-01$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x278
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842Information 2022-07-28T04:24:46.833000Z DC-01 4624 Microsoft-Windows-Security-Auditing Security Audit Success SubjectUserSid: S-1-5-18
SubjectUserName: DC-01$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x278
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842Information
Command example#
!harfanglab-telemetry-eventlog event_id=4624 from_date="2022-07-21T21:25:34" to_date="2022-07-23T21:25:34" limit=5
Context Example#
Human Readable Output#
Event Log list#
create date hostname event id source name log name keywords event data level 2022-07-23T21:25:18.159000Z WORKSTATION-1234 4624 Microsoft-Windows-Security-Auditing Security Audit Success SubjectUserSid: S-1-5-18
SubjectUserName: WORKSTATION-123$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x280
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842Information 2022-07-23T21:25:10.765000Z WEBSERVER 4624 Microsoft-Windows-Security-Auditing Security Audit Success SubjectUserSid: S-1-5-18
SubjectUserName: WEBSERVER$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x27c
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842Information 2022-07-23T21:23:53.410000Z DC-01 4624 Microsoft-Windows-Security-Auditing Security Audit Success SubjectUserSid: S-1-5-18
SubjectUserName: DC-01$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x278
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842Information 2022-07-23T21:18:55.338000Z WORKSTATION-8501 4624 Microsoft-Windows-Security-Auditing Security Audit Success SubjectUserSid: S-1-5-18
SubjectUserName: WORKSTATION-850$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x27c
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842Information 2022-07-23T21:18:53.324000Z WORKSTATION-8501 4624 Microsoft-Windows-Security-Auditing Security Audit Success SubjectUserSid: S-1-5-18
SubjectUserName: WORKSTATION-850$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x27c
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842Information
harfanglab-telemetry-binary#
Search for binaries
Base Command#
harfanglab-telemetry-binary
Input#
| Argument Name | Description | Required |
|---|---|---|
| from_date | Start date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| to_date | End date (format: YYYY-MM-DDTHH:MM:SS). | Optional |
| hash | filehash to search (md5, sha1, sha256). | Optional |
| limit | Maximum number of elements to fetch. Default is 100. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Telemetrybinary.binary | unknown | Provides a list of binaries with associated download links. |
Command example#
!harfanglab-telemetry-binary hash=2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5
Context Example#
Human Readable Output#
Binary list#
name path size sha256 download link hurukai /opt/hurukai/hurukai 5882824 2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5 https://my_edr_stack:8443/api/data/telemetry/Binary/download/2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5/?hl_expiring_key=0123456789abcdef
harfanglab-job-info#
Get job status information
Base Command#
harfanglab-job-info
Input#
| Argument Name | Description | Required |
|---|---|---|
| ids | Coma-separated list of job ids. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Job.Info | unknown | Job Status |
Command example#
!harfanglab-job-info ids="ba28f05f-e3c8-4eec-ab6a-01d639c14f2e,70b2cd7b-8a57-4a6c-aa7e-e392676fa7ac"
Context Example#
Human Readable Output#
Jobs Info#
ID Status Creation date ba28f05f-e3c8-4eec-ab6a-01d639c14f2e finished 2022-07-19 19:47:00 70b2cd7b-8a57-4a6c-aa7e-e392676fa7ac finished 2022-07-07 13:39:02
harfanglab-result-pipelist#
Get a hostname's list of pipes from job results
Base Command#
harfanglab-result-pipelist
Input#
| Argument Name | Description | Required |
|---|---|---|
| job_id | Job id as returned by the job submission commands. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Pipe.data | unknown | Provides a list of named pipes |
Command example#
!harfanglab-result-pipelist job_id="f6cba4b2-e4a1-41b7-bdc0-0dcb6815d3ad"
Context Example#
Human Readable Output#
Pipe List#
name atsvc Ctx_WinStation_API_service epmapper eventlog hlab-1560-f60834ea319cb1cf InitShutdown lsass LSM_API_service ntsvcs PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER scerpc SessEnvPublicRpc spoolss srvsvc TermSrv_API_service trkwks VBoxTrayIPC-vagrant W32TIME_ALT Winsock2\CatalogChangeListener-1f8-0 Winsock2\CatalogChangeListener-278-0 Winsock2\CatalogChangeListener-284-0 Winsock2\CatalogChangeListener-2c4-0 Winsock2\CatalogChangeListener-2f0-0 Winsock2\CatalogChangeListener-35c-0 Winsock2\CatalogChangeListener-414-0 Winsock2\CatalogChangeListener-528-0 wkssvc
harfanglab-result-prefetchlist#
Get a hostname's list of prefetches from job results
Base Command#
harfanglab-result-prefetchlist
Input#
| Argument Name | Description | Required |
|---|---|---|
| job_id | Job id as returned by the job submission commands. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.Prefetch.data | unknown | Provides a list of prefetch files |
Command example#
!harfanglab-result-prefetchlist job_id="16834054-574b-4dc4-8981-9e6bb93e4529"
Context Example#
Human Readable Output#
Prefetch List#
No entries.
harfanglab-result-runkeylist#
Get a hostname's list of run keys from job results
Base Command#
harfanglab-result-runkeylist
Input#
| Argument Name | Description | Required |
|---|---|---|
| job_id | Job id as returned by the job submission commands. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.RunKey.data | unknown | Provides a list of Run Keys |
Command example#
!harfanglab-result-runkeylist job_id="704cac37-57df-4b70-8227-4a770b724108"
Context Example#
Human Readable Output#
RunKey List#
name fullpath signed md5 SecurityHealth C:\Windows\system32\SecurityHealthSystray.exe true 37eea8b4d205b2300e79a9e96f2f7a46 VBoxTray C:\Windows\system32\VBoxTray.exe true 3c21ed6871650bc8635729b9abbb6f21
harfanglab-result-scheduledtasklist#
Get a hostname's list of scheduled tasks from job results
Base Command#
harfanglab-result-scheduledtasklist
Input#
| Argument Name | Description | Required |
|---|---|---|
| job_id | Job id as returned by the job submission commands. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Harfanglab.ScheduledTask.data | unknown | Provides a list of scheduled tasks |
Command example#
!harfanglab-result-scheduledtasklist job_id="f22b531a-b078-44fc-8d23-d06725548934"