
HarfangLab#

README

HarfangLab responder#

This responder allows interaction with a HarfangLab EDR manager for several kinds of use cases, such as:
- Isolating/unisolating an endpoint
- Getting forensics data from an endpoint (running processes, loaded drivers, sessions, prefetches, services...)
- Getting raw forensics artifacts (MFT, USN journal, hives...)
- Hunting in telemetry (processes, network connections, driver loading...)

The detailed list of HarfangLab's responders is the following:

| Service | Applicable object | Requirement | Description |
|---|---|---|---|
| HarfangLab_Isolate | case or alert | Agent identifier custom field | Isolates an endpoint (adds a HarfangLab:isolated tag to the case when done). |
| HarfangLab_Unisolate | case or alert | Agent identifier custom field | Unisolates an endpoint (adds a HarfangLab:unisolated tag to the case when done). |
| HarfangLab_KillProcess | case or alert | Process / Unique identifier custom field | Kills a process. |
| HarfangLab_DumpProcess | case | Process / Unique identifier custom field | Dumps a process's memory. |
| HarfangLab_GetArtifactAll | case | Agent identifier custom field | Gets an archive file with all artifacts (MFT, USN, EVTX, etc.). |
| HarfangLab_GetArtifactEvtx | case | Agent identifier custom field | Gets an archive file with the Evtx artifact (Windows). |
| HarfangLab_GetArtifactFilesystem | case | Agent identifier custom field | Gets an archive file with the file system artifact (Linux). |
| HarfangLab_GetArtifactHives | case | Agent identifier custom field | Gets an archive file with the Hives artifact (Windows). |
| HarfangLab_GetArtifactLogs | case | Agent identifier custom field | Gets an archive file with the Logs artifact (Linux). |
| HarfangLab_GetArtifactMFT | case | Agent identifier custom field | Gets an archive file with the MFT artifact (Windows). |
| HarfangLab_GetArtifactPrefetch | case | Agent identifier custom field | Gets an archive file with the Prefetch artifact (Windows). |
| HarfangLab_GetArtifactRamdump | case | Agent identifier custom field | Gets an archive file with a RAM dump artifact. |
| HarfangLab_GetArtifactUSN | case | Agent identifier custom field | Gets an archive file with the USN journal artifact. |
| HarfangLab_GetDrivers | case | Agent identifier custom field | Gets the list of loaded drivers. |
| HarfangLab_GetNetworkShares | case | Agent identifier custom field | Gets the list of network shares. |
| HarfangLab_GetPersistence | case | Agent identifier custom field | Gets the list of persistence items (Linux). |
| HarfangLab_GetPipes | case | Agent identifier custom field | Gets the list of pipes. |
| HarfangLab_GetPrefetches | case | Agent identifier custom field | Gets the list of prefetches. |
| HarfangLab_GetProcesses | case | Agent identifier custom field | Gets the list of running processes and their associated information (open sockets, handles, threads...). |
| HarfangLab_GetRunKeys | case | Agent identifier custom field | Gets the list of RUN keys. |
| HarfangLab_GetScheduledTasks | case | Agent identifier custom field | Gets the list of scheduled tasks. |
| HarfangLab_GetServices | case | Agent identifier custom field | Gets the list of services. |
| HarfangLab_GetSessions | case | Agent identifier custom field | Gets the list of sessions. |
| HarfangLab_GetStartupFiles | case | Agent identifier custom field | Gets the list of startup files. |
| HarfangLab_GetWMI | case | Agent identifier custom field | Gets the list of WMI items. |
| HarfangLab_SearchDestinationIP | case_artifact / ip | Case artifact with ip observable | Searches the destination IP in the whole telemetry. |
| HarfangLab_SearchDriverByFileName | case_artifact / filename | Case artifact with filename observable | Searches the driver filename in the whole telemetry. |
| HarfangLab_SearchDriverByHash | case_artifact / hash | Case artifact with hash observable | Searches the driver hash in the whole telemetry. |
| HarfangLab_SearchHash | case_artifact / hash | Case artifact with hash observable | Searches the file hash in the whole telemetry. |
| HarfangLab_SearchSourceIP | case_artifact / ip | Case artifact with ip observable | Searches the source IP in the whole telemetry. |
| HarfangLab_GetBinary | case_artifact / hash | Case artifact with hash observable | Gets binary information and a download link for the file hash. |
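The table above says what each responder needs from the case (an agent identifier custom field) and what it writes back (a HarfangLab:isolated tag). The following is an added example, not HarfangLab's or Cortex's own code, of how a responder such as HarfangLab_Isolate handles that contract: it reads apiURL and apiKey from the Cortex job config using the defaults documented on this page, refuses to run while apiKey is still the documented placeholder value, pulls the agent identifier from the case or alert custom field, and returns the AddTagToCase / AddTagToAlert operation. The custom field name (harfanglabAgentId), the manager endpoint path, the "Authorization: Token" header and the use of plain urllib instead of the cortexutils Responder helper are assumptions, not HarfangLab's API.

```python
"""Added example: skeleton of a Cortex 'isolate endpoint' responder.

Not HarfangLab's or Cortex's code. Assumed (not on the documentation page):
the custom field name, the manager endpoint path and the auth header format.
"""
import json
import urllib.request
from typing import Callable, Dict, Optional
from urllib.parse import quote, urljoin

# Defaults taken from the configuration tables in this documentation.
DEFAULT_API_URL = "https://hurukai:8443/"
PLACEHOLDER_API_KEY = "0123456789abcdef"   # documented default, never a real key
AGENT_ID_FIELD = "harfanglabAgentId"       # assumed custom field name


class ResponderError(Exception):
    """Raised for any input/config problem; turned into a Cortex error report."""


def load_config(job: Dict) -> Dict[str, str]:
    """Resolve apiURL and apiKey from the job input, applying the documented defaults."""
    cfg = job.get("config", {})
    api_url = cfg.get("apiURL") or DEFAULT_API_URL
    api_key = cfg.get("apiKey")
    if not api_key or api_key == PLACEHOLDER_API_KEY:
        # The documented default is a placeholder: a deployment that still carries
        # it is misconfigured, so fail closed instead of sending it to the manager.
        raise ResponderError("apiKey is missing or still set to the documented placeholder")
    if not api_url.startswith("https://"):
        raise ResponderError("apiURL must use https")
    return {"apiURL": api_url.rstrip("/") + "/", "apiKey": api_key}


def extract_agent_id(job: Dict) -> str:
    """Read the 'Agent identifier' custom field from a thehive:case or thehive:alert job.

    TheHive serialises custom fields as {name: {type: value}}; a string field is assumed.
    """
    if job.get("dataType") not in ("thehive:case", "thehive:alert"):
        raise ResponderError("unsupported dataType: %s" % job.get("dataType"))
    fields = job.get("data", {}).get("customFields", {})
    field = fields.get(AGENT_ID_FIELD, {})
    agent_id = field.get("string") if isinstance(field, dict) else field
    if not agent_id or not isinstance(agent_id, str):
        raise ResponderError("custom field %s is not set on the %s" % (AGENT_ID_FIELD, job["dataType"]))
    return agent_id.strip()


def isolate_request(cfg: Dict[str, str], agent_id: str) -> urllib.request.Request:
    """Build the manager request. The path is an assumed placeholder, not HarfangLab's real API."""
    path = "api/PLACEHOLDER/agent/%s/isolate" % quote(agent_id, safe="")
    return urllib.request.Request(
        urljoin(cfg["apiURL"], path),
        method="POST",
        data=b"{}",
        headers={"Authorization": "Token " + cfg["apiKey"],   # assumed header format
                 "Content-Type": "application/json"},
    )


def run_responder(job: Dict, send: Optional[Callable] = None) -> Dict:
    """Return the Cortex responder report for one job.

    `send` is injectable so the decision logic can be exercised without a manager.
    """
    try:
        cfg = load_config(job)
        agent_id = extract_agent_id(job)
        req = isolate_request(cfg, agent_id)
        sender = send or (lambda r: json.load(urllib.request.urlopen(r, timeout=30)))
        result = sender(req)
    except ResponderError as exc:
        return {"success": False, "errorMessage": str(exc)}
    # Tag the object the responder was run on, as the table above documents.
    op_type = "AddTagToCase" if job["dataType"] == "thehive:case" else "AddTagToAlert"
    return {
        "success": True,
        "full": {"agent_id": agent_id, "manager_response": result},
        "operations": [{"type": op_type, "tag": "HarfangLab:isolated"}],
    }


if __name__ == "__main__":
    # Constructed sample job; the fake sender stands in for the EDR manager.
    sample_job = {
        "dataType": "thehive:case",
        "config": {"apiURL": "https://edr.example.test:8443", "apiKey": "replace-me"},
        "data": {"customFields": {AGENT_ID_FIELD: {"string": "agent-0001"}}},
    }
    print(json.dumps(run_responder(sample_job, send=lambda r: {"status": "accepted"}), indent=2))
```

The placeholder-key check is the part worth keeping in a real deployment: the documented default is visible to anyone reading this page, so a responder that silently runs with it either fails noisily against the manager or, worse, works against a test instance whose key was never rotated.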

HarfangLab-GetPipes#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get pipes on a host

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetArtifactEvtx#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get Windows event logs artifact

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-SearchDestinationIP#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Search an IP in HarfangLab EDR's telemetry

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |
| limit | Maximum number of items to collect from telemetry searches | 100 | number | False | True |

HarfangLab-GetSessions#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get sessions on a host

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetServices#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get services on a host

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetScheduledTasks#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get scheduled tasks on a host

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetArtifactMFT#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get MFT artifact

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetWMI#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get WMI items on a host

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetPersistence#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get persistence items on a Linux host

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetDrivers#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get drivers loaded on a host

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetPrefetches#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get prefetches on a host

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab_SearchDriverByFileName#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Search a driver load in HarfangLab EDR's telemetry per filename

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |
| limit | Maximum number of items to collect from telemetry searches | 100 | number | False | True |

HarfangLab-GetNetworkShares#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get network shares on a host

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetProcesses#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get processes running on a host

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetRunKeys#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get RUN keys on a host

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetArtifactAll#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get all artifacts

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-UnisolateHost#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
- thehive:alert
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Unisolate machine with HarfangLab EDR

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetStartupFiles#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get startup files on a host

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetArtifactFilesystem#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get Linux filesystem artifact

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetArtifactHives#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get Hives artifact

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-SearchSourceIP#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Search an IP in HarfangLab EDR's telemetry

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |
| limit | Maximum number of items to collect from telemetry searches | 100 | number | False | True |

HarfangLab-DumpProcess#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Dump process memory

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetBinary#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get binary information and download link

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-KillProcess#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
- thehive:alert
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Kill a process

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetArtifactRamdump#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get RAM dump artifact

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-SearchHash#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Search a hash in HarfangLab EDR's telemetry

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |
| limit | Maximum number of items to collect from telemetry searches | 100 | number | False | True |

HarfangLab_SearchDriverByHash#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Search a driver load in HarfangLab EDR's telemetry per hash

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |
| limit | Maximum number of items to collect from telemetry searches | 100 | number | False | True |

HarfangLab-GetArtifactLogs#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get Linux logs artifact

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetArtifactUSN#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get USN journal artifact

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-IsolateHost#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
- thehive:alert
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Isolate machine with HarfangLab EDR

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |

HarfangLab-GetArtifactPrefetch#

Author: HarfangLab Product Team
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case
Registration required: N/A
Subscription required: True
Free subscription: False
Third party service: N/A

Description#

Get prefetches artifact

Configuration#

| Item | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| apiURL | HarfangLab EDR API URL | https://hurukai:8443/ | string | False | True |
| apiKey | HarfangLab EDR API Key | 0123456789abcdef | string | False | True |