HarfangLab EDR

Details
Content
Dependencies
Version History

Download With Dependencies

This connector allows to fetch security events from a HarfangLab EDR Manager and manage the incident response.

HarfangLab EDR

This connector allows to fetch security events from a HarfangLab EDR Manager and manage the incident response.

It is shipped with:

an integration with 60+ commands/tasks,
an alert management playbook including 20+ subplaybooks,
several Threat Intelligence Management playbooks that allows to hunt for IOCs in the EDR, manually review the IOC sightings and then put the IOCs into detection in the EDR,
an alert type along with its associated incident mapper,
a specific alert layout tailored to HarfangLab EDR alerts.

The alert management playbook illustrates several steps of a typical incident response with forensics activities:

Endpoint isolation
Forensics data collection
Raw artifacts collection
Agent reconnection
Case closing

HarfangLab EDR

This connector allows to fetch security events from a HarfangLab EDR Manager and manage the incident response.

It is shipped with:

an integration with 60+ commands/tasks,
an alert management playbook including 20+ subplaybooks,
several Threat Intelligence Management playbooks that allows to hunt for IOCs in the EDR, manually review the IOC sightings and then put the IOCs into detection in the EDR,
an alert type along with its associated incident mapper,
a specific alert layout tailored to HarfangLab EDR alerts.

The alert management playbook illustrates several steps of a typical incident response with forensics activities:

Endpoint isolation
Forensics data collection
Raw artifacts collection
Agent reconnection
Case closing

Layouts

Name	Description
Hurukai alert layout

Incident Types

Name	Description
Hurukai alert

Classifiers

Name	Description
Hurukai alert mapper

Playbooks

Name	Description
Hurukai - Hunt IOCs	This playbook allows is triggered by the Hurukai - Process Indicators - Manual Review playbook. It allows to search for IOC sightings in the HarfangLab EDR and tag sighted IOCs accordingly for manual review. All IOCs are tagged in order to be further inserted into a HarfangLab EDR IOC source.
Hurukai - Get Runkey List	Get the list of RUN keys
Hurukai - Get Session List	Get the list of active sessions
Hurukai - Get Persistence List	Get the list of persistence means
Hurukai - Get Artifact RAM Dump	Get a RAM dump from Windows and Linux endpoints.
Hurukai - Get WMI List	Get the list of WMI items
Hurukai - Add indicators to HarfangLab EDR	This playbook add indicators to a HarfangLab EDR IOC source list for detection and/or blocking.
Hurukai - Get Driver List	Get the list of loaded drivers
Hurukai - Get Artifact MFT	Get the raw MFT
Hurukai - Get Process List	Get the list of processes
Hurukai - Get Network Connection List	Get the list of active network connections
Hurukai - Get Startup List	Get the list of startup files
Hurukai - Get All Artifacts	Build a global archive with: MFT (Windows) Hives (Windows) USN logs (Windows) Prefetch files (Windows) EVT/EVTX files (Windows) Log files (Linux) Filesystem content (Linux)
Hurukai - Get Service List	Get the list of services
Hurukai - Get Artifact Filesystem	Get a CSV list of files in a Linux filesystem
Hurukai - Process Indicators - Manual Review	This playbook tags indicators ingested by feeds that require manual approval. The playbook is triggered due to a job. The indicators are tagged as requiring a manual review. The playbook optionally concludes with creating a new incident that includes all of the indicators that the analyst must review. To enable the playbook, the indicator query needs to be configured. An example query is a list of the feeds whose ingested indicators should be manually reviewed. For example, sourceBrands:"Feed A" or sourceBrands:"Feed B".
Hurukai - Get Prefetch List	Get the list of prefetch files
Hurukai - Get Artifact Evtx	Get Evt/evtx log files
Hurukai - Get Scheduled Task List	Get the list of scheduled tasks
Hurukai - Alert management	Manager security events from HarfangLab EDR
Hurukai - Get Network Share List	Get the list of network shares
Hurukai - Get Pipe List	Get the list of named pipes
Hurukai - Get Artifact Hives	Get the RAW hives
Hurukai - Get Artifact Logs	Get all the log files

Integrations

Name	Description
HarfangLab EDR (Partner Contribution)	HarfangLab EDR Connector, Compatible version 2.13.7+

Incident Types

Name	Description
Hurukai alert

Classifiers

Name	Description
Hurukai alert mapper

Playbooks

Name	Description
Hurukai - Hunt IOCs	This playbook allows is triggered by the Hurukai - Process Indicators - Manual Review playbook. It allows to search for IOC sightings in the HarfangLab EDR and tag sighted IOCs accordingly for manual review. All IOCs are tagged in order to be further inserted into a HarfangLab EDR IOC source.
Hurukai - Get Runkey List	Get the list of RUN keys
Hurukai - Get Session List	Get the list of active sessions
Hurukai - Get Persistence List	Get the list of persistence means
Hurukai - Get Artifact RAM Dump	Get a RAM dump from Windows and Linux endpoints.
Hurukai - Get WMI List	Get the list of WMI items
Hurukai - Add indicators to HarfangLab EDR	This playbook add indicators to a HarfangLab EDR IOC source list for detection and/or blocking.
Hurukai - Get Driver List	Get the list of loaded drivers
Hurukai - Get Artifact MFT	Get the raw MFT
Hurukai - Get Process List	Get the list of processes
Hurukai - Get Network Connection List	Get the list of active network connections
Hurukai - Get Startup List	Get the list of startup files
Hurukai - Get All Artifacts	Build a global archive with: MFT (Windows) Hives (Windows) USN logs (Windows) Prefetch files (Windows) EVT/EVTX files (Windows) Log files (Linux) Filesystem content (Linux)
Hurukai - Get Service List	Get the list of services
Hurukai - Get Artifact Filesystem	Get a CSV list of files in a Linux filesystem
Hurukai - Process Indicators - Manual Review	This playbook tags indicators ingested by feeds that require manual approval. The playbook is triggered due to a job. The indicators are tagged as requiring a manual review. The playbook optionally concludes with creating a new alert that includes all of the indicators that the analyst must review. To enable the playbook, the indicator query needs to be configured. An example query is a list of the feeds whose ingested indicators should be manually reviewed. For example, sourceBrands:"Feed A" or sourceBrands:"Feed B".
Hurukai - Get Prefetch List	Get the list of prefetch files
Hurukai - Get Artifact Evtx	Get Evt/evtx log files
Hurukai - Get Scheduled Task List	Get the list of scheduled tasks
Hurukai - Alert management	Manager security events from HarfangLab EDR
Hurukai - Get Network Share List	Get the list of network shares
Hurukai - Get Pipe List	Get the list of named pipes
Hurukai - Get Artifact Hives	Get the RAW hives
Hurukai - Get Artifact Logs	Get all the log files

Integrations

Name	Description
HarfangLab EDR (Partner Contribution)	HarfangLab EDR Connector, Compatible version 2.13.7+

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (6)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

1.1.7 - R6303396 (September 12, 2023)

Integrations

HarfangLab EDR

Updated the Docker image to: demisto/python3:3.10.13.72123.

Related pull requests:
- 29456

Download

1.1.6 - 6133197 (August 23, 2023)

Integrations

HarfangLab EDR

Updated the Docker image to: demisto/python3:3.10.12.68714.

Related pull requests:
- 29157

Download

1.1.5 - 5950262 (August 3, 2023)

Integrations

HarfangLab EDR

Updated the Docker image to: demisto/python3:3.10.12.66339.
Added the API Key integration parameter to support credentials fetching object.

Related pull requests:
- 28590

Download

1.1.3 - R5866730 (July 25, 2023)

Integrations

HarfangLab EDR

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27820

Download

1.1.2 - R5170573 (May 2, 2023)

Playbooks

Hurukai - Hunt IOCs

Documentation and metadata improvements.

Related pull requests:
- 23716

Download

1.1.1 - R4718798 (March 1, 2023)

Layouts

Hurukai alert layout
This item is no longer supported in XSIAM.

Related pull requests:
- 24221

Download

1.1.0 - 3520117 (August 23, 2022)

Integrations

HarfangLab EDR

Updated the Docker image to: demisto/python3:3.10.5.31928.
Added the filesize argument to IOC search job. When searching for a file based on its name or hash, filesize will be taken into account instead of the hash_filesize.
You can now search the whole telemetry, instead of specific hostname.
Added the limit argument to the following commands:
- harfanglab-telemetry-processes
- harfanglab-telemetry-network
- harfanglab-telemetry-eventlog
- harfanglab-telemetry-binary
Added command examples to the documentation.
Added additional eventlog information such as create date, source name, log name, event data, level.
You can now search for a specific eventid within the harfanglab-telemetry-eventlog command.
Added support for multiple endpoint descriptions returned from the harfanglab-endpoint-search command.
Deprecated the Agent.id and status outputs from the harfanglab-endpoint-search command.
Deprecated the current_directory, agent.agentid and hashes.sha256 outputs from the harfanglab-telemetry-processes command.
Deprecated the action output context path and added the Harfanglab.Job.Action output context path to the following commands:
- harfanglab-job-info
- harfanglab-job-pipelist
- harfanglab-job-prefetchlist
- harfanglab-job-runkeylist
- harfanglab-job-scheduledtasklist
- harfanglab-job-driverlist
- harfanglab-job-servicelist
- harfanglab-job-processlist
- harfanglab-job-networkconnectionlist
- harfanglab-job-networksharelist
- harfanglab-job-sessionlist
- harfanglab-job-ioc
- harfanglab-job-startuplist
- harfanglab-job-wmilist
- harfanglab-job-artifact-mft
- harfanglab-job-artifact-hives
- harfanglab-job-artifact-evtx
- harfanglab-job-artifact-logs
- harfanglab-job-artifact-filesystem
- harfanglab-job-artifact-all
- harfanglab-job-artifact-downloadfile
- harfanglab-job-artifact-ramdump
- Added the Harfanglab.Agent output prefix to the harfanglab-endpoint-search command.

Related pull requests:
- 20705
- 20266

Download

1.0.2 - 3120482 (June 20, 2022)

Integrations

HarfangLab EDR

Fixed bug triggered when an agent (Linux) has no associated domainname

Playbooks

Hurukai - Get All Artifacts

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get Artifact Evtx

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get Artifact Filesystem

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get Artifact Hives

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get Artifact Logs

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get Artifact MFT

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get Artifact RAM Dump

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get Driver List

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get Network Connection List

Increased all polling task timeouts from 10 minutes to 60 minutes

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get Persistence List

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get Pipe List

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get Prefetch List

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get Process List

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get Runkey List

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get Scheduled Task List

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get Service List

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get Session List

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get Startup List

Increased all polling task timeouts from 10 minutes to 60 minutes

Hurukai - Get WMI List

Increased all polling task timeouts from 10 minutes to 60 minutes

Related pull requests:
- 19498
- 19631

Download

PUBLISHER

HarfangLab

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	May 18, 2022
Last Release	September 12, 2023

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

HarfangLab EDR

HarfangLab EDR

HarfangLab EDR

Integrations

HarfangLab EDR

Integrations

HarfangLab EDR

Integrations

HarfangLab EDR

Integrations

HarfangLab EDR

Playbooks

Hurukai - Hunt IOCs

Layouts

Integrations

HarfangLab EDR

Integrations

HarfangLab EDR

Playbooks

Hurukai - Get All Artifacts

Hurukai - Get Artifact Evtx

Hurukai - Get Artifact Filesystem

Hurukai - Get Artifact Hives

Hurukai - Get Artifact Logs

Hurukai - Get Artifact MFT

Hurukai - Get Artifact RAM Dump

Hurukai - Get Driver List

Hurukai - Get Network Connection List

Hurukai - Get Network Share List

Hurukai - Get Persistence List

Hurukai - Get Pipe List

Hurukai - Get Prefetch List

Hurukai - Get Process List

Hurukai - Get Runkey List

Hurukai - Get Scheduled Task List

Hurukai - Get Service List

Hurukai - Get Session List

Hurukai - Get Startup List

Hurukai - Get WMI List

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER