HarfangLab EDR

This connector allows to fetch security events from a HarfangLab EDR Manager and manage the incident response.

It is shipped with:

an integration with 60+ commands/tasks,
an alert management playbook including 20+ sub-playbooks,
several Threat Intelligence Management playbooks that allows to hunt for IOCs in the EDR, manually review the IOC sightings and then put the IOCs into detection in the EDR,
an alert type along with its associated incident mapper,
a specific alert layout tailored to HarfangLab EDR alerts.

The alert management playbook illustrates several steps of a typical incident response with forensics activities:

Endpoint isolation
Forensics data collection
Raw artifacts collection
Agent reconnection
Case closing

Name	Description
Hurukai classifier
Hurukai - Incoming mapper
Hurukai - Outgoing mapper	Hurukai mirror out mapper.

Name

Description

Hurukai classifier

Hurukai - Incoming mapper

Hurukai - Outgoing mapper

Hurukai mirror out mapper.

Name	Description
HarfangLab EDR Top Impacted Users
HarfangLab EDR Top Rules
HarfangLab EDR Total Security Event Count
HarfangLab EDR Low Security Event Count
HarfangLab EDR Critical Security Event Count
HarfangLab EDR Threat ID
HarfangLab EDR Medium Security Event Count
HarfangLab EDR Top Agents
HarfangLab EDR High Security Event Count

Name

Description

HarfangLab EDR Top Impacted Users

HarfangLab EDR Top Rules

HarfangLab EDR Total Security Event Count

HarfangLab EDR Low Security Event Count

HarfangLab EDR Critical Security Event Count

HarfangLab EDR Threat ID

HarfangLab EDR Medium Security Event Count

HarfangLab EDR Top Agents

HarfangLab EDR High Security Event Count

Name	Description
Hurukai alert
Hurukai threat

Name

Description

Hurukai alert

Hurukai threat

Name	Description
HarfangLab EDR (Partner Contribution)	HarfangLab EDR Connector, Compatible version 2.13.7+.

Name

Description

HarfangLab EDR (Partner Contribution)

HarfangLab EDR Connector,
Compatible version 2.13.7+.

Name	Description
Hurukai threat layout
Hurukai alert layout

Name

Description

Hurukai threat layout

Hurukai alert layout

Name	Description
Hurukai - Get Artifact Evtx	Get Evt/evtx log files
Hurukai - Get Session List	Get the list of active sessions
Hurukai - Get Startup List	Get the list of startup files
Hurukai - Get Prefetch List	Get the list of prefetch files
Hurukai - Get Network Share List	Get the list of network shares
Hurukai - Add indicators to HarfangLab EDR	This playbook add indicators to a HarfangLab EDR IOC source list for detection and/or blocking.
Hurukai - Get Runkey List	Get the list of RUN keys
Hurukai - Get Network Connection List	Get the list of active network connections
Hurukai - Get Artifact Hives	Get the RAW hives
Hurukai - Get Artifact MFT	Get the raw MFT
Hurukai - Get Driver List	Get the list of loaded drivers
Hurukai - Hunt IOCs	This playbook allows is triggered by the Hurukai - Process Indicators - Manual Review playbook. It allows to search for IOC sightings in the HarfangLab EDR and tag sighted IOCs accordingly for manual review. All IOCs are tagged in order to be further inserted into a HarfangLab EDR IOC source.
Hurukai - Get Scheduled Task List	Get the list of scheduled tasks
Hurukai - Process Indicators - Manual Review	This playbook tags indicators ingested by feeds that require manual approval. The playbook is triggered due to a job. The indicators are tagged as requiring a manual review. The playbook optionally concludes with creating a new incident that includes all of the indicators that the analyst must review. To enable the playbook, the indicator query needs to be configured. An example query is a list of the feeds whose ingested indicators should be manually reviewed. For example, sourceBrands:"Feed A" or sourceBrands:"Feed B".
Hurukai - Get Pipe List	Get the list of named pipes
Hurukai - Get All Artifacts	Build a global archive with: MFT (Windows) Hives (Windows) USN logs (Windows) Prefetch files (Windows) EVT/EVTX files (Windows) Log files (Linux) Filesystem content (Linux)
Hurukai - Get Service List	Get the list of services
Hurukai - Get Persistence List	Get the list of persistence means
Hurukai - Get WMI List	Get the list of WMI items
Hurukai - Get Artifact Logs	Get all the log files
Hurukai - Get Process List	Get the list of processes
Hurukai - Alert management	Manager security events from HarfangLab EDR
Hurukai - Get Artifact RAM Dump	Get a RAM dump from Windows and Linux endpoints.
Hurukai - Get Artifact Filesystem	Get a CSV list of files in a Linux filesystem

Name

Description

Hurukai - Get Artifact Evtx

Get Evt/evtx log files

Hurukai - Get Session List

Get the list of active sessions

Hurukai - Get Startup List

Get the list of startup files

Hurukai - Get Prefetch List

Get the list of prefetch files

Hurukai - Get Network Share List

Get the list of network shares

Hurukai - Add indicators to HarfangLab EDR

This playbook add indicators to a HarfangLab EDR IOC source list for detection and/or blocking.

Hurukai - Get Runkey List

Get the list of RUN keys

Hurukai - Get Network Connection List

Get the list of active network connections

Hurukai - Get Artifact Hives

Get the RAW hives

Hurukai - Get Artifact MFT

Get the raw MFT

Hurukai - Get Driver List

Get the list of loaded drivers

Hurukai - Hunt IOCs

This playbook allows is triggered by the Hurukai - Process Indicators - Manual Review playbook. It allows to search for IOC sightings in the HarfangLab EDR and tag sighted IOCs accordingly for manual review. All IOCs are tagged in order to be further inserted into a HarfangLab EDR IOC source.

Hurukai - Get Scheduled Task List

Get the list of scheduled tasks

Hurukai - Process Indicators - Manual Review

This playbook tags indicators ingested by feeds that require manual approval. The playbook is triggered due to a job. The indicators are tagged as requiring a manual review. The playbook optionally concludes with creating a new incident that includes all of the indicators that the analyst must review.
To enable the playbook, the indicator query needs to be configured. An example query is a list of the feeds whose ingested indicators should be manually reviewed. For example, sourceBrands:"Feed A" or sourceBrands:"Feed B".

Hurukai - Get Pipe List

Get the list of named pipes

Hurukai - Get All Artifacts

Build a global archive with:

MFT (Windows)
Hives (Windows)
USN logs (Windows)
Prefetch files (Windows)
EVT/EVTX files (Windows)
Log files (Linux)
Filesystem content (Linux)

Hurukai - Get Service List

Get the list of services

Hurukai - Get Persistence List

Get the list of persistence means

Hurukai - Get WMI List

Get the list of WMI items

Hurukai - Get Artifact Logs

Get all the log files

Hurukai - Get Process List

Get the list of processes

Hurukai - Alert management

Manager security events from HarfangLab EDR

Hurukai - Get Artifact RAM Dump

Get a RAM dump from Windows and Linux endpoints.

Hurukai - Get Artifact Filesystem

Get a CSV list of files in a Linux filesystem

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR

Certification	Certified	Read more
Supported By	Partner
Created	May 18, 2022
Last Release	July 10, 2024

HarfangLab EDR

HarfangLab EDR

Incident Fields

Incident Types

Integrations

HarfangLab EDR

Layouts

Mappers

Hurukai - Incoming mapper

New: Hurukai - Outgoing mapper

Playbooks

Hurukai - Alert management

Hurukai - Get Artifact RAM Dump

Hurukai - Get Prefetch List

Integrations

HarfangLab EDR

Integrations

HarfangLab EDR

Integrations

HarfangLab EDR

Integrations

HarfangLab EDR

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER