
HarfangLab

HarfangLab is an endpoint detection and response (EDR) solution certified by ANSSI since 2020.

Configuration

| Name | Type | Description |
|---|---|---|
| url | string | URL of the HarfangLab instance |
| api_token | string | Authentication token for the API |

Actions

Add comment to Threat

Add comment to Threat

Arguments

| Name | Type | Description |
|---|---|---|
| id | string | Threat IDs |
| comment | string | Comment to add |

Create IOCs

Create IOCs

Arguments

| Name | Type | Description |
|---|---|---|
| stix_objects_path | string | File path of the STIX objects fetched from the collection |
| sekoia_base_url | string | [Optional] Sekoia base URL, used to generate direct links to IOCs |
| source_id | string | Source ID |
| block_on_agent | boolean | Block on agent |
| quarantine_on_agent | boolean | Quarantine on agent |
| detect_on_agent | boolean | Endpoint detection |

Download File from Endpoint

Download an arbitrary file from a HarfangLab endpoint

Arguments

| Name | Type | Description |
|---|---|---|
| id | string | Identifier of the endpoint agent |
| path | string | Absolute path to the file to download from the endpoint |

Outputs

| Name | Type | Description |
|---|---|---|
| path | string | Downloaded file's path |

Deisolate an agent

Deisolate an agent

Arguments

| Name | Type | Description |
|---|---|---|
| id | string | The identifier of the agent to deisolate |

Outputs

| Name | Type | Description |
|---|---|---|
| requested | array | The list of identifiers of non-deisolated endpoints |
| unrequested | array | The list of identifiers of deisolated endpoints |

Isolate an agent

Isolate an agent

Arguments

| Name | Type | Description |
|---|---|---|
| id | string | The identifier of the agent to isolate |

Outputs

| Name | Type | Description |
|---|---|---|
| requested | array | The list of identifiers of isolated endpoints |
| unrequested | array | The list of identifiers of non-isolated endpoints |

Deisolate a group

Deisolate a group of endpoints

Arguments

| Name | Type | Description |
|---|---|---|
| id | string | The identifier of the group to deisolate |

Outputs

| Name | Type | Description |
|---|---|---|
| requested | array | The list of identifiers of non-deisolated endpoints |
| unrequested | array | The list of identifiers of deisolated endpoints |

Isolate a group

Isolate a group of endpoints

Arguments

| Name | Type | Description |
|---|---|---|
| id | string | The identifier of the group to isolate |

Outputs

| Name | Type | Description |
|---|---|---|
| requested | array | The list of identifiers of isolated endpoints |
| unrequested | array | The list of identifiers of non-isolated endpoints |

Hostname by IP

Get the hostname of a machine by its IP address

Arguments

| Name | Type | Description |
|---|---|---|
| target_ip | string | Targeted IP address |
| get_only_last_seen | boolean | Get the last seen hostname only |

Outputs

| Name | Type | Description |
|---|---|---|
| hostnames | array | Hostnames |

List named pipes

Get the list of named pipes on the systems

Arguments

| Name | Type | Description |
|---|---|---|
| target_agents | string | Identifier of the targeted agents |
| target_groups | string | Identifier of the targeted groups |

Outputs

| Name | Type | Description |
|---|---|---|
| id | string | Identifier of the job |
| action | string | Name of the job action |
| creationtime | string | Creation date of the job |
| parameters | object | Parameters of the job |

List processes

Get the list of processes on the systems

Arguments

| Name | Type | Description |
|---|---|---|
| target_agents | string | Identifier of the targeted agents |
| target_groups | string | Identifier of the targeted groups |
| get_connections_list | boolean | Get the list of connections (listening and connected sockets) |
| get_handles_list | boolean | Get the list of open handles |
| get_signatures_list | boolean | Get signature info of processes and DLLs |

Outputs

| Name | Type | Description |
|---|---|---|
| id | string | Identifier of the job |
| action | string | Name of the job action |
| creationtime | string | Creation date of the job |
| parameters | object | Parameters of the job |

Update Threat status

Update Threat status

Arguments

| Name | Type | Description |
|---|---|---|
| threat_ids | array | Threat IDs |
| new_status | string | New status |
| update_by_query | boolean | Update by query |

Extra

Module HarfangLab v1.24.0