HarfangLab
The HarfangLab connector facilitates seamless integration with the HarfangLab EDR platform, enabling automated security monitoring and response actions. HarfangLab is a cutting-edge endpoint security solution that provides comprehensive telemetry and actionable insights for threat detection and response. This connector enables Swimlane Turbine users to integrate HarfangLab's advanced endpoint isolation and incident management capabilities directly into their security workflows. By leveraging this integration, security teams can automate the containment of threats, streamline incident analysis, and enhance their overall security posture with minimal manual intervention.

## Prerequisites

To effectively utilize the HarfangLab connector within the Swimlane Turbine platform, ensure you have the following:

HTTP Bearer Token authentication with these parameters:

- URL: the base URL for the HarfangLab API endpoint
- Token: a valid bearer token to authenticate API requests

The HarfangLab connector integrates with Swimlane Turbine to retrieve incidents and endpoint info, and to isolate and deisolate endpoints.

## Capabilities

This connector provides the following capabilities:

- Deisolate Endpoint
- Endpoint Search
- Fetch Incidents
- Get Endpoint Info
- Isolate Endpoint

## Asset Setup

This connector requires the below parameters for authentication:

- URL
- Token

## Configurations

### HTTP Bearer Authentication

Authenticates using a bearer token such as a JWT, etc.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token | Token | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Deisolate Endpoint

Reconnect a previously isolated endpoint to the network in HarfangLab by specifying the endpoint's ID.

Endpoint URL: `/api/data/endpoint/agent/{{id}}/deisolate/`

Method: POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |
| additional_info | object | optional | Parameter for Deisolate Endpoint |
| additional_info1 | string | optional | Parameter for Deisolate Endpoint |
| additional_info2 | string | optional | Parameter for Deisolate Endpoint |
| additional_info3 | string | optional | Parameter for Deisolate Endpoint |
| additional_info4 | string | optional | Parameter for Deisolate Endpoint |
| description | string | optional | Parameter for Deisolate Endpoint |
| group_count | number | optional | Count value |
| id | string | required | Unique identifier |
| policy | object | optional | Parameter for Deisolate Endpoint |
| agent_auto_forget | boolean | optional | Parameter for Deisolate Endpoint |
| agent_auto_forget_max_days | number | optional | Agent auto forget max days; minimum value is 1 |
| agent_auto_update | boolean | optional | Date value |
| agent_ui_admin_message | string | optional | Response message |
| agent_ui_enabled | boolean | optional | Parameter for Deisolate Endpoint |
| agent_ui_notification_level | number | optional | Agent UI notification level; maximum value is 2147483647 and minimum value is -2147483648 |
| agent_ui_notification_scope | number | optional | Agent UI notification scope; maximum value is 2147483647 and minimum value is -2147483648 |
| agent_upgrade_strategy | string | optional | Parameter for Deisolate Endpoint |
| audit_killswitch | boolean | optional | Parameter for Deisolate Endpoint |
| binary_download_enabled | boolean | optional | Parameter for Deisolate Endpoint |
| description | string | optional | Parameter for Deisolate Endpoint |
| driverblock_mode | number | optional | Driverblock mode; maximum is 3 and minimum is 0 |
| feature_callback_tampering | boolean | optional | Parameter for Deisolate Endpoint |
| feature_dse_tampering_mode | number | optional | Feature DSE tampering mode; maximum value is 2147483647 and minimum value is -2147483648 |
| feature_event_stacktrace | boolean | optional | Parameter for Deisolate Endpoint |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| policy_not_allowed | array | Output field policy_not_allowed |
| hostname | string | Name of the resource |
| id | string | Unique identifier |
| requested | array | Output field requested |
| hostname | string | Name of the resource |
| id | string | Unique identifier |
| unrequested | array | Output field unrequested |
| hostname | string | Name of the resource |
| id | string | Unique identifier |
| unsupported | array | Output field unsupported |
| hostname | string | Name of the resource |
| id | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "text/html; charset=utf-8",
      "X-HSCI-Cache-Time": "2024-12-18T12:01:22.328Z"
    },
    "reason": "OK",
    "json_body": {
      "policy_not_allowed": [],
      "requested": [],
      "unrequested": [],
      "unsupported": []
    }
  }
]
```

### Endpoint Search

Retrieve endpoint information from HarfangLab by conducting a targeted search.

Endpoint URL: `/api/data/endpoint/agent`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| search | string | optional | Parameter for Endpoint Search |
| ordering | string | optional | Parameter for Endpoint Search |
| id | string | optional | Unique identifier |
| domainname | string | optional | Name of the resource |
| dnsdomainname | string | optional | Name of the resource |
| hostname | string | optional | Name of the resource |
| osmajor | number | optional | Parameter for Endpoint Search |
| osminor | number | optional | Parameter for Endpoint Search |
| osproducttype | string | optional | Type of the resource |
| firstseen | string | optional | Parameter for Endpoint Search |
| lastseen | string | optional | Parameter for Endpoint Search |
| version | string | optional | Parameter for Endpoint Search |
| bitness | string | optional | Parameter for Endpoint Search |
| domain | string | optional | Parameter for Endpoint Search |
| installdate | string | optional | Date value |
| ipaddress | string | optional | Parameter for Endpoint Search |
| external_ipaddress | string | optional | Parameter for Endpoint Search |
| osbuild | number | optional | Parameter for Endpoint Search |
| osid | string | optional | Unique identifier |
| osversion | string | optional | Parameter for Endpoint Search |
| producttype | string | optional | Type of the resource |
| servicepack | string | optional | Parameter for Endpoint Search |
| total_memory | number | optional | Parameter for Endpoint Search |
| cpu_count | number | optional | Count value |
| cpu_frequency | number | optional | Parameter for Endpoint Search |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| next | string | Output field next |
| previous | string | Output field previous |
| results | array | Result of the operation |
| additional_info | object | Output field additional_info |
| additional_info1 | string | Output field additional_info1 |
| antivirus_last_update_date | string | Date value |
| antivirus_name | string | Name of the resource |
| antivirus_profile | object | Output field antivirus_profile |
| agent_count | number | Count value |
| antivirus_object | object | Output field antivirus_object |
| antivirus_slug | string | Output field antivirus_slug |
| creation_date | string | Date value |
| description | string | Output field description |
| id | string | Unique identifier |
| last_modifier | object | Output field last_modifier |
| id | number | Unique identifier |
| username | string | Name of the resource |
| last_update | string | Date value |
| name | string | Name of the resource |
| revision | number | Output field revision |
| antivirus_profile_status | string | Status value |
| antivirus_rules_last_update_date | string | Date value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "count": 123,
      "next": "string",
      "previous": "string",
      "results": []
    }
  }
]
```

### Fetch Incidents

Fetches a list of incidents from HarfangLab, providing an overview of security alerts and breaches.

Endpoint URL: `/api/data/alert/alert/alert`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| limit | number | optional | Parameter for Fetch Incidents |
| offset | number | optional | Parameter for Fetch Incidents |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| next | string | Output field next |
| previous | string | Output field previous |
| results | array | Result of the operation |
| filters | object | Output field filters |
| wildcard | array | Output field wildcard |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "count": 0,
      "next": "",
      "previous": "/api/data/alert/alert/alert/?limit=3",
      "results": [],
      "filters": {}
    }
  }
]
```

### Get Endpoint Info

Retrieve detailed information for a specific agent in HarfangLab using the provided unique identifier (ID).

Endpoint URL: `/api/data/endpoint/agent/{{id}}`

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| additional_info | object | Output field additional_info |
| additional_info1 | string | Output field additional_info1 |
| additional_info2 | string | Output field additional_info2 |
| additional_info3 | string | Output field additional_info3 |
| additional_info4 | string | Output field additional_info4 |
| antivirus_last_update_date | string | Date value |
| antivirus_name | string | Name of the resource |
| antivirus_profile | object | Output field antivirus_profile |
| agent_count | number | Count value |
| antivirus_object | object | Output field antivirus_object |
| antivirus_slug | string | Output field antivirus_slug |
| creation_date | string | Date value |
| description | string | Output field description |
| id | string | Unique identifier |
| last_modifier | object | Output field last_modifier |
| id | number | Unique identifier |
| username | string | Name of the resource |
| last_update | string | Date value |
| name | string | Name of the resource |
| revision | number | Output field revision |
| antivirus_profile_status | string | Status value |
| antivirus_rules_last_update_date | string | Date value |
| antivirus_rules_version | string | Output field antivirus_rules_version |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "additional_info": {},
      "antivirus_last_update_date": "string",
      "antivirus_name": "example name",
      "antivirus_profile": {},
      "antivirus_profile_status": "active",
      "antivirus_rules_last_update_date": "string",
      "antivirus_rules_version": "string",
      "antivirus_version": "string",
      "application_count": 123,
      "avg_cpu": 123,
      "avg_memory": 123,
      "avg_system_cpu": 123,
      "avg_system_memory": 123,
      "bitness": "string",
      "cpu_count": 123
    }
  }
]
```

### Isolate Endpoint

Initiates network isolation on a specified agent using its ID in HarfangLab, to contain potential threats.

Endpoint URL: `/api/data/endpoint/agent/{{id}}/isolate/`

Method: POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |
| additional_info | object | optional | Parameter for Isolate Endpoint |
| additional_info1 | string | optional | Parameter for Isolate Endpoint |
| additional_info2 | string | optional | Parameter for Isolate Endpoint |
| additional_info3 | string | optional | Parameter for Isolate Endpoint |
| additional_info4 | string | optional | Parameter for Isolate Endpoint |
| description | string | optional | Parameter for Isolate Endpoint |
| group_count | number | optional | Count value |
| id | string | required | Unique identifier |
| policy | object | optional | Parameter for Isolate Endpoint |
| agent_auto_forget | boolean | optional | Parameter for Isolate Endpoint |
| agent_auto_forget_max_days | number | optional | Agent auto forget max days; minimum value is 1 |
| agent_auto_update | boolean | optional | Date value |
| agent_ui_admin_message | string | optional | Response message |
| agent_ui_enabled | boolean | optional | Parameter for Isolate Endpoint |
| agent_ui_notification_level | number | optional | Agent UI notification level; maximum value is 2147483647 and minimum value is -2147483648 |
| agent_ui_notification_scope | number | optional | Agent UI notification scope; maximum value is 2147483647 and minimum value is -2147483648 |
| agent_upgrade_strategy | string | optional | Parameter for Isolate Endpoint |
| audit_killswitch | boolean | optional | Parameter for Isolate Endpoint |
| binary_download_enabled | boolean | optional | Parameter for Isolate Endpoint |
| description | string | optional | Parameter for Isolate Endpoint |
| driverblock_mode | number | optional | Driverblock mode; maximum is 3 and minimum is 0 |
| feature_callback_tampering | boolean | optional | Parameter for Isolate Endpoint |
| feature_dse_tampering_mode | number | optional | Feature DSE tampering mode; maximum value is 2147483647 and minimum value is -2147483648 |
| feature_event_stacktrace | boolean | optional | Parameter for Isolate Endpoint |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| policy_not_allowed | array | Output field policy_not_allowed |
| hostname | string | Name of the resource |
| id | string | Unique identifier |
| requested | array | Output field requested |
| hostname | string | Name of the resource |
| id | string | Unique identifier |
| unrequested | array | Output field unrequested |
| hostname | string | Name of the resource |
| id | string | Unique identifier |
| unsupported | array | Output field unsupported |
| hostname | string | Name of the resource |
| id | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "text/html; charset=utf-8",
      "X-HSCI-Cache-Time": "2024-12-18T12:01:22.328Z"
    },
    "reason": "OK",
    "json_body": {
      "policy_not_allowed": [],
      "requested": [],
      "unrequested": [],
      "unsupported": []
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | text/html; charset=utf-8 |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
| X-HSCI-Cache-Time | HTTP response header X-HSCI-Cache-Time | 2024-12-18T12:01:22.328Z |
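The Isolate and Deisolate Endpoint actions above both answer with four buckets (`requested`, `unrequested`, `unsupported`, `policy_not_allowed`), and a playbook that records "contained" on any HTTP 200 without reading them will mis-state the host's state. The following is an added example, not Swimlane's or HarfangLab's own code: it builds the bearer-authenticated POST for either action, honours the asset's Verify SSL and HTTP Proxy settings, and triages the response for the targeted agent. It assumes only the endpoint paths and fields documented on this page; `send` is an injectable transport so the code runs offline.

```python
import json
import ssl
import urllib.request
from typing import Optional

# Buckets the isolate/deisolate responses return (see the output tables above).
OUTCOMES = ("requested", "unrequested", "unsupported", "policy_not_allowed")


def build_request(base_url: str, token: str, agent_id: str, isolate: bool = True):
    """POST /api/data/endpoint/agent/{id}/isolate/ (or /deisolate/) with the bearer token."""
    action = "isolate" if isolate else "deisolate"
    url = f"{base_url.rstrip('/')}/api/data/endpoint/agent/{agent_id}/{action}/"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return urllib.request.Request(url, data=b"", headers=headers, method="POST")


def triage(json_body: dict, agent_id: str) -> str:
    """Return the bucket naming the targeted agent, or 'absent' if no bucket does.
    Only 'requested' means the platform accepted the action for this agent; any other
    result should be escalated, not recorded as a successful containment."""
    for bucket in OUTCOMES:
        if any(entry.get("id") == agent_id for entry in json_body.get(bucket, [])):
            return bucket
    return "absent"


def send_default(req, verify_ssl: bool = True, proxy: Optional[str] = None) -> dict:
    """Real transport honouring the asset's Verify SSL and HTTP Proxy settings."""
    ctx = ssl.create_default_context()
    if not verify_ssl:  # only for lab appliances with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    proxies = {"http": proxy, "https": proxy} if proxy else {}  # {} disables env proxies
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies),
                                         urllib.request.HTTPSHandler(context=ctx))
    with opener.open(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def set_isolation(base_url: str, token: str, agent_id: str, isolate: bool = True,
                  send=None, **transport_opts) -> str:
    """Issue the action and return the triaged outcome; `send(req)` may be injected."""
    req = build_request(base_url, token, agent_id, isolate)
    body = send(req) if send else send_default(req, **transport_opts)
    return triage(body, agent_id)
```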