HarfangLab EDR Integration

Integrate Noxys with HarfangLab EDR to correlate AI interaction events with endpoint detection and response data.

Overview

This integration enables:

  • AI activity visibility in HarfangLab console
  • Event correlation between AI and endpoint data
  • Custom detection rules for AI threats
  • Automated incident response via playbooks
  • EU data residency — French EDR platform

Benefits:

  • European alternative to US-based EDR
  • Native French language support
  • GDPR-compliant architecture
  • Specialization in APT activity targeting French organizations

Data Flow:

Noxys Event → Webhook → HarfangLab API → Incident correlation → Alerts & Response

Prerequisites

  • HarfangLab EDR subscription
  • HarfangLab admin access
  • Noxys admin role
  • API token or credentials

Step 1: Generate HarfangLab API Token

Create API credentials for Noxys.

  1. HarfangLab Console → Settings → API Integration
  2. Click Create API Token
  3. Configure:
    • Name: Noxys AI Firewall
    • Description: "Integration for AI interaction data"
    • Permissions: Select:
      • events.write — Create events
      • incidents.write — Create incidents
      • alerts.write — Create alerts
  4. Click Generate
  5. Copy API Token (displayed once only)

Step 2: Get HarfangLab API Endpoint

Find your HarfangLab API endpoint.

  1. Settings → API Integration
  2. Note API Base URL:
    • Typical format: https://harfanglab.yourdomain.fr/api/v1
  3. Copy for use in Noxys configuration

Step 3: Configure Webhook in Noxys

Set up event forwarding to HarfangLab.

  1. Noxys Admin Panel → Integrations → Webhooks
  2. Click Create Webhook
  3. Configure:
    Field       | Value
    ------------|------------------------------------------------------------
    URL         | https://harfanglab.yourdomain.fr/api/v1/events
    Events      | interaction.policy_violated, interaction.high_risk, alert.severity_critical, alert.severity_high
    Headers     | Add: Authorization: Token <api-token-from-step-1>
    Description | "HarfangLab EDR Integration"
  4. Click Create
  5. Click Test to verify connectivity
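The webhook set up in Step 3 can be exercised outside the admin panel, which helps when working through the "Events Not Appearing" checklist later on this page. The following is an added example, not Noxys or HarfangLab code: it applies the event filter from the webhook configuration, builds the POST to the /events endpoint with the Authorization: Token header from Step 1, and maps the HTTP result onto the troubleshooting checklist. The event layout (source, type, data.*) is an assumption shaped after the fields the page says appear in HarfangLab; the platform and user identifiers are constructed placeholders.

```python
"""Added example (not Noxys or HarfangLab code): filter, build and deliver the
Step 3 webhook request, and map delivery failures onto the troubleshooting
checklist. The event schema below is an assumption."""
import json
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Event types selected in the webhook configuration (names from the page).
FORWARDED_EVENTS = {
    "interaction.policy_violated",
    "interaction.high_risk",
    "alert.severity_critical",
    "alert.severity_high",
}


def should_forward(event: dict) -> bool:
    """'Send only policy violations and high-risk events': drop everything else."""
    return event.get("type") in FORWARDED_EVENTS


def build_request(event: dict, base_url: str, api_token: str) -> urllib.request.Request:
    """POST the event JSON to <base_url>/events with the token header from Step 1."""
    url = base_url.rstrip("/") + "/events"
    body = json.dumps(event).encode("utf-8")
    headers = {
        "Authorization": f"Token {api_token}",
        "Content-Type": "application/json",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def diagnose(status: Optional[int], error: Optional[str] = None) -> str:
    """Map a delivery result onto the 'Events Not Appearing' checklist."""
    if status is None:
        return f"network error ({error}): verify the API endpoint URL and DNS"
    if 200 <= status < 300:
        return "ok"
    if status in (401, 403):
        return "rejected: check the API token is correct and has not expired"
    if status == 404:
        return "not found: verify the API base URL (expected .../api/v1)"
    return f"unexpected status {status}: review HarfangLab API logs"


def send_event(event: dict, base_url: str, api_token: str,
               timeout: float = 10.0) -> Tuple[Optional[int], str]:
    """Deliver one event and return (http_status, diagnosis).
    Performs a real HTTP call, so it is not exercised by the offline test."""
    if not should_forward(event):
        return None, "skipped: event type not selected for forwarding"
    req = build_request(event, base_url, api_token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, diagnose(resp.status)
    except urllib.error.HTTPError as exc:
        return exc.code, diagnose(exc.code)
    except urllib.error.URLError as exc:
        return None, diagnose(None, str(exc.reason))


# Constructed sample event (assumed schema; placeholder identifiers).
SAMPLE_EVENT = {
    "source": "noxys",
    "type": "interaction.policy_violated",
    "data": {
        "platform_id": "example-ai",        # placeholder platform id
        "policy_decision": "block",
        "risk_score": 0.95,
        "classifications": ["CREDIT_CARD"],
        "user_id": "u-placeholder",
        "device_id": "d-placeholder",
    },
}

if __name__ == "__main__":
    # Replace the URL and token with the values from Steps 1 and 2 before running.
    print(send_event(SAMPLE_EVENT, "https://harfanglab.yourdomain.fr/api/v1", "<api-token>"))
```

Run it once with a real token to see the status mapping; a 401/403 points at the token, a 404 at the base URL, and a network error at DNS or the endpoint itself, which is the order the troubleshooting section suggests checking.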

Step 4: Verify Events in HarfangLab

Confirm Noxys events are appearing.

  1. HarfangLab Console → Events
  2. Filter: source="noxys"
  3. Should see events with:
    • Event type (policy violation, high risk, etc.)
    • Platform name (ChatGPT, Claude, etc.)
    • Risk score
    • Classifications detected
    • User information

Step 5: Create Detection Rules

Build detection rules in HarfangLab.

Rule 1: Blocked Access to Unauthorized AI Platform

  1. HarfangLab → Detection → Rules → New Rule
  2. Configure:

Name: "Blocked attempt to use unauthorized AI platform"

Trigger Condition:

event.type == "interaction.policy_violated"
AND event.data.platform_id NOT IN ["chatgpt", "claude", "gemini"]
AND event.data.policy_decision == "block"

Response:

  • Severity: High
  • Create incident
  • Notify SOC team
  • (Optional) Isolate endpoint
  3. Save & Enable

Rule 2: PII Exposure Attempt

event.type == "interaction.high_risk"
AND event.data.risk_score > 0.9
AND event.data.classifications IN ["CREDIT_CARD", "IBAN", "PASSPORT"]
→ Severity: Critical
→ Create incident immediately

Rule 3: Repeated Violations from Same User

event.type == "interaction.policy_violated"
| stats count by user_id
| where count > 5 in last 60 minutes
→ Severity: Medium
→ Create incident for investigation
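Before enabling the three rules above it helps to run their logic against a handful of sample events, as the Best Practices section on this page recommends. The block below is an added example, not HarfangLab's rule engine: it re-implements Rule 1, Rule 2 and Rule 3 in Python so their conditions (including the sliding 60-minute window of Rule 3 and the "any classification in the list" reading of Rule 2) can be checked offline. The event schema, timestamps and user names are constructed assumptions; HarfangLab's actual rule syntax is not reproduced.

```python
"""Added example (not HarfangLab code): the Step 5 detection rules implemented
in Python for offline testing against constructed sample events."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

AUTHORIZED_PLATFORMS = {"chatgpt", "claude", "gemini"}   # allowlist from Rule 1
PII_CLASSES = {"CREDIT_CARD", "IBAN", "PASSPORT"}        # classifications from Rule 2


def rule1_unauthorized_platform(event: dict) -> bool:
    """Blocked policy violation on a platform outside the allowlist."""
    d = event.get("data", {})
    return (event.get("type") == "interaction.policy_violated"
            and d.get("platform_id") not in AUTHORIZED_PLATFORMS
            and d.get("policy_decision") == "block")


def rule2_pii_exposure(event: dict) -> bool:
    """High-risk interaction where at least one detected classification is PII."""
    d = event.get("data", {})
    return (event.get("type") == "interaction.high_risk"
            and d.get("risk_score", 0) > 0.9
            and bool(PII_CLASSES & set(d.get("classifications", []))))


def rule3_repeated_violations(events, window=timedelta(minutes=60), threshold=5) -> set:
    """user_ids with more than `threshold` policy violations inside any `window`
    (sliding window over sorted timestamps, not fixed hourly buckets)."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("type") == "interaction.policy_violated":
            by_user[e["data"]["user_id"]].append(e["timestamp"])
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(user)
                break
    return flagged


def evaluate(events) -> list:
    """(severity, rule, user_id) for every rule that fires, in page order."""
    findings = []
    for e in events:
        uid = e.get("data", {}).get("user_id")
        if rule1_unauthorized_platform(e):
            findings.append(("High", "Rule 1", uid))
        if rule2_pii_exposure(e):
            findings.append(("Critical", "Rule 2", uid))
    for uid in sorted(rule3_repeated_violations(events)):
        findings.append(("Medium", "Rule 3", uid))
    return findings


# Constructed sample events (assumed schema; placeholder users and platform).
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def _ev(kind, minutes, user, **data):
    base = {"platform_id": "chatgpt", "policy_decision": "allow",
            "risk_score": 0.1, "classifications": [], "user_id": user}
    base.update(data)
    return {"source": "noxys", "type": kind,
            "timestamp": T0 + timedelta(minutes=minutes), "data": base}


SAMPLE_EVENTS = [
    _ev("interaction.policy_violated", 0, "alice", platform_id="unlisted-ai", policy_decision="block"),
    _ev("interaction.high_risk", 5, "bob", risk_score=0.95, classifications=["IBAN", "EMAIL"]),
    _ev("interaction.high_risk", 6, "carol", risk_score=0.95, classifications=["EMAIL"]),
] + [_ev("interaction.policy_violated", 10 * i, "dave") for i in range(6)]  # 6 in 50 min

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

Running the sample produces one finding per rule: alice (Rule 1), bob (Rule 2) and dave (Rule 3); carol's high-risk event carries no PII classification and dave's allowed ChatGPT interactions never match Rule 1. Swapping in a week of exported events gives a quick false-positive estimate before the rules go live.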

Step 6: Create Response Playbooks

Automate incident response.

  1. HarfangLab → Response → Playbooks → New Playbook
  2. Create playbook:

Trigger: Incident created from Noxys (Rule 1)

Steps:

1. Extract user_id and device_id from event
2. Query user's last 24h activity on this device
3. Check if user has completed security training
4. Send notification to user's manager
5. Create remediation task:
   • Verify user didn't submit actual credentials
   • Reset any exposed credentials if needed
   • Schedule security awareness training
6. Close playbook
  3. Enable Playbook

Step 7: Build Dashboard

Create visibility dashboard for AI threats.

  1. HarfangLab → Dashboards → Create New
  2. Add widgets:

Widget 1: AI Events Volume (24h)

Count of Noxys events by time

Widget 2: Policy Violations by Platform

Distribution of violations across AI platforms

Widget 3: Top Affected Users

Users with most violations in last 7 days

Widget 4: Incident Trend

Number of incidents created from Noxys events

Widget 5: Blocked Events

Interactions blocked by policy, with trend (up/down)

Step 8: Test Integration

Verify end-to-end functionality.

  1. In Noxys:
    • Create test interaction with PII
    • Trigger policy violation
  2. In HarfangLab:
    • Check event appears in Events list
    • Verify detection rule triggers
    • Confirm incident is created
  3. Verify notifications:
    • Check email/Slack notification received
    • Verify playbook executed (if applicable)

Advanced: Threat Hunting Integration

Use HarfangLab threat hunting on Noxys data.

  1. Threat Hunting → Create Hunt

  2. Query Noxys events:

    source="noxys"
    AND risk_score > 0.8
    AND timestamp > NOW - 7 days
  3. Find patterns:

    • Users accessing suspicious platforms
    • Repeating patterns of violations
    • Unusual times of activity
  4. Create indicators of compromise (IOCs)

  5. Block matching detections automatically

Compliance & Audit

Generate compliance reports:

  1. Reports → Compliance
  2. Create report:
    • Title: "AI Threat Activity Report"
    • Period: Last month
    • Include: Incidents, violations, trends
  3. Export for compliance audit

Troubleshooting

Events Not Appearing

  1. Verify webhook is active
  2. Check API token is correct and hasn't expired
  3. Verify API endpoint URL is correct
  4. Test webhook manually:
    • Click Test button
    • Check response status
  5. Review HarfangLab API logs

Detection Rules Not Triggering

  1. Verify rule is Enabled
  2. Check rule condition logic
  3. Test rule with manual event creation
  4. Review rule evaluation logs

Playbook Not Executing

  1. Verify playbook is Active
  2. Check trigger condition matches event
  3. Test playbook manually
  4. Review execution logs for errors

Cost Considerations

HarfangLab pricing:

  • Base EDR: €2000-5000/month
  • Response automation add-on: €1000+/month
  • Professional services: À la carte

No additional cost for Noxys webhook integration.

Best Practices

  1. Filter events appropriately:

    • Send only policy violations and high-risk events
    • Skip routine "created" events (too noisy)
  2. Test rules before enabling:

    • Test with 1-week sample data
    • Monitor false positive rate
    • Adjust thresholds as needed
  3. Use playbooks for automation:

    • Automate initial triage
    • Create tasks for high-severity incidents
    • Reduce manual workload
  4. Regular review:

    • Weekly: Check detection effectiveness
    • Monthly: Review and update rules
    • Quarterly: Full security assessment
  5. Document everything:

    • Keep rules documented
    • Document detection rationale
    • Track changes over time

Integration with HarfangLab SOAR

If you have HarfangLab SOAR, create automated workflows:

  1. SOAR Workflows:

    • Trigger: Noxys alert received
    • Action: Quarantine host (if configured)
    • Notify: Security team via Slack
    • Track: Incident in ticketing system
  2. Enable cross-platform correlation:

    • Link Noxys event to endpoint events
    • Build full attack timeline
    • Accelerate investigation

Data Retention

  • Noxys data in HarfangLab: Per HarfangLab retention policy
  • Incidents created: Retained according to HarfangLab settings
  • Detection rules: Perpetual (until disabled/deleted)

Disabling Integration

To disable HarfangLab integration:

  1. Integrations → Webhooks → Delete webhook
  2. No more events are sent
  3. Existing incidents remain in HarfangLab
  4. Rules can be disabled or deleted

To re-enable:

  1. Follow configuration steps again
  2. Verify API token is still valid
  3. Events resume flowing

Support & Resources