
[New Integration] HarfangLab EDR #19348 (Draft)

akayaz wants to merge 4 commits into elastic:main from akayaz:add-harfang_labs

Conversation

akayaz commented Jun 3, 2026

Proposed commit message

Add HarfangLab EDR integration

What does this PR do?

Adds a new HarfangLab EDR integration package with:

  • REST API collection for alerts, threats, and agent inventory via CEL input.
  • Syslog collection for alerts, threats, audit logs, and endpoint telemetry via TCP/UDP inputs.
  • Ingest pipelines, field mappings, sample events, pipeline fixtures, docs, and dashboards for overview, alerts, threats, agents, and endpoint events.

This is opened as a Draft PR because package validation is still in progress.

Checklist

  • Package copied under packages/harfang_labs
  • CODEOWNERS entry added for @elastic/security-service-integrations
  • elastic-package format ran locally
  • elastic-package lint ran locally
  • Full package validation and CI follow-up

Add a draft HarfangLab EDR package for collecting API and syslog security telemetry through Fleet.
cla-checker-service Bot commented Jun 3, 2026

💚 CLA has been signed

Point the initial package changelog entries at the draft pull request that introduces the integration.
github-actions Bot commented Jun 3, 2026

Elastic Docs Style Checker (Vale)

Summary: 14 warnings, 7 suggestions found

⚠️ Warnings (14): Fix when the suggestion improves clarity or correctness.
File Line Rule Message
packages/harfang_labs/_dev/build/docs/README.md 73 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/harfang_labs/_dev/build/docs/README.md 146 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/harfang_labs/data_stream/agent/manifest.yml 19 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/harfang_labs/data_stream/alert/fields/fields.yml 15 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/harfang_labs/data_stream/alert/fields/fields.yml 18 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/harfang_labs/data_stream/alert/fields/fields.yml 39 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/harfang_labs/data_stream/alert/manifest.yml 19 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/harfang_labs/data_stream/event/manifest.yml 40 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/harfang_labs/data_stream/event/manifest.yml 54 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/harfang_labs/data_stream/event/manifest.yml 117 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/harfang_labs/data_stream/event/manifest.yml 132 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/harfang_labs/data_stream/threat/manifest.yml 19 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/harfang_labs/manifest.yml 34 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/harfang_labs/manifest.yml 48 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
💡 Suggestions (7): Optional style improvements. Apply when helpful.
File Line Rule Message
packages/harfang_labs/_dev/build/docs/README.md 22 Elastic.Ellipses In general, don't use an ellipsis.
packages/harfang_labs/_dev/build/docs/README.md 22 Elastic.Ellipses In general, don't use an ellipsis.
packages/harfang_labs/_dev/build/docs/README.md 22 Elastic.Ellipses In general, don't use an ellipsis.
packages/harfang_labs/_dev/build/docs/README.md 115 Elastic.Semicolons Use semicolons judiciously.
packages/harfang_labs/changelog.yml 1 Elastic.Versions Use 'later versions' instead of 'newer versions' when referring to versions.
packages/harfang_labs/data_stream/event/manifest.yml 89 Elastic.Ellipses In general, don't use an ellipsis.
packages/harfang_labs/data_stream/event/manifest.yml 93 Elastic.Ellipses In general, don't use an ellipsis.

The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

github-actions Bot commented Jun 3, 2026

TL;DR

The Buildkite job failed inside .buildkite/scripts/test_one_package.sh for packages/harfang_labs, but the provided log is truncated to teardown/upload output and does not include the actual failing test/assertion. Immediate next step is to pull the uploaded xUnit artifact(s) for this job and re-run the failing suite with verbose output to identify the exact root cause.

Remediation

  • Download and inspect the uploaded xUnit result(s), especially build/test-results/harfang_labs-system-1780477913810017926.xml, to get the exact failed test name and assertion message.
  • Re-run the same failing suite in a CI-like environment (Docker daemon required), e.g. elastic-package test system -v --report-format xUnit --report-output file from packages/harfang_labs, then patch the corresponding expected fixture/pipeline/config and re-run test_one_package.sh.
Investigation details

Root Cause

I could confirm the failure location (package check step) but not the underlying assertion/error because the available log file (/tmp/gh-aw/buildkite-logs/integrations-check-integrations-harfang_labs.txt) only contains the final teardown and artifact-upload segment.

Evidence

--- [harfang_labs] failed
🚨 Error: The command exited with status 1
user command error: exit status 1
  • The same log then jumps directly to artifact uploads (including xUnit files), e.g.:
build/test-results/harfang_labs-system-1780477913810017926.xml
build/test-results/harfang_labs-pipeline-1780477621264041211.xml
build/test-results/harfang_labs-asset-1780477578984897545.xml

Verification

Not run end-to-end in this environment because Docker daemon is unavailable (Cannot connect to the Docker daemon at unix:///var/run/docker.sock).

Follow-up

If you can share the failing xUnit XML content (or the missing earlier part of the Buildkite step log), I can map the failure to the exact file/line in this PR and provide a precise code fix.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

  • [New Integration] HarfangLab EDR #19348 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #19348 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.
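The first remediation step above is to open the uploaded xUnit XML and read off the failed test name and assertion message. The script below is an added example (not part of this PR, elastic-package, or the Buildkite Detective workflow) that does that extraction; it assumes the report follows the common JUnit layout of testsuites/testsuite/testcase with a failure or error child, and the embedded report is a constructed sample with placeholder names rather than the real harfang_labs-system-*.xml from this CI run.

```python
"""Extract failing test cases from an xUnit/JUnit-style XML report.

Added example, not elastic-package code. It assumes the report uses the
common JUnit layout: <testsuites>/<testsuite>/<testcase> with a <failure>
or <error> child on failing cases. SAMPLE_REPORT is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample report: test names and message are placeholders,
# not the real content of harfang_labs-system-*.xml from the CI run.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="system test: harfang_labs" tests="2" failures="1" errors="0">
    <testcase name="system test: alert (variant: tcp)" classname="harfang_labs.alert" time="12.3"/>
    <testcase name="system test: event (variant: udp)" classname="harfang_labs.event" time="9.8">
      <failure type="assertion">PLACEHOLDER: one or more errors found while verifying hits against field definitions</failure>
    </testcase>
  </testsuite>
</testsuites>
"""


def parse_xunit(xml_text: str) -> List[Dict[str, str]]:
    """Return one record per failed or errored testcase.

    Each record carries the suite name, test name, classname, the outcome
    kind ('failure' or 'error') and the message, so the failing test can be
    mapped back to a data stream without reading the raw XML.
    """
    root = ET.fromstring(xml_text)
    failures: List[Dict[str, str]] = []
    # iter() walks the whole tree, so a bare <testsuite> root works as well.
    for suite in root.iter("testsuite"):
        for case in suite.findall("testcase"):
            for kind in ("failure", "error"):
                node = case.find(kind)
                if node is None:
                    continue
                # Some emitters put the text in a 'message' attribute,
                # others in the element body; accept either.
                message = node.get("message") or (node.text or "").strip()
                failures.append({
                    "suite": suite.get("name", ""),
                    "test": case.get("name", ""),
                    "classname": case.get("classname", ""),
                    "kind": kind,
                    "message": message,
                })
    return failures


def summarize(xml_text: str) -> str:
    """Render the failures as a greppable summary, one line per failure."""
    rows = parse_xunit(xml_text)
    if not rows:
        return "no failures"
    return "\n".join(
        f"{r['kind'].upper()} {r['test']} [{r['classname']}]: {r['message']}"
        for r in rows
    )


if __name__ == "__main__":
    import sys
    # Usage: python xunit_failures.py build/test-results/harfang_labs-system-<id>.xml
    # With no argument the constructed sample report is summarized instead.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(summarize(text))
```

Run it against each of the three uploaded artifacts (system, pipeline, asset) to see which suite is the one returning exit status 1; the summary line names the data stream via the classname, which is the file to patch before re-running test_one_package.sh.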

@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. needs CLA User must sign the Elastic Contributor License before review. New Integration Issue or pull request for creating a new integration package. labels Jun 3, 2026
akayaz added 2 commits June 3, 2026 15:43
Re-run external PR checks after completing the contributor agreement.
Re-run external PR checks after signing the contributor agreement with the matching email.
elastic-vault-github-plugin-prod commented

✅ All changelog entries have the correct PR link.

elasticmachine commented Jun 3, 2026

💔 Build Failed

Failed CI Steps

History

@andrewkroh andrewkroh removed the needs CLA User must sign the Elastic Contributor License before review. label Jun 3, 2026