Closed casimkhan closed 2 years ago
Hi,
The mans_to_es parser requires some packages to be installed, which requires a Docker rebuild. I wrote another parser and uploaded it here: https://github.com/DFIRKuiper/Kuiper/tree/master/kuiper/app/parsers/RedLineParser
It is similar to any other parser, so when you want to upload a machine, make sure to compress the .mans file into a .zip file first, then upload it.
When you want to parse, select the RedLineParser.
(screenshots: parser, output)
Note: the message field depends on the provided sample; if some collection was not enabled in the sample, the message field will be empty.
Thanks this looks perfect. :+1:
Describe the parser: mans_to_es is an open source tool for parsing FireEye HX .mans triage collections and sending them to ElasticSearch. A .mans file is a zipped collection of XML files that we parse using xmltodict. It uses pandas and multiprocessing to speed up the parsing of the XML files.
Details of parser artifact file: the mans_to_es Python script actually reads the manifest.json file, which defines the linkage of the different XML files contained in the .mans zipped folder. This actually works only on FireEye HX .mans files; if an analyst used the FireEye Redline tool to collect artifacts, then this script only partially works because the artifact names in manifest.json are different (e.g. HX .mans has "generator": "process-handle" whereas the Redline manifest.json has "generator": "w32process-handle").
Sample: https://github.com/casimkhan/samples. HX sample: 1yTQNggTPz3c3nGcaHrFco.mans (triage taken from macOS). Redline sample from Windows: Redline-Sample.mans.
Already existing parser: https://github.com/LDO-CERT/mans_to_es/tree/master/mans_to_es
Additional context: Ideally, when a user submits triage .zip files from KAPE or Hoarder, if you could add .mans as another option, then once it is in Kuiper the user can click on parse and the mans parser can parse it and add it into the timeline.
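The issue above describes the .mans layout (a zip whose manifest.json links "generator" names to XML payload files) and the HX/Redline naming difference ("process-handle" vs. "w32process-handle"). The following is an added example written for this page; it is not code from Kuiper, mans_to_es or the issue author. It builds a minimal .mans-style archive in memory (the manifest shape with an "audits" list carrying "generator" and "results" entries, and the XML item contents, are constructed here and are assumptions), then parses it with the standard library only, normalizing the Redline "w32" prefix so one lookup serves both collectors.

```python
import io
import json
import zipfile
import xml.etree.ElementTree as ET


def build_sample_mans(generator_prefix=""):
    """Constructed sample: a tiny .mans-style zip built in memory.

    The manifest layout (an "audits" list whose entries carry a "generator"
    name and "results" pointing at XML payload files) is an assumption for
    this demo; the file names and values are invented.  Pass "w32" to mimic
    Redline's generator naming, "" to mimic HX.
    """
    manifest = {
        "audits": [
            {
                "generator": f"{generator_prefix}process-handle",
                "results": [{"type": "application/xml", "payload": "handles.xml"}],
            }
        ]
    }
    handles_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<itemList generator="{0}process-handle">\n'
        "  <HandleItem><pid>4242</pid>"
        "<path>C:\\Windows\\notepad.exe</path></HandleItem>\n"
        "</itemList>\n"
    ).format(generator_prefix)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("handles.xml", handles_xml)
    return buf.getvalue()


def normalize_generator(name):
    """Redline names audits "w32<name>" where HX uses "<name>"; strip the
    prefix so the same audit is recognised regardless of collector."""
    return name[3:] if name.startswith("w32") else name


def parse_mans(mans_bytes):
    """Read manifest.json from a .mans zip and flatten every XML item it
    links to into a list of dicts tagged with the normalized generator.

    Payloads the manifest names but the archive lacks are skipped rather
    than aborting the whole parse, since partial collections are common.
    """
    records = []
    with zipfile.ZipFile(io.BytesIO(mans_bytes)) as zf:
        names = set(zf.namelist())
        manifest = json.loads(zf.read("manifest.json"))
        for audit in manifest.get("audits", []):
            generator = normalize_generator(audit.get("generator", ""))
            for result in audit.get("results", []):
                payload = result.get("payload")
                if result.get("type") != "application/xml" or payload not in names:
                    continue
                root = ET.fromstring(zf.read(payload))
                # Each child of the root is one collected item; its children
                # are the item's fields (pid, path, ...).
                for item in root:
                    record = {"generator": generator, "item": item.tag}
                    for field in item:
                        record[field.tag] = field.text
                    records.append(record)
    return records


if __name__ == "__main__":
    for prefix in ("", "w32"):
        for rec in parse_mans(build_sample_mans(prefix)):
            print(prefix or "hx", rec)
```

Because a triage package may come from an untrusted host, a production parser should bound the decompressed size of each payload and use defusedxml in place of xml.etree to defuse entity-expansion and external-entity tricks; the example keeps the standard library only to stay self-contained.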