biggiesmallsAG / nightHawkResponse

Incident Response Forensic Framework

HX Triage not importing #29

Open G0z3r opened 7 years ago

G0z3r commented 7 years ago

I am sure I am probably doing something wrong, however I am having an issue importing an HX standard triage into nightHawk. According to the instructions on your site, I should be able to simply import the .mans file that I receive directly from HX. When I do so, absolutely nothing happens. I do not see anything under current investigations.

biggiesmallsAG commented 7 years ago

Hi mate,

Can you elaborate more on what's happening? Do you see the case appear in the tree?

Can you perhaps show some screenshots?

G0z3r commented 7 years ago

Howdy! So, I have everything up and running. I did change the IP, however I followed your instructions in order to complete the update. That was the extent of any changes I have made to the original configuration. When I attempt to upload a .mans file obtained from an HX triage, nothing happens. The case does not appear in the tree. Please see the screenshots.

[Screenshot: selected .mans file]

[Screenshot: after upload]

Please let me know if there are any other details you would like me to provide.

G0z3r commented 7 years ago

I had a little time to play with this some more. I downloaded the sample upload file 20160707054834.zip and was able to upload it into nightHawk. Everything worked as expected. I am still unable to upload HX files though. Do I need to change the triage files I download from FireEye HX in any way, or should I just be able to use them as is?

jaegeral commented 6 years ago

@G0z3r I have the same issue as you have. Is there a change in the format of the .mans files that nightHawk is not able to parse?

tpapag commented 6 years ago

I'm uploading mans files from HX agent v21.33 with no issue. However, no data is loaded from .mans files collected from HX agent V23.10.1. The error message I find during processing of V23.10.1 .mans files is: "Error - Failed to get Computer Name from Audits" in nighthawk-uwsgi.log. Doing a search of the nightHawkResponse code shows this error occurs when: computername := rlman.SysInfo.SystemInfo.Machine returns "" (line 363 of nightHawk.go). I did a comparison of the manifest.json files archived in the .mans files for v23 vs. v21 and it shows the value of JSON generator keys has changed. Modifying the key value of generator where value is sysinfo to w32system allows the data associated with the stateagentinspector generator to be processed from the newer HX package. However, all the other generator names have changed as well, so no additional data is loaded by nighthawk.

I noticed there are some constants defined for generator keys in nighthawk_go/src/nightHawk/common.go; however, these are not used widely throughout the .go code, and the generator names are often hard-coded.

Could someone more knowledgeable on the .go code base advise on how to refactor the code given that the schema of the manifest.json file has changed, specifically the generator key values?

Thanks!
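To make the refactor tpapag describes concrete, here is a small Go illustration (added for this page; it is not nightHawk code) of keying the importer on an alias table instead of hard-coded generator strings. It treats a .mans file as a zip containing manifest.json, decodes a simplified and assumed manifest shape (an `audits` array whose entries carry `generator`, `generatorVersion` and `results`; only the `generator` values `sysinfo`, `w32system` and `stateagentinspector` come from the thread, everything else is constructed), maps `w32system` onto the canonical `sysinfo` name, reports generators it cannot map, and reproduces the "Failed to get Computer Name from Audits" failure when no system-information audit is found. The extra generator `w32_example_unmapped` is a made-up name standing in for the other renamed generators.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Canonical generator names the importer keys on. Only the two names the
// thread confirms are listed: "sysinfo" is what the older agent writes,
// "w32system" is what the newer agent writes for the same audit.
const (
	GenSysInfo             = "sysinfo"
	GenStateAgentInspector = "stateagentinspector"
)

// GeneratorAliases maps every generator name an HX agent version may write
// to the canonical name. A future rename becomes one new line here rather
// than a hunt through hard-coded string comparisons.
var GeneratorAliases = map[string]string{
	"sysinfo":             GenSysInfo,
	"w32system":           GenSysInfo, // newer agents renamed sysinfo to w32system (per the thread)
	"stateagentinspector": GenStateAgentInspector,
}

// Manifest is an ASSUMED, simplified shape of manifest.json inside a .mans
// archive. Only the "generator" key is confirmed by the thread.
type Manifest struct {
	Audits []Audit `json:"audits"`
}

type Audit struct {
	Generator        string   `json:"generator"`
	GeneratorVersion string   `json:"generatorVersion"`
	Results          []Result `json:"results"`
}

type Result struct {
	Type    string `json:"type"`
	Payload string `json:"payload"` // assumed: result file name inside the archive
}

// ErrNoComputerName mirrors the log line quoted in the thread.
var ErrNoComputerName = errors.New("Failed to get Computer Name from Audits")

// ReadManifest opens an in-memory .mans archive (a zip) and decodes manifest.json.
func ReadManifest(mans []byte) (*Manifest, error) {
	zr, err := zip.NewReader(bytes.NewReader(mans), int64(len(mans)))
	if err != nil {
		return nil, fmt.Errorf("open .mans archive: %w", err)
	}
	for _, f := range zr.File {
		if f.Name != "manifest.json" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		defer rc.Close()
		var m Manifest
		if err := json.NewDecoder(rc).Decode(&m); err != nil {
			return nil, fmt.Errorf("decode manifest.json: %w", err)
		}
		return &m, nil
	}
	return nil, errors.New("manifest.json not found in archive")
}

// Normalize rewrites each audit's generator to its canonical name and returns
// the generators it could not map, so an import can surface a schema change
// instead of silently loading nothing.
func Normalize(m *Manifest) (unknown []string) {
	for i := range m.Audits {
		canon, ok := GeneratorAliases[m.Audits[i].Generator]
		if !ok {
			unknown = append(unknown, m.Audits[i].Generator)
			continue
		}
		m.Audits[i].Generator = canon
	}
	return unknown
}

// SysInfoPayload returns the result file of the system-information audit, the
// one the computer name is derived from. With no such audit it returns the
// same error the thread reports from nighthawk-uwsgi.log.
func SysInfoPayload(m *Manifest) (string, error) {
	for _, a := range m.Audits {
		if a.Generator == GenSysInfo && len(a.Results) > 0 {
			return a.Results[0].Payload, nil
		}
	}
	return "", ErrNoComputerName
}

// buildMans assembles an in-memory zip holding the given manifest.json body.
// Test-input construction only.
func buildMans(manifest string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("manifest.json")
	io.WriteString(w, manifest)
	zw.Close()
	return buf.Bytes()
}

// Constructed manifests in the older (v21) and newer (v23) naming. Versions,
// payload names and "w32_example_unmapped" are made up for illustration.
const oldManifest = `{"audits":[
 {"generator":"sysinfo","generatorVersion":"21.33","results":[{"type":"application/xml","payload":"sysinfo.xml"}]},
 {"generator":"stateagentinspector","generatorVersion":"21.33","results":[{"type":"application/xml","payload":"events.xml"}]}]}`

const newManifest = `{"audits":[
 {"generator":"w32system","generatorVersion":"23.10.1","results":[{"type":"application/xml","payload":"w32system.xml"}]},
 {"generator":"stateagentinspector","generatorVersion":"23.10.1","results":[{"type":"application/xml","payload":"events.xml"}]},
 {"generator":"w32_example_unmapped","generatorVersion":"23.10.1","results":[{"type":"application/xml","payload":"new.xml"}]}]}`

// ImportReport runs read -> normalize -> locate sysinfo on one archive.
func ImportReport(mans []byte) (payload string, unknown []string, err error) {
	m, err := ReadManifest(mans)
	if err != nil {
		return "", nil, err
	}
	unknown = Normalize(m)
	payload, err = SysInfoPayload(m)
	return payload, unknown, err
}

func main() {
	for name, body := range map[string]string{"v21": oldManifest, "v23": newManifest} {
		payload, unknown, err := ImportReport(buildMans(body))
		fmt.Printf("%s: sysinfo payload=%q unmapped=%v err=%v\n", name, payload, unknown, err)
	}
}
```

Run as written, the v21 archive resolves to `sysinfo.xml` with nothing unmapped, and the v23 archive resolves to `w32system.xml` while flagging `w32_example_unmapped`; calling `SysInfoPayload` on the v23 manifest before `Normalize` returns `ErrNoComputerName`, which is the path the newer agent's renamed keys hit in the hard-coded version.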

roshanmaskey commented 6 years ago

Hi tpapag,

There have been some changes in the way information is collected by the HX agent. I have been working on the Go code to reflect the changes. The new code will fix the issue.

I will upload the fix in next 48 hours.

tpapag commented 6 years ago

roshanmaskey - Looks like you're working on a lot more than just that. Should your latest commit overcome this issue?

Tom

roshanmaskey commented 6 years ago

biggiesmalls and I have been working on this code for a few months. The code base is a complete re-write with new dependencies. I am working on an install script that should be complete by this weekend.

In the meantime, as a tactical fix:

Let me know if you encounter issues.

Melerium commented 6 years ago

Has this been resolved yet? Is there a way to update to 1.0.4?

joshep-koh commented 6 years ago

Hi. When will you upload 1.0.4?

roshanmaskey commented 6 years ago

Hi Guys,

I have uploaded the version 1.0.4 code. Please download release/nhr-1.0.4.tar.gz to set up and install on Ubuntu 16.04.