Skip to main content

Automated Malware Incident Response and Analysis

Project description

amira

PyPI Build Status

AMIRA: Automated Malware Incident Response & Analysis

AMIRA is a service for automatically running the analysis on the OSXCollector output files. The automated analysis is performed via OSXCollector Output Filters, in particular The One Filter to Rule Them All: the Analyze Filter. AMIRA takes care of retrieving the output files from an S3 bucket, running the Analyze Filter and then uploading the results of the analysis back to S3 (although one could envision as well attaching them to the related JIRA ticket).

Prerequisites

tox

The following steps assume you have tox installed on your machine.

If this is not the case, please run:

$ sudo pip install tox

OSXCollector Output Filters configuration file

AMIRA uses OSXCollector Output Filters to do the actual analysis, so you will need to have a valid osxcollector.yaml configuration file in the working directory. The example configuration file can be found in the OSXCollector Output Filters.

The configuration file mentions the location of the file hash and the domain blacklists. Make sure that the blacklist locations mentioned in the configuration file are also available when running AMIRA.

AWS credentials

AMIRA uses boto3 to interface with AWS. You can supply credentials using either of the possible configuration options.

The credentials should allow reading and deleting SQS messages from the SQS queue specified in the AMIRA config as well as the read access to the objects in the S3 bucket where the OSXCollector output files are stored. To be able to upload the analysis results back to the S3 bucket specified in the AMIRA configuration file, the credentials should also allow write access to this bucket.

AMIRA Architecture

The service uses the S3 bucket event notifications to trigger the analysis. You will need to configure an S3 bucket for the OSXCollector output files, so that when a file is added there the notification will be sent to an SQS queue (AmiraS3EventNotifications in the picture below). AMIRA periodically checks the queue for any new messages and upon receiving one it will fetch the OSXCollector output file from the S3 bucket. It will then run the Analyze Filter on the retrieved file.

The Analyze Filter runs all the filters contained in the OSXCollector Output Filters package sequentially. Some of them communicate with the external resources, like domain and hashes blacklists (or whitelists) and threat intel APIs, e.g. VirusTotal, OpenDNS Investigate or ShadowServer. The original OSXCollector output is extended with all of this information and the very last filter run by the Analyze Filter summarizes all of the findings into a human-readable form. After the filter finishes running, the results of the analysis will be uploaded to the Analysis Results S3 bucket.

The overview of the whole process and the system components involved in it are depicted below:

component diagram

Using AMIRA

The main entry point to AMIRA is in the amira/amira.py module. You will first need to create an instance of AMIRA class by providing the AWS region name, where the SQS queue with the event notifications for the OSXCollector output bucket is, and the SQS queue name:

from amira.amira import AMIRA

amira = AMIRA('us-west-1', 'AmiraS3EventNotifications')

Then you can register the analysis results uploader, e.g. the S3 results uploader:

from amira.s3 import S3ResultsUploader

s3_results_uploader = S3ResultsUploader('amira-results-bucket')
amira.register_results_uploader(s3_results_uploader)

Finally, run AMIRA:

amira.run()

Go get some coffee, sit back, relax and wait till the analysis results pop up in the S3 bucket!

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

amira-2.0.3.tar.gz (9.2 kB view details)

Uploaded Source

Built Distribution

amira-2.0.3-py3-none-any.whl (10.6 kB view details)

Uploaded Python 3

File details

Details for the file amira-2.0.3.tar.gz.

File metadata

  • Download URL: amira-2.0.3.tar.gz
  • Upload date:
  • Size: 9.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.2 CPython/3.8.12

File hashes

Hashes for amira-2.0.3.tar.gz
Algorithm Hash digest
SHA256 0fdc0e19ad1b77611831dde1f4b19c5d269bbfd9dd137b29ce36cf366afe3d80
MD5 ccbe0270bb7caf6de2527893f6e9229b
BLAKE2b-256 e8f4f592a1a60d0017bd4480522b6e837a4e12f0bb7a0023ae60c6e62f72920e

See more details on using hashes here.

Provenance

File details

Details for the file amira-2.0.3-py3-none-any.whl.

File metadata

  • Download URL: amira-2.0.3-py3-none-any.whl
  • Upload date:
  • Size: 10.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.2 CPython/3.8.12

File hashes

Hashes for amira-2.0.3-py3-none-any.whl
Algorithm Hash digest
SHA256 6fa76eb4c7119bc2fdc81aa2b535ddbd09a236f179aea17fef3873618833d080
MD5 77359501de5ed979694e983c5d7813f5
BLAKE2b-256 85d2d18b63e3dc9ede31f3580b6d53d0340de550207ff6fae9bc7405cc7198b6

See more details on using hashes here.

Provenance

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page