AMIRA: Automated Malware Incident Response & Analysis

AMIRA is a service for automatically running the analysis on the OSXCollector output files. The automated analysis is performed via OSXCollector Output Filters, in particular The One Filter to Rule Them All: the Analyze Filter. AMIRA takes care of retrieving the output files from an S3 bucket, running the Analyze Filter and then uploading the results of the analysis back to S3 (although one could envision as well attaching them to the related JIRA ticket).

Amira component overview
Amira component overview

Using AMIRA

The main entry point to AMIRA is in the amira/amira.py module. You will first need to create an instance of AMIRA class by providing the AWS region name, where the SQS queue with the event notifications for the OSXCollector output bucket is, and the SQS queue name:

from amira.amira import AMIRA

amira = AMIRA('us-west-1', 'AmiraS3EventNotifications')

Then you can register the analysis results uploader, e.g. the S3 results uploader:

from amira.s3 import S3ResultsUploader

s3_results_uploader = S3ResultsUploader('amira-results-bucket')
amira.register_results_uploader(s3_results_uploader)

Finally, run AMIRA:

amira.run()

Download AMIRA

AMIRA can be downloaded for free via the official Github page.

Share this information