AMIRA: Automatic malware analysis

AMIRA is a service for automatic analysis of OSXCollector output. The automated analysis is performed via the OSXCollector Output Filters.

More specifically, it uses the "One Filter to Rule Them All" analysis filter. AMIRA takes care of retrieving the output files from an S3 bucket, running the analysis filter, and then uploading the analysis results back to S3.

Architecture

The service uses the event notifications of the S3 bucket to trigger the analysis. You will need to configure the S3 bucket that holds the OSXCollector output files so that, when a file is added there, a notification is sent to an SQS queue (AmiraS3EventNotifications in the image below).

AMIRA periodically checks the queue for new messages and, when one is received, downloads the OSXCollector output file from the S3 bucket. It then runs the analysis filter on the retrieved file.

The analysis filter sequentially runs all the filters contained in the OSXCollector Output Filters package. Some of them communicate with external resources, such as hash blocklists and threat intelligence APIs, e.g. VirusTotal, OpenDNS Investigate or ShadowServer.

The initial OSXCollector output is enriched with all this information, and the last filter run by the analysis filter summarizes all findings in a human-readable format. After the filter completes, the analysis results are uploaded to the S3 analysis results bucket.
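To make the S3 to SQS to analysis to S3 loop concrete, here is an added example (not AMIRA's or OSXCollector's own code) that runs the whole cycle offline against in-memory stand-ins for the two S3 buckets and the notification queue. The S3 event notification format it parses is the one S3 actually emits (records with `eventSource`, `eventName` and an URL-encoded object key); `FakeS3`, `FakeSQS`, `blocklist_filter`, `summary_filter`, `run_analysis` and `process_once` are this example's own names, the blocklist filter is a constructed stand-in for a filter that would query a threat intelligence API, and the stored object is assumed to be uncompressed JSON Lines rather than the archive OSXCollector produces.

```python
"""Added example (not AMIRA's own code): one polling iteration of the
S3 -> SQS -> analysis filter -> S3 pipeline, with in-memory stand-ins so it
runs offline. All names here are this example's own, not AMIRA identifiers."""
import json
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote_plus

Record = Dict[str, object]
Filter = Callable[[List[Record]], List[Record]]


class FakeS3:
    """Minimal in-memory stand-in for the output and results buckets."""
    def __init__(self) -> None:
        self.objects: Dict[Tuple[str, str], bytes] = {}

    def get(self, bucket: str, key: str) -> bytes:
        return self.objects[(bucket, key)]

    def put(self, bucket: str, key: str, data: bytes) -> None:
        self.objects[(bucket, key)] = data


class FakeSQS:
    """In-memory stand-in for the AmiraS3EventNotifications queue."""
    def __init__(self, bodies: List[str]) -> None:
        self.pending = list(bodies)

    def receive(self) -> List[str]:
        batch, self.pending = self.pending, []
        return batch


def parse_s3_event(body: str) -> List[Tuple[str, str]]:
    """Extract (bucket, key) pairs from one S3 event notification message.

    Only ObjectCreated events from aws:s3 are accepted; anything else on the
    queue (for example the s3:TestEvent sent when the notification is set up)
    is ignored instead of being treated as a new upload. Object keys in
    notifications are URL-encoded, so they are decoded before use.
    """
    event = json.loads(body)
    found = []
    for rec in event.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        if not str(rec.get("eventName", "")).startswith("ObjectCreated:"):
            continue
        s3 = rec["s3"]
        found.append((s3["bucket"]["name"], unquote_plus(s3["object"]["key"])))
    return found


# Constructed stand-in for one output filter: tag records whose domains are on
# a local blocklist (a real filter would query a threat intelligence API).
BLOCKLIST = {"evil.example"}  # constructed sample data


def blocklist_filter(records: List[Record]) -> List[Record]:
    for rec in records:
        hits = sorted(d for d in rec.get("osxcollector_domains", []) if d in BLOCKLIST)
        if hits:
            rec["osxcollector_blocklist"] = hits
    return records


def summary_filter(records: List[Record]) -> List[Record]:
    """Last filter in the chain: append one human-readable summary record."""
    flagged = [r for r in records if "osxcollector_blocklist" in r]
    summary: Record = {
        "osxcollector_section": "summary",
        "flagged_count": len(flagged),
        "lines": [f"{r.get('path', '?')}: {r['osxcollector_blocklist']}" for r in flagged],
    }
    return records + [summary]


def run_analysis(raw: bytes, filters: List[Filter]) -> bytes:
    """Run the filters in order over JSON Lines input (one record per line)."""
    records = [json.loads(line) for line in raw.decode().splitlines() if line.strip()]
    for f in filters:
        records = f(records)
    return "\n".join(json.dumps(r, sort_keys=True) for r in records).encode()


def process_once(sqs: FakeSQS, s3: FakeS3, result_bucket: str, filters: List[Filter]) -> List[str]:
    """One polling iteration: drain the queue, analyse each upload, store results."""
    done = []
    for body in sqs.receive():
        for bucket, key in parse_s3_event(body):
            result_key = key + ".analysis.json"
            s3.put(result_bucket, result_key, run_analysis(s3.get(bucket, key), filters))
            done.append(result_key)
    return done


def demo() -> Tuple[FakeS3, List[str]]:
    """Constructed walk-through: one real upload notification plus one test event."""
    s3 = FakeS3()
    s3.put("osxcollector-output", "host one.json",  # constructed OSXCollector-style records
           b'{"osxcollector_section": "quarantines", "path": "/tmp/a", "osxcollector_domains": ["evil.example"]}\n'
           b'{"osxcollector_section": "startup", "path": "/tmp/b", "osxcollector_domains": ["good.example"]}\n')
    event = {"Records": [{"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
                          "s3": {"bucket": {"name": "osxcollector-output"},
                                 "object": {"key": "host+one.json"}}}]}  # key URL-encoded as S3 sends it
    sqs = FakeSQS([json.dumps(event), json.dumps({"Event": "s3:TestEvent"})])
    return s3, process_once(sqs, s3, "amira-results", [blocklist_filter, summary_filter])
```

The two checks worth keeping from this sketch when wiring up a real deployment are the ones in `parse_s3_event`: filtering on `eventSource` and `eventName`, so that test events or unrelated messages never trigger a download, and decoding the object key, since a key with spaces or special characters arrives URL-encoded and a raw lookup would miss the object.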


Information about the installation and use of the program can be found here.


Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.
