YAFRA stands for [y]et [a]nother [f]ramework for [r]eport [a]nalysis
YAFRA is a semi-automated framework for analysing and representing reports about IT-security incidents. Users provide reports as PDF files and YAFRA extracts the indicators of compromise (IoCs) they contain. After extraction, those IoCs are enriched with data from external sources such as VirusTotal or MITRE to provide more context and information.
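The extraction-then-enrichment flow described above, shown as an added example that is not YAFRA's own code: the report text, the refang rules, the IoC patterns and the SHA256 value are all constructed here, and the VirusTotal API v3 endpoints are only built into request tuples, not sent (a real key and network access would be needed for that, and the key below is a placeholder).

```python
import re
from typing import Callable, Dict, List, Tuple, Union

# Constructed sample text, standing in for what a PDF extractor would pull from an
# incident report. The IoCs are defanged the way public reports usually print them.
SAMPLE_REPORT = """
The implant beacons to 198[.]51[.]100[.]23 over TCP/443 and resolves
update.example[.]com before fetching hxxp://cdn.example[.]net/payload.bin.
Dropped file SHA256: 3f786850e387550fdab836ed7e6dc881de23001b23d5d3b3f2d04b9c1b2a6f8e
Loader MD5: 9e107d9d372bb6826bd81d3542a419d6
Phishing sender: billing[at]example[.]org
"""

# Defang -> refang substitutions. Reports obfuscate IoCs so they are not clickable;
# undoing that first keeps the IoC patterns below simple.
_REFANG: List[Tuple[re.Pattern, Union[str, Callable]]] = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE), "."),
    (re.compile(r"\[at\]|\[@\]", re.IGNORECASE), "@"),
    (re.compile(r"hxxps?://", re.IGNORECASE),
     lambda m: m.group(0).lower().replace("hxxp", "http")),
]

# Order matters: each matched span is blanked out before the next pattern runs, so the
# domain inside a URL or e-mail address is not reported twice, a path component such as
# "payload.bin" is not mistaken for a domain, and a SHA256 is not also read as an MD5.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("url", re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)),
    ("email", re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}\b", re.IGNORECASE)),
    ("sha256", re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE)),
    ("md5", re.compile(r"\b[a-f0-9]{32}\b", re.IGNORECASE)),
    ("ipv4", re.compile(rf"\b(?:{_OCTET}\.){{3}}{_OCTET}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)),
]


def refang(text: str) -> str:
    """Undo the usual defanging so the IoC patterns can match."""
    for pattern, replacement in _REFANG:
        text = pattern.sub(replacement, text)
    return text


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Return a sorted, de-duplicated list of IoCs per type found in the report text."""
    text = refang(text)
    found: Dict[str, List[str]] = {}
    for name, pattern in _PATTERNS:
        values = set()
        for m in pattern.finditer(text):
            value = m.group(0).rstrip(".,;:)")  # drop sentence punctuation glued to the IoC
            values.add(value if name == "url" else value.lower())
        if values:
            found[name] = sorted(values)
        text = pattern.sub(" ", text)  # blank matches so broader patterns cannot re-match them
    return found


# VirusTotal API v3 collections for the IoC types that can be looked up directly.
_VT_COLLECTIONS = {"sha256": "files", "md5": "files", "ipv4": "ip_addresses", "domain": "domains"}


def enrichment_requests(iocs: Dict[str, List[str]], api_key: str) -> List[Tuple[str, Dict[str, str]]]:
    """Map extracted IoCs to VirusTotal v3 GET requests as (url, headers); nothing is sent."""
    requests = []
    for ioc_type, values in iocs.items():
        collection = _VT_COLLECTIONS.get(ioc_type)
        if collection is None:
            continue  # URLs need VT's base64 URL id; e-mail addresses are not VT objects
        for value in values:
            requests.append((f"https://www.virustotal.com/api/v3/{collection}/{value}",
                             {"x-apikey": api_key}))
    return requests


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_REPORT)
    for ioc_type, values in iocs.items():
        print(f"{ioc_type}: {', '.join(values)}")
    for url, _headers in enrichment_requests(iocs, "VT_API_KEY_PLACEHOLDER"):
        print("would query", url)
```

The blanking step is the part worth copying: running the broad domain pattern last, over text from which URLs and e-mail addresses have already been removed, is what keeps the result free of duplicates and of path components that merely look like hostnames.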
Requirements:
- Docker
- Docker-compose
- Make
- GitLab
- Kroki Server
- MISP
Notice: MISP and GitLab are not installed via docker-compose. GitLab also needs a running Kroki or PlantUML server.
You can use the Kroki Docker container provided in the Makefile by running the following command:
make krokiinit
This exposes the Kroki server on port 7777 of the host machine.
Kroki: https://docs.gitlab.com/ee/administration/integration/kroki.html
PlantUML: https://docs.gitlab.com/ee/administration/integration/plantuml.html
Notice: The Kroki or PlantUML server address has to be entered in GitLab by an administrator (see the links above).
- VirusTotal-API-Key
For information about installation and configuration, have a look in the docs folder.
Example reports can be found on the US-CERT (CISA) website: https://us-cert.cisa.gov/ncas/analysis-reports
YAFRA provides a simple-to-use extension system called YAFRA-Extensions. For more information, have a look at the extensions folder.
Legend for the architecture diagram (the image itself is not included in this text):
- Blue clouds are microservices
- Green arrows are data flowing to Kafka
- Purple arrows are data flowing from Kafka
- Orange arrows are data flows without Kafka interaction