Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sensor SSH Cowrie solution #11155

Open
wants to merge 33 commits into
base: master
Choose a base branch
from

Conversation

swiftsolves-msft
Copy link
Contributor

As part of Hackathon 2024 a team developed a 1 click deploy solution that will deploy a debain vm, install cowrie, create ama dcr, dce, and association, and create a custom table to collect cowrie events. Solution contains a workbook (under development), 1 parser and 5 detection rules . The goal is make this a framework for others and community to create other 1 click deploy for other types of interactive honeypots. Can be used publicly for TI or privately as a detection tripwire

Required items, please complete

Change(s):

  • See guidance below

Reason for Change(s):

  • See guidance below

Version Updated:

  • Required only for Detections/Analytic Rule templates
  • See guidance below

Testing Completed:

  • See guidance below

Checked that the validations are passing and have addressed any issues that are present:

  • See guidance below

Guidance <- remove section before submitting


Before submitting this PR please ensure that you have read the following sections and filled out the changes, reason for change and testing complete sections:

Thank you for your contribution to the Microsoft Sentinel Github repo.

Details of the code changes in your submitted PR. Providing descriptions for pull requests ensures there is context to changes being made and greatly enhances the code review process. Providing associated Issues that this resolves also easily connects the reason.

Change(s):

  • Updated syntax for XYZ.yaml

Reason for Change(s):

Version updated:

  • Yes
  • Detections/Analytic Rule templates are required to have the version updated

The code should have been tested in a Microsoft Sentinel environment that does not have any custom parsers, functions or tables, so that you validate no incorrect syntax and execution functions properly. If your submission requires a custom parser or function, it must be submitted with the PR.

Testing Completed:

  • Yes/No/Need Help

Note: If updating a detection, you must update the version field.

Before the submission has been made, please look at running the KQL and Yaml Validation Checks locally.
https://github.com/Azure/Azure-Sentinel#run-kql-validation-locally

Checked that the validations are passing and have addressed any issues that are present:

  • Yes/No/Need Help

Note: Let us know if you have tried fixing the validation error and need help.

References:


As part of Hackathon 2024 a team developed a 1 click deploy solution that will deploy a debain vm, install cowrie, create ama dcr, dce, and association, and create a custom table to collect cowrie events. Solution contains a workbook (under development), 1 parser and 5 detection rules . The goal is make this a framework for others and community to create other 1 click deploy for other types of interactive honeypots. Can be used publicly for TI or privately as a detection tripwire
swiftsolves-msft and others added 8 commits September 19, 2024 17:48
fixing yaml spacing intial validation tests failed.
added workbook and fixing parser yaml
fixed some kql, data connector, workbook validation errors, still researching the permissions on data connector does not match.
made a change to fix kql validation removing commas after each extend and new line | extend, also removed txt based parser.
added vm ext ama for linux in deployment.
@v-atulyadav v-atulyadav self-assigned this Sep 20, 2024
@v-atulyadav v-atulyadav added the Solution Solution specialty review needed label Sep 20, 2024
swiftsolves-msft and others added 16 commits September 20, 2024 11:18
fixing detections validation error SourceIP custom colum name to sentinel recognized field Address
minor fixes to validation errors
minor fix filehash
added algo identifier
created new kql validator for cowrie
added | extend for beinging of query line 25
updated deploy to azure button links and data connector permissions reqs
changes to data connector to pass kql validations
sreedharande
sreedharande previously approved these changes Sep 26, 2024
@swiftsolves-msft
Copy link
Contributor Author

Hey all having some difficulty using the Solution Package tool to update and recreate files, currently getting some errors on functions being called elsewhere in other scripts
image

_At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:325 char:42

  • $functionAlias = ($isyaml -eq $true) ? $yaml.FunctionName : $(get ...
    
  •                                      ~
    

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:326 char:40

  • $displayName = ($isyaml -eq $true) ? "$($yaml.Function.Title)" :  ...
    
  •                                    ~
    

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:327 char:33

  • $name = ($isyaml -eq $true) ? "$($yaml.FunctionName)" : "$($fileN ...
    
  •                             ~
    

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:547 char:217

  • ... ionId'),50),'-','$($ContentKindDict.ContainsKey("Solution") ? $Conten ...
  •                                                             ~
    

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:697 char:95

  • ... text = $contentToImport.WorkbookBladeDescription ? $conten ...
  •                                                             ~
    

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:697 char:94

  • ... text = $contentToImport.WorkbookBladeDescription ? $cont ...
  •                                                              ~
    

The hash literal was incomplete.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:698 char:41

  •                                     }
    
  •                                     ~
    

Missing closing ')' in subexpression.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:665 char:5

  • {
    
  • ~
    

Missing closing '}' in statement block or type definition.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:710 char:33

  •                             )
    
  •                             ~
    

Unexpected token ')' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:711 char:29

  •                         }
    
  •                         ~
    

Unexpected token '}' in expression or statement.
Not all parse errors were reported. Correct the reported errors and try again.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : UnexpectedToken

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to
run without this warning message. Do you want to run C:\GitHub\Azure-Sentinel.script\package-automation\catalogAPI.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R
At C:\GitHub\Azure-Sentinel.script\package-automation\catalogAPI.ps1:67 char:43

  •         return $templateSpecAttribute ? ($templateSpecDefaultVers ...
    
  •                                       ~
    

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel.script\package-automation\catalogAPI.ps1:76 char:39

  •     return $templateSpecAttribute ? ($templateSpecDefaultVersion, ...
    
  •                                   ~
    

Unexpected token '?' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : UnexpectedToken

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to
run without this warning message. Do you want to run C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\get-ccp-details.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\get-ccp-details.ps1:148 char:146

  • ... -eq $pollerArrayItem.name -or $pollerArrayItem.name -eq '') ? $poller ...
  •                                                             ~
    

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\get-ccp-details.ps1:167 char:131

  • ... -eq $pollerArrayItem.name -or $pollerArrayItem.name -eq '') ? $poller ...
  •                                                             ~
    

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\get-ccp-details.ps1:167 char:130

  • ... l -eq $pollerArrayItem.name -or $pollerArrayItem.name -eq '') ? $poll ...
  •                                                              ~
    

The hash literal was incomplete.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\get-ccp-details.ps1:173 char:26

  •                     } else {
    
  •                      ~
    

The Try statement is missing its Catch or Finally block.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\get-ccp-details.ps1:195 char:130

  • ... ($null -eq $fileContent.name -or $fileContent.name -eq '') ? $fileCo ...
  •                                                             ~
    

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\get-ccp-details.ps1:291 char:6

  • }
    
  •  ~
    

The Try statement is missing its Catch or Finally block.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\get-ccp-details.ps1:311 char:1

  • }
  • ~
    Unexpected token '}' in expression or statement.
    • CategoryInfo : ParserError: (:) [], ParseException
    • FullyQualifiedErrorId : UnexpectedToken

Add-Member : Cannot bind argument to parameter 'InputObject' because it is null.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\V3\createSolutionV3.ps1:100 char:50

  • ... variables | Add-Member -NotePropertyName "email" -NotePropertyValue $ ...
  •             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    • CategoryInfo : InvalidData: (:) [Add-Member], ParameterBindingValidationException
    • FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.AddMemberCommand

Add-Member : Cannot bind argument to parameter 'InputObject' because it is null.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\V3\createSolutionV3.ps1:101 char:50

  • ... variables | Add-Member -NotePropertyName "_email" -NotePropertyValue ...
  •             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    • CategoryInfo : InvalidData: (:) [Add-Member], ParameterBindingValidationException
    • FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.AddMemberCommand

Get-Content : Cannot find path 'C:\GitHub\Azure-Sentinel\Solutions\Cowrie\SolutionMetadata.json' because it does not exist.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\V3\createSolutionV3.ps1:108 char:25

  •     $baseMetadata = Get-Content -Raw $metadataPath | Out-String | ...
    
  •                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    • CategoryInfo : ObjectNotFound: (C:\GitHub\Azure...onMetadata.json:String) [Get-Content], ItemNotFoundException
    • FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand_

@v-atulyadav
Copy link
Contributor

Hi @swiftsolves-msft,
We require a few modifications to the PR before proceeding with packaging.

  1. The Name property of the data file is currently set to Cowrie, whereas it should be designated as Sensor SSH Cowrie.
image
  1. It is also necessary to include workbook metadata in the workbookmetadata.json file
    (https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkbooksMetadata.json)

@swiftsolves-msft
Copy link
Contributor Author

swiftsolves-msft commented Nov 7, 2024 via email

@swiftsolves-msft swiftsolves-msft requested a review from a team as a code owner November 7, 2024 17:57
update images for preview for workbook
@v-atulyadav
Copy link
Contributor

Hi @swiftsolves-msft,
We request that you initiate the repackaging process after implementing these changes. Thanks

@v-atulyadav
Copy link
Contributor

Hi @swiftsolves-msft,
Please act on above ask. Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Solution Solution specialty review needed
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants