Sensor SSH Cowrie solution #11155
Open
Sensor SSH Cowrie solution #11155
+9,500
−1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
As part of Hackathon 2024 a team developed a 1 click deploy solution that will deploy a debain vm, install cowrie, create ama dcr, dce, and association, and create a custom table to collect cowrie events. Solution contains a workbook (under development), 1 parser and 5 detection rules . The goal is make this a framework for others and community to create other 1 click deploy for other types of interactive honeypots. Can be used publicly for TI or privately as a detection tripwire
fixing yaml spacing intial validation tests failed.
added workbook and fixing parser yaml
fixed some kql, data connector, workbook validation errors, still researching the permissions on data connector does not match.
made a change to fix kql validation removing commas after each extend and new line | extend, also removed txt based parser.
added vm ext ama for linux in deployment.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As part of Hackathon 2024 a team developed a 1 click deploy solution that will deploy a debain vm, install cowrie, create ama dcr, dce, and association, and create a custom table to collect cowrie events. Solution contains a workbook (under development), 1 parser and 5 detection rules . The goal is make this a framework for others and community to create other 1 click deploy for other types of interactive honeypots. Can be used publicly for TI or privately as a detection tripwire
Required items, please complete
Change(s):
Reason for Change(s):
Version Updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present:
Guidance <- remove section before submitting
Before submitting this PR please ensure that you have read the following sections and filled out the changes, reason for change and testing complete sections:
Thank you for your contribution to the Microsoft Sentinel Github repo.
Change(s):
Reason for Change(s):
Version updated:
Testing Completed:
Note: If updating a detection, you must update the version field.
Checked that the validations are passing and have addressed any issues that are present:
Note: Let us know if you have tried fixing the validation error and need help.