Azure · swiftsolves-msft · Sep 19, 2024 · Sep 19, 2024 · Sep 20, 2024 · Sep 20, 2024
@@ -0,0 +1,13 @@
+{
+  "Name": "newCowrie_CL",
+  "Properties": [
+    {
+      "Name": "TimeGenerated",
+      "Type": "DateTime"
+    },
+    {
+      "Name": "RawData",
+      "Type": "String"
+    }
+  ]
+}
@@ -250,6 +250,7 @@
   "RadiflowIsid",
   "CustomLogsAma",
   "SilverfortAma",
+  "SensorSSHCowrie",
   "IllumioSaaSDataConnector",
   "CTERA"
 ]
@@ -0,0 +1,34 @@
+id: ccbfc8aa-d1fe-4f62-b192-67f6c4edc9a2
+name: Alert on High Number of Failed Login Attempts
+description: |
+  'Detect brute-force or password-guessing attacks by monitoring a high volume of failed login attempts.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: SensorSSHCowrie
+    dataTypes:
+      - newCowrie_CL
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CredentialAccess
+relevantTechniques:
+  - T1110
+query: |
+  newCowrie_CL
+  | extend EventID = tostring(parse_json(RawData).eventid)
+  | extend SourceIP = tostring(parse_json(RawData).src_ip) 
+  | where EventID == "cowrie.login.failed"
+  | summarize FailedAttempts = count() by SourceIP
+  | where FailedAttempts > 2
+  | project SourceIP, FailedAttempts
+  | order by FailedAttempts desc
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIP
+version: 1.0.1
+kind: Scheduled
@@ -0,0 +1,31 @@
+id: 4a566fa4-f901-44fd-9890-a476d163e86a
+name: Detect Connection Events
+description: |
+  'Track connection events to detect unusual patterns in access or possible reconnaissance activity.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: SensorSSHCowrie
+    dataTypes:
+      - newCowrie_CL
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Discovery
+relevantTechniques:
+  - T0840
+query: |
+  newCowrie_CL
+  | extend EventID = tostring(parse_json(RawData).eventid)
+  | extend SourceIP = tostring(parse_json(RawData).src_ip)
+  | where EventID == "cowrie.session.closed"
+  | project SourceIP
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIP
+version: 1.0.1
+kind: Scheduled
@@ -0,0 +1,49 @@
+id: 53016cac-ca6c-4b2b-a4c4-7325afcb9502
+name: Detect File Uploads and Downloads
+description: |
+  'Monitor file uploads and downloads to detect potential exfiltration or data theft activities.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: SensorSSHCowrie
+    dataTypes:
+      - newCowrie_CL
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - LateralMovement
+relevantTechniques:
+  - T0843
+query: |
+  newCowrie_CL
+  | extend EventID = tostring(parse_json(RawData).eventid) 
+  | extend URL = tostring(parse_json(RawData).url)
+  | extend SourceIP = tostring(parse_json(RawData).src_ip)
+  | extend Sha256Value = tostring(parse_json(RawData).shasum)
+  | extend Message = tostring(parse_json(RawData).message)
+  | extend Outfile = tostring(parse_json(RawData).outfile)
+  | where EventID in ("cowrie.session.file_upload", "cowrie.session.file_download")
+  | project EventID, SourceIP, URL, Outfile, Sha256Value
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIP
+  - entityType: File
+    fieldMappings:
+      - identifier: Name
+        columnName: Outfile
+  - entityType: FileHash
+    fieldMappings:
+      - identifier: Value
+        columnName: Sha256Value
+      - identifier: Algorithm
+        columnName: Message
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URL
+version: 1.0.1
+kind: Scheduled
@@ -0,0 +1,37 @@
+id: b86b27e3-adb9-4f39-8c4e-0b7300031984
+name: Detect Suspicious File Downloads
+description: |
+  'Identify instances where files were downloaded from suspicious or known malicious URLs.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: SensorSSHCowrie
+    dataTypes:
+      - newCowrie_CL
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - LateralMovement
+relevantTechniques:
+  - T0843
+query: |
+  newCowrie_CL
+  | extend EventID = tostring(parse_json(RawData).eventid)
+  | extend URL = tostring(parse_json(RawData).url)
+  | extend SourceIP = tostring(parse_json(RawData).src_ip)
+  | where EventID == "cowrie.session.file_download"
+  | where URL contains "malicious-site.com" or URL contains "suspicious"
+  | project SourceIP, URL
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIP
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URL
+version: 1.0.1
+kind: Scheduled
@@ -0,0 +1,33 @@
+id: f72805a7-b8c5-45fb-aacf-d0db7e0bf49b
+name: Monitor Unusual File Execution
+description: |
+  'Detect attempts to execute files or scripts that are unusual or not typical for the environment.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: SensorSSHCowrie
+    dataTypes:
+      - newCowrie_CL
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Execution
+relevantTechniques:
+  - T1204
+query: |
+  newCowrie_CL
+  | extend EventID = tostring(parse_json(RawData).eventid)
+  | extend Command = tostring(parse_json(RawData).command)
+  | extend SourceIP = tostring(parse_json(RawData).src_ip)
+  | where EventID == "cowrie.session.command"
+  | where Command contains "wget" or Command contains "curl" or Command contains "chmod +x"
+  | project SourceIP, Command
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIP
+version: 1.0.1
+kind: Scheduled
@@ -0,0 +1,108 @@
+{
+    "id": "MicrosoftSSHCowrieSensor",
+    "title": "Microsoft SSH Cowrie Sensor",
+    "publisher": "Microsoft",
+    "descriptionMarkdown": "The Sensor SSH Cowrie data connector provides the capability to deploy a Linux based Azure VM host with Cowrie setup and configured. Included with CustomTable, AMA, DCR, DCE ready to go and ingesting Cowrie events on host. You can deploy this as a internal / private sensor (HoneyPot) on your existing virtual netwrk and subnet acting as a tripwire and can use the detection rules. Alternatively you can deploy sensor (HoneyPot) publically on the Internet and collect threat inetellegnce. This connector provides Microsoft Sentinel the capability to view dashboards, create custom alerts, collect Threat Intellegence.",
+    "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **<enter the Kusto Function alias>** in queries and workbooks. [Follow steps to get this Kusto Function>](<Link to Kusto Function on Azure Sentinel GitHub>)  ",
+    "graphQueries": [
+        {
+            "metricName": "Total data received",
+            "legend": "newCowrie_CL",
+            "baseQuery": "newCowrie_CL"
+        }
+    ],
+    "sampleQueries": [
+		{
+            "description" : "Top 10 Cowrie Events detected",
+            "query": "newCowrie_CL\n | extend Message = tostring(parse_json(RawData).message)\n | summarize count() by Message\n | top 10 by count_"
+        }
+    ],
+    "dataTypes": [
+        {
+            "name": "newCowrie_CL",
+            "lastDataReceivedQuery": "newCowrie_CL\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"          
+        }
+    ],
+    "connectivityCriterias": [
+        {
+            "type": "IsConnectedQuery",
+            "value": [
+                "newCowrie_CL\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(30d)"
+            ]
+        }
+    ],
+    "availability": {
+        "status": 1,
+        "isPreview": true
+    },
+    "permissions": {
+        "resourceProvider": [
+            {
+                "provider": "Microsoft.OperationalInsights/workspaces",
+                "permissionsDisplayText": "read and write permissions on the workspace are required.",
+                "providerDisplayName": "Workspace",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                    "write": true,
+                    "read": true,
+                    "delete": true
+                }
+            },
+			{
+				"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+				"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+				"providerDisplayName": "Keys",
+				"scope": "Workspace",
+				"requiredPermissions": {
+					"action": true
+				}
+			}
+        ],
+        "customs": [
+            {
+                "name": "Microsoft.Web/sites permissions",
+                "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
+            },            
+            {
+                "name": "Custom prerequisites if necessary, otherwise delete this customs tag",
+                "description": "Description for any custom pre-requisites"
+            }
+        ]
+    },
+    "instructionSteps": [
+        {
+            "title": "",
+            "description": ">**NOTE:** This connector deploys a Debian Azure VM, Cowrie software, CustomTable, AMA, DCR, DCE, uses AMA to pull Cowrie JSON logs into Microsoft Sentinel. This might result in additional data ingestion costs."
+        },
+        {
+            "title": "Option 1 - Private - Azure Resource Manager (ARM) Template",
+            "description": "Use this method for automated deployment of the Cowrie VM using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Sensor%2520SSH%2520Cowrie/Package/azuredeployprivate.json)\n2. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n3. Click **Purchase** to deploy."
+        },
+        {
+            "title": "Option 2 - Public - Azure Resource Manager (ARM) Template",
+            "description": "Use this method for automated deployment of the Cowrie VM using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Sensor%2520SSH%2520Cowrie/Package/azuredeploypublic.json)\n2. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n3. Click **Purchase** to deploy."
+        },
+        {
+            "title": "",
+            "description": "**Post Deployment**\n\n1.  From the Azure Portal, navigate to the data collection rule cowrie-dcr, click on resources, you will see your VM with a data collection rule associated, Next you must associate Data Collection Endpoint (DCE) cowrie-dce and press Save."
+        }           
+    ],
+    "metadata": {
+        "id": "d4a44059-a0d1-4e76-a8c5-535d381c0872",
+        "version": "1.0.0",
+        "kind": "dataConnector",
+        "source": {
+            "kind": "Solution",
+            "name": "Sensore SSH Cowrie"
+        },
+        "author": {
+            "name": "Microsoft"
+        },
+        "support": {
+            "name": "Microsoft Corporation",
+            "email": "[email protected]",
+            "tier": "Microsoft",
+            "link": "https://support.microsoft.com"
+        }
+    }
+}