Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sensor SSH Cowrie solution #11155

Open
wants to merge 33 commits into
base: master
Choose a base branch
from
Open

Sensor SSH Cowrie solution #11155

wants to merge 33 commits into from

Conversation

swiftsolves-msft
Copy link
Contributor

As part of Hackathon 2024 a team developed a 1 click deploy solution that will deploy a debain vm, install cowrie, create ama dcr, dce, and association, and create a custom table to collect cowrie events. Solution contains a workbook (under development), 1 parser and 5 detection rules . The goal is make this a framework for others and community to create other 1 click deploy for other types of interactive honeypots. Can be used publicly for TI or privately as a detection tripwire

Required items, please complete

Change(s):

  • See guidance below

Reason for Change(s):

  • See guidance below

Version Updated:

  • Required only for Detections/Analytic Rule templates
  • See guidance below

Testing Completed:

  • See guidance below

Checked that the validations are passing and have addressed any issues that are present:

  • See guidance below

Guidance <- remove section before submitting

Before submitting this PR please ensure that you have read the following sections and filled out the changes, reason for change and testing complete sections:

Thank you for your contribution to the Microsoft Sentinel Github repo.

Details of the code changes in your submitted PR. Providing descriptions for pull requests ensures there is context to changes being made and greatly enhances the code review process. Providing associated Issues that this resolves also easily connects the reason.

Change(s):

  • Updated syntax for XYZ.yaml

Reason for Change(s):

Version updated:

  • Yes
  • Detections/Analytic Rule templates are required to have the version updated

The code should have been tested in a Microsoft Sentinel environment that does not have any custom parsers, functions or tables, so that you validate no incorrect syntax and execution functions properly. If your submission requires a custom parser or function, it must be submitted with the PR.

Testing Completed:

  • Yes/No/Need Help

Note: If updating a detection, you must update the version field.

Before the submission has been made, please look at running the KQL and Yaml Validation Checks locally.
https://github.com/Azure/Azure-Sentinel#run-kql-validation-locally

Checked that the validations are passing and have addressed any issues that are present:

  • Yes/No/Need Help

Note: Let us know if you have tried fixing the validation error and need help.

References:

@swiftsolves-msft
Sensor SSH Cowrie solution
32c524a 
As part of Hackathon 2024 a team developed a 1 click deploy solution that will deploy a debain vm, install cowrie, create ama dcr, dce, and association, and create a custom table to collect cowrie events. Solution contains a workbook (under development), 1 parser and 5 detection rules . The goal is make this a framework for others and community to create other 1 click deploy for other types of interactive honeypots. Can be used publicly for TI or privately as a detection tripwire
@swiftsolves-msft swiftsolves-msft requested review from a team as code owners September 19, 2024 21:22
swiftsolves-msft and others added 8 commits September 19, 2024 17:48
@swiftsolves-msft
update to detections
1712052 
fixing yaml spacing intial validation tests failed.
@swiftsolves-msft
workbook - parser fix
d758d78 
added workbook and fixing parser yaml
@swiftsolves-msft
update fixes
948d8a6 
fixed some kql, data connector, workbook validation errors, still researching the permissions on data connector does not match.
@swiftsolves-msft
fixed | extend
a8d6828 
made a change to fix kql validation removing commas after each extend and new line | extend, also removed txt based parser.
@swiftsolves-msft
updated to include the vm ext ama
42e025b 
added vm ext ama for linux in deployment.
@v-atulyadav
updated permissions
af08d18
@v-atulyadav
Update ValidConnectorIds.json
ff930f6
@v-atulyadav
Update Cowrie_ARM_Deployment.json
4b1096f
@v-atulyadav v-atulyadav self-assigned this Sep 20, 2024
@v-atulyadav v-atulyadav added the Solution Solution specialty review needed label Sep 20, 2024
swiftsolves-msft and others added 16 commits September 20, 2024 11:18
@swiftsolves-msft
fix validation
4d37e6f 
fixing detections validation error SourceIP custom colum name to sentinel recognized field Address
@swiftsolves-msft
Merge branch 'cowrie-nates' of https://github.com/swiftsolves-msft/Az…
8d22c73 
…ure-Sentinel into cowrie-nates
@swiftsolves-msft
minor fixes to validation errors
6079fe0 
minor fixes to validation errors
@swiftsolves-msft
minor fix filehash
9741efc 
minor fix filehash
@swiftsolves-msft
sha256 entity mapping fix
c84624d 
added algo identifier
@swiftsolves-msft
created new kql validator for cowrie
0fd490c 
created new kql validator for cowrie
@swiftsolves-msft
made a fix to query
8cb08d0 
added | extend for beinging of query line 25
@swiftsolves-msft
update deploy to azure
881cc4a 
updated deploy to azure button links and data connector permissions reqs
@swiftsolves-msft
changes to data connector
04309df 
changes to data connector to pass kql validations
@swiftsolves-msft
data connector valid update
290ea00
@swiftsolves-msft
perm dc issue fix
6291b96
@swiftsolves-msft
fix
afb1a5a
@swiftsolves-msft
fix
432258c
@swiftsolves-msft
rearrange perms
9865d7f
@swiftsolves-msft
fix
89192e2
@v-atulyadav
Update Microsoft-SSHCowrieSensor.json
ed56e33
sreedharande
sreedharande previously approved these changes Sep 26, 2024
View reviewed changes
@swiftsolves-msft
Copy link
Contributor Author

Hey all having some difficulty using the Solution Package tool to update and recreate files, currently getting some errors on functions being called elsewhere in other scripts
image

_At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:325 char:42

  • $functionAlias = ($isyaml -eq $true) ? $yaml.FunctionName : $(get ...

  •                                      ~

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:326 char:40

  • $displayName = ($isyaml -eq $true) ? "$($yaml.Function.Title)" :  ...

  •                                    ~

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:327 char:33

  • $name = ($isyaml -eq $true) ? "$($yaml.FunctionName)" : "$($fileN ...

  •                             ~

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:547 char:217

  • ... ionId'),50),'-','$($ContentKindDict.ContainsKey("Solution") ? $Conten ...
  •                                                             ~

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:697 char:95

  • ... text = $contentToImport.WorkbookBladeDescription ? $conten ...
  •                                                             ~

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:697 char:94

  • ... text = $contentToImport.WorkbookBladeDescription ? $cont ...
  •                                                              ~

The hash literal was incomplete.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:698 char:41

  •                                     }

  •                                     ~

Missing closing ')' in subexpression.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:665 char:5

  • {

  • ~

Missing closing '}' in statement block or type definition.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:710 char:33

  •                             )

  •                             ~

Unexpected token ')' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\commonFunctions.ps1:711 char:29

  •                         }

  •                         ~

Unexpected token '}' in expression or statement.
Not all parse errors were reported. Correct the reported errors and try again.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : UnexpectedToken

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to
run without this warning message. Do you want to run C:\GitHub\Azure-Sentinel.script\package-automation\catalogAPI.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R
At C:\GitHub\Azure-Sentinel.script\package-automation\catalogAPI.ps1:67 char:43

  •         return $templateSpecAttribute ? ($templateSpecDefaultVers ...

  •                                       ~

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel.script\package-automation\catalogAPI.ps1:76 char:39

  •     return $templateSpecAttribute ? ($templateSpecDefaultVersion, ...

  •                                   ~

Unexpected token '?' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : UnexpectedToken

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to
run without this warning message. Do you want to run C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\get-ccp-details.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\get-ccp-details.ps1:148 char:146

  • ... -eq $pollerArrayItem.name -or $pollerArrayItem.name -eq '') ? $poller ...
  •                                                             ~

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\get-ccp-details.ps1:167 char:131

  • ... -eq $pollerArrayItem.name -or $pollerArrayItem.name -eq '') ? $poller ...
  •                                                             ~

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\get-ccp-details.ps1:167 char:130

  • ... l -eq $pollerArrayItem.name -or $pollerArrayItem.name -eq '') ? $poll ...
  •                                                              ~

The hash literal was incomplete.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\get-ccp-details.ps1:173 char:26

  •                     } else {

  •                      ~

The Try statement is missing its Catch or Finally block.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\get-ccp-details.ps1:195 char:130

  • ... ($null -eq $fileContent.name -or $fileContent.name -eq '') ? $fileCo ...
  •                                                             ~

Unexpected token '?' in expression or statement.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\get-ccp-details.ps1:291 char:6

  • }

  •  ~

The Try statement is missing its Catch or Finally block.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\common\get-ccp-details.ps1:311 char:1

  • }
  • ~
    Unexpected token '}' in expression or statement.
    • CategoryInfo : ParserError: (:) [], ParseException
    • FullyQualifiedErrorId : UnexpectedToken

Add-Member : Cannot bind argument to parameter 'InputObject' because it is null.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\V3\createSolutionV3.ps1:100 char:50

  • ... variables | Add-Member -NotePropertyName "email" -NotePropertyValue $ ...
  •             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    • CategoryInfo : InvalidData: (:) [Add-Member], ParameterBindingValidationException
    • FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.AddMemberCommand

Add-Member : Cannot bind argument to parameter 'InputObject' because it is null.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\V3\createSolutionV3.ps1:101 char:50

  • ... variables | Add-Member -NotePropertyName "_email" -NotePropertyValue ...
  •             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    • CategoryInfo : InvalidData: (:) [Add-Member], ParameterBindingValidationException
    • FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.AddMemberCommand

Get-Content : Cannot find path 'C:\GitHub\Azure-Sentinel\Solutions\Cowrie\SolutionMetadata.json' because it does not exist.
At C:\GitHub\Azure-Sentinel\Tools\Create-Azure-Sentinel-Solution\V3\createSolutionV3.ps1:108 char:25

  •     $baseMetadata = Get-Content -Raw $metadataPath | Out-String | ...

  •                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    • CategoryInfo : ObjectNotFound: (C:\GitHub\Azure...onMetadata.json:String) [Get-Content], ItemNotFoundException
    • FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand_

@v-atulyadav
Copy link
Contributor

Hi @swiftsolves-msft,
We require a few modifications to the PR before proceeding with packaging.

  1. The Name property of the data file is currently set to Cowrie, whereas it should be designated as Sensor SSH Cowrie.
image
  1. It is also necessary to include workbook metadata in the workbookmetadata.json file
    (https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkbooksMetadata.json)

@swiftsolves-msft
Copy link
Contributor Author

swiftsolves-msft commented Nov 7, 2024 via email

@swiftsolves-msft swiftsolves-msft requested a review from a team as a code owner November 7, 2024 17:57
@swiftsolves-msft
update images for preview
004e725 
update images for preview for workbook
@v-atulyadav
Copy link
Contributor

Hi @swiftsolves-msft,
We request that you initiate the repackaging process after implementing these changes. Thanks

@v-atulyadav
Copy link
Contributor

Hi @swiftsolves-msft,
Please act on above ask. Thanks

@v-atulyadav
Copy link
Contributor

Hi @swiftsolves-msft,
We look forward to your reply regarding this request. Thanks

@v-atulyadav
Copy link
Contributor

Hi @swiftsolves-msft,
We wanted to check on the status of PR #11155. PR is pending for more than 30 days. Please let us know if you need any assistance to review this PR. Per our standard operating procedures if no response is received in the next 7 business days, we will close this PR. Thank you for your cooperation.

@swiftsolves-msft
Copy link
Contributor Author

Hi @swiftsolves-msft, We wanted to check on the status of PR #11155. PR is pending for more than 30 days. Please let us know if you need any assistance to review this PR. Per our standard operating procedures if no response is received in the next 7 business days, we will close this PR. Thank you for your cooperation.

Many thanks this is ongoing may be working with sreedharande on the packaging tool as noted I was running into errors when using the tool. Working on this week to get updated with new PR once data package tool succeeds.

@v-atulyadav
Copy link
Contributor

Hi @swiftsolves-msft,
We appreciate your response and look forward to seeing some contributions to this pull request.

@v-atulyadav
Copy link
Contributor

Hi @swiftsolves-msft,
We eagerly anticipate your contributions to this pull request. Thanks

@v-atulyadav
Copy link
Contributor

Hi @swiftsolves-msft,
Your response is greatly appreciated, and we anticipate your contributions to this pull request with interest. Thanks

@v-atulyadav
Copy link
Contributor

Hi @swiftsolves-msft, We wanted to check on the status of PR #11155. PR is pending for more than 30 days. Please let us know if you need any assistance to review this PR. Per our standard operating procedures if no response is received in the next 7 business days, we will close this PR. Thank you for your cooperation.

Many thanks this is ongoing may be working with sreedharande on the packaging tool as noted I was running into errors when using the tool. Working on this week to get updated with new PR once data package tool succeeds.

Hi @swiftsolves-msft,
We would appreciate it if you could share the difficulties you are experiencing with packaging? Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sreedharande sreedharande sreedharande left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@v-atulyadav v-atulyadav

Labels
Solution Solution specialty review needed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@swiftsolves-msft @v-atulyadav @sreedharande