cowrie/docs/sentinel

How to send Cowrie output to Azure Sentinel
===========================================

Open your Sentinel worksapce and navigate to `Data connectors` >
`Syslog` > `Open connector page`. Expand `Install agent on a non-Azure
Linux Machine`, the select `Download & install agent for non-Azure
Linux machines`. Select the Linux tab and either copy the shell
script that is presented, or take note of your Workspace ID and
Primary Key and install the agent on your host by hand::

  $ wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh
  $ chmod +x onboard_agent.sh
  $ ./onboard_agent.sh -w <workspace ID> -s <key> -d opinsights.azure.com

Once installed, return to the Syslog connector page and select `Open
your workspace advanced settings configuration`. Select `Data` >
`Custom Logs`. Check `Apply below configuration to my linux machines`
then add a new custom log source: When prompted, upload the ``cowrie.json``
file you downloaded.

The default delimeter is correct (newline).  Specify
``/opt/cowrie/var/log/cowrie/cowrie.json`` as the log collection path.

Name the custom log ``cowrie_JSON``. Sentinel will automatically
append _CL to this name.

It will take a while for this to roll out to the host, but eventually
you'll be able to run the log analytics query cowrie_JSON_CL and
see data coming in.

Take the contents of ``cowrie-parser.txt`` from the ``docs/sentinel`` folder
and paste them into a new log analytics query. Run the query,
then save this off as a function with the name, alias and category
of `Cowrie`.

Once events are being ingested and parsed by Azure Sentinel,
``linux_workbook.json`` can be imported to define a custom workbook to
interact with Cowrie data.