OTRF / OSSEM

Open Source Security Events Metadata (OSSEM)
MIT License
1.24k stars 215 forks source link

Cowrie data dictionaries #98

Closed nicolasreich closed 3 years ago

nicolasreich commented 3 years ago

Hi! As discussed in an issue here's a PR for the data dictionaries for the cowrie honeypots. I'll also ping the cowrie development team to see if they have any comments.

micheloosterhof commented 3 years ago

Hello! Looks good. How do you send the data? Does OSSEM pick up the cowrie.json file or you use another method? I didn't see any documentation in the PR only data dictionaries.

nicolasreich commented 3 years ago

Hey @micheloosterhof, thanks for looking at this! So, OSSEM defines the end result - how "normalized" events should look like, for example once they're ingested into a SIEM. However, it does not define the process, i.e. how to go from the cowrie.json to the normalized version. This is left at the implementer's discretion and will vary wildly depending on the environment.

micheloosterhof commented 3 years ago

Clear. I would recommend documenting a step further as well, how to integrate with OSSEM, not just at the data dictionary level, but at the data flow level as well.

nicolasreich commented 3 years ago

I'm not sure to understand what you mean by the data flow level?

hxnoyd commented 3 years ago

@nicolasreich thanks for your PR and helping us extending OSSEM coverage 🍻