Cowrie data dictionaries

[nicolasreich]

Hi! As discussed in an issue here's a PR for the data dictionaries for the cowrie honeypots. I'll also ping the cowrie development team to see if they have any comments.

[micheloosterhof]

Hello! Looks good. How do you send the data? Does OSSEM pick up the cowrie.json file or you use another method? I didn't see any documentation in the PR only data dictionaries.

[nicolasreich]

Hey @micheloosterhof, thanks for looking at this! So, OSSEM defines the end result - how "normalized" events should look like, for example once they're ingested into a SIEM. However, it does not define the process, i.e. how to go from the cowrie.json to the normalized version. This is left at the implementer's discretion and will vary wildly depending on the environment.

[micheloosterhof]

Clear. I would recommend documenting a step further as well, how to integrate with OSSEM, not just at the data dictionary level, but at the data flow level as well.

[nicolasreich]

I'm not sure to understand what you mean by the data flow level?

[hxnoyd]

@nicolasreich thanks for your PR and helping us extending OSSEM coverage 🍻