diff --git a/rules/0685-cowrie_rules.xml b/rules/0685-cowrie_rules.xml
new file mode 100644
index 000000000..e836ac896
--- /dev/null
+++ b/rules/0685-cowrie_rules.xml
@@ -0,0 +1,47 @@
+<!--
+  -  Cowrie rules
+  -  Author: Meo Shen.
+  -  Updated by Wazuh Inc.
+  -  Copyright (C) 2015-2020, Wazuh Inc.
+  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
+-->
+
+<group name="cowrie,">
+
+
+  <rule id="90000" level="0" >
+    <decoded_as>json</decoded_as>
+    <field name="eventid">^cowrie</field>
+    <description>cowrie messages grouped.</description>
+  </rule>
+
+  <rule id="90005" level="3">
+    <if_sid>90000</if_sid>
+    <match>cowrie.login.failed</match>
+    <description>cowrie login failed</description>
+    <group>cowrie,</group>
+  </rule>
+
+  <rule id="90010" level="3">
+    <if_sid>90000</if_sid>
+    <match>cowrie.login.success</match>
+    <description>cowrie login success</description>
+    <group>cowrie,</group>
+  </rule>
+
+  <rule id="90015" level="5">
+    <if_sid>90000</if_sid>
+    <match>cowrie.command.input</match>
+    <description>cowrie command input</description>
+    <group>cowrie,</group>
+  </rule>
+
+  <rule id="90020" level="3">
+    <if_sid>90000</if_sid>
+    <match>cowrie.client.version</match>
+    <description>cowrie client version</description>
+    <group>cowrie,</group>
+  </rule>
+
+
+</group>
diff --git a/tools/rules-testing/tests/cowrie_rules.ini b/tools/rules-testing/tests/cowrie_rules.ini
new file mode 100644
index 000000000..6991a576a
--- /dev/null
+++ b/tools/rules-testing/tests/cowrie_rules.ini
@@ -0,0 +1,30 @@
+[Cowrie login failed]
+
+log 1 pass = {"eventid": "cowrie.login.failed", "username": "raspberry", "timestamp": "2018-09-05T13:52:42.584350Z", "message": "login attempt [raspberry/admin] failed", "src_ip": "193.201.224.214", "session": "5d77535d8ac4", "password": "admin", "sensor": "honeypot-ssh"}
+
+rule = 90005
+alert = 3
+decoder = json
+
+[Cowrie login succes]
+
+log 1 pass = {"eventid": "cowrie.login.success", "username": "root", "timestamp": "2018-09-05T14:24:20.903909Z", "message": "login attempt [root/] succeeded", "src_ip": "222.112.82.68", "session": "d051258efd62", "password": "", "sensor": "honeypot-ssh"}
+
+rule = 90010
+alert = 3
+decoder = json
+
+[Cowrie command input]
+
+log 1 pass = {"eventid": "cowrie.command.input", "timestamp": "2018-09-05T13:56:32.039222Z", "message": "CMD: ll", "src_ip": "116.227.2.205", "session": "61e431803b56", "input": "ll", "sensor": "honeypot-ssh"}
+rule = 90015
+alert = 5
+decoder = json
+
+[Cowrie client version]
+
+log 1 pass = {"eventid": "cowrie.client.version", "session": "dd98054a9b17", "timestamp": "2018-09-12T14:18:40.226440Z", "message": "Remote SSH version: 'SSH-2.0-OpenSSH_7.3'", "src_ip": "5.188.86.198", "version": "'SSH-2.0-OpenSSH_7.3'", "sensor": "honeypot-ssh"}
+
+rule = 90020
+alert = 3
+decoder = json