# Thinkst Canary Logs

## Overview

Panther ingests [Thinkst Canary](https://canary.tools/) alert logs by configuring a webhook to post events to a Panther [HTTP source](https://docs.panther.com/data-onboarding/data-transports/http).

Thinkst Canary honeypots and honeytokens can be deployed in minutes and piped into Panther with just a few clicks. In Panther, you can correlate Canary alerts with other security events to enable centralized threat detection, streamlined incident response, and enhanced visibility across your network security posture.

## How to onboard Thinkst Canary logs to Panther

### Step 1: Create a new Thinkst Canary source in Panther

To connect these logs to Panther:

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for “Thinkst Canary,” then click its tile.
4. In the upper-right corner of the slide-out panel, click **Start Setup**.

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-3e71ccb186f488f57ae9b6561928b8c190b59edc%2FScreenshot%202024-10-08%20at%209.26.11%20AM.png?alt=media" alt="An arrow is drawn from a tile labeled &#x22;Thinkst Canary&#x22; to a &#x22;Start Setup&#x22; button."><figcaption></figcaption></figure>
5. Follow Panther's [instructions for configuring an HTTP Source](https://docs.panther.com/data-transports/http#how-to-set-up-an-http-log-source-in-panther), beginning at Step 5.
   * For the **Auth method**, select [shared secret authentication](https://docs.panther.com/data-transports/http#shared-secret). This is the only method of authentication Thinkst Canary supports.
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-onboarding/data-transports/http#payload-requirements).
   * Do not proceed to the next step until the creation of your HTTP endpoint has completed.

### Step 2: Configure a webhook in Thinkst Canary

1. In the upper-right corner of your Thinkst Canary console, click the gear icon > **Global Settings**.
2. In the left-hand navigation bar, click **Webhooks**.
3. Click **Add New Webhook**.
4. Under **Global Webhooks Feed**, click the plus sign icon (**+**).\
   ![An arrow is drawn from "Webhooks" to an icon with a plus sign, which is within a "Global Webhooks Feed" section.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-44b0a7d20fc86272c4a4d40bf426c8bb2e76517a%2FScreenshot%202024-09-13%20at%2010.27.56%20AM.png?alt=media)
5. In the **Add New Webhook** pop-up modal, click **Add Generic**.
6. In the **Add new Generic Webhook** pop-up modal, configure the webhook fields:
   * **Webhook URL**: Paste the **HTTP Source URL** you generated in Panther in [Step 1](#step-1-create-a-new-thinkst-canary-source-in-panther).
   * **Add custom request headers**: Toggle this field on.
     * The header name and value should only be shared between your Thinkst Canary console and Panther.
   * **Enter header name**: Enter the **Header Name** you entered in Panther in [Step 1](#step-1-create-a-new-thinkst-canary-source-in-panther).
   * **Enter header value**: Enter the **Shared Secret Value** you entered or generated in Panther in [Step 1](#step-1-create-a-new-thinkst-canary-source-in-panther).\
     ![Under an "Add new Generic Webhook" header, there are various form fields, including "Webhook URL" and "Add custom request headers."](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-33719007875867b792d602e72e42b45241c7821d%2Fimage%20\(16\).png?alt=media)
7. Click **Save**.

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Thinkst Canary in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/rules/thinkstcanary_rules).

## Supported log types

### ThinkstCanary.Alert

```yaml
schema: ThinkstCanary.Alert
description: Alerts logs from Thinkst Canary
referenceURL: https://help.canary.tools/hc/en-gb/articles/360002431478-I-want-to-integrate-my-SIEM-with-my-Canaries
fields:
    - name: AdditionalDetails
      type: array
      element:
        type: array
        element:
            type: json
    - name: AlertType
      type: string
    - name: CanaryID
      type: string
    - name: CanaryIP
      type: string
      indicators:
        - ip
    - name: CanaryPublicIP
      type: string
      indicators:
        - ip
    - name: CanaryLocation
      type: string
    - name: CanaryName
      type: string
    - name: CanaryPort
      type: string
    - name: Description
      required: true
      type: string
    - name: Flock
      type: string
    - name: IncidentHash
      type: string
      indicators:
        - md5
    - name: IncidentKey
      type: string
    - name: Intro
      required: true
      type: string
    - name: Reminder
      type: string
    - name: ReverseDNS
      type: string
    - name: MatchedAnnotations
      type: string
    - name: TimestampGlobalTZ
      type: string
    - name: Token
      type: string
    - name: Triggered
      type: string
    - name: SourceIP
      type: string
      indicators:
        - ip
    - name: Timestamp
      required: true
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S (%Z)'
      isEventTime: true
```
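
The following added example (not code from Panther or Thinkst) checks one webhook payload against the schema above: the three `required` fields, the `Timestamp` format, and the fields marked as `ip` and `md5` indicators. Assumptions: Python's `strptime` stands in for Panther's timestamp parser, only `(UTC)` timestamps are accepted, and `SAMPLE_ALERT` and `check_alert` are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Field names and time format copied from the ThinkstCanary.Alert schema.
REQUIRED = ("Description", "Intro", "Timestamp")
IP_FIELDS = ("CanaryIP", "CanaryPublicIP", "SourceIP")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S (%Z)"
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")

# Constructed sample payload (documentation-range IPs, made-up values).
SAMPLE_ALERT = {
    "Description": "SSH Login Attempt",
    "Intro": "An SSH login attempt was detected on a Canary.",
    "Timestamp": "2024-10-08 09:26:11 (UTC)",
    "CanaryIP": "192.0.2.10",
    "SourceIP": "198.51.100.23",
    "IncidentHash": "0123456789abcdef0123456789abcdef",
}


def check_alert(event):
    """Return (errors, event_time, indicators) for one webhook payload."""
    errors = [f"missing required field: {n}" for n in REQUIRED if not event.get(n)]
    event_time = None
    raw_ts = event.get("Timestamp")
    if raw_ts:
        try:
            # strptime's %Z returns a naive datetime, so accept only UTC here
            # (an assumption of this example) and attach the zone explicitly.
            parsed = datetime.strptime(raw_ts, TIME_FORMAT)
            if not raw_ts.endswith("(UTC)"):
                raise ValueError("zone is not UTC")
            event_time = parsed.replace(tzinfo=timezone.utc)
        except ValueError as exc:
            errors.append(f"bad Timestamp {raw_ts!r}: {exc}")
    indicators = {"ip": [], "md5": []}
    for name in IP_FIELDS:
        value = event.get(name)
        if value:
            try:
                indicators["ip"].append(str(ipaddress.ip_address(value)))
            except ValueError:
                errors.append(f"{name} is not an IP address: {value!r}")
    digest = event.get("IncidentHash")
    if digest:
        if MD5_RE.fullmatch(digest):
            indicators["md5"].append(digest.lower())
        else:
            errors.append("IncidentHash is not a 32-hex-digit MD5 string")
    return errors, event_time, indicators
```

An empty error list for a test alert means the payload satisfies the schema's required fields and time format as modeled here; a non-empty list names the field to inspect.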
