Thinkst Canary Logs
Connecting Thinkst Canary logs in your Panther Console
Last updated
Connecting Thinkst Canary logs in your Panther Console
Last updated
The Thinkst Canary integration is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Panther ingests Thinkst Canary alert logs by configuring a webhook to post events to a Panther HTTP source.
Thinkst Canary is a breach detection solution with a focus on detecting lateral movement. In Panther, you can correlate Canary alerts with other security events to enable centralized threat detection, streamlined incident response, and enhanced visibility across your network security posture.
To connect these logs into Panther:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Thinkst Canary,” then click its tile.
In upper-right corner of the slide-out panel, click Start Setup.
Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
For the Auth method, select shared secret authentication. This is the only method of authentication Thinkst Canary supports.
Payloads sent to this source are subject to the payload requirements for all HTTP sources.
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
In the upper-right corner of your Thinkst Canary console, click the gear icon > Global Settings.
In the left-hand navigation bar, click Webhooks.
Click Add New Webhook.
In the Add New Webhook pop-up modal, click Add Generic.
In the Add new Generic Webhook pop-up modal, configure the webhook fields:
Click Save.
See Panther-managed rules for Thinkst Canary in the panther-analysis GitHub repository.
Under Global Webhooks Feed, click the plus sign icon (+).
Enter header value: Enter the Shared Secret Value you entered or generated in Panther in Step 1.