Thinkst Canary Logs

Overview

Panther ingests Thinkst Canary alert logs by configuring a webhook to post events to a Panther HTTP source.

Thinkst Canary honeypots and honeytokens can be deployed in minutes and piped into Panther with just a few clicks. In Panther, you can correlate Canary alerts with other security events to enable centralized threat detection, streamlined incident response, and enhanced visibility across your network security posture.

How to onboard Thinkst Canary logs to Panther

Step 1: Create a new Thinkst Canary source in Panther

To connect these logs into Panther:

1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

2. Click Create New.

3. Search for “Thinkst Canary,” then click its tile.

4. In upper-right corner of the slide-out panel, click Start Setup.
5. Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.

   • For the Auth method, select shared secret authentication. This is the only method of authentication Thinkst Canary supports.

   • Payloads sent to this source are subject to the payload requirements for all HTTP sources.

   • Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Configure a webhook in Thinkst Canary

1. In the upper-right corner of your Thinkst Canary console, click the gear icon > Global Settings.

2. In the left-hand navigation bar, click Webhooks.

3. Click Add New Webhook.

5. In the Add New Webhook pop-up modal, click Add Generic.

6. In the Add new Generic Webhook pop-up modal, configure the webhook fields:

   • Webhook URL: Paste the HTTP Source URL you generated in Panther in Step 1.

   • Add custom request headers: Toggle this field on.

     • The header name and value should only be shared between your Thinkst Canary console and Panther.

   • Enter header name: Enter the Header Name you entered in Panther in Step 1.
7. Click Save.

Panther-managed detections

See Panther-managed rules for Thinkst Canary in the panther-analysis GitHub repository.

Supported log types

ThinkstCanary.Alert

schema: ThinkstCanary.Alert
description: Alerts logs from Thinkst Canary
referenceURL: https://help.canary.tools/hc/en-gb/articles/360002431478-I-want-to-integrate-my-SIEM-with-my-Canaries
fields:
    - name: AdditionalDetails
      type: array
      element:
        type: array
        element:
            type: json
    - name: AlertType
      type: string
    - name: CanaryID
      type: string
    - name: CanaryIP
      type: string
      indicators:
        - ip
    - name: CanaryPublicIP
      type: string
      indicators:
        - ip
    - name: CanaryLocation
      type: string
    - name: CanaryName
      type: string
    - name: CanaryPort
      type: string
    - name: Description
      required: true
      type: string
    - name: Flock
      type: string
    - name: IncidentHash
      type: string
      indicators:
        - md5
    - name: IncidentKey
      type: string
    - name: Intro
      required: true
      type: string
    - name: Reminder
      type: string
    - name: ReverseDNS
      type: string
    - name: MatchedAnnotations
      type: string
    - name: TimestampGlobalTZ
      type: string
    - name: Token
      type: string
    - name: Triggered
      type: string
    - name: SourceIP
      type: string
      indicators:
        - ip
    - name: Timestamp
      required: true
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S (%Z)'
      isEventTime: true