# Thinkst Canary Logs

## Overview

Panther ingests [Thinkst Canary](https://canary.tools/) alert logs through a webhook that you configure in Thinkst Canary to post events to a Panther [HTTP source](/data-onboarding/data-transports/http.md).

Thinkst Canary honeypots and honeytokens can be deployed in minutes and piped into Panther with just a few clicks. In Panther, you can correlate Canary alerts with other security events to enable centralized threat detection, streamlined incident response, and enhanced visibility across your network security posture.

## How to onboard Thinkst Canary logs to Panther

### Step 1: Create a new Thinkst Canary source in Panther

To onboard these logs to Panther:

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for “Thinkst Canary,” then click its tile.
4. In the upper-right corner of the slide-out panel, click **Start Setup**.

   <figure><img src="/files/SG0JFeopppEbdKQYwodK" alt="An arrow is drawn from a tile labeled &#x22;Thinkst Canary&#x22; to a &#x22;Start Setup&#x22; button."><figcaption></figcaption></figure>
5. Follow Panther's [instructions for configuring an HTTP Source](/data-onboarding/data-transports/http.md#how-to-set-up-an-http-log-source-in-panther), beginning at Step 5.
   * For the **Auth method**, select [shared secret authentication](/data-onboarding/data-transports/http.md#shared-secret). This is the only method of authentication Thinkst Canary supports.
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-onboarding/data-transports/http#payload-requirements).
   * Do not proceed to the next step until the creation of your HTTP endpoint has completed.

### Step 2: Configure a webhook in Thinkst Canary

1. In the upper-right corner of your Thinkst Canary console, click the gear icon > **Global Settings**.
2. In the left-hand navigation bar, click **Webhooks**.
3. Click **Add New Webhook**.
4. Under **Global Webhooks Feed**, click the plus sign icon (**+**).\
   ![An arrow is drawn from "Webhooks" to an icon with a plus sign, which is within a "Global Webhooks Feed" section.](/files/bCo4hzzDz9ONSVmuPd8D)
5. In the **Add New Webhook** pop-up modal, click **Add Generic**.
6. In the **Add new Generic Webhook** pop-up modal, configure the webhook fields:
   * **Webhook URL**: Paste the **HTTP Source URL** you generated in Panther in [Step 1](#step-1-create-a-new-thinkst-canary-source-in-panther).
   * **Add custom request headers**: Toggle this field on.
     * The header name and value should only be shared between your Thinkst Canary console and Panther.
   * **Enter header name**: Enter the **Header Name** you entered in Panther in [Step 1](#step-1-create-a-new-thinkst-canary-source-in-panther).
   * **Enter header value**: Enter the **Shared Secret Value** you entered or generated in Panther in [Step 1](#step-1-create-a-new-thinkst-canary-source-in-panther).\
     ![Under an "Add new Generic Webhook" header, there are various form fields, including "Webhook URL" and "Add custom request headers."](/files/i3B0DUqR2qdWU5eaeoNY)
7. Click **Save**.

## Panther-managed detections

See [Panther-managed](/detections/panther-managed.md) rules for Thinkst Canary in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/rules/thinkstcanary_rules).

## Supported log types

### ThinkstCanary.Alert

```yaml
schema: ThinkstCanary.Alert
description: Alerts logs from Thinkst Canary
referenceURL: https://help.canary.tools/hc/en-gb/articles/360002431478-I-want-to-integrate-my-SIEM-with-my-Canaries
fields:
    - name: AdditionalDetails
      type: array
      element:
        type: array
        element:
            type: json
    - name: AlertType
      type: string
    - name: CanaryID
      type: string
    - name: CanaryIP
      type: string
      indicators:
        - ip
    - name: CanaryPublicIP
      type: string
      indicators:
        - ip
    - name: CanaryLocation
      type: string
    - name: CanaryName
      type: string
    - name: CanaryPort
      type: string
    - name: Description
      required: true
      type: string
    - name: Flock
      type: string
    - name: IncidentHash
      type: string
      indicators:
        - md5
    - name: IncidentKey
      type: string
    - name: Intro
      required: true
      type: string
    - name: Reminder
      type: string
    - name: ReverseDNS
      type: string
    - name: MatchedAnnotations
      type: string
    - name: TimestampGlobalTZ
      type: string
    - name: Token
      type: string
    - name: Triggered
      type: string
    - name: SourceIP
      type: string
      indicators:
        - ip
    - name: Timestamp
      required: true
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S (%Z)'
      isEventTime: true
```
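
The following is an added example, not part of Panther's or Thinkst's own code: a pre-flight check that tests a Canary alert payload against the schema above (required fields, `ip` and `md5` indicator fields, and the `Timestamp` format). The sample payload values and the `check_alert` helper are constructed for illustration, and the timestamp is assumed to be labelled UTC.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Field names and time format are taken from the ThinkstCanary.Alert schema.
REQUIRED = ("Description", "Intro", "Timestamp")
IP_FIELDS = ("CanaryIP", "CanaryPublicIP", "SourceIP")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S (%Z)"
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")

# Constructed sample payload: every value is made up for illustration.
SAMPLE_ALERT = {
    "CanaryIP": "10.0.5.20",
    "SourceIP": "10.0.7.33",
    "Description": "SSH Login Attempt",
    "Intro": "An SSH login attempt was seen on a Canary.",
    "IncidentHash": "0123456789abcdef0123456789abcdef",
    "Timestamp": "2024-03-01 14:22:05 (UTC)",
}


def check_alert(alert):
    """Return problems, extracted indicators and event time for one payload."""
    problems, ips, md5s, event_time = [], [], [], None
    for name in REQUIRED:
        if not alert.get(name):
            problems.append(f"missing required field: {name}")
    for name in IP_FIELDS:
        value = alert.get(name)
        if value:
            try:
                ips.append(str(ipaddress.ip_address(value)))
            except ValueError:
                problems.append(f"{name} is not an IP address: {value!r}")
    digest = alert.get("IncidentHash")
    if digest:
        if MD5_RE.fullmatch(digest):
            md5s.append(digest.lower())
        else:
            problems.append("IncidentHash is not a 32-character hex digest")
    if alert.get("Timestamp"):
        try:
            # strptime's %Z accepts UTC, GMT and the host's own zone names only;
            # the result is naive, so this sketch assumes UTC and tags it.
            parsed = datetime.strptime(alert["Timestamp"], TIME_FORMAT)
            event_time = parsed.replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append(f"Timestamp does not match {TIME_FORMAT!r}")
    return {"problems": problems, "ip": ips, "md5": md5s, "event_time": event_time}
```

Running `check_alert` on a payload captured from your own Canary console before relying on detections shows whether the event time and indicator fields will populate as the schema expects.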

