Thinkst Canary

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
Thinkst Canary Audit Trails | ✅ | ✅ | thinkst_canary_audit_trail | NDJSON | API
Thinkst Canary Incidents | ✅ | ✅ | thinkst_canary_incidents | NDJSON | API

Overview

Thinkst Canary is a deception-based security solution designed to detect intrusions early by deploying decoy systems, files, and credentials across an organization's network. When an attacker interacts with a Canary, it triggers an alert, allowing security teams to respond before real damage occurs. The platform produces very few false positives and integrates with existing security tools for seamless monitoring.

Supported data types

Thinkst Canary Audit Trails

Table name: thinkst_canary_audit_trail

A crucial aspect of Thinkst Canary's offering is its audit trail functionality, which meticulously logs all interactions with the Canaries and tokens, offering invaluable insights into potentially malicious activities within the network.

Learn more here.

Thinkst Canary Incidents

Table name: thinkst_canary_incidents

Thinkst Canary incident logs are a pivotal aspect of the Thinkst Canary's breach detection capabilities, offering detailed records of interactions with the honeypots and Canary tokens deployed across an organization's network. These logs are essential for understanding the nature of security incidents, facilitating swift response, and enhancing overall security posture.

Learn more here.

Send data to Hunters

Hunters supports the collection of logs from Thinkst Canary using its API.

To connect Thinkst Canary logs:

  1. Follow this guide to retrieve the following information:

    • Domain. Example - https://b12341234.canary.tools/

    • Private Key. Example - eb012312312312312312312312312312312312312312

  2. Complete the process on the Hunters platform, following this guide.

Expected format

Logs are expected in newline-delimited JSON (NDJSON) format, one record per line.

Canary Audit Trail Sample

{"action_type": "incident_acknowledge", "additional_information": null, "flock_id": "flock:62bda23ef9284fe6", "flock_name": "Test Flock", "id": 968, "message": "Acknowledged incident", "timestamp": "2023-05-30 04:49:30 UTC+0000", "user": "john@abc.com", "user_browser_agent": "Mozilla/5.0", "user_browser_language": "en-US,en;q=0.9", "user_ip": "103.1.126.32"}
{"action_type": "admin_settings_ignored_annotations_ignore", "additional_information": {"annotation": "microsoft_defender_scan"}, "flock_id": 786, "flock_name": "Test Flock", "id": 923, "message": "Ignored annotation", "timestamp": "2023-05-25 12:19:40 UTC+0000", "user": "sam@xyz.com", "user_browser_agent": "Macintosh; Intel Mac OS X 10_15_7", "user_browser_language": "en-US,en;q=0.9", "user_ip": "121.23.230.1"}

Canary Incidents Sample

{"description": {"acknowledged": "True", "created": "1685014922", "created_std": "2023-05-25 11:42:02 UTC+0000", "description": "Host Port Scan", "dst_host": "10.124.132.143", "dst_port": "444", "events": [{"ports": "21,22,23,25,53,80,88,106,111,139,389,443,445,515,548,623,631,660,808,1433,1434,1521,1720,2049,2869,3283,3306,5000,5040,5060,5061,5355,5357,5555,5900,5985,6466,6467,7000,7100,7680,8008,8009,8080,8181,8443,8770,9090,9100,17990,22443,32111,62078", "timestamp": 1685014922, "timestamp_std": "2023-05-25 11:42:02 UTC+0000"}], "events_count": "12", "events_list": "1,2,3,4,5,6,7,8,9,10,11,12", "flock_id": "flock:1234", "flock_name": "Domain Controllers", "ip_address": "", "ippers": "", "local_time": "2023-05-25 11:42:01", "logtype": "5003", "mac_address": "", "matched_annotations": {"microsoft_defender_scan": ["This looks a lot like an automatic scan from a Microsoft Defender end-point-agent."]}, "name": "Hyper-V-Canary-unnamed", "node_id": "321321", "notified": "False", "src_host": "10.12.132.139", "src_host_reverse": "ds.local", "src_port": "631"}, "hash_id": "123123213", "id": "incident:hostportscan:123123:10.14.32.39:123123", "summary": "Host Port Scan", "updated": "Thu, 25 May 2023 12:20:11 GMT", "updated_id": 1790, "updated_std": "2023-05-25 12:20:11 UTC+0000", "updated_time": "1685017211"}
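The samples above show quirks a detection author has to handle before writing rules over these tables: booleans, port numbers and epoch timestamps arrive as strings, scanned ports are one comma-separated string inside `events`, and `flock_id` is an integer in one audit record and a `flock:...` string elsewhere. The following Python is an added example, not code from Hunters or Thinkst Canary; it normalizes one record of each type (constructed, trimmed copies of the samples above) and applies an assumed triage rule that lowers priority when Canary itself matched a known benign-scanner annotation.

```python
import json
from datetime import datetime, timezone
# Constructed samples, trimmed from the two records shown on this page.
INCIDENT_LINE = (
    '{"description": {"acknowledged": "True", "created": "1685014922", "dst_host": "10.124.132.143", '
    '"dst_port": "444", "events": [{"ports": "21,22,23,80,443,445,3389", "timestamp": 1685014922}], '
    '"flock_id": "flock:1234", "logtype": "5003", "matched_annotations": {"microsoft_defender_scan": '
    '["looks like a Defender scan"]}, "src_host": "10.12.132.139", "src_port": "631"}, '
    '"id": "incident:hostportscan:123123:10.14.32.39:123123", "summary": "Host Port Scan"}'
)
AUDIT_LINE = (
    '{"action_type": "admin_settings_ignored_annotations_ignore", "additional_information": '
    '{"annotation": "microsoft_defender_scan"}, "flock_id": 786, "id": 923, "user": "sam@xyz.com", '
    '"timestamp": "2023-05-25 12:19:40 UTC+0000", "user_ip": "121.23.230.1"}'
)
BENIGN_ANNOTATIONS = {"microsoft_defender_scan"}  # assumed triage rule, not a Canary/Hunters setting

def as_bool(value):
    # Canary serialises booleans as the strings "True" / "False".
    return str(value).strip().lower() == "true"

def normalize_incident(line):
    """Flatten one thinkst_canary_incidents NDJSON line into typed fields plus a priority."""
    rec = json.loads(line)
    d = rec["description"]
    ports = {int(p) for ev in d.get("events", [])
             for p in str(ev.get("ports", "")).split(",") if p.strip()}
    annotations = sorted(d.get("matched_annotations") or {})
    return {
        "id": rec["id"],
        "logtype": int(d["logtype"]),  # "5003" -> 5003
        "created": datetime.fromtimestamp(int(d["created"]), tz=timezone.utc),
        "src_host": d.get("src_host"),
        "dst_host": d.get("dst_host"),
        "dst_port": int(d["dst_port"]) if d.get("dst_port") else None,
        "acknowledged": as_bool(d.get("acknowledged")),
        "annotations": annotations,
        "scanned_ports": sorted(ports),
        "priority": "low" if set(annotations) & BENIGN_ANNOTATIONS else "high",
    }

def audit_config_change(line):
    """Surface audit-trail actions that silence annotations (alert suppression), else None."""
    rec = json.loads(line)
    if not str(rec.get("action_type", "")).startswith("admin_settings_ignored_annotations"):
        return None
    info = rec.get("additional_information") or {}
    return {"user": rec.get("user"), "user_ip": rec.get("user_ip"), "annotation": info.get("annotation"),
            "flock_id": str(rec.get("flock_id")), "timestamp": rec.get("timestamp")}
```

Audit events that ignore an annotation are worth alerting on separately: they change what the Canary console will surface as an incident from then on.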