Thinkst Canary¶
About¶
Canaries in IT Security often allude to the concept of the canary in a coal mine where the birds were an early warning sign that danger was near. If the canaries in the mine died, it served as an indication that the miners need to immediately exit because the canaries were more sensitive to dangerous gases than humans. This concept of early detection mirrors that of a Thinkst Canary.
A Canary is a physical or virtual device that is capable of mimicking nearly any type of device in any configuration. It acts very similarly to a honey pot. Canaries are designed to alert the admin user(s) of intruders and reduce the time required to identify a breach. Canaries can pose as Windows file servers, a cisco switch, Linux web servers, mainframes, workstations, and many more. Canaries sit in your network much like a canary in a coal mine; if a mine were filled with poisonous gases miners would have an early warning system. If an intruder is on your network, once the attacker interacts with the Canary, it will generate alerts through email, text messages, slack notifications, or integrate through other systems.
In addition to Canary devices, there are also Canary Tokens. These tokens serve as tripwires that take on many forms such as PDF and Office documents, email addresses/accounts, credentials, API keys, AWS keys, URLs and more that can be strategically placed throughout a network or organization. If an attacker opens a Canary Token document, uses token credentials, API keys or visit the Canary URL, alerts will fire just like the Canary honeypot devices. Admins, analysts and incident responders can investigate alerts with little worry for false positives.
Product Details¶
Vendor URL: Thinkst Canary
Product Type: Deception
Product Tier: Tier I
Integration Method: Syslog
Integration URL: Thinkst Canary
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: Actual CANARY triggers will have a near 100% parse rate, but there are test and other non-trigger events that will generate noise within the traffic that we do not parse that will cause the normalization rate to appear low. Ideally CANARY trips / triggers would be very low in an environment for the triggering of these alarms would indicate potential compromise.
Data Label: THINKST_CANARY
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| Accept | additional.fields |
| Accept-Encoding | additional.fields |
| Accept-Language | additional.fields |
| BackgroundContext | metadata.description |
| CanaryIP | observer.hostname |
| CanaryIP | observer.ip |
| CanaryIP | target.hostname |
| CanaryIP | target.ip |
| CanaryLocation | observer.resource.name |
| CanaryName | principal.hostname |
| CanaryPort | target.port |
| CanaryPort | network.ip_protocol |
| Connection | additional.fields |
| Description | metadata.product_event_type |
| Description | security_result.summary |
| device.personality | target.application |
| Flock | observer.resource.parent |
| FunctionData | target.application |
| ID | target.resource.id |
| IncidentHash | additional.fields |
| Intrusion URL | network.http.referral_url |
| IP Address | principal.ip |
| Local Host IP | principal.ip |
| Local Host MAC | principal.mac |
| Local Port | principal.port |
| Location | target.location.country_or_region |
| MD-5 | target.file.md5 |
| Occurrences | security_result.detection_fields |
| Prevalence | security_result.severity_details |
| proto | network.ip_protocol |
| PartialPorts | target.application |
| Reminder | target.file.full_path |
| Remote Host IP | target.ip |
| Remote Host MAC | target.mac |
| Remote Host Name | target.hostname |
| Remote Port | target.port |
| Risk name | security_result.threat_nam |
| Rule | metadata.description |
| Rule ID | security_result.summary |
| ReverseDNS | network.dns.answers.name |
| Scan Complete | target.resource.name |
| Scan Type | target.resource.type |
| Server Name | observer.hostname |
| SHA-256 | target.file.sha256 |
| SID | target.process.pid |
| Site | observer.administrative_domain |
| size | target.file.size |
| SourceIP | principal.ip |
| SourceIP | target.hostname |
| SourceIP | target.ip |
| SymantecServer | principal.hostname |
| Timestamp | metadata.event_timestamp |
| Token | target.application |
| Upgrade-Insecure-Requests | Additional.fields |
| User Name | principal.user.userid |
| UserAgent | principal.platform_version |
| Username | principal.user.userid |
| User1 | principal.user.userid |
Product Event Types¶
| Event | UDM Event Classification | Security Category | alerting enabled |
|---|---|---|---|
| Canary Disconnected | STATUS_SHUTDOWN | UNKNOWN_CATEGORY | |
| Canary Reconnected | STATUS_STARTUP | UNKNOWN_CATEGORY | |
| Canary Settings Changed | GENERIC_EVENT | UNKNOWN_CATEGORY | |
| Canarytoken triggered | FILE_OPEN | DATA_AT_REST | TRUE |
| Consolidated Network Port Scan | NETWORK_CONNECTION | NETWORK_RECON | TRUE |
| Custom TCP Service Request | NETWORK_CONNECTION | NETWORK_RECON | TRUE |
| Flock Settings Changed | GENERIC_EVENT | UNKNOWN_CATEGORY | |
| FTP Login Attempt | NETWORK_FTP | NETWORK_MALICIOUS | TRUE |
| Git Repository Clone Attempt | FILE_OPEN | DATA_EXFILTRATION | TRUE |
| Host Port Scan | NETWORK_CONNECTION | NETWORK_RECON | TRUE |
| HTTP Login Attempt | NETWORK_HTTP | NETWORK_SUSPICIOUS | TRUE |
| HTTP Page Load | NETWORK_HTTP | NETWORK_SUSPICIOUS | TRUE |
| HTTP Proxy Request | NETWORK_HTTP | NETWORK_SUSPICIOUS | TRUE |
| HTTP Service Scan | NETWORK_CONNECTION | NETWORK_RECON | TRUE |
| ModBus Request | NETWORK_CONNECTION | NETWORK_RECON | TRUE |
| MSSQL Login Attempt | USER_LOGIN | AUTH_VIOLOATION | TRUE |
| MySQL Login Attempt | USER_LOGIN | AUTH_VIOLOATION | TRUE |
| NMAP FIN Scan Detected | NETWORK_CONNECTION | NETWORK_RECON | TRUE |
| NMAP NULL Scan Detected | NETWORK_CONNECTION | NETWORK_RECON | TRUE |
| NMAP OS Scan Detected | NETWORK_CONNECTION | NETWORK_RECON | TRUE |
| NMAP Xmas Scan Detected | NETWORK_CONNECTION | NETWORK_RECON | TRUE |
| NTP Monlist Request | NETWORK_CONNECTION | NETWORK_RECON | TRUE |
| RDP Login Attempt | NETWORK_CONNECTION | NETWORK_MALICIOUS | TRUE |
| Redis Command | MUTEX_UNCATEGORIZED | EXPLOIT | TRUE |
| Runfinger Scan Detected | NETWORK_CONNECTION | NETWORK_RECON | TRUE |
| Shared File Opened | FILE_OPEN | DATA_AT_REST | TRUE |
| SIP Request | NETWORK_CONNECTION | NETWORK_RECON | TRUE |
| SNMP Request | NETWORK_CONNECTION | NETWORK_RECON | TRUE |
| SSH Login Attempt | NETWORK_CONNECTION | NETWORK_MALICIOUS | TRUE |
| Telnet Login Attempt | NETWORK_CONNECTION | NETWORK_MALICIOUS | TRUE |
| TFTP Request | NETWORK_FTP | NETWORK_MALICIOUS | TRUE |
| VNC Login Attempt | USER_LOGIN | AUTH_VIOLOATION | TRUE |
Log Sample¶
<130>1 2021-06-02T11:15:30.696215+00:00 sysloghost ThinkstCanary 6476 newincident [BasicIncidentDetails@51136 eventid="17004" Description="MS Word Document Canarytoken triggered" Timestamp="2021-06-02 11:15:28 (UTC)" IncidentHash="hash" Token="token" Reminder="reminder id" SourceIP="10.10.43.131" Flock="Test \\ Dev Environment"][AdditionalIncidentDetails@51136 DstPort="53" BackgroundContext="This alert is the first from 10.10.43.131."] A MS Word Document Canarytoken was triggered by a DNS query from the source IP 10.10.43.131. Please note that the source IP refers to a DNS resolver, rather than the host that triggered the token.
Sample Parsing¶
metadata.event_timestamp "2021-06-02T11:15:28Z"
metadata.event_type "FILE_OPEN"
metadata.product_name "Thinkst Canary"
metadata.product_event_type "MS Word Document Canarytoken triggered"
metadata.description "This alert is the first from 10.10.43.131. A MS Word Document Canarytoken was triggered by a DNS query from the source IP 10.10.43.131. Please note that the source IP refers to a DNS resolver"
metadata.ingested_timestamp "2021-06-02T11:15:50.234672Z"
principal.ip[0] "10.10.43.131"
target.ip[0] "10.10.43.131"
target.port 53
target.file.full_path "reminder id"
target.application "token"
security_result[0].category[0] "DATA_AT_REST"
security_result[0].severity "HIGH
Parser Alerting¶
Alerting criteria is listed in the Product Event Types table above.
Rules¶
Coming Soon