Console
    Contact Us Start free

    Collect Thinkst Canary logs

    Supported in:

    This parser normalizes raw log messages from Thinkst Canary software by cleaning up line breaks and attempting to parse the message as JSON. Then, based on the presence of specific fields ("Description" for key-value format or "summary" for JSON), it determines the log format and includes the appropriate parsing logic from separate configuration files to map the data into the unified data model.

    Before you begin

    Ensure that you have the following prerequisites:

    • Google SecOps instance.
    • Privileged access to Thinkst Canary.

    Configure REST API in Thinkst Canary

    1. Sign in to Thinkst Canary management console.
    2. Click the Gear Icon > Global Settings.
    3. Click API.
    4. Click Enable API.
    5. Click +to add an API.
    6. Give the API a descriptive name.
    7. Copy the Domain Hashand Auth Token.

    Set up feeds

    To configure a feed, follow these steps:

    1. Go to SIEM Settings > Feeds.
    2. Click Add New Feed.
    3. On the next page, click Configure a single feed.
    4. In the Feed namefield, enter a name for the feed; for example, Thinkst Canary Logs.
    5. Select Third party APIas the Source type.
    6. Select Thinkst Canaryas the Log type.
    7. Click Next.
    8. Specify values for the following input parameters:
      • Authentication HTTP Header:the token previously generated in a auth_token:<TOKEN> format (for example, auth_token:AAAABBBBCCCC111122223333).
      • API Hostname:the FQDN (fully qualified domain name) of your Thinks Canary REST API endpoint (for example myinstance.canary.tools ).
      • Asset namespace: the asset namespace .
      • Ingestion labels: the label applied to the events from this feed.
    9. Click Next.
    10. Review the feed configuration in the Finalizescreen, and then click Submit.

    UDM Mapping

    Log field UDM mapping Logic
    AUDITACTION
    		 read_only_udm.metadata.product_event_type The value is taken from the description field if the format is json, otherwise it is determined by the eventid field
    CanaryIP
    		 read_only_udm.target.ip
    CanaryName
    		 read_only_udm.target.hostname
    CanaryPort
    		 read_only_udm.target.port
    COOKIE
    		 read_only_udm.security_result.about.resource.attribute.labels.value
    created
    		 read_only_udm.metadata.event_timestamp.seconds
    created_std
    		 read_only_udm.metadata.event_timestamp.seconds
    DATA
    description
    		 read_only_udm.metadata.product_event_type The value is taken from the description field if the format is json, otherwise it is determined by the eventid field
    Description
    		 read_only_udm.metadata.product_event_type The value is taken from the description field if the format is json, otherwise it is determined by the eventid field
    DOMAIN
    		 read_only_udm.target.administrative_domain
    dst_host
    		 read_only_udm.target.ip
    dst_port
    		 read_only_udm.target.port
    eventid
    		 read_only_udm.metadata.product_event_type The value is taken from the description field if the format is json, otherwise it is determined by the eventid field
    events_count
    		 read_only_udm.security_result.detection_fields.value
    FILENAME
    		 read_only_udm.target.file.full_path
    FIN
    		 read_only_udm.security_result.detection_fields.value
    flock_id
    		 read_only_udm.principal.resource.attribute.labels.value
    flock_name
    		 read_only_udm.principal.resource.attribute.labels.value
    FunctionData
    FunctionName
    HEADERS
    		 read_only_udm.security_result.about.resource.attribute.labels
    HOST
    		 read_only_udm.target.hostname
    HOSTNAME
    		 read_only_udm.target.hostname
    id
    		 read_only_udm.metadata.product_log_id
    ID
    		 read_only_udm.security_result.detection_fields.value
    IN
    		 read_only_udm.security_result.detection_fields.value
    ip_address
    KEY
    LEN
    		 read_only_udm.security_result.detection_fields.value
    LOCALNAME
    		 read_only_udm.target.hostname
    LOCALVERSION
    		 read_only_udm.target.platform_version
    logtype
    		 read_only_udm.security_result.detection_fields.value
    LOGINTYPE
    MAC
    		 read_only_udm.principal.mac
    matched_annotations
    METHOD
    		 read_only_udm.network.http.method
    MODE
    ms_macro_ip
    		 read_only_udm.principal.ip
    ms_macro_username
    		 read_only_udm.principal.user.user_display_name
    name
    		 read_only_udm.target.hostname
    node_id
    		 read_only_udm.principal.resource.attribute.labels.value
    OFFSET
    OPCODE
    OUT
    		 read_only_udm.security_result.detection_fields.value
    PASSWORD
    PATH
    		 read_only_udm.target.url
    ports
    		 read_only_udm.target.labels.value
    PREC
    		 read_only_udm.security_result.detection_fields.value
    PreviousIP
    		 read_only_udm.principal.ip
    PROTO
    		 read_only_udm.network.ip_protocol
    PSH
    		 read_only_udm.security_result.detection_fields.value
    REALM
    		 read_only_udm.target.administrative_domain
    REMOTENAME
    		 read_only_udm.principal.hostname
    REMOTEVERSION
    		 read_only_udm.principal.platform_version
    REPO
    		 read_only_udm.target.resource.attribute.labels.value
    RESPONSE
    		 read_only_udm.network.http.response_code
    ReverseDNS
    Settings
    		 read_only_udm.target.labels
    SHARENAME
    SIZE
    SKIN
    SMBARCH
    SMBREPEATEVENTMSG
    SMBVER
    SNAME
    SourceIP
    		 read_only_udm.principal.ip
    src_host
    		 read_only_udm.principal.ip
    src_host_reverse
    		 read_only_udm.principal.hostname
    src_port
    		 read_only_udm.principal.port
    STATUS
    summary
    		 read_only_udm.metadata.product_event_type The value is taken from the description field if the format is json, otherwise it is determined by the eventid field
    SYN
    		 read_only_udm.security_result.detection_fields.value
    TCPBannerID
    TERMSIZE
    TERMTYPE
    timestamp
    		 read_only_udm.metadata.event_timestamp.seconds
    timestamp_std
    		 read_only_udm.metadata.event_timestamp.seconds
    Timestamp
    		 read_only_udm.metadata.event_timestamp.seconds
    TKTVNO
    		 read_only_udm.security_result.detection_fields.value
    TOS
    		 read_only_udm.security_result.detection_fields.value
    TTL
    		 read_only_udm.security_result.detection_fields.value
    TYPE
    USER
    		 read_only_udm.principal.user.user_display_name
    USERAGENT
    		 read_only_udm.network.http.user_agent
    USERNAME
    		 read_only_udm.target.user.user_display_name
    URG
    		 read_only_udm.security_result.detection_fields.value
    URGP
    		 read_only_udm.security_result.detection_fields.value
    WINDOW
    		 read_only_udm.security_result.detection_fields.value
    windows_desktopini_access_domain
    		 read_only_udm.principal.group.group_display_name
    windows_desktopini_access_username
    		 read_only_udm.principal.user.user_display_name
    		read_only_udm.metadata.log_type THINKST_CANARY - Hardcoded value
    		read_only_udm.metadata.vendor_name Thinkst - Hardcoded value
    		read_only_udm.metadata.product_name Canary - Hardcoded value
    		read_only_udm.security_result.severity CRITICAL - Hardcoded value
    		read_only_udm.network.application_protocol Determined by the port and product_event_type
    		read_only_udm.extensions.auth.mechanism Determined by the authentication method used in the event

    Need more help? Get answers from Community members and Google SecOps professionals.

    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: