
ids.thinkst_canary

Introduction

The tags beginning with ids.thinkst_canary identify events generated by Thinkst Canary.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as ids.thinkst_canary. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Thinkst Canary | ids.thinkst_canary.canary.audit | ids.thinkst_canary.canary.audit |
| Thinkst Canary | ids.thinkst_canary.canary.bird | ids.thinkst_canary.canary.bird |
| Thinkst Canary | ids.thinkst_canary.canary.incident | ids.thinkst_canary.canary.incident |
| Thinkst Canary | ids.thinkst_canary.canary.token | ids.thinkst_canary.canary.token |

For more information, read About Devo tags.

How is the data sent to Devo?

You can use the Thinkst Canary collector to send the required events to your Devo domain. Learn more about this in this article.

Table structure

These are the fields displayed in these tables:

ids.thinkst_canary.canary.audit

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp |  |  |  |
| hostname | str |  |  |  |
| action_type | str |  |  |  |
| additional_information | str |  |  |  |
| flock_id | str |  |  |  |
| flock_name | str |  |  |  |
| id | int4 |  |  |  |
| message | str |  |  |  |
| timestamp_str | str |  |  |  |
| timestamp | timestamp | parsedate(timestamp_str, dateformat("YYYY-MM-DD HH:mm:ss [UTC]ZZ", "UTC")) | timestamp_str |  |
| user | str |  |  |  |
| user_browser_agent | str |  |  |  |
| user_browser_language | str |  |  |  |
| user_ip4 | ip4 | ip4(user_ip_str) | user_ip_str |  |
| user_ip6 | ip6 | ip6(user_ip_str) | user_ip_str |  |
| at_devo_pulling_id | str |  |  |  |
| hostchain | str |  |  | ✓ |
| tag | str |  |  | ✓ |
| rawMessage | str |  |  | ✓ |
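The following Python example is added here and is not Devo's or Thinkst's own code. It enforces the four-level tag rule described in the "Valid tags and data tables" section and applies the field transformations listed in the audit table above (the timestamp parse and the user_ip4 / user_ip6 split) to a constructed raw audit event. The moment.js-style reading of the dateformat tokens ([UTC] as literal text, ZZ as a numeric offset such as +0000), the Python strptime patterns derived from it, and the sample event values are assumptions made for this example.

```python
"""Added example, not Devo's own parser: resolve an ids.thinkst_canary tag to
its data table and apply the audit-table field transformations to a raw event.
The sample event and the Python date formats are constructed/assumed here."""
from datetime import datetime, timezone
import ipaddress

TAG_PREFIX = ("ids", "thinkst_canary")

# Tags listed on this page; for this technology the data table has the same name.
KNOWN_TAGS = {
    "ids.thinkst_canary.canary.audit",
    "ids.thinkst_canary.canary.bird",
    "ids.thinkst_canary.canary.incident",
    "ids.thinkst_canary.canary.token",
}


def resolve_table(tag: str) -> str:
    """Enforce the 4-level rule (ids.thinkst_canary.<type>.<subtype>) and
    return the data table that receives events sent with this tag."""
    levels = tag.split(".")
    if len(levels) != 4:
        raise ValueError(f"tag needs exactly 4 levels, got {len(levels)}: {tag!r}")
    if tuple(levels[:2]) != TAG_PREFIX:
        raise ValueError(f"tag must start with ids.thinkst_canary: {tag!r}")
    if tag not in KNOWN_TAGS:
        raise ValueError(f"no data table is defined for tag {tag!r}")
    return tag


def is_valid_tag(tag: str) -> bool:
    """Boolean wrapper around resolve_table for filtering incoming tags."""
    try:
        resolve_table(tag)
        return True
    except ValueError:
        return False


# Python counterparts of dateformat("YYYY-MM-DD HH:mm:ss [UTC]ZZ", "UTC").
# Assumption: the tokens are moment.js-style, so [UTC] is the literal text
# "UTC" and ZZ is a numeric offset such as +0000; "UTC" is the fallback zone.
_FMT_WITH_OFFSET = "%Y-%m-%d %H:%M:%S UTC%z"
_FMT_NO_OFFSET = "%Y-%m-%d %H:%M:%S UTC"


def parsedate_audit(timestamp_str: str) -> datetime:
    """Turn the raw timestamp_str into the timezone-aware timestamp column."""
    try:
        return datetime.strptime(timestamp_str, _FMT_WITH_OFFSET)
    except ValueError:
        # No offset in the string: apply the default zone, as the second
        # dateformat() argument does.
        naive = datetime.strptime(timestamp_str, _FMT_NO_OFFSET)
        return naive.replace(tzinfo=timezone.utc)


def split_ip(ip_str: str):
    """Mirror the user_ip4 / user_ip6 pair: exactly one of them is populated,
    the other is left empty (None), matching the ip4()/ip6() transformations."""
    addr = ipaddress.ip_address(ip_str)  # raises ValueError on garbage input
    if addr.version == 4:
        return str(addr), None
    return None, str(addr)


def transform_audit(raw: dict) -> dict:
    """Build the ids.thinkst_canary.canary.audit row from a raw audit event."""
    row = dict(raw)
    user_ip_str = row.pop("user_ip_str")  # source field only, not a column
    row["timestamp"] = parsedate_audit(row["timestamp_str"])
    row["user_ip4"], row["user_ip6"] = split_ip(user_ip_str)
    return row


# Constructed sample of a raw audit event (field names from the table above,
# values invented for this example).
SAMPLE_AUDIT_EVENT = {
    "action_type": "LOGIN",
    "additional_information": "",
    "flock_id": "flock:example",
    "flock_name": "Example Flock",
    "id": 42,
    "message": "Console login",
    "timestamp_str": "2024-03-05 14:22:31 UTC+0000",
    "user": "analyst@example.com",
    "user_browser_agent": "Mozilla/5.0",
    "user_browser_language": "en-US",
    "user_ip_str": "203.0.113.7",
}

if __name__ == "__main__":
    table = resolve_table("ids.thinkst_canary.canary.audit")
    row = transform_audit(SAMPLE_AUDIT_EVENT)
    print(table, row["timestamp"].isoformat(), row["user_ip4"], row["user_ip6"])
```

Running the file prints the resolved table name and the typed timestamp and IP columns for the sample event. The point of the ip4/ip6 split is that a query can filter on user_ip4 or user_ip6 directly with the typed operators instead of inspecting the string form; keeping timestamp_str alongside the parsed timestamp preserves the original value for forensic comparison when the offset handling is in doubt.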

ids.thinkst_canary.canary.bird

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp |  |  |  |
| hostname | str |  |  |  |
| container_hostname | str |  |  |  |
| description | str |  |  |  |
| first_seen | str |  |  |  |
| first_seen_std_str | str |  |  |  |
| first_seen_std | timestamp |  | first_seen_std_str |  |
| flock_id | str |  |  |  |
| gcp_project | str |  |  |  |
| gcp_zone | str |  |  |  |
| id | str |  |  |  |
| ignore_notifications | bool |  |  |  |
| ignore_notifications_disconnects | bool |  |  |  |
| ignore_notifications_reconnects | bool |  |  |  |
| in_flight | bool |  |  |  |
| in_flight_tracking_url | str |  |  |  |
| instance_id | str |  |  |  |
| ip4 | ip4 |  | ip_str |  |
| ip6 | ip6 |  | ip_str |  |
| ippers | str |  |  |  |
| last_seen | str |  |  |  |
| last_seen_std_str | str |  |  |  |
| last_seen_std | timestamp |  | last_seen_std_str |  |
| live | bool |  |  |  |
| local_time | timestamp |  |  |  |
| location | str |  |  |  |
| mac_address | str |  |  |  |
| migration_status | str |  |  |  |
| name | str |  |  |  |
| netmask | str |  |  |  |
| note | str |  |  |  |
| outside_bird | bool |  |  |  |
| personality | str |  |  |  |
| pre_enrolled | bool |  |  |  |
| public_ip4 | ip4 |  | ip_str |  |
| public_ip6 | ip6 |  | ip_str |  |
| region_id | str |  |  |  |
| sensor | str |  |  |  |
| subnet4 | net4 |  | subnet |  |
| subnet6 | net6 |  | subnet |  |
| tailscale_bird | bool |  |  |  |
| updated | str |  |  |  |
| updated_std_str | str |  |  |  |
| updated_std | timestamp |  | updated_std_str |  |
| updated_timestamp | timestamp |  |  |  |
| uptime | int4 |  |  |  |
| uptime_age | str |  |  |  |
| version | str |  |  |  |
| hostchain | str |  |  | ✓ |
| tag | str |  |  | ✓ |
| rawMessage | str |  |  | ✓ |

ids.thinkst_canary.canary.incident

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp |  |  |  |
| hostname | str |  |  |  |
| description__acknowledged | str |  |  |  |
| description__created | timestamp |  |  |  |
| description__created_std_str | str |  |  |  |
| description__created_std | timestamp |  | description__created_std_str |  |
| description__description | str |  |  |  |
| description__dst_host | str |  |  |  |
| description__dst_port | str |  |  |  |
| description__events | str |  |  |  |
| description__events_count | str |  |  |  |
| description__events_list | str |  |  |  |
| description__flock_id | str |  |  |  |
| description__flock_name | str |  |  |  |
| description__local_time | str |  |  |  |
| description__logtype | str |  |  |  |
| description__memo | str |  |  |  |
| description__name | str |  |  |  |
| description__node_id | str |  |  |  |
| description__notified | str |  |  |  |
| description__src_host | str |  |  |  |
| description__src_port | str |  |  |  |
| hash_id | str |  |  |  |
| id | str |  |  |  |
| summary | str |  |  |  |
| updated | str |  |  |  |
| updated_id | int4 |  |  |  |
| updated_std_str | str |  |  |  |
| updated_std | timestamp |  | updated_std_str |  |
| updated_time | timestamp |  |  |  |
| at_devo_pulling_id | str |  |  |  |
| hostchain | str |  |  | ✓ |
| tag | str |  |  | ✓ |
| rawMessage | str |  |  | ✓ |

ids.thinkst_canary.canary.token

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp |  |
| hostname | str |  |
| enabled | bool |  |
| updated_id | int4 |  |
| memo | str |  |
| url | str |  |
| at_devo_pulling_id | str |  |
| kind | str |  |
| hostname2 | str |  |
| created_printable | str |  |
| flock_id | str |  |
| canarytoken | str |  |
| created | str |  |
| key | str |  |
| triggered_count | int4 |  |
| node_id | str |  |
| browser_scanner_enabled | bool |  |
| qr_code | str |  |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |