Thinkst Canary detects security breaches. Users can order, configure, and deploy their Canary Tokens throughout their network. Canary tokens are a powerful tool to help you detect attackers on your devices (“birds”). There can be virtual, hardware, or cloud-based tokens. With the ability to order, configure, and deploy your tokens throughout your network, you can create realistic simulations of Windows file servers, routers, and Linux webservers.
These Canary tokens run in the background, waiting for intruders to engage with them. Once an attacker encounters a Canary token, the services on offer are designed to solicit further investigation, which in turn triggers an alert to notify you of the incident. In short, Canary tokens can help you detect attackers before they cause serious damage to your network.
Devo collector features
Feature
Details
Feature
Details
Allow parallel downloading (multipod)
not allowed
Running environments
collector server
on-premise
Populated Devo events
table
Flattening preprocessing
yes
Data sources
Data source
Description
API endpoint
Collector service name
Devo table
Available from release
Data source
Description
API endpoint
Collector service name
Devo table
Available from release
Incidents
Fetch all the incidents.
/incidents
incidents
ids.thinkst_canary.canary.incident
v1.0
Birds
Fetch a snapshot of current birds available.
/devices/all
birds
ids.thinkst_canary.canary.bird
v1.0
Audit trail log
Fetches all the audit logs.
audit_trail/fetch
audit_trail_log
ids.thinkst_canary.canary.audit_trail
v1.0
Tokens
Fetches a snapshot of current canary tokens available.
canarytokens/paginate
tokens
ids.thinkst_canary.canary.token
v1.0
For more information on how the events are parsed, visit our page.
Vendor setup
In order to follow this guide, you must have a Thinkst Canary account and access to your web console:
Log in to the Thinkst Canary console.
Click on the gear icon (top-right corner) and then Global settings.
Click on API and make sure the Enabled toggle is active.
Locate your Domain Hash and Auth Token and copy them.
Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.
This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.
Setting
Details
Setting
Details
base_url
You domain’s API URL (format: https://{domain_hash}.canary.tools/api/v1).
auth_token
The token obtained from your Thinkst Canary’s console for authentication.
See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.
Accepted authentication methods
Authentication method
Token
Auth token
Required
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
Collector services detail
This section is intended to explain how to proceed with specific actions for services.
Events service
Internal services’ implementation
In the table below we can see an overview of how each service was implemented:
Service name
Implementation details
birds
This service obtains the full list of birds (devices) and sends all the retrieved events in Devo in a “snapshot” fashion. This is the reason we limit the maximum frequency of this service to at least one hour.
audit_trail_log
This service uses an endpoint that allows filtering by the start and end date (up to the day), but it does not offer a sorting mechanism. To circumvent this limitation and send all the events in an ordered fashion, we do the following:
Establish a range of days between the date_from parameter and the day before the current one to chonologically fetch the logs day by day.
All the logs from one single day are sorted before these are sent to Devo.
We keep track of the last “visited day” whose logs were fetched and sent.
We obtain the logs for the current day, filtering out those that were already obtained.
We keep track of the last fetched and sent log to only send consequent ones.
Once the day finishes, it will be treated as in the previous step.
incidents
The endpoint that this service uses, instead of allowing to filter by dates, uses a numeric ID that facilitates following the sequence of events ingested. The service starts from the beginning of the sequence until the last updated ID (included in every response). During the first pulling execution, however, we filter out those events that are previous to the datetime_from (timezone-aware) parameter.
tokens
This service obtains a paginated list of tokens and sends all the retrieved events in Devo in a “snapshot” fashion. This is the reason we limit the maximum frequency of this service to at least one hour.
Setup output
A successful run has the following output messages for the setup module:
INFO MainThread -> [SETUP] ThreatQuotientDataPullerSetup(threatquotient_collector,threatquotient_data_puller#111,events#predefined) - Starting thread
INFO ThreatQuotientDataPullerSetup(threatquotient_collector,threatquotient_data_puller#111,events#predefined) -> Puller Setup Started
INFO ThreatQuotientDataPullerSetup(threatquotient_collector,threatquotient_data_puller#111,events#predefined) -> We do not have a token. Getting a new one from the server.
INFO ThreatQuotientDataPullerSetup(threatquotient_collector,threatquotient_data_puller#111,events#predefined) -> Attempting to get OAuth2 token from ThreatQuotient server....
INFO ThreatQuotientDataPullerSetup(threatquotient_collector,threatquotient_data_puller#111,events#predefined) -> Attempting to get from client_id ThreatQuotient server....
INFO ThreatQuotientDataPullerSetup(threatquotient_collector,threatquotient_data_puller#111,events#predefined) -> Successfully received a client_id token from (...)/assets/js/config.js
INFO ThreatQuotientDataPullerSetup(threatquotient_collector,threatquotient_data_puller#111,events#predefined) -> Successfully received JWT token from (...) which expires in 3599 seconds
INFO ThreatQuotientDataPullerSetup(threatquotient_collector,threatquotient_data_puller#111,events#predefined) -> Puller Setup Terminated
INFO ThreatQuotientDataPullerSetup(threatquotient_collector,threatquotient_data_puller#111,events#predefined) -> Setup for module "ThreatQuotientDataPuller" has been successfully executed
Puller output
A successful initial run has the following output messages for the puller module:
2023-08-03T11:01:04.307 WARNING InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> Waiting until setup will be executed
2023-08-03T11:01:06.318 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) Starting the execution of pre_pull()
2023-08-03T11:01:06.319 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> Reading persisted data
2023-08-03T11:01:06.324 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> Data retrieved from the persistence: None
2023-08-03T11:01:06.324 WARNING InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> Persistence will be overridden due to the retrieved state is empty
2023-08-03T11:01:06.325 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> Running the persistence upgrade steps
2023-08-03T11:01:06.325 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> Running the persistence corrections steps
2023-08-03T11:01:06.325 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> Running the persistence corrections steps
2023-08-03T11:01:06.326 WARNING InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> Some changes have been detected and the persistence needs to be updated. Previous content: None. New content: {'max_updated_id': 0, 'max_time': None, 'datetime_from_config': '2023-04-01 12:00:00 UTC+0000'}
2023-08-03T11:01:06.332 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> Updating the persistence
2023-08-03T11:01:06.335 WARNING InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> Persistence has been updated successfully
2023-08-03T11:01:06.335 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) Finalizing the execution of pre_pull()
2023-08-03T11:01:06.336 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> Starting data collection every 60 seconds
2023-08-03T11:01:06.337 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> Pull Started
2023-08-03T11:01:10.055 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1691053266318):Number of requests made: 1; Number of events received: 50; Number of duplicated events filtered out: 37; Number of events generated and sent: 13; Average of events per second: 3.497.
2023-08-03T11:01:24.968 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1691053266318):Number of requests made: 2; Number of events received: 100; Number of duplicated events filtered out: 87; Number of events generated and sent: 13; Average of events per second: 0.698.
2023-08-03T11:01:25.531 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1691053266318):Number of requests made: 3; Number of events received: 105; Number of duplicated events filtered out: 92; Number of events generated and sent: 13; Average of events per second: 0.677.
2023-08-03T11:01:25.533 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1691053266318):Number of requests made: 3; Number of events received: 105; Number of duplicated events filtered out: 92; Number of events generated and sent: 13; Average of events per second: 0.677.
2023-08-03T11:01:25.534 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1691053266318):Number of requests made: 3; Number of events received: 105; Number of duplicated events filtered out: 92; Number of events generated and sent: 13; Average of events per second: 0.677.
2023-08-03T11:01:25.534 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> The data is up to date!
2023-08-03T11:01:25.535 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> Data collection completed. Elapsed time: 19.217 seconds. Waiting for 40.783 second(s) until the next one
2023-08-03T11:02:06.322 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> Pull Started
2023-08-03T11:02:06.551 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1691053326321):Number of requests made: 1; Number of events received: 0; Number of duplicated events filtered out: 0; Number of events generated and sent: 0; Average of events per second: 0.000.
2023-08-03T11:02:06.558 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1691053326321):Number of requests made: 1; Number of events received: 0; Number of duplicated events filtered out: 0; Number of events generated and sent: 0; Average of events per second: 0.000.
2023-08-03T11:02:06.560 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1691053326321):Number of requests made: 1; Number of events received: 0; Number of duplicated events filtered out: 0; Number of events generated and sent: 0; Average of events per second: 0.000.
2023-08-03T11:02:06.561 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> The data is up to date!
2023-08-03T11:02:06.561 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents,predefined) -> Data collection completed. Elapsed time: 0.240 seconds. Waiting for 59.760 second(s) until the next one
After a successful collector’s execution (that is, no error logs found), you will see the following log message:
2023-03-30T16:36:45.759 INFO InputProcess::ThinkstCanaryIncidentPuller(thinkst,12345,incidents_puller,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1680174320435):Number of requests made: 2; Number of events received: 91; Number of duplicated events filtered out: 0; Number of events generated and sent: 91; Average of events per second: 1.067.
This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:
Edit the configuration file.
Change the value of the date_from/datetime_from parameter to a different one.
Save the changes.
Restart the collector.
The collector will detect this change and will restart the persistence using the parameters of the configuration file. Note that this persistence reset only works for the audit_trail_log and incidents services (birds and tokens are "snapshot" services, without state).
This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.
Error Type
Error Id
Error Message
Cause
Solution
InitVariableError
10
Ping endpoint not found in module globals in collector_definitons.yaml
There is an internal error with the collector.
Please, contact Devo support.
InitVariableError
11
datetime_format not found in module globals for service: {service_name}
There is an internal error with the collector.
Please, contact Devo support.
InitVariableError
12
Start date from config: {start_date} is greater than current date for service: {service_name}
The value provided in date_from/datetime_from parameters is a future date.
Please provide a date/datetime that is before the current date. Note that the datetime_from parameter in the incidents service is timezone-aware.
InitVariableError
13
date_format not found in module globals for service: {self.service_name}
There is an internal error with the collector.
Please, contact Devo support.
PullError
308
Auth token expired. Confirm from Thinkst Canary that the token is still valid.
Auth token expired. Confirm from Thinkst Canary that the token is still valid.
Login to canary console and confirm if you are using the correct auth token.
PullError
311, 312, 313, 320, 321
<Error Message will be received from Thinkst>
Follow the instructions in the error message
Collector operations
This section is intended to explain how to proceed with specific operations of this collector.
Initialization
The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.
A successful run has the following output messages for the initializer module:
Events delivery and Devo ingestion
The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.
A successful run has the following output messages for the initializer module:
By default, these information traces will be displayed every 10 minutes.
Sender services
The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:
Sender services
Description
Sender services
Description
internal_senders
In charge of delivering internal metrics to Devo such as logging traces or metrics.
standard_senders
In charge of delivering pulled events to Devo.
Sender statistics
Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:
Logging trace
Description
Logging trace
Description
Number of available senders: 1
Displays the number of concurrent senders available for the given Sender Service.
sender manager internal queue size: 0
Displays the items available in the internal sender queue.
Standard - Total number of messages sent: 57, messages sent since "2023-01-10 16:09:16.116750+00:00": 0 (elapsed 0.000 seconds
Displays the number of events from the last time and following the given example, the following conclusions can be obtained:
44 events were sent to Devo since the collector started.
The last checkpoint timestamp was 2023-01-10 16:09:16.116750+00:00.
21 events where sent to Devo between the last UTC checkpoint and now.
Those 21 events required 0.007 seconds to be delivered.
To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.
The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.
The global pressure of the available memory is displayed in the global value.
All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory
