Change log for THINKST_CANARY
| Date | Changes |
|---|---|
| 2025-06-26 | Enhancement:
- Added Grok patterns to parse the unparsed logs. - Replaced "thinkst_canary_udm_host_port_scan_event.include", "thinkst_canary_udm_canary_disconnected_reconnected_event.include", "thinkst_canary_udm_custom_tcp_service_request_event.include", "thinkst_canary_udm_ssh_login_attempt_event.include", "thinkst_canary_udm_ftp_telnet_login_attempt_event.include", "thinkst_canary_udm_canary_settings_changed_event.include", "thinkst_canary_udm_http_page_load_event.include" with the actual code. - event.idm.read_only_udm.security_result.detection_fields: Newly mapped `Request`, 'Command', 'PasswordHash', 'NTPCommand', 'Key', 'Salt', 'Password', 'ClientHash', 'connection', 'accept', 'FunctionName', 'FunctionData', 'TCPBannerID', 'IncidentHash', 'accept-encoding', 'VNCServerChallenge', 'VNCClientResponse', 'VNCPassword', 'Settings', 'LoginType' raw log field with `event.idm.read_only_udm.principal.ip` UDM field. - event.idm.read_only_udm.target.resource.name: Newly mapped `Database' raw log field with `event.idm.read_only_udm.target.resource.name` UDM field. - event.idm.read_only_udm.network.ftp.command: Newly mapped `Action' raw log field with `event.idm.read_only_udm.network.ftp.command` UDM field. - event.idm.read_only_udm.principal.user.group_identifiers: Newly mapped `DistinguishedName' raw log field with `event.idm.read_only_udm.principal.user.group_identifiers` UDM field. - event.idm.read_only_udm.network.http.referral_url: Newly mapped `Path' and 'URL' raw log field with `event.idm.read_only_udm.network.http.referral_url` UDM field. - event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `ShareName', 'SMBVersion', 'CanaryID' raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field. - Added KV block to extract values from the Headers field. - event.idm.read_only_udm.principal.hostname and event.idm.read_only_udm.principal.asset.hostname: Newly mapped `ReverseDNS' raw log field with `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM field. - event.idm.read_only_udm.target.ip and event.idm.read_only_udm.target.asset.ip: Newly mapped `CanaryPublicIP' raw log field with `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM field. - event.idm.read_only_udm.principal.user.user_display_name: Newly mapped `User' raw log field with `event.idm.read_only_udm.principal.user.user_display_name` UDM field. - event.idm.read_only_udm.target.resource.product_object_id: Newly mapped `EC2InstanceID' raw log field with `event.idm.read_only_udm.target.resource.product_object_id` UDM field. - event.idm.read_only_udm.target.location.country_or_region: Newly mapped `EC2Region' raw log field with `event.idm.read_only_udm.target.location.country_or_region` UDM field. - event.idm.read_only_udm.principal.administrative_domain: Newly mapped `Domain' raw log field with `event.idm.read_only_udm.principal.administrative_domain` UDM field. - event.idm.read_only_udm.target.files.names: Newly mapped `RemoteSMBName' raw log field with `event.idm.read_only_udm.target.files.names` UDM field. - event.idm.read_only_udm.security_result.action: Newly mapped `Success' raw log field as ALLOW when `Success' is true and BLOCK when `Success' is false with `event.idm.read_only_udm.security_result.action` UDM field. - event.idm.read_only_udm.target.location.name: Newly mapped `CanaryLocation' raw log field with `event.idm.read_only_udm.target.location.name` UDM field. - event.idm.read_only_udm.principal.user.userid: Newly mapped `Username' raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field. - event.idm.read_only_udm.security_result.description: Newly mapped `BackgroundContext' raw log field with `event.idm.read_only_udm.security_result.description` UDM field. - Added null condition check for all the fields. - Added on_error to all the mutate replace blocks. - event.idm.read_only_udm.network.http.user_agent: Newly mapped `User-Agent' raw log field with `event.idm.read_only_udm.network.http.user_agent` UDM field. - event.idm.read_only_udm.target.file.full_path: Newly mapped `Filename' raw log field with `event.idm.read_only_udm.target.file.full_path` UDM field. - event.idm.read_only_udm.principal.hostname and event.idm.read_only_udm.principal.asset.hostname: Newly mapped `ThinkstCanary_Hostname' raw log field with `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM field. - event.idm.read_only_udm.principal.application: Newly mapped `ThinkstCanary_Process' raw log field with `event.idm.read_only_udm.principal.application` UDM field. - Removed redundant code for '_dst_hostname', 'CanaryIP', '_src_host_reverse', '_dst_host' and 'User-Agent'. |
| 2025-02-26 | Enhancement:
- When "_md_product_event_type" is "Host port scan", "description.logtype" is mapped to "security_result.detection_fields". |
| 2025-02-04 | Enhancement:
- When "_md_product_event_type" is "Host port scan" or "Custom TCP Service Request", "description.logtype" is mapped to "security_result.detection_fields". |
| 2024-07-17 | Enhancement:
- Added support for the following events: "Remote registry connection", "Canarytoken triggered", "File share connection", "RDP connection made", and "Canary settings changed". |
| 2024-07-03 | Enhancement:
- Added support for "dns" logs. |
| 2024-05-10 | Enhancement:
- Added support for "Flock Settings Changed" events. - If value of "_md_product_event_type" is "Flock Settings Changed", added a Grok pattern to extract "user_id" from the field "elem.SETTINGS". - Mapped "user_id" to "principal.user.userid". |
| 2024-03-05 | Enhancement:
- Added support for "SIP Request" events. - Added support for "TFTP Request" events. - Mapped "hash_id" to "principal.file.sha1". - Mapped "HEADERS.user-agent" to "network.http.user_agent". - Mapped "description.node_id" to "principal.resource.attribute.labels". - Mapped "description.flock_id" to "principal.resource.attribute.labels". - Mapped "description.flock_name" to "principal.resource.attribute.labels". - Mapped "description.logtype" to "security_result.detection_fields". - Mapped "description.events_count" to "security_result.detection_fields". - Mapped "HEADERS.allow" to "security_result.detection_fields". - Mapped "HEADERS.call-id" to "security_result.detection_fields". - Mapped "HEADERS.contact" to "security_result.detection_fields". - Mapped "HEADERS.sip" to "security_result.detection_fields". - Mapped "HEADERS.cseq" to "security_result.detection_fields". - Mapped "HEADERS.expires" to "security_result.detection_fields". - Mapped "HEADERS.from" to "security_result.detection_fields". - Mapped "HEADERS.to" to "security_result.detection_fields". - Mapped "HEADERS.max-forwards" to "security_result.detection_fields". |
| 2023-12-08 | Enhancement:
- Since all "THINKST_CANARY" alerts are "critical" by default, set "is_alert" to "true" for all events. - Since all "THINKST_CANARY" alerts are "critical" by default, set "is_significant" to "true" for all events. - Since all "THINKST_CANARY" alerts are "critical" by default, set "security_result.severity" to "CRITICAL" for all events. - Added support for "NMAP OS Scan Detected" events. |
| 2023-12-07 | Enhancement:
- Added support for "WinRM Login Attempt", "Telnet Login Attempt", "NMAP OS Scan Detected", "Redis Command" events. - Added support to parse new pattern of "_metadata_event_timestamp","_event_time". |
| 2023-09-15 | Enhancement:
- Added support for 'VNC Login Attempt' events. |
| 2023-08-04 | Bug Fix:
Following changes have been made for Canarytoken triggered events: - Mapped to more specific event_type, for example "NETWORK_CONNECTION". - As 'resource.id' is deprecated, mapped 'canarytoken' to principal.resource.product_object_id. - Also 'event.idm.is_alert' is set to 'true' for the given event. - Set 'security_result.category' to 'NETWORK_SUSPICIOUS. |
| 2023-05-12 | Bug Fix - Added support for logs having "description.summary"="MSSQL Login Attempt" and mapped "event_type" to "USER_LOGIN";
|
| 2022-12-04 | Bug Fix -
- Added support for "HTTP Login Attempt", "FTP Login Attempt", "Website Scan", "Console Settings Changed", "RDP Login Attempt". |