Change log for THINKST_CANARY
| Date | Changes |
|---|---|
| 2025-02-26 | Enhancement:
- When "_md_product_event_type" is "Host port scan", "description.logtype" is mapped to "security_result.detection_fields". |
| 2025-02-04 | Enhancement:
- When "_md_product_event_type" is "Host port scan" or "Custom TCP Service Request", "description.logtype" is mapped to "security_result.detection_fields". |
| 2024-07-17 | Enhancement:
- Added support for the following events: "Remote registry connection", "Canarytoken triggered", "File share connection", "RDP connection made", and "Canary settings changed". |
| 2024-07-03 | Enhancement:
- Added support for "dns" logs. |
| 2024-05-10 | Enhancement:
- Added support for "Flock Settings Changed" events. - If value of "_md_product_event_type" is "Flock Settings Changed", added a Grok pattern to extract "user_id" from the field "elem.SETTINGS". - Mapped "user_id" to "principal.user.userid". |
| 2024-03-05 | Enhancement:
- Added support for "SIP Request" events. - Added support for "TFTP Request" events. - Mapped "hash_id" to "principal.file.sha1". - Mapped "HEADERS.user-agent" to "network.http.user_agent". - Mapped "description.node_id" to "principal.resource.attribute.labels". - Mapped "description.flock_id" to "principal.resource.attribute.labels". - Mapped "description.flock_name" to "principal.resource.attribute.labels". - Mapped "description.logtype" to "security_result.detection_fields". - Mapped "description.events_count" to "security_result.detection_fields". - Mapped "HEADERS.allow" to "security_result.detection_fields". - Mapped "HEADERS.call-id" to "security_result.detection_fields". - Mapped "HEADERS.contact" to "security_result.detection_fields". - Mapped "HEADERS.sip" to "security_result.detection_fields". - Mapped "HEADERS.cseq" to "security_result.detection_fields". - Mapped "HEADERS.expires" to "security_result.detection_fields". - Mapped "HEADERS.from" to "security_result.detection_fields". - Mapped "HEADERS.to" to "security_result.detection_fields". - Mapped "HEADERS.max-forwards" to "security_result.detection_fields". |
| 2023-12-08 | Enhancement:
- Since all "THINKST_CANARY" alerts are "critical" by default, set "is_alert" to "true" for all events. - Since all "THINKST_CANARY" alerts are "critical" by default, set "is_significant" to "true" for all events. - Since all "THINKST_CANARY" alerts are "critical" by default, set "security_result.severity" to "CRITICAL" for all events. - Added support for "NMAP OS Scan Detected" events. |
| 2023-12-07 | Enhancement:
- Added support for "WinRM Login Attempt", "Telnet Login Attempt", "NMAP OS Scan Detected", "Redis Command" events. - Added support to parse new pattern of "_metadata_event_timestamp","_event_time". |
| 2023-09-15 | Enhancement:
- Added support for 'VNC Login Attempt' events. |
| 2023-08-04 | Bug Fix:
Following changes have been made for Canarytoken triggered events: - Mapped to more specific event_type, for example "NETWORK_CONNECTION". - As 'resource.id' is deprecated, mapped 'canarytoken' to principal.resource.product_object_id. - Also 'event.idm.is_alert' is set to 'true' for the given event. - Set 'security_result.category' to 'NETWORK_SUSPICIOUS. |
| 2023-05-12 | Bug Fix - Added support for logs having "description.summary"="MSSQL Login Attempt" and mapped "event_type" to "USER_LOGIN";
|
| 2022-12-04 | Bug Fix -
- Added support for "HTTP Login Attempt", "FTP Login Attempt", "Website Scan", "Console Settings Changed", "RDP Login Attempt". |