Thinkst Canary Microsoft Sentinel Alert Integration
Thinkst Canary - Playbooks
Overview
Thinkst Canary provides deception sensors (Canaries) and Canarytokens. This integration forwards the alerts they raise from the Thinkst Canary cloud console into Microsoft Sentinel through a webhook-triggered Azure Logic App, where analytics rules turn the ingested records into alerts and incidents.
Thinkst Canary Playbooks
| Action | Description |
|---|---|
| Thinkst Canary Sentinel Connector | Integrate Thinkst Canary cloud console alerts with Microsoft Sentinel |
Prerequisites for using and deploying the playbooks
All playbook templates leverage a webhook in the Azure Logic App. To receive the alerts into Sentinel, you need to configure the URL of the webhook in your Thinkst Canary cloud console global or flock-specific settings. For instructions on how to do this, please refer to this link: How do I configure Webhook notifications for Microsoft Sentinel? Treat the webhook URL as a secret: the `sig` query parameter it carries is the shared access signature that authorizes callers, so anyone who obtains the URL can post fabricated alerts into your workspace.
Authentication
The playbook requires the workspace ID and a workspace key (primary or secondary) for the Azure Log Analytics workspace associated with Microsoft Sentinel. The key is a shared secret that permits writing records into the workspace, so keep it in the Logic App's API connection only, and regenerate it if it is exposed.
Deployment
This package includes:
- One playbook to support the integration of Thinkst Canary and Thinkst Canary Token alerts with Microsoft Sentinel.
You can choose to deploy the playbook using the buttons below.
Post-Deployment instructions
a. Authorize connections
Once the deployment is completed, you will need to authorize the connection to Log Analytics using the steps below:
- Open and edit the Log Analytics connection
- Fill in the necessary information, including the workspace ID and key of your Microsoft Sentinel workspace
- Click Authorize
- Sign in
- Click Save
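The following is an added example for the Authentication and "Authorize connections" sections above; it is not code from the Thinkst Canary playbook. It reproduces, in Python, the HTTP Data Collector API request that the Logic App's Log Analytics connection performs with the workspace ID and key, so that the key's role (an HMAC-SHA256 signing secret) and the way the `Log-Type` and record fields become the `Thinkst_Canary_CL` table and its suffixed columns are visible. The workspace key, the sample alert and its field values are placeholders constructed for the example.

```python
"""Added example (not part of the Thinkst Canary playbook): the HTTP Data
Collector API request the Logic App's Log Analytics "Send Data" action makes
with the workspace ID and key. It shows the key's role (an HMAC-SHA256 signing
secret) and how Log-Type and the record's fields become the Thinkst_Canary_CL
table and its suffixed column names."""
import base64
import datetime
import hashlib
import hmac
import json
import re
import urllib.request

LOG_TYPE = "Thinkst_Canary"   # stored as table Thinkst_Canary_CL
API_PATH = "/api/logs"
API_VERSION = "2016-04-01"
DEMO_KEY = base64.b64encode(bytes(32)).decode()   # placeholder; a real key is 32 random bytes, base64

# Constructed sample alert shaped like a Thinkst generic webhook; all values invented.
SAMPLE_ALERT = {
    "AlertType": "CanarytokenIncident",
    "CanaryID": "00000000000000aa",
    "CanaryIP": "10.0.0.5",
    "CanaryName": "finance-fs01",
    "CanaryPort": 445,
    "Description": "Canarytoken triggered",
    "Flock": "Default Flock",
    "IncidentHash": "8f5f1c9e-2d7a-4b0e-9c3e-1a2b3c4d5e6f",
    "Intro": "A Canarytoken was triggered.",
    "Reminder": "Payroll spreadsheet on the finance share",
    "SourceIP": "203.0.113.77",
    "Timestamp": "2024-01-02 03:04:05 (UTC)",
    "Token": "payroll-2024.xlsx",
}
_GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
_ISO8601 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")


def string_to_sign(content_length, rfc1123_date):
    """Canonical string the API signs: method, body length, content type,
    the x-ms-date header and the resource path."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n{API_PATH}"


def authorization_header(workspace_id, shared_key, content_length, rfc1123_date):
    """SharedKey <workspaceId>:<base64(HMAC-SHA256(key, string_to_sign))>.
    Anyone holding the key can produce this header and write records."""
    key = base64.b64decode(shared_key)
    msg = string_to_sign(content_length, rfc1123_date).encode("utf-8")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode()}"


def build_request(workspace_id, shared_key, records, log_type=LOG_TYPE, now=None):
    """Return (url, headers, body) for one POST; nothing is sent."""
    body = json.dumps(records).encode("utf-8")
    when = now or datetime.datetime.now(datetime.timezone.utc)
    rfc1123_date = when.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": authorization_header(workspace_id, shared_key, len(body), rfc1123_date),
        "Log-Type": log_type,       # table name without the _CL suffix
        "x-ms-date": rfc1123_date,  # must match the date that was signed
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{API_PATH}?api-version={API_VERSION}"
    return url, headers, body


def send(workspace_id, shared_key, records):
    """POST the records for real (needs network and a live workspace)."""
    url, headers, body = build_request(workspace_id, shared_key, records)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status      # 200 means accepted for ingestion


def custom_log_table(log_type):
    return f"{log_type}_CL"


def column_name(field, value):
    """Column a custom-log field gets: a type suffix inferred from the value
    (_b bool, _d number, _g GUID-shaped string, _t ISO 8601 string, _s other)."""
    if isinstance(value, bool):
        return f"{field}_b"
    if isinstance(value, (int, float)):
        return f"{field}_d"
    if isinstance(value, str) and _GUID.match(value):
        return f"{field}_g"
    if isinstance(value, str) and _ISO8601.match(value):
        return f"{field}_t"
    return f"{field}_s"


def projected_columns(record):
    """Map a webhook record to the column names the analytics rules use."""
    return {column_name(k, v): v for k, v in record.items()}
```

`projected_columns(SAMPLE_ALERT)` yields `IncidentHash_g`, `CanaryIP_s`, `CanaryPort_d` and so on, which is why the analytics rule templates below reference suffixed names; the Canary `Timestamp` value is not ISO 8601, so it lands as `Timestamp_s`. Because the signature covers the body length and the `x-ms-date` header, a captured request cannot be replayed with a different payload, but possession of the key itself is sufficient to forge any record.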
b. Configurations in Microsoft Sentinel
For Microsoft Sentinel some additional configuration is needed:
- Enable Microsoft Sentinel analytics rules that create alerts and incidents and that include the relevant entities.
- Use the templates below to import the Thinkst Canary analytics rules into your workspace. Before importing, replace `<YOUR-INSTANCE>` in each rule's `query` with your Canary console subdomain, and check the column names against the table the playbook actually creates (`Thinkst_Canary_CL | getschema`): the Data Collector API appends a type suffix to custom fields (`_s` for strings, `_g` for GUID-shaped strings, which is why the templates use `CanaryIP_s` and `IncidentHash_g`), whereas `SourceIP` and `SourceSystem` are referenced without one, and `SourceSystem` is also a standard Log Analytics column that records the ingestion source rather than a Canary field.
Thinkst Canary Token Sentinel Analytic Template:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f5c166e0-5e2c-4338-927b-ca43e11b2a20')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f5c166e0-5e2c-4338-927b-ca43e11b2a20')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "NRT",
      "apiVersion": "2022-09-01-preview",
      "properties": {
        "displayName": "Thinkst Canary Token Alert",
        "description": "Alert generated by Thinkst Canary deception token. This may indicate a document, secret, API key, command, or other file artifact has been interacted with. \n\nWhat are Canary Tokens:\n\nCanarytokens are a simple way to tripwire things. An old concept, they can be super useful (and are trivial to use) but require some background infrastructure to get working. We provide this infrastructure for you, so you can deploy tokens in seconds and get the benefit from them immediately.\n\nFor example, you may be familiar with tracking pixels; transparent 1x1 images embedded in emails that track a user upon opening. These work by embedding a unique URL in a page's image tag, and monitoring incoming GET requests.\n\nImagine doing that, but for file reads, database queries, process executions or patterns in log files. Canarytokens do all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.\n\nWhy does this matter?\n\nNetwork breaches happen. From mom and pop stores to mega-corps, and even governments. From unsuspecting grandmas to well known security pros. This sucks because it's commonly only found out about, months or years later.\n\nCanarytokens are a free, quick, painless way to help defenders discover they've been breached (by having attackers announce themselves.)",
        "severity": "High",
        "enabled": true,
        "query": "Thinkst_Canary_CL\r\n| extend AlertUrl = strcat('https://<YOUR-INSTANCE>.canary.tools/nest/incident/',replace_regex(IncidentHash_g,'-',''))\r\n| where AlertType_s =~ \"CanarytokenIncident\"",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Reconnaissance",
          "Discovery",
          "Exfiltration",
          "Impact",
          "InitialAccess"
        ],
        "techniques": [
          "T1595",
          "T1087",
          "T1526",
          "T1083",
          "T1135",
          "T1012",
          "T1018",
          "T0888",
          "T0846",
          "T0882",
          "T1078"
        ],
        "alertRuleTemplateName": null,
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "reopenClosedIncident": false,
            "lookbackDuration": "PT30M",
            "matchingMethod": "Selected",
            "groupByEntities": [],
            "groupByAlertDetails": [
              "DisplayName"
            ],
            "groupByCustomDetails": [
              "alertDescription"
            ]
          }
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "Thinkst Canary Token Alert: {{Description_s}}",
          "alertDescriptionFormat": "A Thinkst Canary Token has been interacted with. The alert relates to: {{Intro_s}}. The canary token details are: {{Reminder_s}}\n\nAdditional information regarding the alert can be found at: {{AlertUrl}}.",
          "alertDynamicProperties": []
        },
        "customDetails": {
          "additionalDetails": "AdditionalDetails_s",
          "alertType": "AlertType_s",
          "alertUrl": "AlertUrl",
          "canaryId": "CanaryID_s",
          "canaryIp": "CanaryIP_s",
          "clientName": "Flock_s",
          "alertDescription": "Description_s",
          "canaryTokenDetails": "Reminder_s",
          "alertDetailed": "Intro_s",
          "attackerIp": "SourceIP",
          "attackerSystem": "SourceSystem"
        },
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "SourceIP"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "SourceSystem"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "Token_s"
              }
            ]
          }
        ],
        "sentinelEntitiesMappings": [
          {
            "entityType": "SentinelEntities",
            "fieldMappings": [
              {
                "identifier": "Entities",
                "columnName": "Reminder_s"
              }
            ]
          },
          {
            "entityType": "SentinelEntities",
            "fieldMappings": [
              {
                "identifier": "Entities",
                "columnName": "AlertUrl"
              }
            ]
          }
        ]
      }
    }
  ]
}
```
Thinkst Canary Sentinel Analytic Template:
Note: the rule name used in this template's `id` and `name` fields (`f5c166e0-5e2c-4338-927b-ca43e11b22we`) is not a well-formed GUID and differs from the token rule's name only in its last characters. Generate a fresh GUID and substitute it in both fields before deploying, so the two rules cannot collide.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f5c166e0-5e2c-4338-927b-ca43e11b22we')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f5c166e0-5e2c-4338-927b-ca43e11b22we')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "NRT",
      "apiVersion": "2022-09-01-preview",
      "properties": {
        "displayName": "Thinkst Canary Alert",
        "description": "Alert generated by Thinkst Canary deception intrusion detection sensor.\n\nWhat are Thinkst Canaries?\n\nCanaries are intrusion detection honeypots configured and deployed throughout the network. (These can be hardware, virtual or cloud-based birds!) They can take the form of a Windows file server, a router, Linux webservers etc. Each one hosts realistic services and looks and acts like a real asset.\n\nThinkst Canaries run in the background, waiting for intruders. Attackers prowling a target network look for juicy content. They browse Active Directory for file servers and explore file shares looking for documents, try default passwords against network devices and web services, and scan for open services across the network.\n\nWhen they encounter a Thinkst Canary, the services on offer are designed to solicit further investigation, at which point they’ve betrayed themselves, and your Canary notifies you of the incident.\n\n",
        "severity": "High",
        "enabled": true,
        "query": "Thinkst_Canary_CL\r\n| extend AlertUrl = strcat('https://<YOUR-INSTANCE>.canary.tools/nest/incident/',replace_regex(IncidentHash_g,'-',''))\r\n| where AlertType_s !~ \"CanarytokenIncident\"",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Reconnaissance",
          "Discovery",
          "Exfiltration",
          "Impact",
          "InitialAccess"
        ],
        "techniques": [
          "T1595",
          "T1087",
          "T1526",
          "T1083",
          "T1046",
          "T1135",
          "T1012",
          "T1018",
          "T0888",
          "T0846",
          "T0882",
          "T1078"
        ],
        "alertRuleTemplateName": null,
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "reopenClosedIncident": false,
            "lookbackDuration": "PT30M",
            "matchingMethod": "Selected",
            "groupByEntities": [
              "IP",
              "Host"
            ],
            "groupByAlertDetails": [
              "DisplayName"
            ],
            "groupByCustomDetails": []
          }
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "Thinkst Canary Alert: {{Description_s}}",
          "alertDescriptionFormat": "A Thinkst Canary intrusion detection sensor has been interacted with. The alert relates to: {{Intro_s}}. The canary details are: {{Reminder_s}}\n\nAdditional information regarding the alert can be found at: {{AlertUrl}}.",
          "alertDynamicProperties": []
        },
        "customDetails": {
          "additionalDetails": "AdditionalDetails_s",
          "alertType": "AlertType_s",
          "alertUrl": "AlertUrl",
          "canaryId": "CanaryID_s",
          "canaryIp": "CanaryIP_s",
          "clientName": "Flock_s",
          "alertDescription": "Description_s",
          "canaryTokenDetails": "Reminder_s",
          "alertDetailed": "Intro_s",
          "attackerIp": "SourceIP",
          "attackerSystem": "SourceSystem",
          "alertTimestamp": "Timestamp_s"
        },
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "SourceIP"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "SourceSystem"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "CanaryIP_s"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "CanaryName_s"
              }
            ]
          }
        ],
        "sentinelEntitiesMappings": [
          {
            "entityType": "SentinelEntities",
            "fieldMappings": [
              {
                "identifier": "Entities",
                "columnName": "AlertUrl"
              }
            ]
          }
        ]
      }
    }
  ]
}
```
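The following is an added example covering both analytics rule templates above; it is not part of the Thinkst Canary solution. It replays the two NRT rules' filter and display logic in Python over constructed `Thinkst_Canary_CL` rows, so you can see how a row is routed to exactly one rule (the `=~` / `!~` pair is case-insensitive and complementary), how `AlertUrl` is derived from `IncidentHash_g` (and what happens when the hash is missing), how the `{{Column}}` placeholders in `alertDetailsOverride` are filled, and which columns feed each rule's entity mappings. The rows, their values and `YOUR-INSTANCE` are placeholders; the column names and formats are taken from the templates.

```python
"""Added example (not from the Thinkst Canary solution): the filter and display
logic of the two NRT rules, replayed over constructed Thinkst_Canary_CL rows."""
import re

CANARY_INSTANCE = "YOUR-INSTANCE"   # placeholder, as in the KQL: your console subdomain

# Constructed rows using the column names the templates reference; values invented.
ROWS = [
    {"AlertType_s": "CanarytokenIncident", "Description_s": "Canarytoken triggered",
     "Intro_s": "A Canarytoken was triggered.", "Reminder_s": "Payroll spreadsheet",
     "IncidentHash_g": "8f5f1c9e-2d7a-4b0e-9c3e-1a2b3c4d5e6f",
     "SourceIP": "203.0.113.77", "SourceSystem": "RestAPI", "Token_s": "payroll-2024.xlsx",
     "CanaryIP_s": "", "CanaryName_s": ""},
    {"AlertType_s": "CanaryIncident", "Description_s": "Host Port Scan",
     "Intro_s": "A host port scan was performed.", "Reminder_s": "finance file server",
     "IncidentHash_g": "0a1b2c3d-4e5f-4a6b-8c9d-0e1f2a3b4c5d",
     "SourceIP": "198.51.100.9", "SourceSystem": "RestAPI", "Token_s": "",
     "CanaryIP_s": "10.0.0.5", "CanaryName_s": "finance-fs01"},
    # Case variant with no incident hash: =~ is case-insensitive, so it still hits the token rule.
    {"AlertType_s": "canarytokenincident", "Description_s": "Canarytoken triggered",
     "Intro_s": "", "Reminder_s": "", "IncidentHash_g": None,
     "SourceIP": "", "SourceSystem": "RestAPI", "Token_s": "aws-keys.txt",
     "CanaryIP_s": "", "CanaryName_s": ""},
]

_PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def alert_url(row, instance=CANARY_INSTANCE):
    """| extend AlertUrl = strcat('https://<inst>.canary.tools/nest/incident/',
                                  replace_regex(IncidentHash_g,'-',''))"""
    incident = re.sub(r"-", "", row.get("IncidentHash_g") or "")
    return f"https://{instance}.canary.tools/nest/incident/{incident}"


def is_token_incident(row):
    """| where AlertType_s =~ "CanarytokenIncident"  (case-insensitive equality)"""
    return (row.get("AlertType_s") or "").casefold() == "canarytokenincident"


def render(fmt, row):
    """Fill {{Column}} placeholders as alertDetailsOverride does; a missing or
    empty column renders as an empty string rather than failing."""
    return _PLACEHOLDER.sub(lambda m: str(row.get(m.group(1)) or ""), fmt)


RULES = [
    {   # Thinkst Canary Token Alert: AlertType_s =~ "CanarytokenIncident"
        "displayName": "Thinkst Canary Token Alert",
        "predicate": is_token_incident,
        "title": "Thinkst Canary Token Alert: {{Description_s}}",
        "description": ("A Thinkst Canary Token has been interacted with. The alert relates to: "
                        "{{Intro_s}}. The canary token details are: {{Reminder_s}}\n\n"
                        "Additional information regarding the alert can be found at: {{AlertUrl}}."),
        "entities": [("IP", "SourceIP"), ("Host", "SourceSystem"), ("File", "Token_s")],
    },
    {   # Thinkst Canary Alert: AlertType_s !~ "CanarytokenIncident"
        "displayName": "Thinkst Canary Alert",
        "predicate": lambda row: not is_token_incident(row),
        "title": "Thinkst Canary Alert: {{Description_s}}",
        "description": ("A Thinkst Canary intrusion detection sensor has been interacted with. "
                        "The alert relates to: {{Intro_s}}. The canary details are: {{Reminder_s}}\n\n"
                        "Additional information regarding the alert can be found at: {{AlertUrl}}."),
        "entities": [("IP", "SourceIP"), ("Host", "SourceSystem"),
                     ("IP", "CanaryIP_s"), ("Host", "CanaryName_s")],
    },
]


def evaluate(rows, instance=CANARY_INSTANCE):
    """One alert per matching row (aggregationKind AlertPerResult)."""
    alerts = []
    for row in rows:
        row = dict(row, AlertUrl=alert_url(row, instance))   # the "| extend" step
        for rule in RULES:
            if rule["predicate"](row):
                alerts.append({
                    "rule": rule["displayName"],
                    "title": render(rule["title"], row),
                    "description": render(rule["description"], row),
                    # Blank columns are skipped so they do not become empty entities.
                    "entities": [(kind, row[col]) for kind, col in rule["entities"] if row.get(col)],
                })
    return alerts


def rules_partition(rows):
    """True when every row is matched by exactly one of the two rules, so no
    Canary alert is double-counted or silently dropped."""
    return all(sum(1 for r in RULES if r["predicate"](row)) == 1 for row in rows)
```

`evaluate(ROWS)` returns three alerts, the first and third from the token rule and the second from the device rule. The third row shows the failure mode worth knowing about: with `IncidentHash_g` empty, the `AlertUrl` is still built but ends at `/nest/incident/`, so the link in the alert description points at nothing useful; if you see that in production, check the ingested columns with `getschema` before assuming the Canary did not send a hash.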
c. Configurations in Thinkst Canary
Configure your Canary Console. Head over to your Console Global Settings.
Scroll down and expand Webhooks, select the + button on the Generic webhook option and paste your listener URL (the Logic App webhook URL from the playbook) into the text field. Finally, click Add.
Your webhook has now been added globally to your Console and alert data will be sent to Sentinel.
Note: Webhooks can be configured on a per-flock basis too; a guide is available here.
Querying alert data. Head over to your Sentinel Log Analytics workspace.
Select Logs; once the first alert has been ingested, a new entry appears under Custom Logs (Thinkst_Canary_CL, the table the analytics rules query), and this table can be queried for your Canary Console alerts.
Double-clicking the table name pre-populates it in your search query and shows recent alerts.
You're done! ;-)