secops4thewin / TA-canary Public

Notifications You must be signed in to change notification settings
Fork 3
Star 2

This Splunk add on collects Canary.tools device data through APIs and allow you to programatically delete and acknowledge tickets.

GPL-3.0 license

2 stars 3 forks Branches Tags Activity

Notifications

Name		Name	Last commit message	Last commit date
Latest commit History 12 Commits
README		README
appserver		appserver
bin		bin
default		default
local		local
metadata		metadata
static		static
LICENSE		LICENSE
README.md		README.md
README.txt		README.txt
TA-canary-1.1.spl		TA-canary-1.1.spl
TA-canary.aob_meta		TA-canary.aob_meta
aob_events_in_meta.json		aob_events_in_meta.json
app.manifest		app.manifest

Repository files navigation

Thinkst Canary AddOn For Splunk

Canary About

Most companies find out way too late that they have been breached. Even with millions of dollars invested in security, over-worked admins and ignored alerts do little to help.

But what if there were a simpler, more reliable signal than malware signatures? Wouldn't you want to know if someone was opening 'passwords.xls' on \NetworkTeam_FS1, or brute-forcing an SSH server on your DataBase segment?

Thinkst Canary can be deployed in under 3 minutes (even on complex networks) and is a clear, high quality marker of compromise. Know. When it Matters.

Overview

This Add-On allows the analyst to collect data from the Canary Tools API. In addition, Adaptive response actions have been provisioned to allow you to automate responses to alerts

Thinkst Canary AddOn For Splunk

This Add-On requires access to the Canary Tools API and for the API to be enabled within your Canary Console and the Splunk Common Information Model App located here. In addition a heavy forwarder will need to be setup as this will act as the server that collects data for indexing.

Features

Collect data related to incidents
Collect data related to devices
Collect data related to tokens
Adaptive Response Action to acknowledge incidents
Adaptive Response Action to delete incidents
CIM Mapping to Intrusion Detection to enable integration with Splunk Enterprise Security

Setup

Canary Tools Setup

Visit your canary console by going to https://yourconsole.canary.tools/settings
Scroll down to API and click on.
Enter your password at the top of the page twice
Click Save
Take note of the generated API key. You will need this.

Splunk Installation

Git clone this directory 'git clone https://github.com/secops4thewin/TA-canary'
Install the add-on to the indexer, heavy forwarder and search head in your Splunk environment
On the Search Head open a browser to to http://yoursplunkserver:8000/en-GB/app/TA-canary/configuration
Enable a proxy if it is required
Click Add-on Settings and enter the API Key from Step 5 above.
Enter your Canary Domain, if your full domain is https://yourconsole.canary.tools/ then use 'yourconsole'.
Click Save
Repeat steps 4-7 on the heavy forwarder.
If you have proxy rules allow https://*.canary.tools/ from your Search Head and Heavy Forwarder

Release Notes

1.0.0 Initial release with API functionality

About

This Splunk add on collects Canary.tools device data through APIs and allow you to programatically delete and acknowledge tickets.

GPL-3.0 license

Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

Languages

Python 99.7%
Other 0.3%