Overview
This topic describes the steps to configure the Thinkst Canary Feed.
Prerequisites
You need Administrator login credentials.
Auth Token Configuration in Thinkst Canary
1. Log in to the Thinkst Canary console.
2. On the top panel, click the gear icon and go to Global Settings.
3. In Global Settings, click the API section.
4. Turn on the Enabled toggle.
5. Click the + button and fill in the fields:
   API Key type: Admin
   Name: SIEM Integration
6. Click Create.
Copy the Domain Hash, Key ID and Auth Token and save them on your local machine.
Configure Thinkst Canary in Feeds
1. Go to Feeds under Settings.
2. Click on ADD NEW.
3. To add a feed, enter a Feed Name and select a Source Type and Log Type.
4. Click Next.
5. Add the required fields, for example:
   AUTHENTICATION HTTP HEADER: auth_token:key
   API HOSTNAME: xxxxxxxxx.canary.tools
6. Click Next, then Submit.
Once the configuration is complete, validate the logs in Chronicle by searching with the regular expression (".*") or with a specific hostname. The search returns the log source types that are being ingested into Chronicle. The screenshot below is for reference.
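Before the values from step 5 are entered into the feed form, they can be checked against the console directly. The following Python is an added example, not part of the original article or of Thinkst or Chronicle code: it validates the two fields and sends the token in the auth_token header shown above. The /api/v1/ping path, its {"result": "success"} reply, the hostname pattern and the function names are assumptions.

```python
import json
import re
import urllib.error
import urllib.request

# Assumption: console hostnames have the form <domain hash>.canary.tools.
HOST_RE = re.compile(r"^[a-z0-9]+\.canary\.tools$")


def feed_fields(hostname, token):
    """Validate and normalise the two values the feed form asks for."""
    hostname, token = hostname.strip().lower(), token.strip()
    if not HOST_RE.match(hostname):
        raise ValueError("API HOSTNAME must be <domain hash>.canary.tools, no scheme or path")
    if set(hostname.split(".")[0]) == {"x"}:
        raise ValueError("API HOSTNAME is still the documentation placeholder")
    # A ':' usually means the whole 'auth_token:key' pair was pasted as the token.
    if not token or re.search(r"[\s:]", token):
        raise ValueError("auth token is empty or contains whitespace or ':'")
    return hostname, {"auth_token": token}


def http_get(url, headers):
    """Default transport: returns (status, body), also for HTTP error statuses."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def check_token(hostname, token, fetch=http_get):
    """Return 'ok', 'rejected' or 'unexpected'; the token is never echoed."""
    host, headers = feed_fields(hostname, token)
    # Assumed connectivity-test endpoint of the Canary API.
    status, body = fetch(f"https://{host}/api/v1/ping", headers)
    if status in (401, 403):
        return "rejected"
    try:
        ok = status == 200 and json.loads(body).get("result") == "success"
    except (ValueError, AttributeError):
        ok = False
    return "ok" if ok else "unexpected"
```

Call check_token() with the saved hostname and Auth Token; "rejected" means the key was not accepted, and a ValueError points at a field that was pasted incorrectly.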