Publisher: Splunk Community
Connector Version: 2.0.0
Product Vendor: ThinkST
Product Name: Canary
Product Version Supported (regex): ".*"
Minimum Product Version: 5.1.0
This app supports ingestion, investigative, containment and acknowledgement actions against the ThinkST Canary API service.
The configuration variables below are required for this connector to operate. They are specified when configuring a Canary asset in SOAR.
VARIABLE | REQUIRED | TYPE | DESCRIPTION |
---|---|---|---|
domain | required | string | The per-customer subdomain of your Canary console, i.e. the *domain* part of https://*domain*.canary.tools (not the full URL) |
api_key | required | password | API key generated in the Canary console |
test connectivity - Validate the asset configuration for connectivity using supplied configuration
on poll - Ingest unacknowledged incidents from Canary
update incident - Acknowledge existing Canary incident
add ip ignorelist - Add new IP to Canary global Ignore List
remove ip ignorelist - Remove IP from Canary global Ignore List
test ip ignorelist - Test if IP has been globally ignored
list incidents - Get the list of existing Canary Incidents
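The following Python client is an added example, not the connector's own code. It shows how the two configuration variables (`domain`, `api_key`) become authenticated calls for each of the listed actions, and it validates an address before it is added to the global ignore list, since an ignore-list entry silently suppresses every alert from that source. The endpoint paths, parameter names and auth header (`ping`, `incidents/unacknowledged`, `incident/acknowledge`, `settings/ignorelist/add_ip`, `settings/ignorelist/remove_ip`, `settings/ignorelist/is_ip_ignored`, the `incident` and `src_ip` parameters, and `X-Canary-Auth-Token`) are taken from the public Canary API rather than from this page, so confirm them against your console's API documentation. `offline_console` is a constructed stand-in for a console so the code runs without network access.

```python
"""Added example: an offline-testable client for the Canary calls this connector makes.

Not the connector's own code. Endpoint paths, parameter names and the auth header
are assumed from the public Canary API; they are not stated on this page.
"""
import ipaddress
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def ignore_entry_problem(ip):
    """Return why `ip` should not go on the global ignore list, or None if it is fine.

    An ignore-list entry suppresses every alert from that source, so a typo or a
    nonsensical address blinds the deployment instead of just failing.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return f"{ip!r} is not a single IPv4/IPv6 address"
    if addr.is_unspecified or addr.is_multicast or addr.is_loopback:
        return f"{ip} is unspecified, multicast or loopback; refusing"
    return None


class CanaryClient:
    def __init__(self, domain, api_key, transport=None):
        # `domain` is only the *domain* part of https://<domain>.canary.tools,
        # so reject anything that could change the host we talk to.
        if not domain or not domain.replace("-", "").isalnum():
            raise ValueError("domain must be the bare console subdomain")
        self.base = f"https://{domain}.canary.tools/api/v1/"
        self.api_key = api_key
        # transport(method, url, headers, body) -> (status, body_bytes); injected so
        # the client can be exercised against a fake console without network access.
        self.transport = transport or self._urllib_transport

    @staticmethod
    def _urllib_transport(method, url, headers, body):
        req = Request(url, data=body, headers=headers, method=method)
        with urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()

    def _call(self, method, path, params=None):
        # Send the key as a header (assumed: X-Canary-Auth-Token) rather than as an
        # auth_token query parameter, so it is not written to proxy/web-server logs.
        headers = {"X-Canary-Auth-Token": self.api_key, "Accept": "application/json"}
        url, body = self.base + path, None
        if params:
            encoded = urlencode(params)
            if method == "GET":
                url += "?" + encoded
            else:
                body = encoded.encode()
                headers["Content-Type"] = "application/x-www-form-urlencoded"
        status, raw = self.transport(method, url, headers, body)
        if status != 200:
            raise RuntimeError(f"{path}: HTTP {status}")
        data = json.loads(raw)
        if data.get("result") != "success":
            raise RuntimeError(f"{path}: {data.get('message', data)}")
        return data

    def ping(self):                       # test connectivity
        return self._call("GET", "ping")["result"] == "success"

    def unacknowledged_incidents(self):   # on poll / list incidents
        return self._call("GET", "incidents/unacknowledged").get("incidents", [])

    def acknowledge(self, incident_key):  # update incident
        return self._call("POST", "incident/acknowledge", {"incident": incident_key})

    def add_ignore(self, ip):             # add ip ignorelist (validated first)
        problem = ignore_entry_problem(ip)
        if problem:
            raise ValueError(problem)
        return self._call("POST", "settings/ignorelist/add_ip", {"src_ip": ip})

    def remove_ignore(self, ip):          # remove ip ignorelist
        return self._call("POST", "settings/ignorelist/remove_ip", {"src_ip": ip})

    def is_ignored(self, ip):             # test ip ignorelist
        data = self._call("GET", "settings/ignorelist/is_ip_ignored", {"src_ip": ip})
        return bool(data.get("is_ip_ignored"))


# Constructed stand-in for a console, used only for the offline demonstration.
def offline_console(method, url, headers, body):
    if headers.get("X-Canary-Auth-Token") != "demo-key":
        return 403, b'{"result":"error","message":"Invalid auth_token"}'
    path = url.split("/api/v1/", 1)[1].split("?", 1)[0]
    replies = {
        "ping": {"result": "success"},
        "incidents/unacknowledged": {"result": "success", "incidents": [{"id": "incident:demo:1"}]},
        "incident/acknowledge": {"result": "success", "action": "acknowledged"},
        "settings/ignorelist/add_ip": {"result": "success"},
        "settings/ignorelist/remove_ip": {"result": "success"},
        "settings/ignorelist/is_ip_ignored": {"result": "success",
                                              "is_ip_ignored": "203.0.113.7" in url},
    }
    return 200, json.dumps(replies[path]).encode()


if __name__ == "__main__":
    c = CanaryClient("abc123", "demo-key", transport=offline_console)
    print(c.ping(), c.is_ignored("203.0.113.7"), c.is_ignored("198.51.100.9"))
```

Because `transport` is injectable, the same class can be driven by a recorded console session in a unit test and by `urllib` in production; the address check runs before any request is made, so a bad `ip_address` parameter never reaches the console.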
Validate the asset configuration for connectivity using supplied configuration
Type: test
Read only: True
No parameters are required for this action
No Output
Ingest unacknowledged incidents from Canary
Type: ingest
Read only: True
No parameters are required for this action
No Output
Acknowledge existing Canary incident
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
incident | required | The incident key of an existing Incident | string | |
incident_state | required | State to set on the incident | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.incident | string | |
action_result.parameter.incident_state | string | |
action_result.data | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Add new IP to Canary global Ignore List
Type: contain
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip_address | required | IP Address to add to global Ignore List | string | ip |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.data.* | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
action_result.summary | string | |
action_result.parameter.ip_address | string | ip |
Remove IP from Canary global Ignore List
Type: contain
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip_address | required | IP Address to remove from global Ignore List | string | ip |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.data.* | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
action_result.summary | string | |
action_result.parameter.ip_address | string | ip |
Test if IP has been globally ignored
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip_address | required | IP Address to test on global Ignore List | string | ip |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.data.* | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
action_result.summary | string | |
action_result.parameter.ip_address | string | ip |
Get the list of existing Canary Incidents
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
incident_state | required | State of incidents to list | string | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.incident_state | string | |
action_result.data.*.devices.*.description.acknowledged | string | |
action_result.data.*.devices.*.description.created | string | |
action_result.data.*.devices.*.description.created_std | string | |
action_result.data.*.devices.*.description.description | string | |
action_result.data.*.devices.*.description.dst_host | string | ip |
action_result.data.*.devices.*.description.dst_port | string | |
action_result.data.*.devices.*.description.events.*.HOSTNAME | string | ip host name |
action_result.data.*.devices.*.description.events.*.PASSWORD | string | |
action_result.data.*.devices.*.description.events.*.PATH | string | |
action_result.data.*.devices.*.description.events.*.SETTINGS | string | |
action_result.data.*.devices.*.description.events.*.SKIN | string | |
action_result.data.*.devices.*.description.events.*.USERAGENT | string | |
action_result.data.*.devices.*.description.events.*.USERNAME | string | user name |
action_result.data.*.devices.*.description.events.*.timestamp | numeric | |
action_result.data.*.devices.*.description.events.*.timestamp_std | string | |
action_result.data.*.devices.*.description.events_count | string | |
action_result.data.*.devices.*.description.ip_address | string | |
action_result.data.*.devices.*.description.ippers | string | |
action_result.data.*.devices.*.description.local_time | string | |
action_result.data.*.devices.*.description.logtype | string | |
action_result.data.*.devices.*.description.mac_address | string | |
action_result.data.*.devices.*.description.name | string | |
action_result.data.*.devices.*.description.node_id | string | |
action_result.data.*.devices.*.description.notified | string | |
action_result.data.*.devices.*.description.src_host | string | ip |
action_result.data.*.devices.*.description.src_host_reverse | string | |
action_result.data.*.devices.*.description.src_port | string | |
action_result.data.*.devices.*.id | string | |
action_result.data.*.devices.*.summary | string | |
action_result.data.*.devices.*.updated | string | |
action_result.data.*.devices.*.updated_id | numeric | |
action_result.data.*.devices.*.updated_std | string | |
action_result.data.*.feed | string | |
action_result.data.*.incidents.*.description.acknowledged | string | |
action_result.data.*.incidents.*.description.created | string | |
action_result.data.*.incidents.*.description.created_std | string | |
action_result.data.*.incidents.*.description.description | string | |
action_result.data.*.incidents.*.description.dst_host | string | ip |
action_result.data.*.incidents.*.description.dst_port | string | |
action_result.data.*.incidents.*.description.events.*.HOSTNAME | string | ip host name |
action_result.data.*.incidents.*.description.events.*.PASSWORD | string | |
action_result.data.*.incidents.*.description.events.*.PATH | string | |
action_result.data.*.incidents.*.description.events.*.SETTINGS | string | |
action_result.data.*.incidents.*.description.events.*.SKIN | string | |
action_result.data.*.incidents.*.description.events.*.USERAGENT | string | |
action_result.data.*.incidents.*.description.events.*.USERNAME | string | user name |
action_result.data.*.incidents.*.description.events.*.timestamp | numeric | |
action_result.data.*.incidents.*.description.events.*.timestamp_std | string | |
action_result.data.*.incidents.*.description.events_count | string | |
action_result.data.*.incidents.*.description.ip_address | string | |
action_result.data.*.incidents.*.description.ippers | string | |
action_result.data.*.incidents.*.description.local_time | string | |
action_result.data.*.incidents.*.description.logtype | string | |
action_result.data.*.incidents.*.description.mac_address | string | |
action_result.data.*.incidents.*.description.name | string | |
action_result.data.*.incidents.*.description.node_id | string | |
action_result.data.*.incidents.*.description.notified | string | |
action_result.data.*.incidents.*.description.src_host | string | ip |
action_result.data.*.incidents.*.description.src_host_reverse | string | |
action_result.data.*.incidents.*.description.src_port | string | |
action_result.data.*.incidents.*.id | string | |
action_result.data.*.incidents.*.summary | string | |
action_result.data.*.incidents.*.updated | string | |
action_result.data.*.incidents.*.updated_id | numeric | |
action_result.data.*.incidents.*.updated_std | string | |
action_result.data.*.max_updated_id | numeric | |
action_result.data.*.result | string | |
action_result.data.*.updated | string | |
action_result.data.*.updated_std | string | |
action_result.data.*.updated_timestamp | numeric | |
action_result.summary.count | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
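The data paths above describe what a `list incidents` (and `on poll`) result looks like. The following Python is an added example, not the connector's own code, of turning that structure into SOAR containers and artifacts. It makes two points the table alone does not: the `events.*.PASSWORD` field holds whatever the attacker typed into the decoy, which may be a real credential and must not be copied verbatim into a case, and the unacknowledged feed returns the same incidents on every poll until they are acknowledged, so `updated_id` / `max_updated_id` should be used as a cursor to avoid duplicate containers. `SAMPLE_LISTING` is constructed for the demonstration; its values are not real incident data.

```python
"""Added example: turn a `list incidents` / `on poll` result into SOAR containers.

Not the connector's own code. The input shape follows the data paths documented
on the page; SAMPLE_LISTING is constructed for the demonstration.
"""
import hashlib

# Event fields a Canary captures verbatim from the attacker. A real credential typed
# into a honeypot must not land in a case where every analyst can read it, so these
# are fingerprinted instead of stored.
SECRET_EVENT_FIELDS = ("PASSWORD",)

SAMPLE_LISTING = {  # constructed sample, shaped after the documented data paths
    "result": "success",
    "feed": "Unacknowledged Incidents",
    "max_updated_id": 1432,
    "updated_std": "2023-05-02 10:15:21 UTC+0000",
    "incidents": [{
        "id": "incident:httplogin:0000deadbeef:203.0.113.7:1683022501",
        "summary": "HTTP Login Attempt",
        "updated_id": 1432,
        "updated_std": "2023-05-02 10:15:10 UTC+0000",
        "description": {
            "acknowledged": "False", "created": "1683022501",
            "created_std": "2023-05-02 10:15:01 UTC+0000",
            "description": "HTTP Login Attempt", "name": "fileserver-01",
            "node_id": "0000deadbeef", "logtype": "3001", "notified": "True",
            "src_host": "203.0.113.7", "src_port": "51514", "src_host_reverse": "",
            "dst_host": "10.20.30.40", "dst_port": "80", "events_count": "2",
            "events": [
                {"HOSTNAME": "intranet.example.internal", "PATH": "/login.html",
                 "USERNAME": "jdoe", "PASSWORD": "Winter2023!",
                 "USERAGENT": "Mozilla/5.0", "timestamp": 1683022501},
                {"HOSTNAME": "intranet.example.internal", "PATH": "/login.html",
                 "USERNAME": "administrator", "PASSWORD": "Password1",
                 "USERAGENT": "Mozilla/5.0", "timestamp": 1683022510},
            ],
        },
    }],
}


def redact_event(event):
    """Replace secret fields with a truncated SHA-256 fingerprint.

    The fingerprint lets the same password be correlated across incidents without
    storing it, but a weak password is still recoverable from the hash by guessing;
    drop the field entirely if that is not acceptable in your environment.
    """
    out = dict(event)
    for field in SECRET_EVENT_FIELDS:
        if out.get(field):
            digest = hashlib.sha256(out[field].encode()).hexdigest()
            out[field] = "sha256:" + digest[:16]
    return out


def incident_to_container(incident):
    """Map one incident to a SOAR container plus one CEF artifact per event."""
    d = incident["description"]
    container = {
        "name": f"{d['description']} on {d['name']} from {d['src_host']}",
        "source_data_identifier": incident["id"],
        "severity": "high",  # any Canary trigger is a real touch of a decoy
        "description": incident.get("summary", ""),
        "data": {"logtype": d.get("logtype"), "node_id": d.get("node_id"),
                 "updated_id": incident.get("updated_id")},
    }
    artifacts = []
    for i, raw in enumerate(d.get("events", []), start=1):
        ev = redact_event(raw)
        cef = {
            "sourceAddress": d.get("src_host"), "sourcePort": d.get("src_port"),
            "destinationAddress": d.get("dst_host"), "destinationPort": d.get("dst_port"),
            "destinationHostName": ev.get("HOSTNAME"), "suser": ev.get("USERNAME"),
            "requestURL": ev.get("PATH"), "requestClientApplication": ev.get("USERAGENT"),
            "canaryPasswordFingerprint": ev.get("PASSWORD"),
        }
        artifacts.append({
            "name": f"event {i} of {d.get('events_count', '?')}",
            "label": "event",
            "source_data_identifier": f"{incident['id']}#{ev.get('timestamp', i)}",
            "cef": {k: v for k, v in cef.items() if v},
        })
    return container, artifacts


def ingest(listing, last_updated_id=0):
    """Return ([(container, artifacts), ...], new_cursor).

    The unacknowledged feed keeps returning an incident until someone acknowledges
    it, so updated_id / max_updated_id serve as a cursor between polls.
    """
    out = []
    for inc in listing.get("incidents", []):
        if inc.get("updated_id", 0) <= last_updated_id:
            continue
        out.append(incident_to_container(inc))
    cursor = max(last_updated_id, listing.get("max_updated_id", last_updated_id))
    return out, cursor
```

Persist the returned cursor in the asset state between polls and pass it back in as `last_updated_id`; the `source_data_identifier` values are derived from the incident key and event timestamp so SOAR's own de-duplication also holds if the cursor is lost.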