
Thinkst Canary integration overview

You can integrate Thinkst Canary with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives you an overview of the integration.

Thinkst Canary product overview

Thinkst Canary offers honeypots and tokens designed to detect intruders in your environment. By mimicking genuine assets, Canaries attract attackers, triggering alerts when interacted with. These high-fidelity alerts give security teams early warning of potential breaches with minimal false positives.

Sophos documents

Integrate Thinkst Canary

What we ingest

Sample alerts seen by Sophos:

  • Host Port Scan
  • Canarytoken triggered
  • Canary Disconnected
  • SSH Login Attempt
  • Shared File Opened
  • Consolidated Network Port Scan
  • Multiple Canaries Disconnected
  • MSSQL Login Attempt
  • FTP Login Attempt
  • Git Repository Clone Attempt
  • HTTP Page Load

Filtering

We filter messages as follows:

  • We ALLOW only messages that are in the correct format.
  • We DENY messages that aren't in the correct format, but we don't DROP the data.

Sample threat mappings

We define the alert type as follows:

If the field description.events exists and has a length greater than 0, and the first entry in description.events has a type field, concatenate the field summary with the type of that first entry.

If the field description.events doesn't exist or has a length of 0, use the field summary instead.

Sample mappings:

{"alertType": "MySQL Login Attempt", "threatId": "TA0008", "threatName": "Lateral Movement"}
{"alertType": "TFTP request", "threatId": "T1046", "threatName": "Network Service Scanning"}
{"alertType": "Canary Disconnected", "threatId": "T1489", "threatName": "Service Stop"}
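The alert-type rule above and the sample mappings, implemented as an added example (this is not Sophos' or Thinkst's code). The single-space separator in the concatenation and the sample alert payloads are assumptions; the page only says "concatenate" and does not show raw Canary alerts.

```python
"""Added example: derive alertType as the page describes and look it up
in the page's three sample threat mappings."""
from typing import Any, Optional

# The three sample mappings quoted on the page, keyed by alertType.
SAMPLE_MAPPINGS = {
    "MySQL Login Attempt": {"threatId": "TA0008", "threatName": "Lateral Movement"},
    "TFTP request": {"threatId": "T1046", "threatName": "Network Service Scanning"},
    "Canary Disconnected": {"threatId": "T1489", "threatName": "Service Stop"},
}


def derive_alert_type(alert: dict[str, Any]) -> str:
    """Return alertType per the page's rule.

    If description.events exists, is non-empty and its first entry has a
    `type`, the result is `summary` concatenated with that type; otherwise
    it is `summary` alone. The single-space separator is an assumption.
    """
    summary = str(alert.get("summary", ""))
    events = (alert.get("description") or {}).get("events")
    if isinstance(events, list) and len(events) > 0:
        first = events[0] if isinstance(events[0], dict) else {}
        event_type = first.get("type")
        if event_type:
            return f"{summary} {event_type}"
    return summary


def map_threat(alert: dict[str, Any]) -> Optional[dict[str, str]]:
    """Return the mapping record for the alert, or None if alertType is unmapped."""
    alert_type = derive_alert_type(alert)
    mapping = SAMPLE_MAPPINGS.get(alert_type)
    if mapping is None:
        return None
    return {"alertType": alert_type, **mapping}


# Constructed sample alerts (not real Canary output), one per branch of the rule.
ALERT_NO_EVENTS = {"summary": "Canary Disconnected", "description": {"events": []}}
ALERT_WITH_EVENT = {"summary": "MySQL", "description": {"events": [{"type": "Login Attempt"}]}}
ALERT_NO_DESCRIPTION = {"summary": "TFTP request"}

if __name__ == "__main__":
    for alert in (ALERT_NO_EVENTS, ALERT_WITH_EVENT, ALERT_NO_DESCRIPTION):
        print(derive_alert_type(alert), "->", map_threat(alert))
```

An alert whose derived alertType has no entry in the mapping table returns None, which is where a real pipeline would fall back to a default or unmapped category.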

Vendor documentation