Your Canary Console can feed alerts into Google SecOps using a SOAR integration. This guide assumes that you already have a Google SecOps instance running, and that you are signed in on the platform. This integration uses the Canary Console API; more information here.
Prerequisites
- A Google SecOps account
- Your Canary Console hash - the part before canary.tools in your console URL. Also available on the API settings tab (1)
- A Canary Console API token with at least Analyst type permissions (3), which you can create from your Console (2)
Adding the integration from the content-hub
The Thinkst SOAR Integration can be added from the online marketplace, called the "Content Hub". This can be accessed by going to the Hamburger menu -> Content Hub (1).
Search for Thinkst under the Integrations tab (2).
You can then install (3) the Thinkst Console Integration on Google SecOps.
Configuring the Integration
To configure the integration you need your Canary Console Hash, and an API key, with at least the Analyst permissions. Follow this guide to get your API configuration.
Now in Google SecOps you can configure (1) the integration from the "installed" integrations section.
Here, you add your API Key (1) and Canary Console Hash (2), and leave the Verify SSL (3) checkbox ticked. Next, click on Save (5).
After you have clicked on Save, the Test (4) button will become available; click on this to make sure that the Canary Console API is reachable.
This takes care of adding the integration. Next, you have to add and configure the Connector - this is the component that actively polls the Canary Console API and converts incidents into Google SecOps Cases with Alerts and associated Events.
Adding and configuring the connector
To add the Connector you once again go to the Hamburger menu -> Settings -> SOAR Settings (1)
From the SOAR Settings menu you need to go to Ingestion -> Connectors (1) -> Create New Connector (the '+' button) (2)
In the Add Connector box that pops up, look for the Thinkst - Alert connector option (1), and click on Create (2).
This will take you to the configuration window for the Connector, which contains numerous parameters. Do not worry, most settings stay untouched!
Firstly, add your API key (1) and Console Hash (2). They are the same hash and key you used in the Configuring the Integration step. Verify SSL should be left checked (3).
Next, consider toggling the Ignore Informative (4) checkbox. If this setting is checked, the connector will not generate Cases for operational alerts, such as Canary Console settings changing or devices connecting/disconnecting. If you are unsure, leave this unchecked to get all alerts.
Leave the rest of the settings as-is; they are for internal Google SecOps use.
Next, you can Enable (1) the connector by clicking on the toggle in the top-left, and then click on Save (2).
That's it! Any new alerts on the Canary Console will now show up as a Google SecOps Case after a short delay (~1 minute).
Looking at an example
This is not a complete guide on the Google SecOps interface, but just a quick look at what you can expect an alert to look like. Go to the Hamburger menu -> Cases (1).
This will load the page shown below, displaying all Google SecOps cases, including those from the Canary Console. Take a look at the SSH Login Attempt as an example (1):
There are numerous pieces of information that can be examined, but two key points are highlighted here.
First, let's examine Entities (1). If you scroll down on the main Overview page there is an entry called Entities Highlights. These are hostnames and IP Addresses extracted from the alert, and can be used in further Google SecOps processing.
The next useful thing to look at is the Event data. Most of the information you are used to finding on your Canary Console can also be found by going to the Events (1) tab.
This displays the various events associated with this specific SSH Login Attempt incident. When you click on one of these events (1), detailed information about the event is displayed on the right-hand side (2), where you can find information similar to what is available on the Canary Console. The screenshot below only shows some of the fields; more can be revealed by scrolling down.
The acknowledge action
The integration also contains one Action, which allows you to Acknowledge an alert on the Canary Console. When looking at cases there is a Manual Action button (1), looking like a gear wheel with an embedded play button.
When you select Run Manual Action, an action window will open. Go to THINKST -> Acknowledge Console Alert (1). Select All Entities (2) in the Group field. Leave the rest of the settings at their defaults; they are not applicable for this Action. Then click on Execute (3).
This will send an Acknowledge event through the Canary Console API, marking the incident as acknowledged on the Thinkst Canary Console.
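The following is an added example, not code from Thinkst or Google, that models in Python what the connector and the Acknowledge action described above do with a Canary incident: the Test-style ping URL, the Ignore Informative filter, the Entities Highlights extraction of hostnames and IP addresses, and the acknowledge request. The incident field names, the INFORMATIVE alert names and the ping/acknowledge endpoint paths are assumptions, and the two sample incidents are constructed.

```python
# Added example (not Thinkst's or Google's code): a small model of what the
# Thinkst connector does with a Canary incident. Incident field names and the
# ping/acknowledge endpoints are assumptions; the sample incidents are constructed.
import ipaddress
from typing import Optional
from urllib.parse import urlencode

INFORMATIVE = {"Console Settings Changed", "Canary Disconnected", "Canary Reconnected"}  # assumed names

# Constructed sample incidents, shaped like Canary Console API incident records.
SAMPLE_INCIDENTS = [
    {"id": "incident:sshlogin:EXAMPLE1", "description": {
        "description": "SSH Login Attempt", "src_host": "10.0.0.5",
        "dst_host": "192.168.1.20", "events": [{"USERNAME": "admin"}]}},
    {"id": "incident:settings:EXAMPLE2", "description": {
        "description": "Console Settings Changed", "src_host": "console.example",
        "events": []}},
]

def api_url(console_hash: str, path: str, **params: str) -> str:
    """Build a Canary Console API URL; 'ping' is what the Test button exercises."""
    query = "?" + urlencode(params) if params else ""
    return f"https://{console_hash}.canary.tools/api/v1/{path}{query}"

def extract_entities(incident: dict) -> dict:
    """Split src/dst hosts into IPs and hostnames, like Entities Highlights."""
    ips, hosts = set(), set()
    for field in ("src_host", "dst_host"):
        value = incident["description"].get(field)
        if not value:
            continue
        try:
            ipaddress.ip_address(value)
            ips.add(value)
        except ValueError:
            hosts.add(value)
    return {"ips": sorted(ips), "hosts": sorted(hosts)}

def incident_to_case(incident: dict, ignore_informative: bool) -> Optional[dict]:
    """Mirror the connector: skip informative alerts when asked, else build a case."""
    desc = incident["description"]
    if ignore_informative and desc["description"] in INFORMATIVE:
        return None
    return {"title": desc["description"], "incident_id": incident["id"],
            "entities": extract_entities(incident), "events": list(desc.get("events", []))}

def acknowledge_request(console_hash: str, token: str, incident_id: str) -> tuple:
    """URL and POST body for the Acknowledge action (endpoint path assumed)."""
    return (api_url(console_hash, "incident/acknowledge"),
            urlencode({"auth_token": token, "incident": incident_id}))
```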