›

OpenCanary

Version	0.3.0 [beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. (View all)
Compatible Kibana version(s)	8.13.0 or higher
Supported Serverless project types What’s this?	Security Observability
Subscription level What’s this?	Basic
Level of support What’s this?	Community

This integration is for Thinkst OpenCanary honeypot event logs. The package processes messages from OpenCanary honeypot logs.

Data streams

edit

The OpenCanary integration collects the following event types:

events

Requirements

edit

Elastic Agent must be installed. For more details and installation instructions, please refer to the Elastic Agent Installation Guide.

Installing and managing an Elastic Agent:

edit

There are several options for installing and managing Elastic Agent:

Install a Fleet-managed Elastic Agent (recommended):

edit

With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.

Install Elastic Agent in standalone mode (advanced users):

edit

With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.

Install Elastic Agent in a containerized environment:

edit

You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.

Please note, there are minimum requirements for running Elastic Agent. For more information, refer to the Elastic Agent Minimum Requirements.

Enabling the integration in Elastic:

edit

In Kibana navigate to Management > Integrations.
In "Search for integrations" top bar, search for OpenCanary.
Select the "OpenCanary" integration from the search results.
Select "Add OpenCanary" to add the integration.
Add all the required integration configuration parameters.
Select "Save and continue" to save the integration.

Logs

edit

OpenCanary

edit

The events dataset collects the OpenCanary logs.

Example

An example event for events looks as following:

{
    "@timestamp": "2024-04-05T14:37:26.457Z",
    "destination": {
        "address": "10.10.10.10",
        "domain": "OpenCanary1",
        "ip": "10.10.10.10",
        "port": 445
    },
    "event": {
        "action": "flistxattr",
        "category": [
            "network",
            "intrusion_detection"
        ],
        "created": "2024-04-05T14:37:26.457Z",
        "kind": [
            "alert"
        ],
        "original": "{\"dst_host\": \"10.10.10.10\", \"dst_port\": 445, \"local_time\": \"2024-04-05 14:37:26.457226\", \"local_time_adjusted\": \"2024-04-05 07:37:26.457252\", \"logdata\": {\"AUDITACTION\": \"flistxattr\", \"DOMAIN\": \"CONTOSO\", \"FILENAME\": \"/shares/database\", \"LOCALNAME\": \"OpenCanary1\", \"REMOTENAME\": \"Client1\", \"SHARENAME\": \"database\", \"SMBARCH\": \"OSX\", \"SMBVER\": \"SMB3_11\", \"STATUS\": \"ok\", \"USER\": \"jdoe\"}, \"logtype\": 5000, \"node_id\": \"opencanary-1\", \"src_host\": \"192.168.0.10\", \"src_port\": \"-1\", \"utc_time\": \"2024-04-05 14:37:26.457249\"}",
        "provider": "LOG_SMB_FILE_OPEN",
        "start": "2024-04-05T14:37:26.457Z",
        "type": [
            "connection"
        ]
    },
    "log": {
        "logger": "LOG_SMB_FILE_OPEN"
    },
    "network": {
        "direction": "internal"
    },
    "opencanary": {
        "node": {
            "id": "opencanary-1"
        },
        "smb": {
            "filename": "/shares/database",
            "share_name": "database",
            "smb_arch": "OSX",
            "smb_version": "SMB3_11",
            "status": "ok"
        }
    },
    "related": {
        "hosts": [
            "OpenCanary1",
            "Client1"
        ],
        "ip": [
            "10.10.10.10",
            "192.168.0.10"
        ],
        "user": [
            "jdoe"
        ]
    },
    "source": {
        "address": "192.168.0.10",
        "domain": "Client1",
        "ip": "192.168.0.10",
        "port": -1
    },
    "tags": [
        "preserve_original_event",
        "redact_passwords"
    ],
    "user": {
        "domain": "CONTOSO",
        "name": "jdoe"
    }
}

Exported fields

Field	Description	Type
@timestamp	Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.	date
cloud.image.id	Image ID for the cloud instance.	keyword
data_stream.dataset	Data stream dataset.	constant_keyword
data_stream.namespace	Data stream namespace.	constant_keyword
data_stream.type	Data stream type.	constant_keyword
event.dataset	Event dataset	constant_keyword
event.module	Event module	constant_keyword
host.containerized	If the host is a container.	boolean
host.os.build	OS build information.	keyword
host.os.codename	OS codename, if any.	keyword
input.type	Input type.	keyword
log.offset	Offset of the entry in the log file.	long
opencanary.logdata.cwr		keyword
opencanary.logdata.df		keyword
opencanary.logdata.ece		keyword
opencanary.logdata.id		long
opencanary.logdata.len		keyword
opencanary.logdata.prec		keyword
opencanary.logdata.res		keyword
opencanary.logdata.session		keyword
opencanary.logdata.syn		keyword
opencanary.logdata.tos		keyword
opencanary.logdata.ttl		long
opencanary.logdata.urgp		long
opencanary.logdata.window		long
opencanary.mssql.client.app		keyword
opencanary.mssql.client.hostname		keyword
opencanary.mssql.client.interface_library		keyword
opencanary.mssql.database		keyword
opencanary.node.id	Identifier for the OpenCanary node as configured in `/etc/opencanaryd/opencanary.conf`	keyword
opencanary.redis.args		keyword
opencanary.redis.command		keyword
opencanary.skin	Skin configured for the OpenCanary service.	keyword
opencanary.smb.audit_action		keyword
opencanary.smb.filename		keyword
opencanary.smb.share_name		keyword
opencanary.smb.smb_arch		keyword
opencanary.smb.smb_version		keyword
opencanary.smb.status		keyword
opencanary.ssh.local_version		keyword
opencanary.ssh.remote_version		keyword
opencanary.tcp_banner.banner_id		keyword
opencanary.tcp_banner.data		keyword
opencanary.tcp_banner.function		keyword
opencanary.tcp_banner.secret_string		keyword

Changelog

edit

Changelog

Version	Details	Kibana version(s)
0.3.0	Enhancement (View pull request) Do not remove `event.original` in main ingest pipeline.	—
0.2.0	Enhancement (View pull request) Add "preserve_original_event" tag to documents with `event.kind` set to "pipeline_error".	—
0.1.3	Bug fix (View pull request) Use triple-brace Mustache templating when referencing variables in ingest pipelines.	—
0.1.2	Enhancement (View pull request) Update documentation.	—
0.1.1	Bug fix (View pull request) Fixes and issue where all source and destination details were removed if the source or destination port was an invalid "-1".	—
0.1.0	Enhancement (View pull request) Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.	—
0.0.1	Enhancement (View pull request) Initial draft of the package	—

« Oracle WebLogic integration Osquery »