
Summary
The Thinkst Canary DCRC rule detects Canary devices disconnecting from (and subsequently reconnecting to) the Canary console. A Canary is a deception device: a decoy host that exists only to be touched by an intruder, so nothing legitimate should be interacting with it, let alone taking it offline. The rule consumes Thinkst Canary console logs and matches events that record a disconnection. On a match it raises an alert carrying the Canary ID, IP address and name, together with the incident key and the timestamp at which the disconnection was recorded. The event is worth alerting on because a decoy going offline can indicate a network or power problem, or an attacker who has identified the decoy and isolated, powered off or otherwise removed it. Duplicate alerts are suppressed for 60 minutes, so a device that flaps repeatedly produces one alert per window rather than one per disconnect. This limits alert fatigue, but responders should be aware that a second disconnection of the same device inside that window will not surface as a new alert.
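The following is an added illustration of the detection logic described above, not the rule's actual code and not Thinkst's. It mirrors the summary: match disconnection events, build an alert with Canary ID, IP, name, incident key and timestamp, and suppress repeats for the same device within a 60-minute window. The field names (Description, AdditionalDetails.CanaryID, IncidentKey, Timestamp) and the sample events are constructed assumptions, not the real Canary log schema.

```python
"""
Added example (not the rule vendor's or Thinkst's code): a minimal
detection-rule harness that behaves as the DCRC summary describes.
All field names and sample events below are assumptions, not the
real Thinkst Canary log schema.
"""
from datetime import datetime, timedelta

DEDUP_WINDOW = timedelta(minutes=60)
DISCONNECT_MARKER = "Canary Disconnected"  # assumed description string


def rule(event: dict) -> bool:
    """Fire only on events that record a Canary going offline."""
    return event.get("Description") == DISCONNECT_MARKER


def title(event: dict) -> str:
    """Human-readable alert title naming the affected device."""
    d = event.get("AdditionalDetails", {})
    return (f"Canary [{d.get('CanaryName', '<unknown>')}] "
            f"({d.get('CanaryIP', '<unknown>')}) disconnected")


def alert_context(event: dict) -> dict:
    """Fields the summary says the alert carries."""
    d = event.get("AdditionalDetails", {})
    return {
        "canary_id": d.get("CanaryID"),
        "canary_ip": d.get("CanaryIP"),
        "canary_name": d.get("CanaryName"),
        "incident_key": event.get("IncidentKey"),
        "disconnected_at": event.get("Timestamp"),
    }


def dedup(event: dict) -> str:
    """One alert per device per window: repeated flaps are suppressed."""
    canary_id = event.get("AdditionalDetails", {}).get("CanaryID")
    return f"canary-dcrc:{canary_id}"


def run_rule(events):
    """Evaluate events in time order, applying the 60-minute dedup window.

    Returns only the alerts that would actually be raised; a matching
    event whose dedup key already alerted inside the window is dropped.
    """
    last_alert = {}  # dedup key -> time the last alert was raised
    alerts = []
    for ev in events:
        if not rule(ev):
            continue
        ts = datetime.fromisoformat(ev["Timestamp"])
        key = dedup(ev)
        prev = last_alert.get(key)
        if prev is not None and ts - prev < DEDUP_WINDOW:
            continue  # suppressed duplicate within the window
        last_alert[key] = ts
        alerts.append({"title": title(ev), "dedup": key,
                       "context": alert_context(ev)})
    return alerts


def _event(desc, cid, ip, name, key, ts):
    # Constructed sample event in an assumed (not real) Canary log shape.
    return {"Description": desc, "IncidentKey": key, "Timestamp": ts,
            "AdditionalDetails": {"CanaryID": cid, "CanaryIP": ip,
                                  "CanaryName": name}}


# Constructed sample stream: device 01 drops, reconnects, drops again inside
# the window (suppressed), device 02 drops, then device 01 drops after the
# window has expired (fresh alert).
SAMPLE_EVENTS = [
    _event("Canary Disconnected", "canary-01", "10.0.5.21", "fileserver-decoy",
           "incident:1001", "2024-10-17T09:00:00+00:00"),
    _event("Canary Reconnected", "canary-01", "10.0.5.21", "fileserver-decoy",
           "incident:1001", "2024-10-17T09:05:00+00:00"),
    _event("Canary Disconnected", "canary-01", "10.0.5.21", "fileserver-decoy",
           "incident:1002", "2024-10-17T09:30:00+00:00"),
    _event("Canary Disconnected", "canary-02", "10.0.7.44", "dc-decoy",
           "incident:1003", "2024-10-17T09:40:00+00:00"),
    _event("Canary Disconnected", "canary-01", "10.0.5.21", "fileserver-decoy",
           "incident:1004", "2024-10-17T10:15:00+00:00"),
]

if __name__ == "__main__":
    for a in run_rule(SAMPLE_EVENTS):
        print(a["title"], a["context"])
```

Running the block raises three alerts from five events: the reconnect is ignored because the rule matches disconnections only, and the 09:30 disconnect of canary-01 is suppressed because it falls inside the window opened at 09:00. The 10:15 disconnect of the same device alerts again because 75 minutes have elapsed, which is the behaviour a responder should expect from the 60-minute suppression.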
Categories
- Network
- Endpoint
- On-Premise
Data Sources
- Network Traffic
- Logon Session
Created: 2024-10-17