diff --git a/global_helpers/panther_thinkstcanary_helpers.py b/global_helpers/panther_thinkstcanary_helpers.py
new file mode 100644
index 000000000..7cbf679dc
--- /dev/null
+++ b/global_helpers/panther_thinkstcanary_helpers.py
@@ -0,0 +1,3 @@
+def additional_details(event):
+ details = event.get("AdditionalDetails", [])
+ return {detail[0]: detail[-1] for detail in details}
diff --git a/global_helpers/panther_thinkstcanary_helpers.yml b/global_helpers/panther_thinkstcanary_helpers.yml
new file mode 100644
index 000000000..d58eec697
--- /dev/null
+++ b/global_helpers/panther_thinkstcanary_helpers.yml
@@ -0,0 +1,5 @@
+AnalysisType: global
+Filename: panther_thinkstcanary_helpers.py
+GlobalID: "panther_thinkstcanary_helpers"
+Description: >
+ Global helpers for ThinkstCanary detections
diff --git a/packs/thinkstcanary.yml b/packs/thinkstcanary.yml
new file mode 100644
index 000000000..e719a07ed
--- /dev/null
+++ b/packs/thinkstcanary.yml
@@ -0,0 +1,11 @@
+AnalysisType: pack
+PackID: PantherManaged.ThinkstCanary
+Description: Group of all ThinkstCanary detections
+PackDefinition:
+ IDs:
+ - Thinkst.CanaryDCRC
+ - Thinkst.CanaryIncident
+ - Thinkst.CanaryTokenIncident
+ # Globals used in these detections
+ - panther_thinkstcanary_helpers
+DisplayName: "Panther ThinkstCanary Pack"
diff --git a/rules/thinkstcanary_rules/thinkst_canary_dcrc.py b/rules/thinkstcanary_rules/thinkst_canary_dcrc.py
new file mode 100644
index 000000000..657dc1c17
--- /dev/null
+++ b/rules/thinkstcanary_rules/thinkst_canary_dcrc.py
@@ -0,0 +1,12 @@
+def rule(event):
+ return any(keyword in event.get("Intro", "") for keyword in ["disconnected", "reconnected"])
+
+
+def title(event):
+ return event.get("Intro", "Canary Disconnected/Reconnected")
+
+
+def severity(event):
+ if "reconnected" in event.get("Intro", ""):
+ return "Low"
+ return "Default"
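Review bot: The comprehension on the `return` line indexes `detail[0]` and `detail[-1]` without validating the entry, so an empty inner list raises IndexError and a non-list entry (a plain string indexes to its first and last character) yields a nonsense key; either would surface inside the `alert_context` of the two rules that call this helper. Duplicate first elements silently overwrite earlier values and any middle elements of a longer entry are dropped — the test logs only ever show two-element pairs, so that is presumably the intended shape, but nothing enforces it. A defensive version is `return {str(detail[0]): detail[-1] for detail in details if isinstance(detail, (list, tuple)) and len(detail) >= 2}`, with a docstring saying the helper flattens Canary's `[name, value]` pairs into a dict.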
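Review bot: `rule` keys on the free-text `Intro` containing `disconnected` or `reconnected` and never checks `AlertType`, so any `ThinkstCanary.Alert` whose Intro contains either word fires — the test log shows the Canary's own name interpolated into Intro (`(FS01)`), so a device named e.g. `reconnected-lab` would trip both this rule and the `severity` override on every alert it raises. The same event carries `"Description": "Canary Disconnected"` and an IncidentKey of `incident:devicedied:…`, which look like the stable discriminators; matching on those, e.g. `return event.get("Description") in ("Canary Disconnected", "Canary Reconnected")`, would be more robust — the reconnected value is inferred and should be confirmed against a real event. `severity` returning `"Default"` presumably relies on Panther treating that string as "use the YAML severity"; a one-line comment saying so would help the next reader.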
diff --git a/rules/thinkstcanary_rules/thinkst_canary_dcrc.yml b/rules/thinkstcanary_rules/thinkst_canary_dcrc.yml
new file mode 100644
index 000000000..4bda06fa8
--- /dev/null
+++ b/rules/thinkstcanary_rules/thinkst_canary_dcrc.yml
@@ -0,0 +1,25 @@
+AnalysisType: rule
+Filename: thinkst_canary_dcrc.py
+DisplayName: Thinkst Canary DCRC
+RuleID: Thinkst.CanaryDCRC
+Description: "A Canary has disconnected/reconnected."
+Enabled: true
+Severity: High
+LogTypes:
+ - ThinkstCanary.Alert
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+ - ExpectedResult: true
+ Name: Canary Disconnected
+ Log:
+ {
+ "CanaryID": "00029666d14d454f",
+ "CanaryIP": "192.168.20.101",
+ "CanaryName": "FS01",
+ "Description": "Canary Disconnected",
+ "IncidentKey": "incident:devicedied:3b04b62c54dcbb64d17131be::1718794923",
+ "Intro": "One of your Canaries (FS01) previously at 192.168.20.101 has disconnected.",
+ "MatchedAnnotations": {},
+ "Timestamp": "2024-06-19 11:02:03 (UTC)",
+ }
diff --git a/rules/thinkstcanary_rules/thinkst_canary_incident.py b/rules/thinkstcanary_rules/thinkst_canary_incident.py
new file mode 100644
index 000000000..f46407825
--- /dev/null
+++ b/rules/thinkstcanary_rules/thinkst_canary_incident.py
@@ -0,0 +1,13 @@
+from panther_thinkstcanary_helpers import additional_details
+
+
+def rule(event):
+ return event.get("AlertType") == "CanaryIncident"
+
+
+def title(event):
+ return event.get("Intro", "Canary Incident")
+
+
+def alert_context(event):
+ return additional_details(event)
diff --git a/rules/thinkstcanary_rules/thinkst_canary_incident.yml b/rules/thinkstcanary_rules/thinkst_canary_incident.yml
new file mode 100644
index 000000000..9e81e1f82
--- /dev/null
+++ b/rules/thinkstcanary_rules/thinkst_canary_incident.yml
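Review bot: The only test is the disconnected path with `ExpectedResult: true`, so neither the reconnected branch of the rule's `severity` override nor the rule's negative behaviour is exercised. A reconnected event (with `ExpectedSeverity: Low`, if this repo's test schema supports that key) and a non-matching event such as a `CanaryIncident` with `ExpectedResult: false` would pin both. `Severity: High` is defensible — a Canary going dark can be an attacker taking it offline — but a clause in `Description` saying so would tell responders why a lost heartbeat pages them.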
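Review bot: `alert_context` returns only the flattened `AdditionalDetails`, so the fields an analyst pivots on first — `SourceIP`, `CanaryName`/`CanaryIP`/`CanaryPort`, `Description` and `IncidentKey`, all present in the test log — never reach the alert context and must be dug out of the raw event. Related, `title` is the `Intro` string, which names the incident type and the Canary but not the source; if Panther dedups on the title when no `dedup()` is defined (my recollection, please confirm), different hosts hitting the same Canary within the 60-minute window collapse into one alert and only the first source is visible at a glance. Suggest enriching the context as below and considering a `dedup` keyed on `CanaryID` plus `SourceIP`.
```python
def alert_context(event):
    # AdditionalDetails alone carries neither source nor target; add the pivot fields
    return {
        **additional_details(event),
        "SourceIP": event.get("SourceIP"),
        "CanaryName": event.get("CanaryName"),
        "CanaryIP": event.get("CanaryIP"),
        "CanaryPort": event.get("CanaryPort"),
        "Description": event.get("Description"),
        "IncidentKey": event.get("IncidentKey"),
    }
```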
@@ -0,0 +1,39 @@
+AnalysisType: rule
+Filename: thinkst_canary_incident.py
+DisplayName: Thinkst Canary Incident
+RuleID: Thinkst.CanaryIncident
+Description: "A Canary incident has been detected."
+Enabled: true
+Severity: High
+LogTypes:
+ - ThinkstCanary.Alert
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+ - ExpectedResult: true
+ Name: Canary Incident
+ Log:
+ {
+ "AdditionalDetails":
+ [
+ ["User", "guest"],
+ ["Filename", "IT/Default Windows Desktop Configuration.docx"],
+ [
+ "Background Context",
+ "You have had 2 incidents from 192.168.110.14 previously.",
+ ],
+ ],
+ "AlertType": "CanaryIncident",
+ "CanaryID": "000222326791e1e8",
+ "CanaryIP": "192.168.110.27",
+ "CanaryLocation": "Server room A",
+ "CanaryName": "VirtualCanary-unnamed",
+ "CanaryPort": 445,
+ "Description": "Shared File Opened",
+ "IncidentHash": "f78b692a7716d0d668012bc0eb65c367",
+ "IncidentKey": "incident:smbfileopen:89d38322e4e764e202b42bbb:192.168.110.14:1717059335",
+ "Intro": "Shared File Opened has been detected against one of your Canaries (VirtualCanary-unnamed) at 192.168.110.27.",
+ "ReverseDNS": "",
+ "SourceIP": "192.168.110.14",
+ "Timestamp": "2024-05-30 08:55:35 (UTC)",
+ }
diff --git a/rules/thinkstcanary_rules/thinkst_canarytoken_incident.py b/rules/thinkstcanary_rules/thinkst_canarytoken_incident.py
new file mode 100644
index 000000000..6d911b1f1
--- /dev/null
+++ b/rules/thinkstcanary_rules/thinkst_canarytoken_incident.py
@@ -0,0 +1,13 @@
+from panther_thinkstcanary_helpers import additional_details
+
+
+def rule(event):
+ return event.get("AlertType") == "CanarytokenIncident"
+
+
+def title(event):
+ return event.get("Intro", "Canary Token Incident")
+
+
+def alert_context(event):
+ return additional_details(event)
diff --git a/rules/thinkstcanary_rules/thinkst_canarytoken_incident.yml b/rules/thinkstcanary_rules/thinkst_canarytoken_incident.yml
new file mode 100644
index 000000000..008f35cb2
--- /dev/null
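Review bot: There is no `ExpectedResult: false` case in `Tests`, so nothing checks that a `CanarytokenIncident` or a disconnect alert does not also raise this rule. The sibling DCRC rule matches on `Intro` text rather than `AlertType`, so one event can already satisfy two rules in this pack; an explicit negative test per rule is the cheapest guard against the three detections double-alerting on a single Canary event.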
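Review bot: `alert_context` surfaces only `AdditionalDetails`, but the test log shows that the fields which actually drive triage of a token hit live elsewhere in the event: `Reminder` (the memo recording where the token was planted — here `aws api key inside keepass`, i.e. which secret store was read), `Token`, `SourceIP`, and `MatchedAnnotations` (here a TruffleHog-scan annotation, which says whether this was a scanner sweep or hands-on use of the credential). None of those reach the alert context, so the analyst has to open the raw event to learn which decoy was tripped and how. Title dedup over the 60-minute window (assuming Panther dedups on title when no `dedup()` is defined — please confirm) also means repeated triggers of the same token from new sources collapse into the first alert.
```python
def alert_context(event):
    # Reminder/Token say which planted credential was used; MatchedAnnotations
    # (e.g. a TruffleHog-scan annotation) separates a scanner sweep from hands-on use
    return {
        **additional_details(event),
        "Reminder": event.get("Reminder"),
        "Token": event.get("Token"),
        "SourceIP": event.get("SourceIP"),
        "Description": event.get("Description"),
        "MatchedAnnotations": event.get("MatchedAnnotations", {}),
    }
```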
+++ b/rules/thinkstcanary_rules/thinkst_canarytoken_incident.yml
@@ -0,0 +1,45 @@
+AnalysisType: rule
+Filename: thinkst_canarytoken_incident.py
+DisplayName: Thinkst Canarytoken Incident
+RuleID: Thinkst.CanaryTokenIncident
+Description: "A Canarytoken incident has been detected."
+Enabled: true
+Severity: High
+LogTypes:
+ - ThinkstCanary.Alert
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+ - ExpectedResult: true
+ Name: Canarytoken Incident
+ Log:
+ {
+ "AdditionalDetails":
+ [
+ [
+ "Background Context",
+ "You have had 4 incidents from 123.123.123.123 previously.",
+ ],
+ ["Dst Port", 80],
+ ["Event Name", "GetCallerIdentity"],
+ ["User-Agent", "TruffleHog"],
+ ],
+ "AlertType": "CanarytokenIncident",
+ "Description": "AWS API Key Canarytoken triggered",
+ "IncidentHash": "79cb967bde35e3b2d3b346844c16c4bf",
+ "IncidentKey": "incident:canarytoken:94e08d45e5f2c8c13e7b99ae:123.123.123.123:1718797361",
+ "Intro": "An AWS API Key Canarytoken was triggered by '123.123.123.123'.",
+ "MatchedAnnotations":
+ {
+ "trufflehog_scan":
+ [
+ "This looks like a TruffleHog scan.",
+ "https://help.canary.tools/hc/en-gb/articles/18185364902813-Alert-Annotation-TruffleHog-Scan",
+ ],
+ },
+ "Reminder": "aws api key inside keepass",
+ "SourceIP": "123.123.123.123",
+ "Timestamp": "2024-06-19 11:42:41 (UTC)",
+ "Token": "jf15ldk2jeaooi8dhlc6rgt9g",
+ "Triggered": "2",
+ }