# Thinkst Canary

Thinkst Canary is a deception technology platform that helps organizations detect intrusions and unauthorized access by deploying decoy systems (honeypots) and Canarytokens.

The Thinkst Canary connector for Swimlane Turbine enables seamless integration for automated incident management, allowing users to acknowledge, delete, and fetch incidents and Canarytokens efficiently. This integration enhances threat detection and response capabilities, providing Swimlane Turbine users with real-time insights and automated workflows to manage security incidents effectively.

## Limitations

None to date.

## Supported versions

This Thinkst Canary connector uses the v1 API.

## Additional documents

- [Thinkst Canary documentation](https://docs.canary.tools/guide/getting-started.html#hello-console)

## Configuration

### Prerequisites

Before you can use the Thinkst Canary connector for Turbine, you'll need access to the Thinkst Canary API. This requires the following authentication, using an authentication token:

- URL: the endpoint URL for accessing the Thinkst Canary API
- Auth Token: a valid authentication token to authorize API requests

### Authentication methods

- URL: the endpoint URL for accessing the Thinkst Canary API
- Auth Token: a token used to authenticate API requests securely

## Capabilities

This Thinkst Canary connector provides the following capabilities:

- Acknowledge Incident
- All Incidents
- Create Canarytoken
- Delete Canarytoken
- Delete Incident
- Fetch Tokens

### Acknowledge Incident

Acknowledge a specified incident. [Click here](https://docs.canary.tools/incidents/actions.html#acknowledge-incident).

### All Incidents

Returns all incidents. [Click here](https://docs.canary.tools/incidents/queries.html#all-incidents).

### Create Canarytoken

Create a new Canarytoken. [Click here](https://docs.canary.tools/canarytokens/actions.html#create-canarytoken).

### Delete Canarytoken

Delete a Canarytoken. You'll need to delete all incidents on a token before you can delete the token itself. If there are still incidents attached to the token, you can specify `clear_incidents=true` to delete them all. [Click here](https://docs.canary.tools/canarytokens/actions.html#delete-canarytoken).

### Delete Incident

Deletes a specified incident. [Click here](https://docs.canary.tools/incidents/actions.html#delete-incident).

### Fetch Tokens

Fetch all created Canarytokens. [Click here](https://docs.canary.tools/canarytokens/queries.html#all-canarytokens).

## Configurations

### Thinkst Canary

Asset authenticates using an authentication token.

#### Configuration parameters

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| auth_token | Auth Token | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Acknowledge Incident

Acknowledge a specified incident in Thinkst Canary using the provided data body.

- Endpoint URL: `api/v1/incident/acknowledge`
- Method: `POST`

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| data_body | object | required | Response data |
| data_body.incident | string | required | A valid incident key |

Input example:

```json
{"data_body": {"incident": "example_incident"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| action | string | Output field action |
| key | string | Output field key |
| result | string | Result of the operation |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"action": "acknowledged", "key": "<incident_key>", "result": "success"}}
```

### All Incidents

Returns a comprehensive list of all incidents recorded in Thinkst Canary.

- Endpoint URL: `api/v1/incidents/all`
- Method: `GET`

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.node_id | string | optional | Get all incidents associated with a specific Canary or Canarytoken node_id |
| parameters.flock_id | string | optional | Get all incidents for a specific flock_id |
| parameters.incidents_since | number | optional | Only return incidents whose updated_id is greater than this integer. The returned feed includes a max_updated_id field if the incident list has entries |
| parameters.newer_than | string | optional | Timestamp used to filter returned incidents, in the format "yyyy-mm-dd-hh:mm:ss". All incidents created strictly after this timestamp will be returned. Incidents may be missed when using this for polling, and it is advised to use incidents_since for that purpose instead |
| parameters.older_than | string | optional | Timestamp used to filter returned incidents, in the format "yyyy-mm-dd-hh:mm:ss". All incidents created strictly before this timestamp will be returned |
| parameters.event_limit | number | optional | Specify the maximum number of event logs to be returned with the incident |
| parameters.limit | number | optional | Parameter used to initiate cursor pagination. The limit specifies the page size returned when iterating through the pages representing all incidents |
| parameters.cursor | string | optional | The cursor string retrieved from the cursor element returned along with a page while doing pagination |
| parameters.shrink | boolean | optional | A 'true' value will remove duplicated entries (some older consoles will have this defaulted to false, but you'd already know about it if you're on one of those consoles) |
| parameters.tz | string | optional | Timezone for standardised timestamps (fields that end in "_std") |

Input example:

```json
{"parameters": {"node_id": "example_node_id", "flock_id": "example_flock_id", "incidents_since": 1, "newer_than": "example_newer_than", "older_than": "example_older_than", "event_limit": 100, "limit": 100, "cursor": "example_cursor", "shrink": true, "tz": "example_tz"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor | object | Output field cursor |
| cursor.next | string | Output field cursor.next |
| cursor.next_link | string | Output field cursor.next_link |
| cursor.prev | object | Output field cursor.prev |
| cursor.prev_link | object | Output field cursor.prev_link |
| feed | string | Output field feed |
| incidents | array | Unique identifier |
| incidents.description | object | Unique identifier |
| incidents.description.acknowledged | string | Unique identifier |
| incidents.description.created | string | Unique identifier |
| incidents.description.created_std | string | Unique identifier |
| incidents.description.description | string | Unique identifier |
| incidents.description.dst_host | string | Unique identifier |
| incidents.description.dst_port | string | Unique identifier |
| incidents.description.events | array | Unique identifier |
| incidents.description.events.canarytoken | string | Unique identifier |
| incidents.description.events.dst_port | number | Unique identifier |
| incidents.description.events.event_name | string | Unique identifier |
| incidents.description.events.headers | object | HTTP headers for the request |
| incidents.description.events.headers.accept | string | HTTP headers for the request |
| incidents.description.events.headers.accept-encoding | string | HTTP headers for the request |
| incidents.description.events.headers.connection | string | HTTP headers for the request |
| incidents.description.events.headers.user-agent | string | HTTP headers for the request |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"cursor": {"next": "MTE6MTA6MTQ0OjE6MjowOjI6NQ==", "next_link": "https://example.canary.tools/api/v1/incidents/all?cursor=MTE6MTA6MTQ0OjE6MjowOjI...", "prev": null, "prev_link": null}, "feed": "All Incidents", "incidents": [{}], "max_updated_id": 10, "result": "success", "updated": "Tue, 07 Apr 2020 08:53:43 GMT", "updated_std": "2020-04-07 08:53:43 UTC+0000", "updated_timestamp": 1586249623}}
```

### Create Canarytoken

Create a new Canarytoken in Thinkst Canary using the provided data body.

- Endpoint URL: `/api/v1/canarytoken/create`
- Method: `POST`

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| data_body | object | required | Response data |
| data_body.kind | string | required | Specifies the type of Canarytoken |
| data_body.memo | string | required | A reminder that will be included in the alert to let you know where you placed this Canarytoken, limited to 10000 characters |
| data_body.aws_access_key | string | optional | AWS access key ID (required if automating creation of AWS S3 token) |
| data_body.aws_secret_key | string | optional | AWS secret access key (required if automating creation of AWS S3 token) |
| data_body.aws_session_token | string | optional | AWS session token (required if automating creation of AWS S3 token using temporary credentials) |
| data_body.aws_region | string | optional | AWS region (required if automating creation of AWS S3 token) |
| data_body.azure_id_cert_file_name | string | optional | Azure ID config will use this as the file path to the certificate (required when creating Azure ID tokens) |
| data_body.browser_redirect_url | string | optional | The URL you want your Canarytoken server to redirect attackers to after they have triggered your Canarytoken (required when creating fast-redirect and slow-redirect tokens) |
| data_body.browser_scanner_enabled | boolean | optional | Enables a JavaScript scanner to retrieve more information (only valid with 'http' Canarytokens) |
| data_body.cloned_web | string | optional | Domain to check against (required when creating cloned-web tokens) |
| data_body.custom_domain | string | optional | Specifies the custom Canarytoken domain to use (one that has already been linked to the console) when creating a Canarytoken |
| data_body.expiry | string | optional | Specifies the expiry when creating a Canarytoken. String formats using y, mo, w, d, h are supported, e.g. 12h, 6mo (only AWS API key token) |
| data_body.expected_referrer | string | optional | The expected referrer to make a request when creating the cloned-css and azure-entra-login Canarytokens |
| data_body.flock_id | string | optional | A valid flock_id (defaults to the default flock, or to the flock_id of the auth token if using the Canarytoken Deploy Flock API key type) |
| data_body.idp_app_type | string | optional | Type of the fake app for the idp-app Canarytoken. Valid options are aws, azure, bitwarden, dropbox, duo, elasticsearch, freshbooks, gcloud, gdrive, github, gitlab, gmail, intune, jamf, jira, kibana, lastpass, ms365, msteams, onedrive, onepassword, outlook, pagerduty, sage, salesforce, sap, slack, virtru, zendesk, zoho, zoom |
| data_body.process_name | string | optional | Name of the process you want to monitor (required when creating sensitive-cmd tokens) |
| data_body.pwa_app_name | string | optional | Name of the fake app for the pwa Canarytoken |
| data_body.pwa_icon | string | optional | Name of the icon used by your fake app for the pwa Canarytoken |
| data_body.s3_log_bucket | string | optional | S3 bucket where logs will be stored (required when creating AWS S3 tokens) |
| data_body.s3_source_bucket | string | optional | S3 bucket to monitor for access (required when creating AWS S3 tokens) |
| data_body.tokened_usernames | string | optional | A comma-separated list of Active Directory usernames to token (required when creating Active Directory login tokens) |
| form_data | object | optional | Response data |
| form_data.doc | object | optional | Upload an MS Word document to the Canarytoken; optionally used with the MS Word document (doc-msword) token |
| form_data.doc.file_name | string | required | Response data |

Input example:

```json
{"data_body": {"kind": "example_token_kind", "memo": "example_memo", "aws_access_key": "example_aws_access_key", "aws_secret_key": "example_aws_secret_key", "aws_session_token": "example_aws_session_token", "aws_region": "example_aws_region", "azure_id_cert_file_name": "example_azure_id_cert_file_name", "browser_redirect_url": "example_browser_redirect_url", "browser_scanner_enabled": true, "cloned_web": "example_cloned_web_url", "custom_domain": "example_custom_domain", "expiry_date": "example_expiry_date", "expected_referrer": "example_expected_referrer", "flock_id": "flock:default", "idp_app_type": "aws", "process_name": "example_process_name", "pwa_app_name": "example_pwa_app_name", "pwa_icon": "example_pwa_icon", "s3_log_bucket": "example_s3_log_bucket", "s3_source_bucket": "example_s3_source_bucket", "tokened_usernames": "example_tokened_usernames"}, "form_data": {"doc": {"file_name": "example_file_name", "file": "2"}, "exe": {"file_name": "example_file_name", "file": "4"}, "pdf": {"file_name": "example_file_name", "file": "3"}, "web_image": [{"file_name": "example_file_name", "file": "1"}]}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| canarytoken | object | Output field canarytoken |
| canarytoken.browser_scanner_enabled | boolean | Output field canarytoken.browser_scanner_enabled |
| canarytoken.canarytoken | string | Output field canarytoken.canarytoken |
| canarytoken.created | string | Output field canarytoken.created |
| canarytoken.created_printable | string | Output field canarytoken.created_printable |
| canarytoken.enabled | boolean | Output field canarytoken.enabled |
| canarytoken.flock_id | string | Unique identifier |
| canarytoken.hostname | string | Name of the resource |
| canarytoken.key | string | Output field canarytoken.key |
| canarytoken.kind | string | Output field canarytoken.kind |
| canarytoken.memo | string | Output field canarytoken.memo |
| canarytoken.triggered_count | number | Count value |
| canarytoken.updated_id | number | Unique identifier |
| canarytoken.url | string | URL endpoint for the request |
| result | string | Result of the operation |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"canarytoken": {"browser_scanner_enabled": true, "canarytoken": "<token_code>", "created": "1586161315.087693", "created_printable": "2020-04-06 08:21:55 (UTC)", "enabled": true, "flock_id": "flock:default", "hostname": "<token_hostname>", "key": "<token_key>", "kind": "http", "memo": "example_memo", "triggered_count": 0, "updated_id": 7, "url": "<token_url>"}, "result": "success"}}
```

### Delete Canarytoken

Delete a Canarytoken in Thinkst Canary after clearing all associated incidents. Use `clear_incidents=true` to remove the incidents automatically.

- Endpoint URL: `api/v1/canarytoken/delete`
- Method: `POST`

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| data_body | object | required | Response data |
| data_body.canarytoken | string | required | A valid Canarytoken |
| data_body.clear_incidents | boolean | optional | Delete associated incidents |

Input example:

```json
{"data_body": {"canarytoken": "example_canarytoken", "clear_incidents": true}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | string | Result of the operation |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"result": "success"}}
```

### Delete Incident

Delete a specified incident in Thinkst Canary using the provided data body.

- Endpoint URL: `api/v1/incident/delete`
- Method: `DELETE`

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| data_body | object | required | Response data |
| data_body.incident | string | required | A valid incident key |

Input example:

```json
{"data_body": {"incident": "example_incident"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| action | string | Output field action |
| key | string | Output field key |
| result | string | Result of the operation |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"action": "deleted", "key": "<incident_key>", "result": "success"}}
```

### Fetch Tokens

Fetch all created Canarytokens from Thinkst Canary for monitoring and analysis.

- Endpoint URL: `api/v1/canarytokens/fetch`
- Method: `GET`

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.flock_id | string | optional | A valid flock_id (for returning Canarytokens for a specific flock) |
| parameters.include_endpoints | string | optional | Include factory endpoints (such as ApeeperFactory) |

Input example:

```json
{"parameters": {"flock_id": "example_flock_id", "include_endpoints": "ApeeperFactory"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | string | Result of the operation |
| tokens | array | Output field tokens |
| tokens.browser_scanner_enabled | boolean | Output field tokens.browser_scanner_enabled |
| tokens.canarytoken | string | Output field tokens.canarytoken |
| tokens.created | string | Output field tokens.created |
| tokens.created_printable | string | Output field tokens.created_printable |
| tokens.enabled | boolean | Output field tokens.enabled |
| tokens.flock_id | string | Unique identifier |
| tokens.hostname | string | Name of the resource |
| tokens.key | string | Output field tokens.key |
| tokens.kind | string | Output field tokens.kind |
| tokens.memo | string | Output field tokens.memo |
| tokens.node_id | string | Unique identifier |
| tokens.triggered_count | number | Count value |
| tokens.updated_id | number | Unique identifier |
| tokens.url | string | URL endpoint for the request |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"result": "success", "tokens": [{}]}}
```

### Response headers

| Header | Description | Example |
|---|---|---|
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
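The endpoints above, exercised end to end as an added example (this is not the connector's or Thinkst's code): a small Python client that walks `cursor.next` pagination, polls with `incidents_since` and the returned `max_updated_id` watermark rather than `newer_than`, and deletes a Canarytoken only once its incidents are cleared, either beforehand or via `clear_incidents`. It runs against a constructed in-memory fake console, so the base URL, the token value `secret`, and the sample incidents and tokens are all made up. Sending `auth_token` alongside the other request parameters is an assumption; the page says only that a token authorizes requests, not how the connector attaches it.

```python
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple

# A transport is any callable (method, url, params) -> parsed JSON body. Pointing it at
# urllib or requests talks to a real console; here it is pointed at a constructed fake.
Transport = Callable[[str, str, Dict[str, Any]], Dict[str, Any]]


class CanaryClient:
    """Minimal client for the v1 endpoints the connector exposes (added example)."""

    def __init__(self, base_url: str, auth_token: str, transport: Transport):
        self.base_url, self.auth_token, self.transport = base_url.rstrip("/"), auth_token, transport

    def _call(self, method: str, path: str, **params: Any) -> Dict[str, Any]:
        # Assumption: auth_token is sent alongside the other parameters; the page only
        # states that a token authorizes requests, not where the connector places it.
        params = {k: v for k, v in params.items() if v is not None}
        params["auth_token"] = self.auth_token
        return self.transport(method, f"{self.base_url}/{path}", params)

    def acknowledge_incident(self, incident: str) -> Dict[str, Any]:
        return self._call("POST", "api/v1/incident/acknowledge", incident=incident)

    def delete_incident(self, incident: str) -> Dict[str, Any]:
        return self._call("DELETE", "api/v1/incident/delete", incident=incident)

    def all_incidents(self, **params: Any) -> Dict[str, Any]:
        return self._call("GET", "api/v1/incidents/all", **params)

    def iter_incidents(self, limit: int, **params: Any) -> Iterator[Dict[str, Any]]:
        """Follow cursor.next page by page until the console returns no next cursor."""
        cursor: Optional[str] = None
        while True:
            page = self.all_incidents(limit=limit, cursor=cursor, **params)
            yield from page["incidents"]
            cursor = (page.get("cursor") or {}).get("next")
            if not cursor:
                return

    def poll_incidents(self, since: int) -> Tuple[List[Dict[str, Any]], int]:
        """Incidents with updated_id > since, plus the next watermark. incidents_since is
        the documented polling filter; newer_than can miss incidents."""
        page = self.all_incidents(incidents_since=since)
        incidents = page["incidents"]
        # max_updated_id is only present when the list is non-empty; keep the old watermark otherwise.
        return incidents, page["max_updated_id"] if incidents else since

    def create_canarytoken(self, kind: str, memo: str, **extra: Any) -> Dict[str, Any]:
        return self._call("POST", "api/v1/canarytoken/create", kind=kind, memo=memo, **extra)

    def delete_canarytoken(self, canarytoken: str, clear_incidents: bool = False) -> Dict[str, Any]:
        return self._call("POST", "api/v1/canarytoken/delete",
                          canarytoken=canarytoken, clear_incidents=clear_incidents)

    def fetch_tokens(self, flock_id: Optional[str] = None) -> Dict[str, Any]:
        return self._call("GET", "api/v1/canarytokens/fetch", flock_id=flock_id)


class FakeConsole:
    """Constructed stand-in for a console: just enough state to exercise cursor
    pagination, incidents_since polling and the delete-token ordering rule."""

    def __init__(self) -> None:
        # Constructed sample data: five incidents alternating between two tokens.
        self.incidents = [{"key": f"incident:{i}", "updated_id": i, "acknowledged": "False",
                           "description": {"canarytoken": "tok-1" if i % 2 else "tok-2"}}
                          for i in range(1, 6)]
        self.tokens = {"tok-1": {"kind": "http", "memo": "finance share"},
                       "tok-2": {"kind": "aws-id", "memo": "ci secrets"}}

    def __call__(self, method: str, url: str, p: Dict[str, Any]) -> Dict[str, Any]:
        if p.get("auth_token") != "secret":  # constructed token value
            return {"result": "error", "message": "Invalid auth_token"}
        path = url.split("/", 3)[3]
        if path == "api/v1/incidents/all":
            items = [i for i in self.incidents if i["updated_id"] > p.get("incidents_since", -1)]
            start, limit = int(p.get("cursor") or 0), p.get("limit") or len(items)
            page, nxt = items[start:start + limit], start + limit
            body = {"result": "success", "feed": "All Incidents", "incidents": page,
                    "cursor": {"next": str(nxt) if nxt < len(items) else None, "prev": None}}
            if page:
                body["max_updated_id"] = max(i["updated_id"] for i in page)
            return body
        if path == "api/v1/incident/acknowledge":
            for i in self.incidents:
                if i["key"] == p["incident"]:
                    i["acknowledged"] = "True"
            return {"action": "acknowledged", "key": p["incident"], "result": "success"}
        if path == "api/v1/incident/delete":
            self.incidents = [i for i in self.incidents if i["key"] != p["incident"]]
            return {"action": "deleted", "key": p["incident"], "result": "success"}
        if path == "api/v1/canarytoken/create":
            key = f"tok-{len(self.tokens) + 1}"
            self.tokens[key] = {"kind": p["kind"], "memo": p["memo"]}
            return {"result": "success", "canarytoken": {"canarytoken": key, **self.tokens[key]}}
        if path == "api/v1/canarytoken/delete":
            attached = [i for i in self.incidents if i["description"]["canarytoken"] == p["canarytoken"]]
            if attached and not p.get("clear_incidents"):  # the ordering rule from the page
                return {"result": "error", "message": "Token still has incidents; set clear_incidents=true"}
            self.incidents = [i for i in self.incidents if i not in attached]
            self.tokens.pop(p["canarytoken"], None)
            return {"result": "success"}
        if path == "api/v1/canarytokens/fetch":
            return {"result": "success", "tokens": [{"canarytoken": k, **v} for k, v in self.tokens.items()]}
        return {"result": "error", "message": f"unknown endpoint {path}"}


def run_demo() -> Dict[str, Any]:
    """Exercise the client against the fake console and return what was observed."""
    client = CanaryClient("https://example.canary.tools", "secret", FakeConsole())
    paged = [i["key"] for i in client.iter_incidents(limit=2)]        # 5 incidents over 3 pages
    first, watermark = client.poll_incidents(since=0)                  # everything, watermark 5
    again, watermark2 = client.poll_incidents(since=watermark)         # nothing new, watermark kept
    ack = client.acknowledge_incident("incident:1")["action"]
    refused = client.delete_canarytoken("tok-1")["result"]             # incidents still attached
    cleared = client.delete_canarytoken("tok-1", clear_incidents=True)["result"]
    remaining = [i["key"] for i in client.iter_incidents(limit=10)]    # only tok-2's incidents
    tokens = [t["canarytoken"] for t in client.fetch_tokens()["tokens"]]
    return {"paged": paged, "first_poll": len(first), "watermark": watermark,
            "second_poll": len(again), "watermark_after": watermark2, "ack": ack,
            "refused": refused, "cleared": cleared, "remaining": remaining, "tokens": tokens}


if __name__ == "__main__":
    print(run_demo())
```

To use it against a live console, replace `FakeConsole` with a transport that performs the HTTP request and returns the decoded `json_body`; the client logic, including the watermark handling and the `clear_incidents` retry decision, stays the same.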