Skip to main content
All CollectionsTemplatesIntermediate
Notify when a Thinkst Canary Token is triggered. - Workflow Template
Notify when a Thinkst Canary Token is triggered. - Workflow Template

Triggers upon a Thinkst Canary token activation, sends a Slack notification, and opens a case with relevant data, including a static map.

Updated over a week ago

The Torq workflow template "Notify when a Thinkst Canary Token is triggered" is designed for organizations enhancing their threat hunting capabilities. Upon Thinkst Canary token activation, this automated workflow reads the geolocation data, constructs a static map via Google Maps, opens a case with the captured CanaryToken data, and crafts detailed case notes, observables, and descriptions. Simultaneously, it notifies the predefined Slack channel to alert the response team for immediate action, ensuring they are equipped with all necessary information to analyze and respond to potential threats swiftly.

Trigger

Thinkst Canary

Optional Triggers

["Use different Canary tokens to trigger the same Webhook."]

Use Cases

Threat Hunting

Workflow Breakdown

  1. Reads geolocation and creates and static maps using Google Maps.

  2. Open a Case with CanaryToken Data and attach previous created map.

  3. Creates Observables, notes and description for the case.

  4. Send Slack Notification.

Vendors

Slack, Utils, Torq Cases, Google Maps

Workflow Output

Slack notification and a Torq case with details and static maps.

Tips

  • Change the size and type of map between hybrid, satellite, or roadmap views.

Did this answer your question?