Skip to main content
All CollectionsTemplatesIntermediate
Notify when a Thinkst Canary Token is triggered. - Workflow Template
Notify when a Thinkst Canary Token is triggered. - Workflow Template

Triggers upon a Thinkst Canary token activation, sends a Slack notification, and opens a case with relevant data, including a static map.

Updated over a month ago

The Torq workflow template "Notify when a Thinkst Canary Token is triggered" is designed for organizations enhancing their threat hunting capabilities. Upon Thinkst Canary token activation, this automated workflow reads the geolocation data, constructs a static map via Google Maps, opens a case with the captured CanaryToken data, and crafts detailed case notes, observables, and descriptions. Simultaneously, it notifies the predefined Slack channel to alert the response team for immediate action, ensuring they are equipped with all necessary information to analyze and respond to potential threats swiftly.

Take Me to the Template

Trigger

Thinkst Canary

Optional Triggers

["Use different Canary tokens to trigger the same Webhook."]

Use Cases

Threat Hunting

Workflow Breakdown

  1. Reads geolocation and creates and static maps using Google Maps.

  2. Open a Case with CanaryToken Data and attach previous created map.

  3. Creates Observables, notes and description for the case.

  4. Send Slack Notification.

Vendors

Slack, Utils, Torq Cases, Google Maps

Workflow Output

Slack notification and a Torq case with details and static maps.

Tips

  • Change the size and type of map between hybrid, satellite, or roadmap views.

Related Articles
Threat Hunt for a Specified SHA1 Signature in SingularityXDR - Workflow Template
Notify on Open and In-Progress Torq Cases Approaching the SLA - Workflow Template
Create Cases from SentinelOne Events found in Azure Sentinel - Workflow Template
Create Torq Cases from SentinelOne Threats Reported in Chronicle - Workflow Template
Did this answer your question?