
Deception Engineering

info

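When a honeytoken is triggered, an alert is sent to a webhook implemented as an Apps Script web app. Every alert is then logged to a spreadsheet, and a notification is sent both as a message to a Slack channel (via a webhook) and as an email. The doPost handler shown below does not authenticate the sender, so anyone who knows the web app URL can submit alerts; treat that URL as a secret.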

The honeytokens have been generated with https://canarytokens.org/generate.

tip

For maintenance: the web app is deployed by a Google service account.

To make an update, click on Deploy > Manage deployments > Edit. Then create a new version of the deployment.

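Do not create a new deployment! A new deployment is served from a different web app URL, while the honeytokens keep calling the URL of the existing one.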

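/**
 * Handles GET requests to the web app by echoing the request event as JSON.
 *
 * The event carries caller-supplied query parameters, so the serialized JSON
 * is HTML-escaped before it is handed to HtmlService. Without the escaping,
 * markup placed in a parameter would be rendered by the browser instead of
 * being displayed as text.
 *
 * @param {Object} e - Apps Script request event.
 * @returns {Object} The HtmlService output showing the escaped JSON.
 */
function doGet(e) {
  const htmlEntities = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  const params = JSON.stringify(e);
  // String() keeps the call safe when JSON.stringify yields undefined.
  const escaped = String(params).replace(/[&<>"']/g, (ch) => htmlEntities[ch]);
  return HtmlService.createHtmlOutput(escaped);
}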

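/**
 * Webhook entry point: logs a honeytoken alert and fans it out to Slack and email.
 *
 * Reads the JSON request body, takes the "time", "manage_url", "memo" and
 * "additional_data" fields, appends them as one spreadsheet row and calls
 * sendSlackAlert and sendZendeskAlert. A body whose memo equals the literal
 * test message below is ignored (presumably the message sent when the webhook
 * is first saved; confirm against the token service).
 *
 * NOTE(review): nothing here authenticates the sender. Anyone who knows the
 * web app URL can append rows and raise alerts, so every field must be
 * treated as untrusted and the URL itself kept secret.
 *
 * @param {Object} e - Apps Script request event; e.postData holds the body.
 * @returns {Object|undefined} HtmlService output "SUCCESS" for a logged
 *   alert, undefined for the ignored test message.
 * @throws {SyntaxError} If the body is not valid JSON.
 */
function doPost(e) {
  const payload = JSON.parse(e.postData.getDataAsString());

  const timestamp = payload["time"];
  const manage_url = payload["manage_url"];
  const memo = payload["memo"];
  // Passed to the sheet as received; presumably an object (it may carry
  // src_ip); verify how the sheet renders it.
  const additional_data = payload["additional_data"];

  if (memo === "Congrats! The newly saved webhook works") {
    return;
  }

  // A string cell starting with =, +, - or @ can be evaluated as a formula
  // when written to the sheet. A leading apostrophe marks it as plain text,
  // so request-supplied values are stored as data rather than executed.
  const toCell = (value) =>
    typeof value === "string" && /^[=+\-@]/.test(value) ? "'" + value : value;

  const sheet = SpreadsheetApp.getActiveSheet();
  sheet.appendRow([timestamp, manage_url, memo, additional_data].map(toCell));

  // The notifications receive the original values; only the sheet needs the
  // formula neutralisation.
  sendSlackAlert(timestamp, manage_url, memo);
  sendZendeskAlert(timestamp, manage_url, memo);

  return HtmlService.createHtmlOutput("SUCCESS");
}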

/**
 * Emails a honeytoken alert to the fixed recipient address.
 *
 * The message is passed as the third argument of MailApp.sendEmail, i.e. as
 * the plain-text body, so the memo and URL are not interpreted as HTML.
 *
 * @param {*} timestamp - Time of the trigger, as received in the alert.
 * @param {*} manage_url - Management URL of the triggered token.
 * @param {*} memo - Memo identifying the token; also used in the subject.
 */
function sendZendeskAlert(timestamp, manage_url, memo) {
  // Recipient and link targets are the placeholders published with the script.
  const to = "<[email protected]>";
  const title = `A Canary Token is Triggered: ${memo}`;
  const text = `Honeypots Notification\n${timestamp}\n\n${memo}\n\nYou can find more details on Slack: <https://XXXX.slack.com/archives/XXXX> \n\nHere is the Manage URL: ${manage_url}\n\nThe Incident Response Guideline can be found here: <https://docs.google.com/document/d/XXXX/edit>`;
  MailApp.sendEmail(to, title, text);
}

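/**
 * Posts a honeytoken alert to the Slack channel through a webhook.
 *
 * The timestamp and memo come from the webhook request and are escaped for
 * Slack mrkdwn (&, < and > are its control characters), so their content is
 * displayed as text and cannot add links or mentions to the alert. The manage
 * URL is rendered as a link only when it is a plain http(s) URL without
 * whitespace, "<", ">" or "|"; otherwise it is shown as escaped text.
 *
 * NOTE(review): the webhook URL is a credential. Consider loading it from
 * script properties instead of keeping it in the source.
 *
 * @param {*} timestamp - Time of the trigger, as received in the alert.
 * @param {*} manage_url - Management URL of the triggered token.
 * @param {*} memo - Memo identifying the token.
 * @returns {Object} The response returned by UrlFetchApp.fetch.
 */
function sendSlackAlert(timestamp, manage_url, memo) {
  const webhookUrl = "<Slack webhook URL>";

  const escapeMrkdwn = (value) =>
    String(value)
      .replace(/&/g, "&amp;")
      .replace(/</g, "&lt;")
      .replace(/>/g, "&gt;");

  const isPlainHttpUrl =
    typeof manage_url === "string" && /^https?:\/\/[^\s<>|]+$/.test(manage_url);
  const manageLine = isPlainHttpUrl
    ? "<" + manage_url + "|Canarytokens.org Management>"
    : escapeMrkdwn(manage_url);

  // The spreadsheet and guideline links are kept exactly as published.
  const details =
    "*Timestamp*\n" + escapeMrkdwn(timestamp) +
    "\n*Memo*\n" + escapeMrkdwn(memo) +
    "\n*IOCs*\n<<https://docs.google.com/spreadsheets/d/XXXX/edit#gid=0|Spreadsheet History>>\n" +
    manageLine +
    "\n*Incident Response*\n<<https://docs.google.com/document/d/xxx|Honeypot Guideline>>";

  const payload = {
    "channel": "#alerts-honeypots",
    "blocks": [
      {
        "type": "header",
        "text": {
          "type": "plain_text",
          "text": "A Canary Token is Triggered!"
        }
      },
      {
        "type": "section",
        "text": {
          "type": "mrkdwn",
          "text": details
        }
      }
    ]
  };

  const options = {
    "method": "post",
    "contentType": "application/json",
    "payload": JSON.stringify(payload)
  };

  return UrlFetchApp.fetch(webhookUrl, options);
}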