← All controls

57 Canary tokens via commercial console

The same canary detection bought rather than built: a commercial console (Thinkst Canary) mints Drive documents, AWS keys, Office files and DNS tokens, and maintains the alert routing for them. Tokens go one per location, so the alert identifies the breach point, and alerting lands out-of-band, outside the tenant being defended.

Caveats

Setup steps

  1. Alerting destination
    out-of-band mailbox/Slack, outside the defended tenant
  2. One token per location so the alert identifies the breach point

Ongoing maintenance

How to verify

  1. Trip one token of each deployed type and confirm the console records it and the notification arrives.

v0.0.1Detectedition All (3rd-party $) policy #30 · #33 (gap G1) ↗