The values returned by this Canarytokens API correspond to the kind parameter used to create
Canarytokens. As an example, if you wanted to create a Cloned Web Canarytoken, you would check the
response to this Canarytokens API and use cloned-web to define the Canarytoken type you wish to create.
GET /api/v1/canarytokens/list
Lists the available Canarytokens on your Canary Console.
Required Parameters
auth_tokenstring
A valid auth token
Response
A JSON structure with result indicator and Canarytokens information.
Specifies the type of Canarytoken. Please check "List Canarytokens" for available Canarytoken kind values.
memostring
A reminder that will be included in the alert to let you know where you placed this Canarytoken, limited to 10000 characters.
Optional Parameters
aws_access_keystring
AWS Access Key ID (required if automating creation of AWS S3 token)
aws_secret_keystring
AWS Secret Access Key (required if automating creation of AWS S3 token)
aws_session_tokenstring
AWS Session Token (required if automating creation of AWS S3 token, using temporary credentials)
aws_regionstring
AWS region (required if automating creation of AWS S3 token)
azure_id_cert_file_namestring
Azure ID config will use this as the file path to the certificate (required when creating Azure ID tokens).
browser_redirect_urlstring
Browser redirect URL is the URL you want your Canarytoken server to redirect attackers to after they have triggered your Canarytoken token (required when creating fast-redirect and slow-redirect tokens)
browser_scanner_enabledboolean
Defaults to: true
Enables a Javascript scanner to retrieve more information (only valid with 'http' Canarytokens)
cloned_webstring
Domain to check against (required when creating cloned-web tokens)
exestring
The Windows executable that you would like tokened (required when creating signed-exe tokens)
docfile
Upload MS Word Document to canarytoken; optionally used with MS Word Document (doc-msword) token. With curl use the following flag -F 'doc=@upload-me.docx; type=application/vnd.openxmlformats-officedocument.wordprocessingml.document'
Upload PDF file to canarytoken; optionally used with Adobe PDF canarytoken (pdf-acrobat-reader). With curl use the following flag -F pdf=@upload-me.pdf; type=application/pdf
process_namestring
Name of the process you want to monitor (required when creating sensitive-cmd tokens)
s3_log_bucketstring
S3 bucket where logs will be stored (required when creating aws-s3 tokens)
s3_source_bucketstring
S3 bucket to monitor for access (required when creating aws-s3 tokens)
web_imagefile
Upload an Image file (jpeg or png) that will be displayed on the Canarytokens URL (required when creating web-image tokens) With curl use the following flag: -F 'web_image=@upload-me.png; type=image/png' for png files -F 'web_image=@upload-me.jpg; type=image/jpeg' for jpeg files
tokened_usernamesstring
A comma separated list of Active Directory usernames to token (required when creating active-directory-login tokens)
Response
A JSON structure with the created Canarytoken information.
Delete a Canarytoken. You'll need to delete all incidents on a token before you can delete the token itself. If there are still incidents attached to the token, you can specify `clear_incidents=true` to delete them all.
Bulk delete Canarytokens that match the specified criterion. You'll need to delete all incidents on the matching tokens before you can delete the tokens, otherwise no tokens will be deleted and an error returned.
Required Parameters
auth_tokenstring
A valid auth token
domainsstring
A comma separated list of custom domains from which all tokens should be deleted.
Remove an AWS S3 Canarytoken from your Amazon console.
Required Parameters
auth_tokenstring
A valid auth token
canarytokenstring
A valid Canarytoken
aws_access_keystring
AWS Access Key ID (this is not stored on the Console and is only used for the duration of the operation)
aws_secret_keystring
AWS Secret Access Key (this is not stored on the Console and is only used for the duration of the operation)
aws_regionstring
AWS Region where the token is located
Optional Parameters
aws_session_tokenstring
AWS Session Token. Required when using temporary AWS authentication (this is not stored on the Console and is only used for the duration of the operation)
delete_bucketsboolean
Defaults to: false
Boolean indicating if buckets must be deleted
s3_source_bucketstring
Name of the S3 bucket which was being monitored (required if delete_buckets is true)
{"result":"success","token":{"canarytoken":"<token_code>","created":"1585947523.255526","created_printable":"2020-04-03 20:58:43 (UTC)","enabled":true,"flock_id":"flock:default","hostname":"<token_hostname>","key":"<token_key>","kind":"dns","memo":"Updated Example Memo","triggered_count":0,"updated_id":4,"url":"<token_url>"}}