Hi Everyone, I want to integrate Canary Tokens (can be any really), with Rapid7. Has anyone done it before? If so, can you share how you did it, best practices, or the best way to go about integrating them? Thank you in advance!
Hi.
There are many different deception technologies in IDR. Please see:
Hi
I use webhooks to push canary alerts into IDR.
From notes:
In R7
Data Collection → new Rapid7 Custom Event source
Select Webhook at the “Run On” stage
Copy URL
In thinkst
Settings → Global Settings → Webhooks → Add Generic → Paste in URL from R7 event source and save
Alerts turn up in raw logs.
Basic detection rule looks like:
from(
    event_type = "raw"
    AND
    log.id = "401e9a79-2402-4724-8c57-fed9c83927ca"
)
where(
    "AlertType" = "CanaryIncident"
)
The log.id, I'm sure, will be different in your environment.
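As an added illustration (not code from the thread or from Rapid7/Thinkst), the script below reproduces the logic of the detection rule above outside IDR: it reads raw webhook lines the way the custom event source would store them, keeps only events whose "AlertType" is "CanaryIncident", and renders the rule text with your own log.id substituted. Only the AlertType value comes from the thread; the sample events, the other field names (Description, CanaryName, SourceIP, Timestamp), the placeholder log.id and the helper names are assumptions made for the example. The `post_test_event` helper is there so you can confirm the event source is actually receiving data before you enable the rule; it is not called when the script runs.

```python
"""Filter raw Canary webhook events the way the IDR rule in the thread does."""
import json
import urllib.request
from typing import Dict, Iterable, List, Optional

# Constructed sample lines standing in for what lands in the custom event
# source's raw log. AlertType = "CanaryIncident" is taken from the thread;
# every other field name and value is an assumption for illustration, not a
# documented Thinkst payload.
RAW_LOG: List[str] = [
    '{"AlertType": "CanaryIncident", "Description": "HTTP Login Attempt", '
    '"CanaryName": "fileserver-01", "SourceIP": "10.0.0.23", '
    '"Timestamp": "2024-01-01 10:00:00 (UTC)"}',
    '{"AlertType": "Test", "Description": "Webhook test from console"}',
    "not a JSON document at all",
    '{"AlertType": "CanaryIncident", "Description": "Canarytoken triggered", '
    '"CanaryName": "docs-share", "SourceIP": "198.51.100.7", '
    '"Timestamp": "2024-01-01 11:30:00 (UTC)"}',
]

# Placeholder: the log.id of your own custom event source is different.
LOG_ID = "00000000-0000-0000-0000-000000000000"


def parse_event(line: str) -> Optional[Dict]:
    """Return the decoded JSON object for one raw line, or None if it is not one."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def is_canary_incident(event: Dict) -> bool:
    """Mirror the rule's where() clause: "AlertType" = "CanaryIncident"."""
    return event.get("AlertType") == "CanaryIncident"


def canary_incidents(lines: Iterable[str]) -> List[Dict]:
    """Apply from(raw log) + where(AlertType = CanaryIncident) over raw lines."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is not None and is_canary_incident(event):
            hits.append(event)
    return hits


def summarize(event: Dict) -> str:
    """One-line triage summary; fields other than AlertType are assumed names."""
    return "{} | {} | canary={} | source={}".format(
        event.get("Timestamp", "?"),
        event.get("Description", "?"),
        event.get("CanaryName", "?"),
        event.get("SourceIP", "?"),
    )


def detection_rule(log_id: str) -> str:
    """Render the query from the thread with the given custom event source id."""
    return (
        "from(\n"
        '    event_type = "raw"\n'
        "    AND\n"
        f'    log.id = "{log_id}"\n'
        ")\n"
        "where(\n"
        '    "AlertType" = "CanaryIncident"\n'
        ")"
    )


def post_test_event(webhook_url: str, event: Dict, timeout: float = 10.0) -> int:
    """POST one JSON event to the IDR webhook URL and return the HTTP status.

    Not called below. Use it with the URL copied from the custom event source
    to confirm events arrive in the raw log before enabling the rule.
    """
    body = json.dumps(event).encode("utf-8")
    request = urllib.request.Request(
        webhook_url,
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status


if __name__ == "__main__":
    for hit in canary_incidents(RAW_LOG):
        print(summarize(hit))
    print(detection_rule(LOG_ID))
```

Running it prints the two constructed incidents and skips both the console test alert and the non-JSON line, which is the same split the IDR rule makes; swap LOG_ID for the id shown on your own event source when you paste the rendered rule into IDR.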