agent security skill risk: medium
Canary Token Deployment for Deception Detection
Provides steps to authenticate with the Thinkst Canary API, create web bug, DNS, and document tokens, list tokens, query alerts, and generate deception coverage reports.
- Policy sensitive
- Human review
- External action: high
SKILL 4 files · 2 folders
SKILL.md
--- name: implementing-deception-based-detection-with-canarytoken description: "Deploy and monitor Canary Tokens via the Thinkst Canary API for deception-based breach detection using web bug" --- # Implementing Deception-Based Detection with Canarytoken ## Overview Canary Tokens are lightweight tripwire mechanisms that alert when an attacker accesses a resource. This skill uses the Thinkst Canary REST API to programmatically create tokens (web bugs, DNS tokens, MS Word documents, AWS API keys), deploy them to strategic locations, monitor for triggered alerts, and generate deception coverage reports. ## When to Use - When deploying or configuring implementing deception based detection with canarytoken capabilities in your environment - When establishing security controls aligned to compliance requirements - When building or improving security architecture for this domain - When conducting security assessments that require this implementation ## Prerequisites - Thinkst Canary Console or canarytokens.org account - API auth token from Canary Console - Python 3.9+ with `requests` - File system access for deploying document and file tokens ## Steps 1. Authenticate to the Canary Console API using auth_token 2. Create web bug (HTTP) tokens for embedding in documents and web pages 3. Create DNS tokens for monitoring DNS resolution attempts 4. Create MS Word document tokens for file share deployment 5. List all active tokens and their trigger history 6. Query recent alerts for triggered token events 7. Generate deception coverage report with deployment recommendations ## Expected Output - JSON report listing all deployed Canary Tokens, trigger history, alert details, and coverage analysis - Deployment map showing token types across network segments
REQUIRED CONTEXT
- Thinkst Canary Console or canarytokens.org account
- API auth token from Canary Console
- Python 3.9+ with requests library
- File system access for deploying tokens
EXPECTED OUTPUT
- Format
- structured_report
- Schema
- json_report · deployed Canary Tokens, trigger history, alert details, coverage analysis, Deployment map
- Constraints
- JSON report listing all deployed Canary Tokens, trigger history, alert details, and coverage analysis
- Include deployment map showing token types across network segments
SUCCESS CRITERIA
- Deploy and monitor Canary Tokens via the Thinkst Canary API
- Generate deception coverage report with deployment recommendations
CAVEATS
- Dependencies
- Thinkst Canary Console or canarytokens.org account
- API auth token from Canary Console
- Python 3.9+ with `requests`
- File system access for deploying document and file tokens
- Missing context
- Exact API authentication details and token format
- Output format specification beyond high-level JSON description
- Error handling or retry logic
- Ambiguities
- Awkward phrasing in 'When deploying or configuring implementing deception based detection with canarytoken capabilities'
- Does not specify exact API endpoints or request formats
- Steps list high-level actions without parameters or examples
QUALITY
- OVERALL
- 0.58
- CLARITY
- 0.72
- SPECIFICITY
- 0.55
- REUSABILITY
- 0.48
- COMPLETENESS
- 0.62
IMPROVEMENT SUGGESTIONS
- Replace the redundant 'When to Use' bullet with concise trigger conditions
- Add concrete code examples or curl snippets for each step
- Define the structure of the expected JSON report explicitly
USAGE
Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.
MORE FOR AGENT
- MoltPass Client for AI Agent Identitiesagentsecurity
- Supply Chain Dependency Risk Auditoragentsecurity
- Supply Chain Dependency Risk Auditoragentsecurity
- Threat Modeling Security Expertagentsecurity
- Security Bluebook Policy Builderagentsecurity
- Security Bluebook Policy Builderagentsecurity
- Security Blue Book Policy Builderagentsecurity
- Threat Modeling Security Architecture Expertagentsecurity
- Supply Chain Dependency Risk Auditoragentsecurity
- Threat Modeling Security Expertagentsecurity
- SIEM Detection Rule Tuning Guideagentsecurity
- AI File Metadata Compliance Auditoragentsecurity
- Azure Storage Misconfiguration Audit Reporteragentsecurity
- Implementing PAM for Database Accessagentsecurity
- AFL++ Coverage-Guided Fuzzing Procedureagentsecurity
- Supply Chain Attack Simulation Detectoragentsecurity
- Security Audit Fix Verifieragentsecurity
- Active Directory ACL Abuse Analyzeragentsecurity
- Privileged Access Workstation Implementation Guideagentsecurity
- SSRF Vulnerability Testing and Reporting Guideagentsecurity
- Security Audit Fix Revieweragentsecurity
- AWS IAM Privilege Escalation Detectoragentsecurity
- SSL/TLS Security Assessment with Sslyzeagentsecurity
- GCP Penetration Testing with GCPBucketBruteagentsecurity
- AWS CloudTrail Anomaly Detection Guideagentsecurity