Canary tokens integration with Grafana

I would like to create a dashboard for canary tokens in Grafana. For that I first need to configure the data source. Can someone help me with this?

Hi @zupuer - could you describe what you’re trying to do a little more - which data source, where is the data you’re looking to access? Or are you looking to create a new datasource plugin?

Canarytokens are digital alarms that alert when someone tries to do something sneaky on computers or networks. They help catch bad actors in the act. I’m looking to create a Grafana dashboard to visualize our Canarytokens data for an overall view. Can you guide me through the steps of setting up this dashboard? I’m specifically interested in how to connect the data source, create panels, and visualize information such as timestamp and token type.

What type of data source is it? Is it MySQL or Postgres? If so, please post the table schema(s). Does it provide a REST API? If so, please post a JSON response.
We have no idea what canary :bird: is.

I’m thankful that both of you are here to provide your assistance. Canary tokens are not conventional software applications that use databases like MySQL or PostgreSQL. Instead, they are a technique used in cybersecurity for detecting unauthorized access or activity. They create ‘bait’ that triggers alerts when accessed.

Canary tokens do not offer a REST API or predefined JSON responses. They operate by generating logs or records within existing systems, such as web servers, email servers, or file systems. These systems’ existing logging mechanisms capture information about interactions and activities related to the tokens.

Please post sample logs, emails, etc.
Without sample data it would just be guesswork.

And there is no visualization without some structured data, be it logs, emails or whatever.

Sure. In the Canary Tokens management section, we can download data in JSON and Excel formats.
Please find the files.

{
  "hits": [
    {
      "time_of_hit": 1690212345.678901,
      "src_ip": "123.456.789.10",
      "geo_info": {
        "loc": "37.7749,-122.4194",
        "org": "AS12345 Sample ISP",
        "city": "San Francisco",
        "country": "US",
        "region": "California",
        "hostname": null,
        "ip": "123.456.789.10",
        "timezone": "America/Los_Angeles",
        "postal": "94101",
        "asn": {
          "route": "123.456.0.0/16",
          "type": "isp",
          "asn": "AS12345",
          "domain": "sample-isp.com",
          "name": "Sample ISP"
        },
        "readme": null
      },
      "is_tor_relay": false,
      "input_channel": "HTTPS",
      "src_data": null,
      "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.1234.567 Safari/537.36",
      "token_type": "ms_word"
    }
  ],
  "token_type": "ms_word"
}


So which data points in the data you posted do you want to visualize on the map?

Try the Infinity plugin and then use JSONata to extract the data.
Here is how:

https://try.jsonata.org/vy50lvlbJ


Thank you for your guidance on visualizing Canary Token data in Grafana. I tried the Infinity plugin and JSON data, but the URL I received from the Canary Token GET request contains details for only one token. How can I retrieve data for multiple tokens simultaneously?

You clearly indicated you get your data as json or csv.

And now you mention a GET request whereas earlier you stated there is no rest api.

I am confused

I apologize for any confusion. I can indeed obtain JSON or CSV data for individual triggers. However, my goal is to collect data for all triggers across all tokens, not just a single trigger.
Canary Tokens indeed do not typically store data in a centralized database. They are designed to generate alerts or notifications when interacted with, which can be useful for detecting unauthorized access or activities.
Canary tokens are indeed bait or decoy objects that are strategically placed within a network or system to serve as early warning mechanisms. When these tokens are interacted with, such as being opened, accessed, or clicked on, they trigger alerts or notifications to alert administrators or security teams to potential security incidents or unauthorized access.
Do you have any insights on how to achieve this broader view of all triggered Canary Tokens together? And once again, sorry for the confusion.

:slightly_smiling_face: I think you already thoroughly explained what Canary is and does and we understand that part.

Since you do not save this data in a centralized location like a database, but are just interacting with it as either JSON or CSV downloads, there is not much you can do other than manually copy-paste into one of those data types.

I am just not sure how you can view those alerts as shown in previous screens when the data is not saved anywhere. Are those auto-generated screens?
Anyway, back to your question: Grafana needs the data from a centralized location. In your case you will need to either do it manually or create a script that does that for you.
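A script of the kind the last reply suggests, added here as an example and not code from this thread or from Canarytokens: it merges several per-token JSON downloads, each shaped like the sample posted above, into one flat, time-sorted CSV that the Infinity plugin (which accepts CSV as well as JSON) can load as a single data source. The three downloads, their IPs and ASN values are constructed sample data; the field names follow the posted sample.

```python
import csv, io, json
from datetime import datetime, timezone

# Constructed sample: three per-token Canarytokens JSON downloads shaped like the
# one posted above (documentation-range IPs; the third token was never triggered).
SAMPLE_DOWNLOADS = [
    json.dumps({"token_type": "ms_word", "hits": [{
        "time_of_hit": 1690212345.678901, "src_ip": "203.0.113.10",
        "geo_info": {"city": "San Francisco", "country": "US",
                     "asn": {"asn": "AS64496", "name": "Example ISP"}},
        "is_tor_relay": False, "input_channel": "HTTPS",
        "useragent": "Mozilla/5.0 (constructed)", "token_type": "ms_word"}]}),
    json.dumps({"token_type": "dns", "hits": [{
        "time_of_hit": 1690300000.0, "src_ip": "198.51.100.7", "geo_info": None,
        "is_tor_relay": True, "input_channel": "DNS", "useragent": None}]}),
    json.dumps({"token_type": "aws_keys", "hits": []}),
]

FIELDS = ["time", "token_type", "src_ip", "input_channel", "is_tor_relay",
          "city", "country", "asn", "useragent"]

def flatten_hits(downloads):
    # Merge every hit from every download into one flat, time-sorted row list.
    rows = []
    for raw in downloads:
        doc = json.loads(raw)
        for hit in doc.get("hits", []):
            geo = hit.get("geo_info") or {}      # geo_info may be null
            asn = geo.get("asn") or {}
            # time_of_hit is a float epoch; Grafana wants an ISO-8601 timestamp
            ts = datetime.fromtimestamp(hit["time_of_hit"], tz=timezone.utc)
            rows.append({
                "time": ts.isoformat(timespec="milliseconds"),
                "token_type": hit.get("token_type") or doc.get("token_type"),
                "src_ip": hit.get("src_ip"),
                "input_channel": hit.get("input_channel"),
                "is_tor_relay": bool(hit.get("is_tor_relay")),
                "city": geo.get("city"), "country": geo.get("country"),
                "asn": asn.get("asn"), "useragent": hit.get("useragent"),
            })
    rows.sort(key=lambda r: r["time"])
    return rows

def to_csv(rows):
    # Serialize rows as CSV for the Infinity data source (or any CSV source).
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Point it at the real downloads by reading each file into the list instead of SAMPLE_DOWNLOADS, and write the result of to_csv() to a file the Infinity data source can fetch.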