Splunk Your Canarytokens

Canarytokens are a free, quick, painless way to help defenders discover they’ve been breached (by having attackers announce themselves.) When triggered, they generate an alert that can be ingested into Splunk to add another layer of visibility to your security monitoring.

Imagine knowing when your website source code has been cloned or notified if an attacker uses a strategically placed “canary” AWS API key. There are many use cases to use Canarytokens for, and today we will walk through setting up a simple token and ingesting the alert into Splunk for further analysis.

Here is an overview of the steps we will take to get started with Canarytokens and Splunk.

  1. Create an HTTP Event Collector (HEC) token in Splunk.
  2. Allow authentication via query string in Splunk configuration files.
  3. Create Canarytoken.
  4. Visualize results in Splunk.

Create a Splunk HEC token

Perform the following steps to create a new HEC token in Splunk1.

  1. Navigate to Settings > Data Inputs.
  2. Click “HTTP Event Collector.”
  3. In the upper right corner, click “Global Settings.”
  4. Ensure “All tokens” is set to enabled, and take note of your HTTP port number (default=8088).
  5. Save and close the global setting and now click “New Token.”
  6. Give the new token a name and click next.

    Name the HEC token Name the HEC token

  7. For simplicity, set the sourcetype to _json and choose an index to place the data.

    Name the HEC token Set sourcetype and index

  8. Click review and then finish the token.

    Completed Token Completed Token

Take note of the token value; we will be using this shortly.

Allow URL authentication

To pass the token value through a URL, we need to set allowQueryStringAuth to true in the configuration file.

If you are a Splunk Cloud Customer, you must open a Splunk Support ticket to set allowQueryStringAuth to true on your HEC endpoint.

The following is an example configuration file that sets this parameter to “true.”

disabled = 0
host = splunk
index = canary
indexes = canary
sourcetype = _json
token = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
allowQueryStringAuth = true

Create a Canarytoken

Now it is time to navigate to to generate a Canarytoken. For this example, I will create a “Web bug/URL token” to easily demonstrate an alert in Splunk.

The webhook URL will include the Splunk HEC token we created in the previous step. The format for this token will be as follows:


Canarytoken Example Canarytoken Example

Completed Canarytoken

The token is now ready to use. Once the provided URL is visited, I will receive an alert in Splunk!

Splunk Output

Security Considerations

There are a few last things to mention in terms of security-related concerns.

  • The Splunk HEC may be observed in transit and/or logged in plain text.
  • Use HTTPS and give minimal access permissions to the Splunk HEC token.
  • If possible, create an allow-list or ACLs to only permit webhooks from Canarytokens.
  • Always consult your security team before implementing anything in production.


Canarytokens are another valuable method for catching attackers before they get too far into your network. These tokens could serve as a much-needed warning sign before an attack hits. Combine this with the powerful logging analytics Splunk has to correlate across data sources, and you get increased visibility into your ever-evolving attack surface.


This post is licensed under CC BY 4.0 by the author.