Security teams can now investigate and acknowledge Canary incidents in Google Security Operations response workflows as cases (with alert and event context intact).
Thinkst Canary now integrates with Google Security Operations response workflows, giving security teams a straightforward way to work high-confidence Canary alerts in the environment they are already used to. Canary incidents can be ingested into Google Security Operations response workflows as cases, where analysts can review alert and event context (and acknowledge incidents when the work is done).
Most teams do not need more alerts. They need alerts they can act on. Because Canary alerts are high-confidence by design, analysts can move quickly from detection to investigation, spending less time validating the alert and more time understanding what access an attacker may already have gained and how far they have moved.
The integration also surfaces hostnames, IP addresses, and other useful entities in Google Security Operations to support enrichment and investigation. Teams can choose whether to include the full alert stream or exclude purely informative operational alerts, depending on how they want to run the workflow.
Key benefits of the integration
- High-fidelity alert intake: Bring Thinkst Canary incidents into Google Security Operations as cases with alerts and event context.
- Faster investigations: Review extracted entities such as IP addresses and hostnames to accelerate triage and enrichment.
- Less tool switching: Acknowledge a Canary incident from within Google Security Operations instead of switching back to the Canary Console for a routine workflow step.
- Flexible alert filtering: Use the connector setting to suppress informative alerts when the team wants to focus only on response-relevant incidents.
Use cases
Confirmed intrusion and breach scoping
If an attacker interacts with a Canary service, the alert gives analysts a strong indication that the network has been breached. From there, teams can use Google Security Operations to investigate the attacker’s path, determine what access was obtained, and assess the extent of lateral movement or broader compromise.
Unauthorised internal reconnaissance
If an attacker scans or probes a Canary, the alert provides a reliable signal of malicious activity inside the environment. Analysts can investigate where the activity originated, identify related systems or users, and understand how the attacker gained an internal foothold.
Early lateral movement detection
When an attacker attempts to move through the network and interacts with a Canary, the alert can open a Google Security Operations case for immediate review. Analysts can then trace related activity and determine whether additional systems or credentials have been compromised.
Rapid validation of suspicious behaviour
When other detections or weak signals suggest a possible compromise, a Canary alert can provide the confirmation analysts need to prioritise response. Instead of spending time debating whether the activity is benign, the team can focus on containment and investigation.
Getting started
Customers can get started by installing the Thinkst integration from the Google Security Operations Content Hub and configuring the connector with their Canary Console details and API token. For step-by-step configuration guidance and troubleshooting support, see: Configuring Google SecOps SOAR Integration.