56 Self-hosted canary corpus
A small corpus of plausible-but-worthless documents — a board deck, a salary sheet, key material — seeded in Drive where the real ones live, each carrying a unique beacon served from an Apps Script web app you control. Nothing legitimate ever links to them, so a beacon hit means someone found the file by looking for it, and the hit is routed to the same paging path as a real alert.
Caveats
Setup steps
-
Content plausible, value zero; never linked from real workflows
-
- Beacon endpoint
client-controlled webhook, not a shared SaaS
-
Deploy > New deployment > Web app; Execute as = me; Who has access = Anyone; logged fields = timestamp, beacon id, query params
-
Ongoing maintenance
- automatable: script Quarterly: rotate fired canaries and reseed the corpus as real documents move.
- requires a human Per hit: triage whether the access was staff error or a real intrusion.
How to verify
Open one canary document from a clean, non-staff context and confirm the beacon reports with the expected identifiers.
v0.1.2Detect policy #30 · #33 (gap G1) ↗