# Incident Objects
Each log entry is termed an event, and consists of a single action such as one SSH login attempt, one POST to a website, or one SIP request. An event results in an incident being created, but subsequent similar events from the same source are bundled into that incident if they occur in close proximity. This means that if someone launches a brute-force attack, a single incident is created, with one event for each login attempt.
The incident object contains a record of the individual events that constitute the incident.
# Basic Structure
Incident feeds have this basic structure:

- `updated`: Human readable date when the incident was updated.
- `updated_std`: The date/time when the incident was updated, in the format `YYYY-MM-DD HH:MM:SS TZ`.
- `updated_time`: Timestamp of the updated time, e.g. `1574945951`.
- `created`: Timestamp of the incident creation time, e.g. `1574945951`.
- `created_std`: The date/time when the incident was created, in the format `YYYY-MM-DD HH:MM:SS TZ`.
- `dst_host`: Optional. The destination IP address of the attack.
- `dst_port`: Optional. The destination port of the attack.
- `events_count`: Number of events for the incident.
- `flock_id`: ID of the Flock in which the incident occurred.
- `flock_name`: Name of the Flock in which the incident occurred.
- `name`: Optional. The name of the device on which the incident occurred.
- `node_id`: Optional. The `node_id` of the device on which the incident occurred.
- `src_host`: The source IP address of the attacker.
- `src_host_reverse`: The source hostname of the attacker.
- `src_port`: The source port of the attacker.
```
{
  "feed": "Unacknowledged Incidents",
  [...]
  "incidents": [
    {
      "id": "...",
      "summary": "<EVENT_DESCRIPTION>",
      "updated": "...",
      "updated_std": "...",
      "updated_time": "...",
      [...]
      "description": {
        [...]
        "logtype": "<LOGTYPE>",
        "description": "<EVENT_DESCRIPTION>",
        "created": "...",
        "created_std": "...",
        "dst_host": "...",
        "dst_port": "...",
        "events": [
          <EVENT_DICT>,
          <EVENT_DICT>,
          ...
        ],
        "events_count": "...",
        "flock_id": "...",
        "flock_name": "...",
        "name": "...",
        "node_id": "...",
        "src_host": "...",
        "src_host_reverse": "...",
        "src_port": "..."
      }
    }
  ]
}
```
The `events` field contains a list of `<EVENT_DICT>`s. In the incident types below, only the `<EVENT_DESCRIPTION>`, `<LOGTYPE>` and `<EVENT_DICT>` values are defined, as the rest of the incident object is the same across the various incident types.
All fields will be present in each incident, unless noted otherwise.
The actual data returned by the API may include additional fields. However, any field not described in this document should be considered experimental and likely to disappear.
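As an added example (not code from the Canary documentation or API), the consumer below walks a feed of the shape documented above, cross-checks `events_count` against the bundled `events` list, collapses a credential-guessing incident (here SSH, logtype 4002) into who was tried and how, and transposes a Consolidated Network Port Scan event (logtype 5007) into canary-to-ports form. The sample feed is constructed and only carries the fields the code reads.

```python
import json
from collections import Counter

# Logtypes documented on this page for incidents that carry credentials.
LOGIN_LOGTYPES = {
    "2000": "FTP", "3001": "HTTP", "4002": "SSH", "6001": "Telnet",
    "8001": "MySQL", "9001": "MSSQL", "9002": "MSSQL", "14003": "RDP",
    "29001": "WinRM",
}

# Constructed sample feed (made-up values, not captured API output) in the
# documented shape; only the fields the functions below read are filled in.
SAMPLE_FEED = json.dumps({
    "feed": "Unacknowledged Incidents",
    "incidents": [
        {"id": "inc-1", "summary": "SSH Login Attempt", "description": {
            "logtype": "4002", "src_host": "198.51.100.7", "dst_port": "22",
            "events_count": "3",
            "events": [
                {"USERNAME": "root", "PASSWORD": "toor", "timestamp": 1580378197},
                {"USERNAME": "root", "PASSWORD": "admin", "timestamp": 1580378199},
                # Key-based attempt: PASSWORD is absent and KEY is present.
                {"USERNAME": "backup", "KEY": "ssh-ed25519 AAAA(constructed)",
                 "timestamp": 1580378203},
            ]}},
        {"id": "inc-2", "summary": "Consolidated Network Port Scan", "description": {
            "logtype": "5007", "src_host": "203.0.113.5",
            "events_count": "2",  # deliberately wrong, so the check below fires
            "events": [{"22": ["192.0.2.10", "192.0.2.11"], "445": ["192.0.2.11"]}],
        }},
    ],
})


def summarise_login(desc):
    """Collapse a bundled brute-force incident into who was tried, and how."""
    events = desc["events"]
    return {
        "service": LOGIN_LOGTYPES[desc["logtype"]],
        "src_host": desc["src_host"],
        "usernames": dict(Counter(e["USERNAME"] for e in events)),
        # Optional fields: PASSWORD for password auth, KEY for key auth (SSH).
        "password_attempts": sum("PASSWORD" in e for e in events),
        "key_attempts": sum("KEY" in e for e in events),
        "first_seen": min(e["timestamp"] for e in events),
        "last_seen": max(e["timestamp"] for e in events),
    }


def canaries_by_host(desc):
    """Transpose a 5007 event dict (port -> [canary IPs]) into canary -> [ports]."""
    hit = {}
    for event in desc["events"]:
        for port, canaries in event.items():
            for ip in canaries:
                hit.setdefault(ip, set()).add(int(port))
    return {ip: sorted(ports) for ip, ports in hit.items()}


def summarise_feed(feed_json):
    """Return one summary record per incident, dispatching on the documented logtype."""
    records = []
    for inc in json.loads(feed_json)["incidents"]:
        desc = inc["description"]
        # events_count arrives as a string; cross-check it against the events list.
        rec = {"id": inc["id"], "logtype": desc["logtype"],
               "events_consistent": int(desc["events_count"]) == len(desc["events"])}
        if desc["logtype"] in LOGIN_LOGTYPES:
            rec.update(summarise_login(desc))
        elif desc["logtype"] == "5007":
            rec["canaries"] = canaries_by_host(desc)
        records.append(rec)
    return records


if __name__ == "__main__":
    print(json.dumps(summarise_feed(SAMPLE_FEED), indent=2))
```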
# Canary Disconnected
- `EVENT_DICT`: Empty, no additional event data.

```
<EVENT_DESCRIPTION> = "Canary Disconnected"
<LOGTYPE> = "1004"
<EVENT_DICT> = { }
```
# Canarytokens
There are two types of Canarytokens, HTTP and DNS.
# HTTP
- `type`: A string containing the token type (`http` or `dns`).
- `canarytoken`: Unique string that acts as the Canarytoken.
- `headers`: Dict of headers. Only present for HTTP Canarytokens.
- `url`: URL of the HTTP Canarytoken.

```
<EVENT_DESCRIPTION> = "Canarytoken triggered"
<LOGTYPE> = "17000"
<EVENT_DICT> = {
  "type": "http",
  "canarytoken": "<tokenvalue>",
  "headers": {
    "<headername_1>": "<headervalue_1>",
    "<headername_2>": "<headervalue_2>",
    ...
  },
  "url": "<tokenurl>"
}
```
# DNS
- `type`: A string containing the token type (`http` or `dns`).
- `canarytoken`: Unique string that acts as the Canarytoken.
- `hostname`: Hostname of the DNS Canarytoken.

```
<EVENT_DESCRIPTION> = "Canarytoken triggered"
<LOGTYPE> = "16000"
<EVENT_DICT> = {
  "type": "dns",
  "canarytoken": "<tokenvalue>",
  "hostname": "<tokenhostname>"
}
```
# Custom TCP Service Request
The Custom TCP Service module lets the Canary administrator create simple services that either print a banner immediately on connection, or wait for the client to send data before responding.

LOGTYPE:

- `20001`: Banner sent immediately on connection.
- `20002`: Banner sent after the client sent a line.

Fields:

- `BANNER_ID`: Multiple banners are supported; the id identifies which banner service was triggered.
- `DATA`: Optional. The attacker's supplied data.
- `FUNCTION`: Indicates which trigger fired: either `DATA_RECEIVED`, when a banner was sent after the attacker sent data, or `CONNECTION_MADE`, when a banner was sent immediately on connection.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "Custom TCP Service Request"
<LOGTYPE> = "20001 | 20002"
<EVENT_DICT> = {
  "BANNER_ID": "...",
  "DATA": "...",
  "FUNCTION": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# FTP Login Attempt
- `USERNAME`: Attacker supplied username.
- `PASSWORD`: Attacker supplied password.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "FTP Login Attempt"
<LOGTYPE> = "2000"
<EVENT_DICT> = {
  "USERNAME": "...",
  "PASSWORD": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# Git Repository Clone Attempt
- `HOST`: Git client's view of the Canary's hostname.
- `REPO`: Name of the repository the client attempted to clone.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "Git Repository Clone Attempt"
<LOGTYPE> = "19001"
<EVENT_DICT> = {
  "HOST": "...",
  "REPO": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# HTTP Incidents
There are two types of HTTP incidents:

- Page loads, triggered by GET requests. They are disabled by default as they are noisy, and need to be specifically enabled.
- Login attempts, triggered by GET requests. They are always enabled.
# HTTP Page Load
- `PATH`: Web path requested by the source.
- `USERAGENT`: User agent of the source's browser.
- `CHANNEL`: Optional. Set to `TLS` if an encrypted site is configured, otherwise absent.
- `METHOD`: The HTTP request method used, e.g. GET/POST/DELETE.
- `RESPONSE`: The response code, e.g. `200`.
- `SKIN`: Which webserver skin was used, e.g. `nasLogin`.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "HTTP Page Load"
<LOGTYPE> = "3000"
<EVENT_DICT> = {
  "PATH": "...",
  "USERAGENT": "...",
  "CHANNEL": "...",
  "METHOD": "...",
  "RESPONSE": ...,
  "SKIN": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# HTTP Login Attempt
- `USERNAME`: Attacker supplied username.
- `PASSWORD`: Attacker supplied password.
- `PATH`: Web path requested by the source.
- `USERAGENT`: User agent of the source's browser.
- `CHANNEL`: Optional. Set to `TLS` if an encrypted site is configured, otherwise absent.
- `METHOD`: The HTTP request method used, e.g. GET/POST/DELETE.
- `RESPONSE`: The response code, e.g. `200`.
- `SKIN`: Which webserver skin was used, e.g. `nasLogin`.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "HTTP Login Attempt"
<LOGTYPE> = "3001"
<EVENT_DICT> = {
  "USERNAME": "...",
  "PASSWORD": "...",
  "PATH": "...",
  "USERAGENT": "...",
  "CHANNEL": "...",
  "METHOD": "...",
  "RESPONSE": "...",
  "SKIN": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# HTTP Proxy Request
Triggered by any request through the HTTP proxy module.
- `USERNAME`: Optional. Attacker supplied proxy username.
- `PASSWORD`: Optional. Attacker supplied proxy password.
- `URL`: URL requested by the source.
- `USERAGENT`: User agent of the source's browser.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "HTTP Proxy Request"
<LOGTYPE> = "7001"
<EVENT_DICT> = {
  "USERNAME": "...",
  "PASSWORD": "...",
  "URL": "...",
  "USERAGENT": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# HTTP Service Scan
Triggered by scans for HTTP services.

- `METHOD`: The HTTP request method used, e.g. GET/POST/DELETE.
- `PATH`: Web path requested by the source.
- `RESPONSE`: The response code, e.g. `200`.

```
<EVENT_DESCRIPTION> = "HTTP Service Scan"
<LOGTYPE> = "3004"
<EVENT_DICT> = {
  "METHOD": "...",
  "PATH": "...",
  "RESPONSE": ...
}
```
# ModBus Request
Triggered by any valid ModBus request.

LOGTYPE:

- `18001`: Modbus Query Function.
- `18002`: Modbus Read Function.
- `18003`: Modbus Write Function.

Fields:

- `UNIT_ID`: ModBus unit target.
- `FUNC_CODE`: ModBus function code.
- `FUNC_NAME`: Optional. ModBus function name, if available.
- `SFUNC_CODE`: Optional. ModBus subfunction code, if available.
- `SFUNC_NAME`: Optional. ModBus subfunction name, if available.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "ModBus Request"
<LOGTYPE> = "18001 | 18002 | 18003"
<EVENT_DICT> = {
  "UNIT_ID": "...",
  "FUNC_CODE": "...",
  "FUNC_NAME": "...",
  "SFUNC_CODE": "...",
  "SFUNC_NAME": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# MSSQL Login Attempt
Triggered by any attempt to authenticate to the MS-SQL Server module.

SQL Server supports multiple authentication modes, and the fields that come through depend on the mode.

LOGTYPE:

- `9001`: SQL Server authentication.
- `9002`: Windows authentication.

Fields:

- `USERNAME`: Attacker supplied database username.
- `PASSWORD`: Optional. Attacker supplied database password.
- `HOSTNAME`: Optional. Attacker supplied hostname.
- `DOMAINNAME`: Optional. Attacker supplied Active Directory name.
- `APPNAME`: Name of the app with which the query was made, e.g. `SQLCMD`.
- `HOSTNAME`: Hostname of the attacker.
- `SERVERNAME`: IP address of the attacker.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "MSSQL Login Attempt"
<LOGTYPE> = "9001 | 9002"
<EVENT_DICT> = {
  "USERNAME": "...",
  "PASSWORD": "...",
  "HOSTNAME": "...",
  "DOMAINNAME": "...",
  "APPNAME": "...",
  "HOSTNAME": "...",
  "SERVERNAME": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# MySQL Login Attempt
Triggered by an authentication attempt against the MySQL service.

The client sends a hashed password, not a cleartext password. The Canary will try to crack the hash with passwords one might expect in a brute-force.

- `USERNAME`: Attacker supplied database username.
- `CLIENT_HASH`: Attacker supplied database password hash.
- `SALT`: Attacker supplied database password hash salt.
- `PASSWORD`: Recovered password if possible, otherwise `<Password not in common list>`.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "MySQL Login Attempt"
<LOGTYPE> = "8001"
<EVENT_DICT> = {
  "USERNAME": "...",
  "CLIENT_HASH": "...",
  "SALT": "...",
  "PASSWORD": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# NTP Monlist Request
Triggered by the NTP Monlist command.

- `NTP_CMD`: Name of the NTP command sent. Currently this is always `monlist`.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "NTP Monlist Request"
<LOGTYPE> = "11001"
<EVENT_DICT> = {
  "NTP_CMD": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# Port Scans
There are six types of port scan incidents:

- A host port scan occurs when a single Canary is port scanned by a single source.
- A consolidated network port scan occurs when multiple Canaries are scanned by a single source.
- An NMAP FIN scan was run against the Canary.
- An NMAP NULL scan was run against the Canary.
- An NMAP OS scan was run against the Canary.
- An NMAP XMAS scan was run against the Canary.
# Host Port Scan
- `ports`: List of comma-separated ports.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "Host Port Scan"
<LOGTYPE> = "5003"
<EVENT_DICT> = {
  "ports": "23,80,443",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# Consolidated Network Port Scan
- `EVENT_DICT`: The dict's keys are port numbers, and the values are lists of IP addresses.
- `port`: Port number on the Canary.
- `canary_IP`: Canaries that were targeted.

```
<EVENT_DESCRIPTION> = "Consolidated Network Port Scan"
<LOGTYPE> = "5007"
<EVENT_DICT> = {
  "<port>": [
    "<canary_IP>",
    "<canary_IP>"
  ],
  "<port>": [
    "<canary_IP>",
    "<canary_IP>"
  ]
}
```
# NMAP FIN Scan
- `ID`: IP packet ID.
- `LEN`: Length of the IP packet.
- `MAC`: First N bytes from the packet. The destination MAC (i.e. the Canary) is the first 6 bytes, the source MAC is the next 6 bytes, and the remainder is a peek into the rest of the packet.
- `PREC`: Precedence bits, almost always `0x00`.
- `PROTO`: The protocol used.
- `RES`: Reserved bits, almost always `0x0`.
- `TOS`: IP Type of Service field, almost always `0x00`.
- `TTL`: Time-to-live of the IP packet.
- `URGP`: TCP Urgent Pointer offset; `0` indicates the urgent pointer is not used.
- `WINDOW`: TCP window size.
- `SYN`: Indicates whether the SYN flag is set. Present if the flag is set, absent otherwise.
- `ACK`: Indicates whether the ACK flag is set. Present if the flag is set, absent otherwise.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "NMAP FIN Scan Detected"
<LOGTYPE> = "5008"
<EVENT_DICT> = {
  "ID": "...",
  "LEN": "...",
  "MAC": "...",
  "PREC": "...",
  "PROTO": "...",
  "RES": "...",
  "TOS": "...",
  "TTL": "...",
  "URGP": "...",
  "WINDOW": "...",
  "SYN": "...",
  "ACK": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# NMAP NULL Scan
- `ID`: IP packet ID.
- `LEN`: Length of the IP packet.
- `MAC`: First N bytes from the packet. The destination MAC (i.e. the Canary) is the first 6 bytes, the source MAC is the next 6 bytes, and the remainder is a peek into the rest of the packet.
- `PREC`: Precedence bits, almost always `0x00`.
- `PROTO`: The protocol used.
- `RES`: Reserved bits, almost always `0x0`.
- `TOS`: IP Type of Service field, almost always `0x00`.
- `TTL`: Time-to-live of the IP packet.
- `URGP`: TCP Urgent Pointer offset; `0` indicates the urgent pointer is not used.
- `WINDOW`: TCP window size.
- `SYN`: Indicates whether the SYN flag is set. Present if the flag is set, absent otherwise.
- `ACK`: Indicates whether the ACK flag is set. Present if the flag is set, absent otherwise.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "NMAP NULL Scan Detected"
<LOGTYPE> = "5005"
<EVENT_DICT> = {
  "ID": "...",
  "LEN": "...",
  "MAC": "...",
  "PREC": "...",
  "PROTO": "...",
  "RES": "...",
  "TOS": "...",
  "TTL": "...",
  "URGP": "...",
  "WINDOW": "...",
  "SYN": "...",
  "ACK": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# NMAP OS Scan
- `ID`: IP packet ID.
- `LEN`: Length of the IP packet.
- `MAC`: First N bytes from the packet. The destination MAC (i.e. the Canary) is the first 6 bytes, the source MAC is the next 6 bytes, and the remainder is a peek into the rest of the packet.
- `PREC`: Precedence bits, almost always `0x00`.
- `PROTO`: The protocol used.
- `RES`: Reserved bits, almost always `0x0`.
- `TOS`: IP Type of Service field, almost always `0x00`.
- `TTL`: Time-to-live of the IP packet.
- `URGP`: TCP Urgent Pointer offset; `0` indicates the urgent pointer is not used.
- `WINDOW`: TCP window size.
- `SYN`: Indicates whether the SYN flag is set. Present if the flag is set, absent otherwise.
- `ACK`: Indicates whether the ACK flag is set. Present if the flag is set, absent otherwise.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "NMAP OS Scan Detected"
<LOGTYPE> = "5004"
<EVENT_DICT> = {
  "ID": "...",
  "LEN": "...",
  "MAC": "...",
  "PREC": "...",
  "PROTO": "...",
  "RES": "...",
  "TOS": "...",
  "TTL": "...",
  "URGP": "...",
  "WINDOW": "...",
  "SYN": "...",
  "ACK": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# NMAP XMAS Scan
- `ID`: IP packet ID.
- `LEN`: Length of the IP packet.
- `MAC`: First N bytes from the packet. The destination MAC (i.e. the Canary) is the first 6 bytes, the source MAC is the next 6 bytes, and the remainder is a peek into the rest of the packet.
- `PREC`: Precedence bits, almost always `0x00`.
- `PROTO`: The protocol used.
- `RES`: Reserved bits, almost always `0x0`.
- `TOS`: IP Type of Service field, almost always `0x00`.
- `TTL`: Time-to-live of the IP packet.
- `URGP`: TCP Urgent Pointer offset; `0` indicates the urgent pointer is not used.
- `WINDOW`: TCP window size.
- `SYN`: Indicates whether the SYN flag is set. Present if the flag is set, absent otherwise.
- `ACK`: Indicates whether the ACK flag is set. Present if the flag is set, absent otherwise.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "NMAP XMAS Scan Detected"
<LOGTYPE> = "5006"
<EVENT_DICT> = {
  "ID": "...",
  "LEN": "...",
  "MAC": "...",
  "PREC": "...",
  "PROTO": "...",
  "RES": "...",
  "TOS": "...",
  "TTL": "...",
  "URGP": "...",
  "WINDOW": "...",
  "SYN": "...",
  "ACK": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# RDP Login Attempt
Triggered by an attempt to connect to the Canary's RDP service.

- `BUILD`: Optional. The build number of the attacker's RDP client if it is exposed, otherwise absent.
- `DOMAINNAME`: Attacker supplied domain name.
- `MAJORVERSION`: The major version of the attacker's RDP client (i.e. 6 for 6.1).
- `MINORVERSION`: The minor version of the attacker's RDP client (i.e. 1 for 6.1).
- `USERNAME`: Attacker supplied username.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "RDP Login Attempt"
<LOGTYPE> = "14003"
<EVENT_DICT> = {
  "BUILD": "...",
  "DOMAINNAME": "...",
  "MAJORVERSION": "...",
  "MINORVERSION": "...",
  "USERNAME": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# Redis Command
Triggered by an attacker connecting to the Redis service and issuing valid Redis commands.

- `CMD`: Redis command issued by the attacker.
- `ARGS`: Arguments to the command.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "Redis Command"
<LOGTYPE> = "21001"
<EVENT_DICT> = {
  "CMD": "...",
  "ARGS": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# Shared File Opened
Triggered by the opening of a file on the Canary's Windows File Share.

- `USER`: Username supplied by the attacker.
- `FILENAME`: Name of the file on the Canary that was accessed.
- `AUDITACTION`: Type of file action. Currently only `pread`.
- `DOMAIN`: Name of the domain or workgroup.
- `LOCALNAME`: Windows name of the Canary machine.
- `MODE`: `workgroup` or `domain`.
- `OFFSET`: Starting position of the read.
- `REMOTENAME`: Windows name of the client machine.
- `SHARENAME`: Name of the share on which the file resides.
- `SIZE`: Number of bytes read.
- `SMBARCH`: Guess of the remote machine's Windows version.
- `SMBVER`: Version of the SMB protocol that was used.
- `STATUS`: Result of the file read. Currently only `ok`.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "Shared File Opened"
<LOGTYPE> = "5000"
<EVENT_DICT> = {
  "USER": "...",
  "FILENAME": "...",
  "AUDITACTION": "...",
  "DOMAIN": "...",
  "LOCALNAME": "...",
  "MODE": "...",
  "OFFSET": "...",
  "REMOTENAME": "...",
  "SHARENAME": "...",
  "SIZE": "...",
  "SMBARCH": "...",
  "SMBVER": "...",
  "STATUS": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# SIP Request
Triggered by an attacker connecting to the SIP service and issuing a valid SIP request.

- `HEADERS`: Dict of the SIP headers included in the request.

```
<EVENT_DESCRIPTION> = "SIP Request"
<LOGTYPE> = "15001"
<EVENT_DICT> = {
  "HEADERS": {
    "<header_name1>": "<header_value1>",
    "<header_name2>": "<header_value2>",
    "<header_name3>": "<header_value3>",
    "...": "..."
  }
}
```
# SNMP Request
Triggered by an incoming SNMP query against the Canary.

- `COMMUNITY_STRING`: SNMP community string supplied by the attacker.
- `REQUESTS`: SNMP OID requested by the attacker.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "SNMP Request"
<LOGTYPE> = "13001"
<EVENT_DICT> = {
  "COMMUNITY_STRING": "...",
  "REQUESTS": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# SSH Login Attempt
Triggered by an attempt to log in to the Canary using SSH. Both password-based and key-based authentication are possible.

It is also possible to configure "Watched Credentials", in which case an alert is raised only if the attacker-supplied credentials match a configured list.

- `USERNAME`: Username supplied by the attacker.
- `PASSWORD`: Optional. The attacker's supplied password in password-based auth.
- `LOCALVERSION`: Canary's SSH version string.
- `REMOTEVERSION`: The attacker's supplied version string.
- `KEY`: Optional. The attacker's supplied public key in key-based auth.
- `WATCHED_CREDENTIALS`: Optional. Set to `Yes` if Watched Credentials are enabled.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "SSH Login Attempt"
<LOGTYPE> = "4002"
<EVENT_DICT> = {
  "USERNAME": "...",
  "PASSWORD": "...",
  "LOCALVERSION": "...",
  "REMOTEVERSION": "...",
  "KEY": "...",
  "WATCHED_CREDENTIALS": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# Telnet Login Attempt
Triggered by a Telnet authentication attempt.

- `USERNAME`: Attacker supplied username.
- `PASSWORD`: Attacker supplied password.
- `TERMSIZE`: The size of the terminal.
- `TERMTYPE`: The terminal type.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "Telnet Login Attempt"
<LOGTYPE> = "6001"
<EVENT_DICT> = {
  "USERNAME": "...",
  "PASSWORD": "...",
  "TERMSIZE": "...",
  "TERMTYPE": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# TFTP request
Triggered by a TFTP request against the Canary.

- `FILENAME`: Name of the file the attacker tried to act on.
- `OPCODE`: File action, either `READ` or `WRITE`.
- `MODE`: TFTP defines three modes of transfer: `netascii`, `octet`, and `mail`.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "TFTP Request"
<LOGTYPE> = "10001"
<EVENT_DICT> = {
  "FILENAME": "...",
  "OPCODE": "...",
  "MODE": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# VNC Login Attempt
Triggered by an attempt to log in to the Canary's password-protected VNC service.

VNC passwords are not transmitted in the clear. Instead, a hashed version is sent. The Canary will test the hashed password against a handful of common passwords to guess the password, but the hash parameters are also reported so the administrator can crack the hash on more powerful rigs.

- `PASSWORD`: Cracked password if very weak.
- `SERVER_CHALLENGE`: VNC password hashing parameter.
- `CLIENT_RESPONSE`: VNC password hashing parameter.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "VNC Login Attempt"
<LOGTYPE> = "12001"
<EVENT_DICT> = {
  "PASSWORD": "...",
  "SERVER_CHALLENGE": "...",
  "CLIENT_RESPONSE": "...",
  "timestamp": ...,
  "timestamp_std": "..."
}
```
# WinRM Login Attempt
Triggered by an attempt to connect to the Canary using a WinRM agent.

- `USERNAME`: Attacker supplied username.
- `PASSWORD`: Optional. Attacker supplied password. This will not be present for Kerberos or NTLM authentication.
- `WORKSTATION`: Present for Kerberos auth attempts. Gives the workstation name of the attacker.
- `DOMAINNAME`: Attacker supplied domain name.
- `USERAGENT`: Optional. Gives the agent used by the attacker to connect.
- `AUTHTYPE`: The authentication type used to connect to WinRM. If present, this will be one of `basic`, `ntlm`, `certificate`, `kerberos` or `digest`; otherwise this will be `unknown`.
- `SNAME`: Present for Kerberos auth attempts. Gives the service name of the request.
- `REALM`: Present for Kerberos auth attempts. Gives the Kerberos realm.
- `TKTVNO`: Present for Kerberos auth attempts. Gives the ticket format version number of the request.
- `WINRMPAYLOAD`: The XML payload of the WinRM connection attempt.
- `timestamp`: The timestamp of the request, e.g. `1580378197`.
- `timestamp_std`: Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000`.

```
<EVENT_DESCRIPTION> = "WinRM Login Attempt"
<LOGTYPE> = "29001"
<EVENT_DICT> = {
  "AUTHTYPE": "...",
  "PASSWORD": "...",
  "USERAGENT": "...",
  "USERNAME": "...",
  "WINRMPAYLOAD": "..."
}
```