# Incident Objects
Each log entry is termed an event, and consists of actions such as a single SSH login attempt, or a single POST to a website, or a single SIP request. An event will result in an incident being created, but subsequent similar events from the same source will be bundled together if they occur in close proximity. This means that if someone launches a brute-force attack, there is a single incident created with an event assigned to each login attempt.
The incident object contains a record of the individual events that constitute the incident.
# Basic Structure
Incident feeds have this basic structure:
updated
Human readable date when the incident was updated
updated_std
The date/time when the incident was updated in the format YYYY-MM-DD HH:MM:SS TZ
updated_time
Timestamp of the updated time eg. 1574945951
created
Timestamp of the incident creation time eg. 1574945951
created_std
The date/time when the incident was created in the format YYYY-MM-DD HH:MM:SS TZ
dst_host
Optional - The destination IP address of the attack
dst_port
Optional - The destination port of the attack
events_count
Number of events for the incident
flock_id
ID of the Flock in which the incident occurred
flock_name
Name of the Flock in which the incident occurred
name
Optional - The name of the device on which the incident occurred
node_id
Optional - The node_id of the device on which the incident occurred
src_host
The source IP address of the attacker
src_host_reverse
The source hostname of the attacker
src_port
The source port of the attacker
{ "feed": "Unacknowledged Incidents", [...] "incidents": [ { "id": "...", "summary": "<EVENT_DESCRIPTION>", "updated": "...", "updated_std": "...", "updated_time": "..." [...] "description": { [...] "logtype": "<LOGTYPE>", "description": "<EVENT_DESCRIPTION>", "created": "...", "created_std": "...", "dst_host": "...", "dst_port": "...", "events": [ <EVENT_DICT>, <EVENT_DICT>, ..., ] "events_count": "...", "flock_id": "...", "flock_name": "...", "name": "...", "node_id": "...", "src_host": "...", "src_host_reverse": "...", "src_port": "..." } } ] }Copied!
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
The “events” field contains a list of <EVENT_DICT> s. In the incident types below, only the <EVENT_DESCRIPTION> and <EVENT_DICT> values are defined as the rest of the incident object is the same across the various incident types.
All fields will be present in each incident, unless noted otherwise.
The actual data returned by the API may include additional fields. However, any field not described in this document should be considered experimental and likely to disappear.
# Canary Disconnected
EVENT_DICT
Empty, no additional event data.
<EVENT_DESCRIPTION> = "Canary Disconnected" <LOGTYPE> = "1004" <EVENT_DICT> = { }Copied!
2
3
# Canary Settings Changed
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
SETTINGS
A string containing the changed settings
<EVENT_DESCRIPTION> = "Canary Settings Changed" <LOGTYPE> = "23002" <EVENT_DICT> ={ "timestamp": ..., "timestamp_std": "...", "SETTINGS": "..." }Copied!
2
3
4
5
6
7
# Console Settings Changed
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
SETTINGS
A string containing the changed settings.
<EVENT_DESCRIPTION> = "Console Settings Changed" <LOGTYPE> = "23001" <EVENT_DICT> ={ "timestamp": ..., "timestamp_std": "...", "SETTINGS": "..." }Copied!
2
3
4
5
6
7
# Flock Settings Changed
SETTINGS
A string containing the changed settings.
<EVENT_DESCRIPTION> = "Console Settings Changed" <LOGTYPE> = "23003" <EVENT_DICT> ={ "SETTINGS": "enable_emails_notifications=True\nModified by user" }Copied!
2
3
4
5
# Canarytokens
Most Canarytokens make use of HTTP and DNS as their underlying communication channel.
# HTTP
LOGTYPE 17001 - TOKENS HTTP REMOTE IMAGE
17003 - TOKENS HTTP CLONED SITE
17004 - TOKENS DOC MSWORD
17005 - TOKENS HTTP AWS S3
17006 - TOKENS HTTP GOOGLE DOCS
17007 - TOKENS HTTP GOOGLE SHEETS
17008 - TOKENS HTTP SIGNED EXE
17009 - TOKENS HTTP QR CODE
17012 - TOKENS HTTP AWS ID
17016 - TOKENS HTTP FAST REDIRECT
17017 - TOKENS HTTP SLOW REDIRECT
17019 - TOKENS HTTP OFFICE365 MAIL
17020 - TOKENS HTTP SLACK API
17021 - TOKENS HTTP GMAIL
17022 - TOKENS HTTP WIREGUARD
17023 - TOKENS HTTP DOC MSEXCEL
17024 - TOKENS HTTP AZURE ID
17025 - TOKENS HTTP CLONED CSS
17026 - TOKENS HTTP AZURE ENTRA LOGIN
17027 - TOKENS HTTP CREDIT CARD
17028 - TOKENS HTTP PWA
17029 - TOKENS HTTP MYSQL DUMP
type
A string containing the token type.
canarytoken
Unique string that acts as the Canarytoken.
headers
Headers is a dict.
kind
Type of Canarytoken triggered.
url
URL of the HTTP Canarytoken.
geoip
Geographic lookup of source ip.
ip_blocklist
Lookup object of where the source ip is a known proxy, tor or vpn source.
cloned_site Cloned Site/CSS - URL of cloned site.
original_site Cloned Site/CSS - Domain of protected site.
referer Cloned Site - HTTP referer.
masked_card_number Credit Card - Credit Card Number.
transaction_amount Credit Card - Transaction Amount.
transaction_currency Credit Card - Transaction Currency.
transaction_date Credit Card - Transaction Date.
transaction_type Credit Card - Transaction Type.
merchant Credit Card - Merchant.
location PWA - Location.
additional_info
Stores Token specific data dependent on service, for example S3 bucket operation details received from AWS API's.
<EVENT_DESCRIPTION> = "Canarytoken triggered" <LOGTYPE> = "17000 | 17001 | 17003 | 17004 | 17005 | 17006 | 17007 | 17008 | 17009 | 17012 | 17016 | 17017 | 17019 | 17020 | 17021 | 17022 | 17023 | 17024 | 17025 | 17026 | 17027 | 17028 | 17029 " <EVENT_DICT> = { "type": "http", "canarytoken": "<tokenvalue>", "headers" : { <headername_1>: <headervalue_1> , <headername_2>: <headervalue_2> , ... }, "url": "<tokenurl>" }Copied!
2
3
4
5
6
7
8
9
10
# DNS
LOGTYPE 16006 - TOKENS DNS DESKTOPINI
16008 - TOKENS DNS PDF ACROBAT_READER
16009 - TOKENS DNS MSWORD MACRO
16010 - TOKENS DNS MSEXCEL MACRO
16011 - TOKENS DNS SENSITIVE CMD
16012 - TOKENS DNS ACTIVE DIRECTORY LOGIN
17023 - TOKENS DOC MSEXCEL
type
A string containing the token type.
canarytoken
Unique string that acts as the Canarytoken.
hostname
Hostname of the DNS Canarytoken.
generic_data
Encoded additional information. See Encoding additional information in your token (opens new window)
windows_desktopini_access_username Windows Folder - Host username.
windows_desktopini_access_domain Windows Folder - Host domain.
windows_desktopini_computer_name Windows Folder - Host computer name.
ms_macro_os MS Excel / Word Macro - Host OS.
ms_macro_username MS Excel / Word Macro - Host username.
ms_macro_ip MS Excel / Word Macro - Host local ip.
cmd_computer_name Sensitive Command - Host computer name.
cmd_user_name Sensitive Command - Host user name.
cmd_invocation_id Sensitive Command - Unique identifier per command's executed instance, this changes every execution.
cmd_resolved_ip ACTIVE DIRECTORY LOGIN - Source IP address.
cmd_workstation ACTIVE DIRECTORY LOGIN - Source Hostname.
cmd_user_name ACTIVE DIRECTORY LOGIN - Username.
cmd_machine_name ACTIVE DIRECTORY LOGIN - Domain Controller.
cmd_event_record_id ACTIVE DIRECTORY LOGIN - Event record ID.
<EVENT_DESCRIPTION> = "Canarytoken triggered" <LOGTYPE> = "16000 | 16006 | 16008 | 16009 | 16010 | 16011 | 16012" <EVENT_DICT> = { "type": "dns", "canarytoken": "<tokenvalue>", "hostname": "<tokenhostname>", "generic_data": "<only present when additional data is encoded>", "windows_desktopini_access_username": "<only present for windows folder alerts>", "windows_desktopini_access_domain": "<only present for windows folder alerts>", "windows_desktopini_computer_name": "<only present for windows folder alerts>", "ms_macro_os": "<only present for MS Word / Excel alerts>", "ms_macro_username": "<only present for MS Word / Excel alerts>", "ms_macro_ip": "<only present for MS Word / Excel alerts>", "cmd_computer_name": "<only present for sensitive command alerts>", "cmd_user_name": "<only present for sensitive command alerts>", "cmd_invocation_id": "<only present for sensitive command alerts>", "cmd_resolved_ip": "<only present for active directory login alerts>", "cmd_workstation": "<only present for active directory login alerts>", "cmd_user_name": "<only present for active directory login alerts>", "cmd_machine_name": "<only present for active directory login alerts>", "cmd_event_record_id": "<only present for active directory login alerts>" }Copied!
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Other Tokens use their own communication channel.
# Wireguard
LOGTYPE 17022 - TOKENS WIREGUARD
type
A string containing the token type
canarytoken
Unique string that acts as the Canarytoken.
client_public_key
Connecting client's public key.
client_session_index
Connecting client session ID.
<EVENT_DESCRIPTION> = "Canarytoken triggered" <LOGTYPE> = "17022" <EVENT_DICT> = { "client_public_key": "...", "client_session_index": "..." }Copied!
2
3
4
5
6
# Custom TCP Service Request
The Custom TCP Service module lets the Canary administrator create simple services that either immediately prints a banner on connection, or wait for the client to send data before responding.
LOGTYPE 20001 - TCP banner sent immediately on connection.
20002 - TCP banner sent after the client sent a line.
20003 - TCP banner keep alive connection made.
20004 - TCP banner keep alive secret received.
20005 - TCP banner keep alive data received.
20006 - TCP banner connection refused.
BANNER_ID
Multiple banners are supported, the id identifies which banner service was triggered.
DATA
Optional. The attacker's supplied data.
FUNCTION
Indicates which trigger fired, either 'DATA_RECEIVED' for when a banner was sent after the attacker sent data, or 'CONNECTION_MADE' for when a banner was sent immediately on connection.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "Custom TCP Service Request" <LOGTYPE> = "20001 | 20002 | 20003 | 20004 | 20005 | 20006" <EVENT_DICT> = { "BANNER_ID": "...", "DATA": "...", "FUNCTION": "...", "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
# Dummy Incident
Alert data sent via Syslog or Webhook when testing connections.
<EVENT_DESCRIPTION> = "This is a dummy incident" <EVENT_DICT> = { "ReverseDNS": "theattackers.ip.local", "CanaryName": "DummyDevice", "CanaryIP": "1.1.1.1", "AlertType": "CanaryIncident", "AdditionalDetails": { "Field2": "VALUE2", "Field3": "VALUE3", "Field1": "VALUE1" }, "CanaryID": "0000000testnode", "Description": "Fake Location", "Timestamp": "1691096157", "Intro": "This is a dummy incident.", "Flock": "flock:dummyincidentflock", "CanaryLocation": "Fake Location", "SourceIP": "2.2.2.2" }Copied!
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# FTP Login Attempt
USERNAME
Attacker supplied username.
PASSWORD
Attacker supplied password.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "FTP Login Attempt" <LOGTYPE> = "2000" <EVENT_DICT> = { "USERNAME": "...", "PASSWORD": "..." "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
# Git Repository Clone Attempt
HOST
Git client's view of the Canary's hostname.
REPO
Name of the repository the client attempted to clone.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "Git Repository Clone Attempt" <LOGTYPE> = "19001" <EVENT_DICT> = { "HOST": "...", "REPO": "..." "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
# HTTP Incidents
Currently, there are 7 types of HTTP Incidents:
- Page loads, triggered by GET requests. They are disabled by default as they’re noisy, and needs to be specifically enabled.
- Login attempts, triggered by POST requests. They are always enabled.
- POST requests to non login pages.
- Error page requested. This is usually triggered by tools trying random urls.
- A scan of the HTTP web skin detected. This is triggered by many many GET requests to random urls.
- HTTP API requested received. This is only on certain HTTP web skins that support HTTP API.
- POST request that resulted in a error page. This is usually triggered by tools trying POSTs to random urls.
LOGTYPE 3000 - HTTP GET
3001 - HTTP LOGIN ATTEMPT
3002 - HTTP POST
3003 - HTTP ERROR
3004 - HTTP SCAN
3005 - HTTP API REQUEST
3006 - HTTP POST ERROR PAGE
# HTTP API Request
Triggered by a HTTP request to a Canary configured as an API server. (opens new window)
HEADERS
Headers Present in the request.
HOSTNAME
Destination Hostname.
METHOD
HTTP Method.
PATH
Web path requested by the source.
POSTDATA
Additional POST data sent by source.
RESPONSE
The response code eg. 200
SKIN
Which Webserver skin was used eg. nasLogin
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
timestamp
The timestamp of the request eg. 1580378197
USERAGENT
Useragent of the source's browser.
<EVENT_DESCRIPTION> = "HTTP API Request" <LOGTYPE> = "3005" <EVENT_DICT> = { "POSTDATA": { "...": "..." }, "timestamp": ..., "HOSTNAME": "...", "RESPONSE": ..., "HEADERS": { "...": "...", }, "timestamp_std": "...", "SKIN": "...", "PATH": "...", "USERAGENT": "...", "METHOD": "..." }Copied!
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# HTTP Page Load
PATH
Web path requested by the source.
USERAGENT
Useragent of the source's browser.
CHANNEL
Optional. Set to 'TLS' if an encrypted site is configured, otherwise absent.
METHOD
The HTTP request method used eg. GET/POST/DELETE
RESPONSE
The response code eg. 200
SKIN
Which Webserver skin was used eg. nasLogin
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "HTTP Page Load" <LOGTYPE> = "3000 | 3002 | 3003" <EVENT_DICT> = { "PATH": "...", "USERAGENT": "...", "CHANNEL": "...", "METHOD": "...", "RESPONSE": ..., "SKIN": "...", "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
10
11
12
# HTTP Login Attempt
USERNAME
Attacker supplied username.
PASSWORD
Attacker supplied password.
PATH
Web path requested by the source.
USERAGENT
Useragent of the source's browser.
CHANNEL
Optional. Set to 'TLS' if an encrypted site is configured, otherwise absent.
METHOD
The HTTP request method used eg. GET/POST/DELETE
RESPONSE
The response code eg. 200
SKIN
Which Webserver skin was used eg. nasLogin
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "HTTP Login Attempt" <LOGTYPE> = "3001" <EVENT_DICT> = { "USERNAME": "...", "PASSWORD": "..." "PATH": "...", "USERAGENT": "...", "CHANNEL": "...", "METHOD": "...", "RESPONSE": "...", "SKIN": "...", "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
10
11
12
13
14
# HTTP POST ERROR PAGE
PATH
Web path requested by the source.
USERAGENT
Useragent of the source's browser.
CHANNEL
Optional. Set to 'TLS' if an encrypted site is configured, otherwise absent.
METHOD
The HTTP request method used eg. GET/POST/DELETE
RESPONSE
The response code eg. 200
SKIN
Which Webserver skin was used eg. nasLogin
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "HTTP Post Request to an Error Page" <LOGTYPE> = "3006" <EVENT_DICT> = { "PATH": "...", "USERAGENT": "...", "CHANNEL": "...", "METHOD": "...", "RESPONSE": "...", "SKIN": "...", "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
10
11
12
# HTTP Service Scan
Triggered by scans for HTTP services
METHOD
The HTTP request method used eg. GET/POST/DELETE
PATH
Web path requested by the source.
RESPONSE
The response code eg. 200
<EVENT_DESCRIPTION> = "HTTP Service Scan" <LOGTYPE> = "3004" <EVENT_DICT> = { "METHOD": "...", "PATH": "...", "RESPONSE": ..., }Copied!
2
3
4
5
6
7
# HTTP Proxy Request
Triggered by any request through the HTTP proxy module.
USERNAME
Optional. Attacker supplied proxy username.
PASSWORD
Optional. Attacker supplied proxy password.
URL
URL requested by the source.
USERAGENT
Useragent of the source's browser.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "HTTP Proxy Request" <LOGTYPE> = "7001" <EVENT_DICT> = { "USERNAME": "...", "PASSWORD": "..." "URL": "...", "USERAGENT": "..." "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
10
# LDAP Bind Attempt
Triggered by a LDAP BIND request.
DN
Distinguished Name.
MECH
SASL Mechanism.
VER
Version.
SEARCH_ATTRIBUTE
Search Target.
REQ
Request.
PASSWORD
Password.
TYPE
Authentication type.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "LDAP Bind Attempt Detected" <LOGTYPE> = "31001" <EVENT_DICT> = { "DN": "...", "MECH": "...", "VER": "...", "timestamp": ..., "REQ": "...", "timestamp_std": "...", "PASSWORD": "...", "TYPE": "..." }Copied!
2
3
4
5
6
7
8
9
10
11
12
# Local Tampering Detected
Triggered by local tampering with a Canary host.
MESSAGE
Tampering cause summary.
MESSAGE_THINKST
Tampering cause details.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "Local Tampering Detected" <LOGTYPE> = "30001" <EVENT_DICT> = { "timestamp": ..., "timestamp_std": "...", "MESSAGE": "...", "MESSAGE_THINKST": "...", }Copied!
2
3
4
5
6
7
8
# ModBus Request
Triggered by any valid ModBus request.
LOGTYPE 18001 - Modbus Query Function
18002 - Modbus Read Function
18003 - Modbus Write Function
UNIT_ID
ModBus unit target.
FUNC_CODE
ModBus function code.
FUNC_NAME
Optional. ModBus function name, if available.
SFUNC_CODE
Optional. ModBus subfunction code, if available.
SFUNC_NAME
Optional. ModBus subfunction name, if available.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "ModBus Request" <LOGTYPE> = "18001 | 18002 | 18003" <EVENT_DICT> = { "UNIT_ID": "...", "FUNC_CODE": "...", "FUNC_NAME": "...", "SFUNC_CODE": "...", "SFUNC_NAME": "...", "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
10
11
# Mongo Request
Triggered by any valid MongoDB request.
LOGTYPE 28001 - Mongo Command
28002 - Mongo Auth Command
cmd
Command attempted.
db
Database accessed.
user
Attacker supplied database username.
password
Attacker supplied database password.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "Mongo Authentication Attempt" <LOGTYPE> = "28001 | 28002" <EVENT_DICT> = { "timestamp": "...", "cmd": "...", "db": "...", "timestamp_std": "...", "user": "...", "password": "..." }Copied!
2
3
4
5
6
7
8
9
10
# MSSQL Login Attempt
Triggered by any attempt to authenticate to the MS-SQL Server module.
SQL Server supports multiple authentication modes, and the fields that come through depending on the mode.
LOGTYPE 9001 for SQL Server authentication
9002 for Windows authentication
USERNAME
Attacker supplied database username.
PASSWORD
Optional. Attacker supplied database password.
HOSTNAME
Optional. Attacker supplied hostname.
DOMANNAME
Optional. Attacker supplied Active Directory name.
APPNAME
Name of the app with which the query was made eg. SQLCMD
HOSTNAME
Hostname of the attacker
SERVERNAME
IP address of the attacker
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "MSSQL Login Attempt" <LOGTYPE> = "9001 | 9002" <EVENT_DICT> = { "USERNAME": "...", "PASSWORD": "..." "HOSTNAME": "...", "DOMAINNAME": "..." "APPNAME": "...", "HOSTNAME": "...", "SERVERNAME": "...", "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
10
11
12
13
# MySQL Login Attempt
Triggered by an authentication attempt against the MySQL service.
The client sends a hashed password, not a cleartext password. The Canary will try to crack the hash with passwords one might expect in a brute-force.
USERNAME
Attacker supplied database username.
CLIENT_HASH
Attacker supplied database password hash.
SALT
Attacker supplied database password hash salt.
PASSWORD
Recovered password if possible, otherwise <Password not in common list>
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "MySQL Login Attempt" <LOGTYPE> = "8001" <EVENT_DICT> = { "USERNAME": "...", "CLIENT_HASH": "...", "SALT": "...", "PASSWORD": "..." "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
10
# Network Settings Roll-back
Triggered by a Canary reverting it's network settings after a settings push if it can't connect to the Console.
Canary Status
The status of the canary after the rollback
Erroneous network settings
The settings which changed, causing the rollback
Restored network settings
The settings restored after the rollback
Rollback time
The timestamp of the rollback eg. 1580378197
User
The user that deployed the erroneous settings
timestamp
The timestamp of the incident eg. 1580378197
timestamp_std
Human readable timestamp of the incident eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "Network Settings Roll-back" <LOGTYPE> = "22011" <EVENT_DICT> = { "Canary Status": "Canary is currently ONLINE.", "Erroneous network settings": "Canary IP address: 192.168.1.114; Netmask: 255.255.255.0; Gateway: 192.168.1.1; DNS server 1: 8.7.6.5; DNS server 2: 8.7.6.5; DHCP: Disabled", "Restored network settings": "Canary IP address: 192.168.1.206; DHCP: Enabled", "Rollback time": "1746085804.66", "User": "user", "timestamp": 1746085866, "timestamp_std": "2025-05-01 07:51:06 UTC+0000" }Copied!
2
3
4
5
6
7
8
9
10
11
# NTP Monlist Request
Triggered by the NTP Monlist command.
NTP_CMD
Name of the NTP command sent. Currently is 'monlist'.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "NTP Monlist Request" <LOGTYPE> = "11001" <EVENT_DICT> = { "NTP_CMD": "..." "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
# Port Scans
There are six types of port scans incidents.
- A host port scan occurs when a single Canary is port scanned by a single source.
- A consolidated network port scan occurs when multiple Canaries are scanned by a single source.
- An NMAP FIN scan was run against the Canary.
- An NMAP NULL scan was run against the Canary.
- An NMAP OS scan was run against the Canary.
- An NMAP XMAS scan was run against the Canary.
# Host Port Scan
LOGTYPE 5001 - PORT SYN
5002 - PORT SCAN NET
5009 - PORT RUNFINGER SCAN
5011 - PORT RUNFINGER DIALECT
5012 - PORT RUNFINGER LANMAN
ports
List of comma-separated ports.
timestamp
The timestamp of the request eg. 1580378197.
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "Host Port Scan" <LOGTYPE> = "5001 | 5002 | 5003 | 5009 | 5011 | 5012" <EVENT_DICT> = { "ports": "23,80,443" "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
# Consolidated Network Port Scan
EVENT_DICT
The dict's keys are port numbers, and the values are lists of IP addresses.
port
Port number on the Canary
canary_IP
Canaries that were targeted
<EVENT_DESCRIPTION> = "Consolidated Network Port Scan" <LOGTYPE> = "5007" <EVENT_DICT> = { "<port>": [ "<canary_IP>", "<canary_IP>" ], "<port>": [ "<canary_IP>", "<canary_IP>" ] }Copied!
2
3
4
5
6
7
8
9
10
11
12
# NMAP FIN Scan
ID
IP packet ID
LEN
Length of IP packet
MAC
First N bytes from the packet. Destination MAC (i.e. Canary) is the first 6 bytes, source MAC is the next 6 bytes, and the remainder is a peek into the reset of the packet
PREC
Precedent bits, almost always 0x00
PROTO
The protocol used
RES
Reserved bits, almost always 0x0
TOS
IP Type of Service field, almost always 0x00
TTL
Time-to-live on the IP packet
URGP
Indicates whether the TCP Urgent Pointer is used in the packet. Indicates the offset. 0 indicates it’s not used.
WINDOW
TCP Window size
SYN
Indicates whether the SYN flag is set. Present if the flag is there, absent otherwise.
ACK
Indicates whether the ACK flag is set. Present if the flag is there, absent otherwise.
timestamp
The timestamp of the request eg. 1580378197.
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "NMAP FIN Scan Detected" <LOGTYPE> = "5008" <EVENT_DICT> = { "ID": "...", "LEN": "...", "MAC": "...", "PREC": "...", "PROTO": "...", "RES": "...", "TOS": "...", "TTL": "...", "URGP": "...", "WINDOW": "...", "SYN": "...", "ACK": "...", "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# NMAP NULL Scan
ID
IP packet ID
LEN
Length of IP packet
MAC
First N bytes from the packet. Destination MAC (i.e. Canary) is the first 6 bytes, source MAC is the next 6 bytes, and the remainder is a peek into the reset of the packet
PREC
Precedent bits, almost always 0x00
PROTO
The protocol used
RES
Reserved bits, almost always 0x0
TOS
IP Type of Service field, almost always 0x00
TTL
Time-to-live on the IP packet
URGP
Indicates whether the TCP Urgent Pointer is used in the packet. Indicates the offset. 0 indicates it’s not used.
WINDOW
TCP Window size
SYN
Indicates whether the SYN flag is set. Present if the flag is there, absent otherwise.
ACK
Indicates whether the ACK flag is set. Present if the flag is there, absent otherwise.
timestamp
The timestamp of the request eg. 1580378197.
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "NMAP NULL Scan Detected" <LOGTYPE> = "5005" <EVENT_DICT> = { "ID": "...", "LEN": "...", "MAC": "...", "PREC": "...", "PROTO": "...", "RES": "...", "TOS": "...", "TTL": "...", "URGP": "...", "WINDOW": "...", "SYN": "...", "ACK": "...", "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# NMAP OS Scan
ID
IP packet ID
LEN
Length of IP packet
MAC
First N bytes from the packet. Destination MAC (i.e. Canary) is the first 6 bytes, source MAC is the next 6 bytes, and the remainder is a peek into the reset of the packet
PREC
Precedent bits, almost always 0x00
PROTO
The protocol used
RES
Reserved bits, almost always 0x0
TOS
IP Type of Service field, almost always 0x00
TTL
Time-to-live on the IP packet
URGP
Indicates whether the TCP Urgent Pointer is used in the packet. Indicates the offset. 0 indicates it’s not used.
WINDOW
TCP Window size
SYN
Indicates whether the SYN flag is set. Present if the flag is there, absent otherwise.
ACK
Indicates whether the ACK flag is set. Present if the flag is there, absent otherwise.
timestamp
The timestamp of the request eg. 1580378197.
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "NMAP OS Scan Detected" <LOGTYPE> = "5004" <EVENT_DICT> = { "ID": "...", "LEN": "...", "MAC": "...", "PREC": "...", "PROTO": "...", "RES": "...", "TOS": "...", "TTL": "...", "URGP": "...", "WINDOW": "...", "SYN": "...", "ACK": "...", "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# NMAP XMAS Scan
ID
IP packet ID
LEN
Length of IP packet
MAC
First N bytes from the packet. Destination MAC (i.e. Canary) is the first 6 bytes, source MAC is the next 6 bytes, and the remainder is a peek into the reset of the packet
PREC
Precedent bits, almost always 0x00
PROTO
The protocol used
RES
Reserved bits, almost always 0x0
TOS
IP Type of Service field, almost always 0x00
TTL
Time-to-live on the IP packet
URGP
Indicates whether the TCP Urgent Pointer is used in the packet. Indicates the offset. 0 indicates it’s not used.
WINDOW
TCP Window size
SYN
Indicates whether the SYN flag is set. Present if the flag is there, absent otherwise.
ACK
Indicates whether the ACK flag is set. Present if the flag is there, absent otherwise.
timestamp
The timestamp of the request eg. 1580378197.
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "NMAP XMAS Scan Detected" <LOGTYPE> = "5006" <EVENT_DICT> = { "ID": "...", "LEN": "...", "MAC": "...", "PREC": "...", "PROTO": "...", "RES": "...", "TOS": "...", "TTL": "...", "URGP": "...", "WINDOW": "...", "SYN": "...", "ACK": "...", "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# RDP Login Attempt
Triggered by interacting with the Canary's RDP service.
Currently, there are 4 different RDP service incident types:
- RDP New Connection Incident
- RDP Failed Connection Incident
- RDP Confirmed Connection Incident
- RDP Login Attenpt
LOGTYPE 14001 - RDP NEW CONNECTION
14002 - RDP FAILED CONNECTION
14003 - RDP CONFIRMED CONNECTION
14004 - RDP LOGIN ATTEMPT
BUILD
Optional. Shows the build number of the attacker's RDP client if that is exposed, otherwise absent.
DOMAINNAME
Attacker supplied domain name
MAJORVERSION
The major version of the attacker's RDP client (ie. 6 for 6.1).
MINORVERSION
The minor version of the attacker's RDP client (ie. 1 for 6.1).
USERNAME
Attacker supplied username.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "RDP Login Attempt" <LOGTYPE> = "14001 | 14002 | 14003 | 14004" <EVENT_DICT> = { "BUILD": "...", "DOMAINNAME": "...", "MAJORVERSION": "...", "MINORVERSION": "...", "USERNAME": "...", "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
10
11
# Redis Command
Triggered by an attacker connecting to the Redis service and issuing valid Redis commands.
CMD
Redis command issued by the attacker.
ARGS
Arguments to the command.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "Redis Command" <LOGTYPE> = "21001" <EVENT_DICT> = { "CMD": "...", "ARGS": "..." "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
# Windows File Share Incidents
Triggered by interacting with the Canary’s Windows File Share.
Currently there are 5 Windows File Share incident types:
- Windows File Share File Opened Incident
- Windows File Share Login Incident
- Windows File Share Enumeration Incident
- Windows File Share Connected Incident
- Windows File Share Registry Connected Incident
LOGTYPE 5000 - SMB FILE OPEN
5010 - SMB LOGIN
5013 - SMB GROUP ENUM
5014 - SMB SHARE CONNECT
5015 - SMB REGISTRY
USER
Username supplied by the attacker.
FILENAME
Name of file on the Canary that was accessed.
AUDITACTION
Type of file action. Currently, only 'pread'.
DOMAIN
Name of domain or workgroup.
LOCALNAME
Windows Name of Canary machine.
MODE 'workgroup' or 'domain'
OFFSET
Starting position of the read.
REMOTENAME
Windows Name of the client machine.
SHARENAME
Name of the share on which the file resides.
SIZE
Amount of bytes read.
SMBARCH
Guess of the remote machine's Windows version.
SMBVER
Version of the SMB protocol that was used.
STATUS
Result of the file read. Currently, only 'ok'.
LOGINTYPE LOGIN - Login Type.
RID GROUP ENUM - Relative Identifier.
SID GROUP ENUM - Security Identifier.
SGROUPNAME GROUP ENUM - Security Group Name.
AUDITACTION GROUP ENUM - Windows API Queried.
HIVE REGISTRY - Registry Hive.
REGISTRY_KEY REGISTRY - Registry Key.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "Shared File Opened" <LOGTYPE> = "5000 | 5010 | 5013 | 5014 | 5015" <EVENT_DICT> = { "USER": "...", "FILENAME": "...", "AUDITACTION": "...", "DOMAIN": "...", "LOCALNAME": "...", "MODE": "...", "OFFSET": "...", "REMOTENAME": "...", "SHARENAME": "...", "SIZE": "...", "SMBARCH": "...", "SMBVER": "...", "STATUS": "..." "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# SIP Request
Triggered by an attacker connecting to the SIP service and issuing a valid SIP request.
HEADERS
Dict of the SIP headers included in the request.
<EVENT_DESCRIPTION> = "SIP Request" <LOGTYPE> = "15001" <EVENT_DICT> = { "HEADERS": { "<header_name1>": "<header_value1>", "<header_name2>": "<header_value2>", "<header_name3>": "<header_value3>", "...": "..." } }Copied!
2
3
4
5
6
7
8
9
10
# SNMP Request
Triggered by an incoming SNMP query against the Canary.
COMMUNITY_STRING
SNMP community string supplied by the attacker.
REQUESTS
SNMP OID requested by the attacker.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "SNMP Request" <LOGTYPE> = "13001" <EVENT_DICT> = { "COMMUNITY_STRING": "...", "REQUESTS": "..." "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
# SSH Login Attempt
Triggered by an attempt to login to the Canary using SSH. Both password-based and key-based authentication is possible.
It is also possible to configure “Watched Credentials”, which says to only alert if the attacker-supplied credentials match a configured list.
LOGTYPE 4000 - SSH NEW CONNECTION
4001 - SSH REMOTE VERSION SENT
4002 - SSH LOGIN ATTEMPT
USERNAME
Username supplied by the attacker.
PASSWORD
Optional. The attacker's supplied password in password-based auth.
LOCALVERSION
Canary's SSH version string.
REMOTEVERSION
The attacker's supplied version string.
KEY
Optional. The attacker's supplied public key in key-based auth.
WATCHED_CREDENTIALS
Optional. Set to 'Yes' if Watched Credentials are enabled.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "SSH Login Attempt" <LOGTYPE> = "4000 | 4001 | 4002" <EVENT_DICT> = { "USERNAME": "...", "PASSWORD": "...", "LOCALVERSION": "...", "REMOTEVERSION": "...", "KEY": "...", "WATCHED_CREDENTIALS": "...", "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
10
11
12
# Telnet Login Attempt
Triggered by a Telnet authentication attempt.
USERNAME
Attacker supplied username.
PASSWORD
Attacker supplied password.
TERMSIZE
The size of the terminal
TERMTYPE
The terminal type
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "Telnet Login Attempt" <LOGTYPE> = "6001" <EVENT_DICT> = { "USERNAME": "...", "PASSWORD": "..." "TERMSIZE": "..." , "TERMTYPE": "..." , "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
10
# TFTP request
Triggered by a TFTP request against the Canary.
FILENAME
Name of file the attacker tried to act on.
OPCODE
File action, either 'READ' or 'WRITE'
MODE
TFTP defines three modes of transfer: netascii, octet, and mail.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "TFTP Request" <LOGTYPE> = "10001" <EVENT_DICT> = { "FILENAME": "...", "OPCODE": "..." "MODE": "..." "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
# TN3270 Login
Triggered by a TN3270 request against the Canary.
USERNAME
Attacker supplied username.
PASSWORD
Attacker supplied password.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "TN3270 Login Attempt" <LOGTYPE> = "32001" <EVENT_DICT> = { "USERNAME": "...", "PASSWORD": "..." }Copied!
2
3
4
5
6
# VNC Login Attempt
Triggered by an attempt to login to Canary’s password-protected VNC service.
VNC passwords are not transmitted in the clear. Instead, a hashed version is sent. The Canary will test the hashed password against a handful of common passwords to guess the password, but the hash parameters are also reported so the administrator can crack the hash on more powerful rigs.
PASSWORD
Cracked password if very weak.
SERVER_CHALLENGE
VNC password hashing parameter.
CLIENT_RESPONSE
VNC password hashing parameter.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "VNC Login Attempt" <LOGTYPE> = "12001" <EVENT_DICT> = { "PASSWORD": "...", "SERVER_CHALLENGE": "...", "CLIENT_RESPONSE": "...", "timestamp": ..., "timestamp_std": "..." }Copied!
2
3
4
5
6
7
8
9
# WinRM Login Attempt
Triggered by an attempt to connect to the Canary using a WinRM agent.
USERNAME
Attacker supplied username.
PASSWORD
Optional. Attacker supplied password. This will not be present for Kerberos or NTLM authentication.
WORKSTATION
Present for Kerberos auth attempts. Gives the workstation name of the attacker.
DOMAINNAME
Attacker supplied domain name.
USERAGENT
Optional. Gives the agent used by the attacker to connect.
AUTHTYPE
The authentication type used to connect to WinRM. If present, this will be one of 'basic', 'ntlm', 'certificate', 'kerberos' or 'digest', otherwise this will be 'unknown'.
SNAME
Present for Kerberos auth attempts. Gives the service name of the request.
REALM
Present for Kerberos auth attempts. Gives the Kerberos realm.
TKTVNO
Present for Kerberos auth attempts. Gives the ticket format version number of the request.
WINRMPAYLOAD
The xml payload of the WinRM connection attempt.
timestamp
The timestamp of the request eg. 1580378197
timestamp_std
Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000
<EVENT_DESCRIPTION> = "WinRM Login Attempt" <LOGTYPE> = "29001" <EVENT_DICT> = { "AUTHTYPE": "...", "PASSWORD": "...", "USERAGENT": "...", "USERNAME": "...", "WINRMPAYLOAD": "..." }Copied!
2
3
4
5
6
7
8
9