# Incident Objects

Each log entry is termed an event: a single SSH login attempt, a single POST to a website, a single SIP request, and so on. The first event from a source creates an incident; subsequent similar events from the same source are bundled into that incident if they occur in close proximity. If someone launches a brute-force attack, for example, a single incident is created with one event per login attempt.

The incident object contains a record of the individual events that constitute the incident.

# Basic Structure

Incident feeds have this basic structure:

| Field | Description |
|---|---|
| `updated` | Human-readable date when the incident was updated |
| `updated_std` | The date/time when the incident was updated, in the format `YYYY-MM-DD HH:MM:SS TZ` |
| `updated_time` | Timestamp of the update time, e.g. `1574945951` |
| `created` | Timestamp of the incident creation time, e.g. `1574945951` |
| `created_std` | The date/time when the incident was created, in the format `YYYY-MM-DD HH:MM:SS TZ` |
| `dst_host` | Optional. The destination IP address of the attack |
| `dst_port` | Optional. The destination port of the attack |
| `events_count` | Number of events for the incident |
| `flock_id` | ID of the Flock in which the incident occurred |
| `flock_name` | Name of the Flock in which the incident occurred |
| `name` | Optional. The name of the device on which the incident occurred |
| `node_id` | Optional. The `node_id` of the device on which the incident occurred |
| `src_host` | The source IP address of the attacker |
| `src_host_reverse` | The source hostname of the attacker |
| `src_port` | The source port of the attacker |


Response

```json
{
  "feed": "Unacknowledged Incidents",
  [...]
  "incidents": [
    {
      "id": "...",
      "summary": "<EVENT_DESCRIPTION>",
      "updated": "...",
      "updated_std": "...",
      "updated_time": "...",
      [...]
      "description": {
        [...]
        "logtype": "<LOGTYPE>",
        "description": "<EVENT_DESCRIPTION>",
        "created": "...",
        "created_std": "...",
        "dst_host": "...",
        "dst_port": "...",
        "events": [
          <EVENT_DICT>,
          <EVENT_DICT>,
          ...
        ],
        "events_count": "...",
        "flock_id": "...",
        "flock_name": "...",
        "name": "...",
        "node_id": "...",
        "src_host": "...",
        "src_host_reverse": "...",
        "src_port": "..."
      }
    }
  ]
}
```

The `events` field contains a list of `<EVENT_DICT>`s. In the incident types below, only the `<EVENT_DESCRIPTION>`, `<LOGTYPE>` and `<EVENT_DICT>` values are defined, as the rest of the incident object is the same across the various incident types.

All fields will be present in each incident, unless noted otherwise.

The actual data returned by the API may include additional fields. However, any field not described in this document should be considered experimental and likely to disappear.
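As an added example (not code from the Canary API docs), the following Python walks a feed with the structure above, checks that each incident carries the documented `description` fields while ignoring any experimental extras, and summarises the bundled events for two incident types defined later on this page: HTTP Login Attempt (logtype 3001) and Host Port Scan (logtype 5001). The sample feed is constructed here; its `id` values, hostnames and addresses are placeholders.

```python
import json
from collections import Counter

# Fields this page documents as always present inside "description".
REQUIRED = ("logtype", "description", "created", "created_std", "events",
            "events_count", "flock_id", "flock_name", "src_host",
            "src_host_reverse", "src_port")


def login_event(user, password, ts):
    """Build one constructed HTTP Login Attempt EVENT_DICT (logtype 3001)."""
    return {"USERNAME": user, "PASSWORD": password, "PATH": "/login",
            "USERAGENT": "curl/8.0", "CHANNEL": "TLS", "METHOD": "POST",
            "RESPONSE": "200", "SKIN": "nasLogin",
            "timestamp": ts, "timestamp_std": "2019-11-28 12:59:11 UTC+0000"}


def incident(inc_id, summary, logtype, events, **extra):
    """Build one constructed incident object carrying the documented fields."""
    desc = {"logtype": logtype, "description": summary,
            "created": 1574945951, "created_std": "2019-11-28 12:59:11 UTC+0000",
            "events": events, "events_count": str(len(events)),
            "flock_id": "flock:default", "flock_name": "Default Flock",
            "src_host": "192.0.2.10", "src_host_reverse": "scanner.example.invalid",
            "src_port": "51234"}
    desc.update(extra)  # optional fields such as dst_host go here
    return {"id": inc_id, "summary": summary, "updated": "...",
            "updated_std": "2019-11-28 12:59:11 UTC+0000",
            "updated_time": 1574945951, "description": desc}


# Constructed sample feed: one bundled brute-force incident, one host port scan.
SAMPLE_FEED = json.dumps({
    "feed": "Unacknowledged Incidents",
    "incidents": [
        incident("incident:httplogin:example-1", "HTTP Login Attempt", "3001",
                 [login_event("admin", "admin", 1574945951),
                  login_event("admin", "password", 1574945952),
                  login_event("root", "toor", 1574945953)],
                 dst_host="192.0.2.50", dst_port="443", name="nas-01"),
        incident("incident:portscan:example-2", "Host Port Scan", "5001",
                 [{"ports": "23,80,443", "timestamp": 1574945960,
                   "timestamp_std": "2019-11-28 12:59:20 UTC+0000"}]),
    ],
})


def load_feed(text):
    """Parse a feed document and return its list of incident objects."""
    return json.loads(text)["incidents"]


def missing_fields(desc):
    """Documented fields absent from a description; undocumented extras are ignored."""
    return [f for f in REQUIRED if f not in desc]


def summarise(inc):
    """Reduce one incident to the facts an analyst triages on."""
    desc = inc["description"]
    missing = missing_fields(desc)
    if missing:
        raise ValueError(f"incident {inc.get('id')!r} lacks {missing}")
    events = desc["events"]
    out = {
        "id": inc["id"],
        "logtype": str(desc["logtype"]),
        "src_host": desc["src_host"],
        "dst_host": desc.get("dst_host"),        # optional: None when absent
        "events_count": int(desc["events_count"]),
        "detail": {},
    }
    if out["logtype"] == "3001":
        # Bundled HTTP Login Attempt: which usernames were tried, with how many passwords.
        out["detail"] = {
            "usernames": dict(Counter(e["USERNAME"] for e in events)),
            "distinct_passwords": len({e["PASSWORD"] for e in events}),
            "tls": all(e.get("CHANNEL") == "TLS" for e in events),
        }
    elif out["logtype"] == "5001":
        # Host Port Scan: "ports" is a comma-separated string in each event.
        ports = set()
        for e in events:
            ports.update(int(p) for p in e["ports"].split(",") if p.strip())
        out["detail"] = {"ports": sorted(ports)}
    return out


if __name__ == "__main__":
    for inc in load_feed(SAMPLE_FEED):
        print(json.dumps(summarise(inc), indent=2))
```

`summarise` raises on a missing documented field but never on an extra one, which matches the note above that undocumented fields may appear and disappear; keying the dispatch on `description.logtype` rather than on the free-text `summary` keeps it stable across the incident types that follow.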

# Canary Disconnected

| Field | Description |
|---|---|
| `EVENT_DICT` | Empty, no additional event data. |


Response

```json
<EVENT_DESCRIPTION> = "Canary Disconnected"
<LOGTYPE> = "1004"
<EVENT_DICT> = { }
```

# Canary Settings Changed

| Field | Description |
|---|---|
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |
| `SETTINGS` | A string containing the changed settings |


Response

```json
<EVENT_DESCRIPTION> = "Canary Settings Changed"
<LOGTYPE> = "23002"
<EVENT_DICT> = {
                "timestamp": ...,
                "timestamp_std": "...",
                "SETTINGS": "..."
              }
```

# Console Settings Changed

| Field | Description |
|---|---|
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |
| `SETTINGS` | A string containing the changed settings. |


Response

```json
<EVENT_DESCRIPTION> = "Console Settings Changed"
<LOGTYPE> = "23001"
<EVENT_DICT> = {
                "timestamp": ...,
                "timestamp_std": "...",
                "SETTINGS": "..."
              }
```

# Canarytokens

Most Canarytokens make use of HTTP and DNS as their underlying communication channel.

# HTTP

LOGTYPE:

- 17001 - TOKENS HTTP REMOTE IMAGE
- 17003 - TOKENS HTTP CLONED SITE
- 17004 - TOKENS DOC MSWORD
- 17005 - TOKENS HTTP AWS S3
- 17006 - TOKENS HTTP GOOGLE DOCS
- 17007 - TOKENS HTTP GOOGLE SHEETS
- 17008 - TOKENS HTTP SIGNED EXE
- 17009 - TOKENS HTTP QR CODE
- 17012 - TOKENS HTTP AWS ID
- 17016 - TOKENS HTTP FAST REDIRECT
- 17017 - TOKENS HTTP SLOW REDIRECT
- 17019 - TOKENS HTTP OFFICE365 MAIL
- 17020 - TOKENS HTTP SLACK API
- 17021 - TOKENS HTTP GMAIL
- 17024 - TOKENS HTTP AZURE ID

| Field | Description |
|---|---|
| `type` | A string containing the token type. |
| `canarytoken` | Unique string that acts as the Canarytoken. |
| `headers` | Dict of the HTTP request headers. |
| `kind` | Type of Canarytoken triggered. |
| `url` | URL of the HTTP Canarytoken. |
| `geoip` | Geographic lookup of the source IP. |
| `ip_blocklist` | Lookup object indicating whether the source IP is a known proxy, Tor or VPN source. |
| `cloned_site` | Cloned Site: URL of the cloned site. |
| `original_site` | Cloned Site: domain of the protected site. |
| `referer` | Cloned Site: HTTP referer. |
| `additional_info` | Stores token-specific data dependent on the service, for example S3 bucket operation details received from AWS APIs. |


Response

```json
<EVENT_DESCRIPTION> = "Canarytoken triggered"
<LOGTYPE> = "17000 | 17001 | 17003 | 17004 | 17005 | 17006 | 17007 | 17008 | 17009 | 17012 | 17016 | 17017 | 17019 | 17020 | 17021 | 17024"
<EVENT_DICT> = {
                 "type": "http",
                 "canarytoken": "<tokenvalue>",
                 "headers": {
                   <headername_1>: <headervalue_1>, <headername_2>: <headervalue_2>, ...
                 },
                 "url": "<tokenurl>"
               }
```

# DNS

LOGTYPE:

- 16006 - TOKENS DNS DESKTOPINI
- 16008 - TOKENS DNS PDF ACROBAT_READER
- 16009 - TOKENS DNS MSWORD MACRO
- 16010 - TOKENS DNS MSEXCEL MACRO
- 16011 - TOKENS DNS SENSITIVE CMD
- 17023 - TOKENS DOC MSEXCEL

| Field | Description |
|---|---|
| `type` | A string containing the token type. |
| `canarytoken` | Unique string that acts as the Canarytoken. |
| `hostname` | Hostname of the DNS Canarytoken. |
| `generic_data` | Encoded additional information. See "Encoding additional information in your token". |
| `windows_desktopini_access_username` | Windows Folder: host username. |
| `windows_desktopini_access_domain` | Windows Folder: host domain. |
| `windows_desktopini_computer_name` | Windows Folder: host computer name. |
| `ms_macro_os` | MS Excel / Word Macro: host OS. |
| `ms_macro_username` | MS Excel / Word Macro: host username. |
| `ms_macro_ip` | MS Excel / Word Macro: host local IP. |
| `cmd_computer_name` | Sensitive Command: host computer name. |
| `cmd_user_name` | Sensitive Command: host user name. |
| `cmd_invocation_id` | Sensitive Command: unique identifier per executed instance of the command; this changes on every execution. |


Response

```json
<EVENT_DESCRIPTION> = "Canarytoken triggered"
<LOGTYPE> = "16000 | 16006 | 16008 | 16009 | 16010 | 16011"
<EVENT_DICT> = {
                 "type": "dns",
                 "canarytoken": "<tokenvalue>",
                 "hostname": "<tokenhostname>",
                 "generic_data": "<only present when additional data is encoded>",
                 "windows_desktopini_access_username": "<only present for windows folder alerts>",
                 "windows_desktopini_access_domain": "<only present for windows folder alerts>",
                 "windows_desktopini_computer_name": "<only present for windows folder alerts>",
                 "ms_macro_os": "<only present for MS Word / Excel alerts>",
                 "ms_macro_username": "<only present for MS Word / Excel alerts>",
                 "ms_macro_ip": "<only present for MS Word / Excel alerts>",
                 "cmd_computer_name": "<only present for sensitive command alerts>",
                 "cmd_user_name": "<only present for sensitive command alerts>",
                 "cmd_invocation_id": "<only present for sensitive command alerts>"
               }
```

Other Tokens use their own communication channel.

# Wireguard

LOGTYPE:

- 17022 - TOKENS WIREGUARD

| Field | Description |
|---|---|
| `type` | A string containing the token type. |
| `canarytoken` | Unique string that acts as the Canarytoken. |
| `client_public_key` | Connecting client's public key. |
| `client_session_index` | Connecting client's session ID. |


Response

```json
<EVENT_DESCRIPTION> = "Canarytoken triggered"
<LOGTYPE> = "17022"
<EVENT_DICT> = {
                 "client_public_key": "...",
                 "client_session_index": "..."
               }
```

# Custom TCP Service Request

The Custom TCP Service module lets the Canary administrator create simple services that either immediately print a banner on connection, or wait for the client to send data before responding.

LOGTYPE:

- 20001 - TCP banner sent immediately on connection.
- 20002 - TCP banner sent after the client sent a line.
- 20003 - TCP banner keep alive connection made.
- 20004 - TCP banner keep alive secret received.
- 20005 - TCP banner keep alive data received.
- 20006 - TCP banner connection refused.

| Field | Description |
|---|---|
| `BANNER_ID` | Multiple banners are supported; the ID identifies which banner service was triggered. |
| `DATA` | Optional. The attacker's supplied data. |
| `FUNCTION` | Indicates which trigger fired: `DATA_RECEIVED` when a banner was sent after the attacker sent data, or `CONNECTION_MADE` when a banner was sent immediately on connection. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "Custom TCP Service Request"
<LOGTYPE> = "20001 | 20002 | 20003 | 20004 | 20005 | 20006"
<EVENT_DICT> = {
                 "BANNER_ID": "...",
                 "DATA": "...",
                 "FUNCTION": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# Dummy Incident

Alert data sent via Syslog or Webhook when testing connections.


Response

```json
<EVENT_DESCRIPTION> = "This is a dummy incident"
<EVENT_DICT> = {
                "ReverseDNS": "theattackers.ip.local",
                "CanaryName": "DummyDevice",
                "CanaryIP": "1.1.1.1",
                "AlertType": "CanaryIncident",
                "AdditionalDetails": {
                  "Field2": "VALUE2",
                  "Field3": "VALUE3",
                  "Field1": "VALUE1"
                },
                "CanaryID": "0000000testnode",
                "Description": "Fake Location",
                "Timestamp": "1691096157",
                "Intro": "This is a dummy incident.",
                "Flock": "flock:dummyincidentflock",
                "CanaryLocation": "Fake Location",
                "SourceIP": "2.2.2.2"
              }
```

# FTP Login Attempt

| Field | Description |
|---|---|
| `USERNAME` | Attacker-supplied username. |
| `PASSWORD` | Attacker-supplied password. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "FTP Login Attempt"
<LOGTYPE> = "2000"
<EVENT_DICT> = {
                 "USERNAME": "...",
                 "PASSWORD": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# Git Repository Clone Attempt

| Field | Description |
|---|---|
| `HOST` | Git client's view of the Canary's hostname. |
| `REPO` | Name of the repository the client attempted to clone. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "Git Repository Clone Attempt"
<LOGTYPE> = "19001"
<EVENT_DICT> = {
                 "HOST": "...",
                 "REPO": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# HTTP Incidents

There are two types of HTTP incidents:

  1. Page loads, triggered by GET requests. They are disabled by default as they're noisy, and need to be specifically enabled.
  2. Login attempts, triggered by GET requests. They are always enabled.

# HTTP API Request

Triggered by an HTTP request to a Canary configured as an API server.

| Field | Description |
|---|---|
| `HEADERS` | Headers present in the request. |
| `HOSTNAME` | Destination hostname. |
| `METHOD` | HTTP method. |
| `PATH` | Web path requested by the source. |
| `POSTDATA` | Additional POST data sent by the source. |
| `RESPONSE` | The response code, e.g. `200` |
| `SKIN` | Which webserver skin was used, e.g. `nasLogin` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `USERAGENT` | User agent of the source's browser. |


Response

```json
<EVENT_DESCRIPTION> = "HTTP API Request"
<LOGTYPE> = "3005"
<EVENT_DICT> = {
                 "POSTDATA": {
                     "...": "..."
                 },
                 "timestamp": ...,
                 "HOSTNAME": "...",
                 "RESPONSE": ...,
                 "HEADERS": {
                     "...": "..."
                 },
                 "timestamp_std": "...",
                 "SKIN": "...",
                 "PATH": "...",
                 "USERAGENT": "...",
                 "METHOD": "..."
               }
```

# HTTP Page Load

LOGTYPE:

- 3000 - HTTP GET
- 3002 - HTTP POST
- 3003 - HTTP ERROR

| Field | Description |
|---|---|
| `PATH` | Web path requested by the source. |
| `USERAGENT` | User agent of the source's browser. |
| `CHANNEL` | Optional. Set to `TLS` if an encrypted site is configured, otherwise absent. |
| `METHOD` | The HTTP request method used, e.g. GET/POST/DELETE |
| `RESPONSE` | The response code, e.g. `200` |
| `SKIN` | Which webserver skin was used, e.g. `nasLogin` |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "HTTP Page Load"
<LOGTYPE> = "3000 | 3002 | 3003"
<EVENT_DICT> = {
                 "PATH": "...",
                 "USERAGENT": "...",
                 "CHANNEL": "...",
                 "METHOD": "...",
                 "RESPONSE": ...,
                 "SKIN": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# HTTP Login Attempt

| Field | Description |
|---|---|
| `USERNAME` | Attacker-supplied username. |
| `PASSWORD` | Attacker-supplied password. |
| `PATH` | Web path requested by the source. |
| `USERAGENT` | User agent of the source's browser. |
| `CHANNEL` | Optional. Set to `TLS` if an encrypted site is configured, otherwise absent. |
| `METHOD` | The HTTP request method used, e.g. GET/POST/DELETE |
| `RESPONSE` | The response code, e.g. `200` |
| `SKIN` | Which webserver skin was used, e.g. `nasLogin` |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "HTTP Login Attempt"
<LOGTYPE> = "3001"
<EVENT_DICT> = {
                 "USERNAME": "...",
                 "PASSWORD": "...",
                 "PATH": "...",
                 "USERAGENT": "...",
                 "CHANNEL": "...",
                 "METHOD": "...",
                 "RESPONSE": "...",
                 "SKIN": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# HTTP Proxy Request

Triggered by any request through the HTTP proxy module.

| Field | Description |
|---|---|
| `USERNAME` | Optional. Attacker-supplied proxy username. |
| `PASSWORD` | Optional. Attacker-supplied proxy password. |
| `URL` | URL requested by the source. |
| `USERAGENT` | User agent of the source's browser. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "HTTP Proxy Request"
<LOGTYPE> = "7001"
<EVENT_DICT> = {
                 "USERNAME": "...",
                 "PASSWORD": "...",
                 "URL": "...",
                 "USERAGENT": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# HTTP Service Scan

Triggered by scans for HTTP services.

| Field | Description |
|---|---|
| `METHOD` | The HTTP request method used, e.g. GET/POST/DELETE |
| `PATH` | Web path requested by the source. |
| `RESPONSE` | The response code, e.g. `200` |


Response

```json
<EVENT_DESCRIPTION> = "HTTP Service Scan"
<LOGTYPE> = "3004"
<EVENT_DICT> = {
                 "METHOD": "...",
                 "PATH": "...",
                 "RESPONSE": ...
               }
```

# LDAP Bind Attempt

Triggered by an LDAP BIND request.

| Field | Description |
|---|---|
| `DN` | Distinguished Name. |
| `MECH` | SASL mechanism. |
| `VER` | LDAP protocol version. |
| `SEARCH_ATTRIBUTE` | Search target. |
| `REQ` | Request. |
| `PASSWORD` | Password. |
| `TYPE` | Authentication type. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "LDAP Bind Attempt Detected"
<LOGTYPE> = "31001"
<EVENT_DICT> = {
                 "DN": "...",
                 "MECH": "...",
                 "VER": "...",
                 "timestamp": ...,
                 "REQ": "...",
                 "timestamp_std": "...",
                 "PASSWORD": "...",
                 "TYPE": "..."
               }
```

# Local Tampering Detected

Triggered by local tampering with a Canary host.

| Field | Description |
|---|---|
| `MESSAGE` | Tampering cause summary. |
| `MESSAGE_THINKST` | Tampering cause details. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "Local Tampering Detected"
<LOGTYPE> = "30001"
<EVENT_DICT> = {
                 "timestamp": ...,
                 "timestamp_std": "...",
                 "MESSAGE": "...",
                 "MESSAGE_THINKST": "..."
               }
```

# ModBus Request

Triggered by any valid ModBus request.

LOGTYPE:

- 18001 - Modbus Query Function
- 18002 - Modbus Read Function
- 18003 - Modbus Write Function

| Field | Description |
|---|---|
| `UNIT_ID` | ModBus unit target. |
| `FUNC_CODE` | ModBus function code. |
| `FUNC_NAME` | Optional. ModBus function name, if available. |
| `SFUNC_CODE` | Optional. ModBus subfunction code, if available. |
| `SFUNC_NAME` | Optional. ModBus subfunction name, if available. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "ModBus Request"
<LOGTYPE> = "18001 | 18002 | 18003"
<EVENT_DICT> = {
                 "UNIT_ID": "...",
                 "FUNC_CODE": "...",
                 "FUNC_NAME": "...",
                 "SFUNC_CODE": "...",
                 "SFUNC_NAME": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# Mongo Request

Triggered by any valid MongoDB request.

LOGTYPE:

- 28001 - Mongo Command
- 28002 - Mongo Auth Command

| Field | Description |
|---|---|
| `cmd` | Command attempted. |
| `db` | Database accessed. |
| `user` | Attacker-supplied database username. |
| `password` | Attacker-supplied database password. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "Mongo Authentication Attempt"
<LOGTYPE> = "28001 | 28002"
<EVENT_DICT> = {
                 "timestamp": "...",
                 "cmd": "...",
                 "db": "...",
                 "timestamp_std": "...",
                 "user": "...",
                 "password": "..."
               }
```

# MSSQL Login Attempt

Triggered by any attempt to authenticate to the MS-SQL Server module.

SQL Server supports multiple authentication modes, and the fields that come through depend on the mode.

LOGTYPE:

- 9001 for SQL Server authentication
- 9002 for Windows authentication

| Field | Description |
|---|---|
| `USERNAME` | Attacker-supplied database username. |
| `PASSWORD` | Optional. Attacker-supplied database password. |
| `HOSTNAME` | Optional. Attacker-supplied hostname. |
| `DOMAINNAME` | Optional. Attacker-supplied Active Directory name. |
| `APPNAME` | Name of the app with which the query was made, e.g. `SQLCMD` |
| `HOSTNAME` | Hostname of the attacker |
| `SERVERNAME` | IP address of the attacker |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "MSSQL Login Attempt"
<LOGTYPE> = "9001 | 9002"
<EVENT_DICT> = {
                 "USERNAME": "...",
                 "PASSWORD": "...",
                 "HOSTNAME": "...",
                 "DOMAINNAME": "...",
                 "APPNAME": "...",
                 "HOSTNAME": "...",
                 "SERVERNAME": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# MySQL Login Attempt

Triggered by an authentication attempt against the MySQL service.

The client sends a hashed password, not a cleartext password. The Canary will try to crack the hash with passwords one might expect in a brute-force.

| Field | Description |
|---|---|
| `USERNAME` | Attacker-supplied database username. |
| `CLIENT_HASH` | Attacker-supplied database password hash. |
| `SALT` | Attacker-supplied database password hash salt. |
| `PASSWORD` | Recovered password if possible, otherwise `<Password not in common list>` |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "MySQL Login Attempt"
<LOGTYPE> = "8001"
<EVENT_DICT> = {
                 "USERNAME": "...",
                 "CLIENT_HASH": "...",
                 "SALT": "...",
                 "PASSWORD": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```
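As an added example (not the Canary's own code), the following Python shows how the `PASSWORD` field described above can be derived from `CLIENT_HASH` and `SALT`: the client never sends the password itself, only the `mysql_native_password` scramble `SHA1(password) XOR SHA1(salt || SHA1(SHA1(password)))`, so the honeypot can only recover it by re-computing that scramble for each entry of a common-password list. It assumes both fields are hex-encoded (the page does not state the encoding), uses a constructed salt and a constructed short common list, and builds its sample event from a known password so the recovery can be checked end to end.

```python
import hashlib

NOT_FOUND = "<Password not in common list>"

# Constructed 20-byte salt, hex-encoded. Hex encoding of SALT and CLIENT_HASH
# is an assumption of this example; the page does not state the encoding.
SALT_HEX = "000102030405060708090a0b0c0d0e0f10111213"

# Constructed short "common list" standing in for the Canary's own.
COMMON_PASSWORDS = ["root", "password", "123456", "mysql", "password123"]


def mysql_native_scramble(password, salt):
    """Client response of mysql_native_password:
    SHA1(password) XOR SHA1(salt || SHA1(SHA1(password)))."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mask = hashlib.sha1(salt + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mask))


def make_event(username, password, salt_hex=SALT_HEX):
    """Constructed MySQL Login Attempt EVENT_DICT, as a client using this
    password would have produced it (PASSWORD left for the recovery step)."""
    scramble = mysql_native_scramble(password, bytes.fromhex(salt_hex))
    return {"USERNAME": username, "CLIENT_HASH": scramble.hex(), "SALT": salt_hex,
            "timestamp": 1580378197, "timestamp_std": "2020-01-30 09:56:37 UTC+0000"}


def recover_password(client_hash_hex, salt_hex, candidates):
    """Return the candidate that reproduces CLIENT_HASH under SALT, else NOT_FOUND."""
    client_hash = bytes.fromhex(client_hash_hex)
    salt = bytes.fromhex(salt_hex)
    if len(client_hash) != 20 or len(salt) != 20:
        raise ValueError("mysql_native_password uses a 20-byte salt and scramble")
    for candidate in candidates:
        if mysql_native_scramble(candidate, salt) == client_hash:
            return candidate
    return NOT_FOUND


def fill_password(event, candidates=COMMON_PASSWORDS):
    """Return a copy of the event with PASSWORD filled in as the page describes."""
    out = dict(event)
    out["PASSWORD"] = recover_password(event["CLIENT_HASH"], event["SALT"], candidates)
    return out


if __name__ == "__main__":
    print(fill_password(make_event("root", "password123"))["PASSWORD"])
    print(fill_password(make_event("root", "correct horse battery"))["PASSWORD"])
```

Because the salt is chosen by the Canary per connection, a scramble captured in one event cannot be replayed against another; this is also why `SALT` has to be stored alongside `CLIENT_HASH` for the recovery to be repeatable later.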

# Network Settings Roll-back

Triggered by a Canary reverting its network settings after a settings push, if it cannot connect to the Console.

| Field | Description |
|---|---|
| `Rollback time` | The timestamp of the rollback, e.g. `1580378197` |


Response

```json
<EVENT_DESCRIPTION> = "Network Settings Roll-back"
<LOGTYPE> = "22011"
<EVENT_DICT> = [
                 "Rollbacktime: 1580378197"
               ]
```

# NTP Monlist Request

Triggered by the NTP Monlist command.

| Field | Description |
|---|---|
| `NTP_CMD` | Name of the NTP command sent. Currently always `monlist`. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "NTP Monlist Request"
<LOGTYPE> = "11001"
<EVENT_DICT> = {
                 "NTP_CMD": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# Port Scans

There are six types of port scan incidents.

  1. A host port scan occurs when a single Canary is port scanned by a single source.
  2. A consolidated network port scan occurs when multiple Canaries are scanned by a single source.
  3. An NMAP FIN scan was run against the Canary.
  4. An NMAP NULL scan was run against the Canary.
  5. An NMAP OS scan was run against the Canary.
  6. An NMAP XMAS scan was run against the Canary.

# Host Port Scan

LOGTYPE:

- 5001 - PORT SYN
- 5002 - PORT SCAN NET
- 5009 - PORT RUNFINGER SCAN
- 5011 - PORT RUNFINGER DIALECT
- 5012 - PORT RUNFINGER LANMAN

| Field | Description |
|---|---|
| `ports` | List of comma-separated ports. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "Host Port Scan"
<LOGTYPE> = "5001 | 5002 | 5003 | 5009 | 5011 | 5012"
<EVENT_DICT> = {
                 "ports": "23,80,443",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# Consolidated Network Port Scan

| Field | Description |
|---|---|
| `EVENT_DICT` | The dict's keys are port numbers, and the values are lists of IP addresses. |
| `port` | Port number on the Canary |
| `canary_IP` | Canaries that were targeted |


Response

```json
<EVENT_DESCRIPTION> = "Consolidated Network Port Scan"
<LOGTYPE> = "5007"
<EVENT_DICT> = {
                 "<port>": [
                   "<canary_IP>",
                   "<canary_IP>"
                 ],
                 "<port>": [
                   "<canary_IP>",
                   "<canary_IP>"
                 ]
               }
```
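The consolidated `EVENT_DICT` is keyed by port rather than by Canary, which is the opposite of how an analyst usually wants to read it (which Canaries did this source touch, and how widely). As an added example (not code from the Canary API docs), the following Python validates such a dict, since the port keys arrive as JSON strings and a malformed entry should be reported rather than silently dropped, and inverts it into a per-Canary view. The sample dict is constructed, with two deliberately bad entries.

```python
import ipaddress


def parse_consolidated_scan(event_dict):
    """Turn a Consolidated Network Port Scan EVENT_DICT, {"<port>": ["<canary_IP>", ...]},
    into {canary_ip: [sorted ports]}. Keys that are not valid ports and values that
    are not IP addresses are returned in a separate error list."""
    by_canary = {}
    errors = []
    for port_key, targets in event_dict.items():
        try:
            port = int(port_key)          # keys are JSON strings such as "445"
        except (TypeError, ValueError):
            port = -1
        if not 1 <= port <= 65535:
            errors.append(f"bad port key {port_key!r}")
            continue
        if not isinstance(targets, list):
            errors.append(f"port {port}: expected a list of canary IPs")
            continue
        for target in targets:
            try:
                canary = str(ipaddress.ip_address(target))
            except ValueError:
                errors.append(f"port {port}: bad canary IP {target!r}")
                continue
            by_canary.setdefault(canary, set()).add(port)
    return {ip: sorted(ports) for ip, ports in by_canary.items()}, errors


def most_scanned(by_canary):
    """Canary IPs ordered by how many distinct ports were probed on them (ties by IP)."""
    return sorted(by_canary, key=lambda ip: (-len(by_canary[ip]), ip))


# Constructed EVENT_DICT: a bad port key and a bad IP mixed in to exercise the checks.
SAMPLE_EVENT = {
    "22": ["10.0.0.5", "10.0.0.6"],
    "445": ["10.0.0.5"],
    "80": ["10.0.0.7", "10.0.0.5"],
    "abc": ["10.0.0.5"],
    "3389": ["not-an-ip"],
}

if __name__ == "__main__":
    mapping, problems = parse_consolidated_scan(SAMPLE_EVENT)
    for ip in most_scanned(mapping):
        print(ip, mapping[ip])
    print("problems:", problems)
```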

# NMAP FIN Scan

| Field | Description |
|---|---|
| `ID` | IP packet ID |
| `LEN` | Length of the IP packet |
| `MAC` | First N bytes of the packet. The destination MAC (i.e. the Canary) is the first 6 bytes, the source MAC is the next 6 bytes, and the remainder is a peek into the rest of the packet |
| `PREC` | Precedence bits, almost always `0x00` |
| `PROTO` | The protocol used |
| `RES` | Reserved bits, almost always `0x0` |
| `TOS` | IP Type of Service field, almost always `0x00` |
| `TTL` | Time-to-live of the IP packet |
| `URGP` | TCP Urgent Pointer offset; `0` indicates the Urgent Pointer is not used |
| `WINDOW` | TCP window size |
| `SYN` | Present if the SYN flag is set, absent otherwise |
| `ACK` | Present if the ACK flag is set, absent otherwise |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "NMAP FIN Scan Detected"
<LOGTYPE> = "5008"
<EVENT_DICT> = {
                 "ID": "...",
                 "LEN": "...",
                 "MAC": "...",
                 "PREC": "...",
                 "PROTO": "...",
                 "RES": "...",
                 "TOS": "...",
                 "TTL": "...",
                 "URGP": "...",
                 "WINDOW": "...",
                 "SYN": "...",
                 "ACK": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# NMAP NULL Scan

| Field | Description |
|---|---|
| `ID` | IP packet ID |
| `LEN` | Length of the IP packet |
| `MAC` | First N bytes of the packet. The destination MAC (i.e. the Canary) is the first 6 bytes, the source MAC is the next 6 bytes, and the remainder is a peek into the rest of the packet |
| `PREC` | Precedence bits, almost always `0x00` |
| `PROTO` | The protocol used |
| `RES` | Reserved bits, almost always `0x0` |
| `TOS` | IP Type of Service field, almost always `0x00` |
| `TTL` | Time-to-live of the IP packet |
| `URGP` | TCP Urgent Pointer offset; `0` indicates the Urgent Pointer is not used |
| `WINDOW` | TCP window size |
| `SYN` | Present if the SYN flag is set, absent otherwise |
| `ACK` | Present if the ACK flag is set, absent otherwise |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "NMAP NULL Scan Detected"
<LOGTYPE> = "5005"
<EVENT_DICT> = {
                 "ID": "...",
                 "LEN": "...",
                 "MAC": "...",
                 "PREC": "...",
                 "PROTO": "...",
                 "RES": "...",
                 "TOS": "...",
                 "TTL": "...",
                 "URGP": "...",
                 "WINDOW": "...",
                 "SYN": "...",
                 "ACK": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# NMAP OS Scan

| Field | Description |
|---|---|
| `ID` | IP packet ID |
| `LEN` | Length of the IP packet |
| `MAC` | First N bytes of the packet. The destination MAC (i.e. the Canary) is the first 6 bytes, the source MAC is the next 6 bytes, and the remainder is a peek into the rest of the packet |
| `PREC` | Precedence bits, almost always `0x00` |
| `PROTO` | The protocol used |
| `RES` | Reserved bits, almost always `0x0` |
| `TOS` | IP Type of Service field, almost always `0x00` |
| `TTL` | Time-to-live of the IP packet |
| `URGP` | TCP Urgent Pointer offset; `0` indicates the Urgent Pointer is not used |
| `WINDOW` | TCP window size |
| `SYN` | Present if the SYN flag is set, absent otherwise |
| `ACK` | Present if the ACK flag is set, absent otherwise |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "NMAP OS Scan Detected"
<LOGTYPE> = "5004"
<EVENT_DICT> = {
                 "ID": "...",
                 "LEN": "...",
                 "MAC": "...",
                 "PREC": "...",
                 "PROTO": "...",
                 "RES": "...",
                 "TOS": "...",
                 "TTL": "...",
                 "URGP": "...",
                 "WINDOW": "...",
                 "SYN": "...",
                 "ACK": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# NMAP XMAS Scan

| Field | Description |
|---|---|
| `ID` | IP packet ID |
| `LEN` | Length of the IP packet |
| `MAC` | First N bytes of the packet. The destination MAC (i.e. the Canary) is the first 6 bytes, the source MAC is the next 6 bytes, and the remainder is a peek into the rest of the packet |
| `PREC` | Precedence bits, almost always `0x00` |
| `PROTO` | The protocol used |
| `RES` | Reserved bits, almost always `0x0` |
| `TOS` | IP Type of Service field, almost always `0x00` |
| `TTL` | Time-to-live of the IP packet |
| `URGP` | TCP Urgent Pointer offset; `0` indicates the Urgent Pointer is not used |
| `WINDOW` | TCP window size |
| `SYN` | Present if the SYN flag is set, absent otherwise |
| `ACK` | Present if the ACK flag is set, absent otherwise |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human-readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```json
<EVENT_DESCRIPTION> = "NMAP XMAS Scan Detected"
<LOGTYPE> = "5006"
<EVENT_DICT> = {
                 "ID": "...",
                 "LEN": "...",
                 "MAC": "...",
                 "PREC": "...",
                 "PROTO": "...",
                 "RES": "...",
                 "TOS": "...",
                 "TTL": "...",
                 "URGP": "...",
                 "WINDOW": "...",
                 "SYN": "...",
                 "ACK": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# RDP Login Attempt

Triggered by an attempt to join the Canary's RDP service.

LOGTYPE 14001 - RDP NEW CONNECTION
14002 - RDP FAILED CONNECTION
14003 - RDP CONFIRMED CONNECTION
14004 - RDP LOGIN ATTEMPT

BUILD Optional. Shows the build number of the attacker's RDP client if that is exposed, otherwise absent.

DOMAINNAME Attacker supplied domain name

MAJORVERSION The major version of the attacker's RDP client (i.e. 6 for 6.1).

MINORVERSION The minor version of the attacker's RDP client (i.e. 1 for 6.1).

USERNAME Attacker supplied username.

timestamp The timestamp of the request eg. 1580378197

timestamp_std Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000


Response
<EVENT_DESCRIPTION> = "RDP Login Attempt"
<LOGTYPE> = "14001 | 14002 | 14003 | 14004"
<EVENT_DICT> = {
                  "BUILD": "...", 
                  "DOMAINNAME": "...", 
                  "MAJORVERSION": "...", 
                  "MINORVERSION": "...", 
                  "USERNAME": "...", 
                  "timestamp": ..., 
                  "timestamp_std": "..."
               }

# Redis Command

Triggered by an attacker connecting to the Redis service and issuing valid Redis commands.

CMD Redis command issued by the attacker.

ARGS Arguments to the command.

timestamp The timestamp of the request eg. 1580378197

timestamp_std Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000


Response
<EVENT_DESCRIPTION> = "Redis Command"
<LOGTYPE> = "21001"
<EVENT_DICT> = {
                 "CMD": "...",        
                 "ARGS": "...",       
                 "timestamp": ...,        
                 "timestamp_std": "..."   
               } 

# Shared File Opened

Triggered by the opening of a file on the Canary’s Windows File Share.

LOGTYPE 5000 - SMB FILE OPEN
5010 - SMB LOGIN
5013 - SMB GROUP ENUM
5014 - SMB SHARE CONNECT

USER Username supplied by the attacker.

FILENAME Name of file on the Canary that was accessed.

AUDITACTION Type of file action. Currently, only 'pread'.

DOMAIN Name of domain or workgroup.

LOCALNAME Windows Name of Canary machine.

MODE 'workgroup' or 'domain'

OFFSET Starting position of the read.

REMOTENAME Windows Name of the client machine.

SHARENAME Name of the share on which the file resides.

SIZE Number of bytes read.

SMBARCH Guess of the remote machine's Windows version.

SMBVER Version of the SMB protocol that was used.

STATUS Result of the file read. Currently, only 'ok'.

timestamp The timestamp of the request eg. 1580378197

timestamp_std Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000


Response
<EVENT_DESCRIPTION> = "Shared File Opened"
<LOGTYPE> = "5000 | 5010 | 5013 | 5014"
<EVENT_DICT> = {
                 "USER": "...",                       
                 "FILENAME": "...",                   
                 "AUDITACTION": "...",                
                 "DOMAIN": "...",                    
                 "LOCALNAME": "...",                  
                 "MODE": "...",                       
                 "OFFSET": "...",                     
                 "REMOTENAME": "...",                 
                 "SHARENAME": "...",                  
                 "SIZE": "...",                       
                 "SMBARCH": "...",                    
                 "SMBVER": "...",                     
                 "STATUS": "...",                    
                 "timestamp": ...,        
                 "timestamp_std": "..."   
               }

# SIP Request

Triggered by an attacker connecting to the SIP service and issuing a valid SIP request.

HEADERS Dict of the SIP headers included in the request.


Response
<EVENT_DESCRIPTION> = "SIP Request"
<LOGTYPE> = "15001"
<EVENT_DICT> = {
                 "HEADERS": {                          
                   "<header_name1>": "<header_value1>",
                   "<header_name2>": "<header_value2>",
                   "<header_name3>": "<header_value3>",
                   "...": "..."
                 }
               }

# SNMP Request

Triggered by an incoming SNMP query against the Canary.

COMMUNITY_STRING SNMP community string supplied by the attacker.

REQUESTS SNMP OID requested by the attacker.

timestamp The timestamp of the request eg. 1580378197

timestamp_std Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000


Response
<EVENT_DESCRIPTION> = "SNMP Request"
<LOGTYPE> = "13001"
<EVENT_DICT> = {
                 "COMMUNITY_STRING": "...",          
                 "REQUESTS": "...",                  
                 "timestamp": ...,        
                 "timestamp_std": "..."   
               }

# SSH Login Attempt

Triggered by an attempt to log in to the Canary using SSH. Both password-based and key-based authentication are possible.

It is also possible to configure “Watched Credentials”, which restricts alerting to attempts where the attacker-supplied credentials match a configured list.

LOGTYPE 4000 - SSH NEW CONNECTION
4001 - SSH REMOTE VERSION SENT
4002 - SSH LOGIN ATTEMPT

USERNAME Username supplied by the attacker.

PASSWORD Optional. The attacker's supplied password in password-based auth.

LOCALVERSION Canary's SSH version string.

REMOTEVERSION The attacker's supplied version string.

KEY Optional. The attacker's supplied public key in key-based auth.

WATCHED_CREDENTIALS Optional. Set to 'Yes' if Watched Credentials are enabled.

timestamp The timestamp of the request eg. 1580378197

timestamp_std Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000


Response
<EVENT_DESCRIPTION> = "SSH Login Attempt"
<LOGTYPE> = "4000 | 4001 | 4002"
<EVENT_DICT> = {
                 "USERNAME": "...",              
                 "PASSWORD": "...",             
                 "LOCALVERSION": "...",          
                 "REMOTEVERSION": "...",         
                 "KEY": "...",                   
                 "WATCHED_CREDENTIALS": "...",   
                 "timestamp": ...,        
                 "timestamp_std": "..."   
               }
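The incident bundling described at the top of the page, together with the NMAP XMAS Scan and SSH Login Attempt event fields above, consumed by a small triage routine. This is an added example, not Canary's own code: it assumes the nesting shown in the Response samples (incident["description"] carrying "logtype", "src_host" and an "events" list of EVENT_DICTs), and the incident data is constructed.

```python
"""Triage helper for Canary incident objects (added example, not vendor code).

Assumed nesting: incident["description"] holds "logtype", "src_host" and an
"events" list of EVENT_DICTs. SAMPLE_INCIDENT is constructed, not a real alert.
"""
from collections import Counter

SSH_LOGIN_ATTEMPT = "4002"   # logtype codes taken from the page
NMAP_XMAS_SCAN = "5006"

SAMPLE_INCIDENT = {  # constructed sample: three bundled SSH login events
    "id": "sample-1",
    "summary": "SSH Login Attempt",
    "description": {
        "logtype": "4002",
        "src_host": "203.0.113.9",
        "events": [
            {"USERNAME": "root", "PASSWORD": "123456", "timestamp": 1580378197},
            {"USERNAME": "admin", "PASSWORD": "admin", "timestamp": 1580378198},
            {"USERNAME": "backup", "PASSWORD": "Winter2020!",
             "WATCHED_CREDENTIALS": "Yes", "timestamp": 1580378199},
        ],
    },
}


def triage(incident):
    """Summarise one incident: source, bundled event count, severity, notes."""
    desc = incident["description"]
    logtype = str(desc["logtype"])
    events = desc.get("events", [])
    out = {"src_host": desc["src_host"], "logtype": logtype,
           "events_count": len(events), "severity": "info", "notes": []}
    if logtype == SSH_LOGIN_ATTEMPT:
        out["usernames"] = dict(Counter(e.get("USERNAME", "") for e in events))
        # WATCHED_CREDENTIALS is optional and 'Yes' when the feature is on; the
        # Canary then only alerts on a match, so the supplied creds are listed ones.
        if any(e.get("WATCHED_CREDENTIALS") == "Yes" for e in events):
            out["severity"] = "high"
            out["notes"].append("watched credentials used")
        elif len(events) >= 3:
            out["severity"] = "medium"
            out["notes"].append("multiple bundled attempts: brute force")
    elif logtype == NMAP_XMAS_SCAN:
        # SYN and ACK keys exist only when that flag is set; an XMAS probe
        # (FIN/PSH/URG) carries neither, so both absent is the expected shape.
        present = [f for f in ("SYN", "ACK") if events and f in events[0]]
        out["notes"].append("tcp flags seen: " + (",".join(present) or "none"))
        out["severity"] = "low"
    return out
```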

# Telnet Login Attempt

Triggered by a Telnet authentication attempt.

USERNAME Attacker supplied username.

PASSWORD Attacker supplied password.

TERMSIZE The size of the terminal

TERMTYPE The terminal type

timestamp The timestamp of the request eg. 1580378197

timestamp_std Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000


Response
<EVENT_DESCRIPTION> = "Telnet Login Attempt"
<LOGTYPE> = "6001"
<EVENT_DICT> = {
                 "USERNAME": "...",       
                 "PASSWORD": "...",       
                 "TERMSIZE": "...",       
                 "TERMTYPE": "...",       
                 "timestamp": ...,        
                 "timestamp_std": "..."   
               }

# TFTP request

Triggered by a TFTP request against the Canary.

FILENAME Name of file the attacker tried to act on.

OPCODE File action, either 'READ' or 'WRITE'.

MODE TFTP defines three modes of transfer: netascii, octet, and mail.

timestamp The timestamp of the request eg. 1580378197

timestamp_std Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000


Response
<EVENT_DESCRIPTION> = "TFTP Request"
<LOGTYPE> = "10001"
<EVENT_DICT> = {
                 "FILENAME": "...",        
                 "OPCODE": "...",          
                 "MODE": "...",            
                 "timestamp": ...,         
                 "timestamp_std": "..."    
               }

# TN3270 Login

Triggered by a TN3270 request against the Canary.

USERNAME Attacker supplied username.

PASSWORD Attacker supplied password.

timestamp The timestamp of the request eg. 1580378197

timestamp_std Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000


Response
<EVENT_DESCRIPTION> = "TN3270 Login Attempt"
<LOGTYPE> = "32001"
<EVENT_DICT> = {
                 "USERNAME": "...",        
                 "PASSWORD": "..."
               }

# VNC Login Attempt

Triggered by an attempt to login to Canary’s password-protected VNC service.

VNC passwords are not transmitted in the clear. Instead, a hashed version is sent. The Canary will test the hashed password against a handful of common passwords to guess the password, but the hash parameters are also reported so the administrator can crack the hash on more powerful rigs.

PASSWORD Cracked password if very weak.

SERVER_CHALLENGE VNC password hashing parameter.

CLIENT_RESPONSE VNC password hashing parameter.

timestamp The timestamp of the request eg. 1580378197

timestamp_std Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000


Response
<EVENT_DESCRIPTION> = "VNC Login Attempt"
<LOGTYPE> = "12001"
<EVENT_DICT> = {
                 "PASSWORD": "...",               
                 "SERVER_CHALLENGE": "...",       
                 "CLIENT_RESPONSE": "...",        
                 "timestamp": ...,        
                 "timestamp_std": "..."   
               }

# WinRM Login Attempt

Triggered by an attempt to connect to the Canary using a WinRM agent.

USERNAME Attacker supplied username.

PASSWORD Optional. Attacker supplied password. This will not be present for Kerberos or NTLM authentication.

WORKSTATION Present for Kerberos auth attempts. Gives the workstation name of the attacker.

DOMAINNAME Attacker supplied domain name.

USERAGENT Optional. Gives the agent used by the attacker to connect.

AUTHTYPE The authentication type used to connect to WinRM. If present, this will be one of 'basic', 'ntlm', 'certificate', 'kerberos' or 'digest', otherwise this will be 'unknown'.

SNAME Present for Kerberos auth attempts. Gives the service name of the request.

REALM Present for Kerberos auth attempts. Gives the Kerberos realm.

TKTVNO Present for Kerberos auth attempts. Gives the ticket format version number of the request.

WINRMPAYLOAD The XML payload of the WinRM connection attempt.

timestamp The timestamp of the request eg. 1580378197

timestamp_std Human readable timestamp of the request eg. 2020-01-30 09:56:37 UTC+0000


Response
<EVENT_DESCRIPTION> = "WinRM Login Attempt"
<LOGTYPE> = "29001"
<EVENT_DICT> = {
                  "AUTHTYPE": "...",
                  "PASSWORD": "...",
                  "USERAGENT": "...",
                  "USERNAME": "...",
                  "WINRMPAYLOAD": "..."
               }