# Incident Objects

Each log entry is termed an event and corresponds to a single action, such as one SSH login attempt, one POST to a website, or one SIP request. An event results in an incident being created, but subsequent similar events from the same source are bundled into that incident if they occur in close proximity. This means that if someone launches a brute-force attack, a single incident is created with an event assigned to each login attempt.

The incident object contains a record of the individual events that constitute the incident.
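The bundling rule described above (one incident per source, with one event per attempt) in working form. This is an added example, not code from the Canary console or its API: the grouping key (source host, destination port, logtype) and the 60-second proximity window are assumptions chosen for illustration, since the page does not state the exact rule, and the event stream is constructed.

```python
"""Bundle individual events into incidents.

Added example, not Canary code. Grouping key and PROXIMITY_SECONDS are
assumptions; the sample events below are constructed.
"""
from dataclasses import dataclass, field

PROXIMITY_SECONDS = 60  # assumed window within which similar events are bundled


@dataclass
class Event:
    timestamp: int          # epoch seconds, as in the "timestamp" event field
    src_host: str
    dst_port: int
    logtype: str            # e.g. "4002" for SSH Login Attempt
    data: dict = field(default_factory=dict)  # the per-logtype EVENT_DICT payload


@dataclass
class Incident:
    src_host: str
    dst_port: int
    logtype: str
    created: int
    updated_time: int
    events: list = field(default_factory=list)

    @property
    def events_count(self) -> int:
        return len(self.events)

    def accepts(self, ev: Event, window: int) -> bool:
        """True if ev is a similar event close enough in time to join this incident."""
        same_key = (ev.src_host, ev.dst_port, ev.logtype) == (self.src_host, self.dst_port, self.logtype)
        return same_key and 0 <= ev.timestamp - self.updated_time <= window


def bundle_events(events, window=PROXIMITY_SECONDS):
    """Group an event stream into incidents.

    Every event that shares the grouping key and arrives within `window`
    seconds of the previous one joins the open incident for that key, so a
    brute-force run from one source yields one incident with one event per try.
    """
    incidents = []
    open_by_key = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        key = (ev.src_host, ev.dst_port, ev.logtype)
        current = open_by_key.get(key)
        if current is not None and current.accepts(ev, window):
            current.events.append(ev)
            current.updated_time = ev.timestamp
            continue
        # No open incident for this key, or the gap exceeded the window: start a new one.
        current = Incident(ev.src_host, ev.dst_port, ev.logtype,
                           created=ev.timestamp, updated_time=ev.timestamp, events=[ev])
        incidents.append(current)
        open_by_key[key] = current
    return incidents


def summarise(incidents):
    """(src_host, logtype, events_count) per incident, in creation order."""
    return [(i.src_host, i.logtype, i.events_count) for i in incidents]


# Constructed sample: five SSH guesses from one source a second apart, one FTP
# probe from another source, and a late SSH guess from the first source well
# after the window has elapsed.
SAMPLE_EVENTS = [
    Event(1580378197 + i, "203.0.113.7", 22, "4002", {"USERNAME": "root", "PASSWORD": f"guess{i}"})
    for i in range(5)
] + [
    Event(1580378200, "198.51.100.9", 21, "2000", {"USERNAME": "anonymous", "PASSWORD": ""}),
    Event(1580378201 + 600, "203.0.113.7", 22, "4002", {"USERNAME": "root", "PASSWORD": "late"}),
]

if __name__ == "__main__":
    for row in summarise(bundle_events(SAMPLE_EVENTS)):
        print(row)
```

Run on the sample, the five guesses collapse into one incident with `events_count` 5, the FTP probe is its own incident, and the late guess opens a fresh incident because the gap exceeds the window.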

# Basic Structure

Incident feeds have this basic structure:

| Field | Description |
|---|---|
| `updated` | Human readable date when the incident was updated |
| `updated_std` | The date/time when the incident was updated in the format `YYYY-MM-DD HH:MM:SS TZ` |
| `updated_time` | Timestamp of the updated time, e.g. `1574945951` |
| `created` | Timestamp of the incident creation time, e.g. `1574945951` |
| `created_std` | The date/time when the incident was created in the format `YYYY-MM-DD HH:MM:SS TZ` |
| `dst_host` | Optional. The destination IP address of the attack |
| `dst_port` | Optional. The destination port of the attack |
| `events_count` | Number of events for the incident |
| `flock_id` | ID of the Flock in which the incident occurred |
| `flock_name` | Name of the Flock in which the incident occurred |
| `name` | Optional. The name of the device on which the incident occurred |
| `node_id` | Optional. The `node_id` of the device on which the incident occurred |
| `src_host` | The source IP address of the attacker |
| `src_host_reverse` | The source hostname of the attacker |
| `src_port` | The source port of the attacker |


Response

```
{
  "feed": "Unacknowledged Incidents",
  [...]
  "incidents": [
    {
      "id": "...",
      "summary": "<EVENT_DESCRIPTION>",
      "updated": "...",
      "updated_std": "...",
      "updated_time": "...",
      [...]
      "description": {
        [...]
        "logtype": "<LOGTYPE>",
        "description": "<EVENT_DESCRIPTION>",
        "created": "...",
        "created_std": "...",
        "dst_host": "...",
        "dst_port": "...",
        "events": [
          <EVENT_DICT>,
          <EVENT_DICT>,
          ...
        ],
        "events_count": "...",
        "flock_id": "...",
        "flock_name": "...",
        "name": "...",
        "node_id": "...",
        "src_host": "...",
        "src_host_reverse": "...",
        "src_port": "..."
      }
    }
  ]
}
```

The `events` field contains a list of `<EVENT_DICT>`s. In the incident types below, only the `<EVENT_DESCRIPTION>`, `<LOGTYPE>` and `<EVENT_DICT>` values are defined, as the rest of the incident object is the same across the various incident types.

All fields will be present in each incident, unless noted otherwise.

The actual data returned by the API may include additional fields. However, any field not described in this document should be considered experimental and likely to disappear.
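A parser for a feed of the shape shown above, which reads the documented fields, tolerates the Optional ones being absent and drops anything undocumented. This is an added example, not code from the Canary console or its API. `FEED_JSON` is a constructed response that follows the documented structure (ids, hosts, flock names and the token value are invented); `experimental_field` stands in for the undocumented extras the text says to treat as experimental. The logtype values it dispatches on (4002, 16000, 17000) are those defined later on this page.

```python
"""Parse an incident feed, keeping only documented fields.

Added example, not Canary code. FEED_JSON is constructed; every value in it
is invented to match the documented shape.
"""
import json

# Per "Basic Structure": always present in the incident description.
REQUIRED = ("created", "created_std", "events", "events_count", "flock_id",
            "flock_name", "src_host", "src_host_reverse", "src_port")
# Marked Optional on this page; read with .get() so absence is not an error.
OPTIONAL = ("dst_host", "dst_port", "name", "node_id")

FEED_JSON = json.dumps({
    "feed": "Unacknowledged Incidents",
    "incidents": [
        {
            "id": "incident:example-0001",
            "summary": "SSH Login Attempt",
            "updated": "Thu, 30 Jan 2020 09:56:40 UTC",
            "updated_std": "2020-01-30 09:56:40 UTC+0000",
            "updated_time": "1580378200",
            "description": {
                "logtype": "4002",
                "description": "SSH Login Attempt",
                "created": "1580378197",
                "created_std": "2020-01-30 09:56:37 UTC+0000",
                "dst_host": "192.0.2.10",
                "dst_port": "22",
                "events": [
                    {"USERNAME": "root", "PASSWORD": "toor", "timestamp": 1580378197},
                    {"USERNAME": "admin", "PASSWORD": "admin", "timestamp": 1580378199},
                    {"USERNAME": "root", "PASSWORD": "123456", "timestamp": 1580378200},
                ],
                "events_count": "3",
                "flock_id": "flock:example",
                "flock_name": "Example Flock",
                "name": "fileserver-01",
                "node_id": "node-example-0001",
                "src_host": "203.0.113.7",
                "src_host_reverse": "scanner.example.net",
                "src_port": "51234",
                "experimental_field": "ignore me",   # undocumented: must be dropped
            },
        },
        {
            "id": "incident:example-0002",
            "summary": "Canarytoken triggered",
            "updated": "Thu, 30 Jan 2020 09:58:20 UTC",
            "updated_std": "2020-01-30 09:58:20 UTC+0000",
            "updated_time": "1580378300",
            "description": {   # no dst_host/dst_port/name/node_id: they are Optional
                "logtype": "16000",
                "description": "Canarytoken triggered",
                "created": "1580378300",
                "created_std": "2020-01-30 09:58:20 UTC+0000",
                "events": [{"type": "dns", "canarytoken": "exampletoken0001",
                            "hostname": "exampletoken0001.canarytoken.example"}],
                "events_count": "1",
                "flock_id": "flock:example",
                "flock_name": "Example Flock",
                "src_host": "198.51.100.9",
                "src_host_reverse": "",
                "src_port": "53001",
            },
        },
    ],
})


def parse_feed(raw: str) -> list:
    """Return one flat record per incident; raise if a required field is missing."""
    records = []
    for inc in json.loads(raw)["incidents"]:
        desc = inc["description"]
        missing = [f for f in REQUIRED if f not in desc]
        if missing:
            raise ValueError(f"incident {inc.get('id')!r} lacks required fields: {missing}")
        record = {f: desc[f] for f in REQUIRED}
        record.update({f: desc.get(f) for f in OPTIONAL})   # None when absent
        record.update(id=inc["id"], summary=inc["summary"], logtype=str(desc["logtype"]))
        # Recount instead of trusting the feed's string, so a truncated event list is noticed.
        record["reported_events_count"] = int(desc["events_count"])
        record["events_count"] = len(desc["events"])
        records.append(record)
    return records


def event_summary(record: dict) -> str:
    """One-line summary whose shape depends on the incident's logtype."""
    events = record["events"]
    if record["logtype"] == "4002":   # SSH Login Attempt: which usernames were tried
        users = ", ".join(sorted({e["USERNAME"] for e in events}))
        return f"{record['events_count']} SSH login attempts from {record['src_host']} as {users}"
    if record["logtype"] in ("16000", "17000"):   # Canarytoken triggered (DNS or HTTP)
        tokens = ", ".join(sorted({e["canarytoken"] for e in events}))
        return f"Canarytoken {tokens} triggered from {record['src_host']}"
    return f"{record['summary']} from {record['src_host']} ({record['events_count']} events)"


if __name__ == "__main__":
    for rec in parse_feed(FEED_JSON):
        print(rec["id"], "->", event_summary(rec))
```

Keeping the documented field list in one tuple means a consumer breaks loudly when a required field disappears and silently when an experimental one does, which matches the contract the text sets out.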

# Canary Disconnected

| Field | Description |
|---|---|
| `EVENT_DICT` | Empty, no additional event data. |


Response

```
<EVENT_DESCRIPTION> = "Canary Disconnected"
<LOGTYPE> = "1004"
<EVENT_DICT> = { }
```

# Canarytokens

There are two types of Canarytokens, HTTP and DNS.

# HTTP

| Field | Description |
|---|---|
| `type` | A string containing the token type (`http` or `dns`) |
| `canarytoken` | Unique string that acts as the Canarytoken |
| `headers` | Dict of the request headers. Only present for HTTP Canarytokens. |
| `url` | URL of the HTTP Canarytoken |


Response

```
<EVENT_DESCRIPTION> = "Canarytoken triggered"
<LOGTYPE> = "17000"
<EVENT_DICT> = {
                 "type": "http",
                 "canarytoken": "<tokenvalue>",
                 "headers": {
                   "<headername_1>": "<headervalue_1>",
                   "<headername_2>": "<headervalue_2>",
                   ...
                 },
                 "url": "<tokenurl>"
               }
```

# DNS

| Field | Description |
|---|---|
| `type` | A string containing the token type (`http` or `dns`) |
| `canarytoken` | Unique string that acts as the Canarytoken. |
| `hostname` | Hostname of the DNS Canarytoken |


Response

```
<EVENT_DESCRIPTION> = "Canarytoken triggered"
<LOGTYPE> = "16000"
<EVENT_DICT> = {
                 "type": "dns",
                 "canarytoken": "<tokenvalue>",
                 "hostname": "<tokenhostname>"
               }
```

# Custom TCP Service Request

The Custom TCP Service module lets the Canary administrator create simple services that either print a banner immediately on connection, or wait for the client to send data before responding.

| Field | Description |
|---|---|
| `LOGTYPE` | `20001`: Banner sent immediately on connection. `20002`: Banner sent after the client sent a line. |
| `BANNER_ID` | Multiple banners are supported; the id identifies which banner service was triggered. |
| `DATA` | Optional. The attacker's supplied data. |
| `FUNCTION` | Indicates which trigger fired: `DATA_RECEIVED` when a banner was sent after the attacker sent data, or `CONNECTION_MADE` when a banner was sent immediately on connection. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "Custom TCP Service Request"
<LOGTYPE> = "20001 | 20002"
<EVENT_DICT> = {
                 "BANNER_ID": "...",
                 "DATA": "...",
                 "FUNCTION": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# FTP Login Attempt

| Field | Description |
|---|---|
| `USERNAME` | Attacker supplied username. |
| `PASSWORD` | Attacker supplied password. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "FTP Login Attempt"
<LOGTYPE> = "2000"
<EVENT_DICT> = {
                 "USERNAME": "...",
                 "PASSWORD": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# Git Repository Clone Attempt

| Field | Description |
|---|---|
| `HOST` | Git client's view of the Canary's hostname. |
| `REPO` | Name of the repository the client attempted to clone. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "Git Repository Clone Attempt"
<LOGTYPE> = "19001"
<EVENT_DICT> = {
                 "HOST": "...",
                 "REPO": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# HTTP Incidents

Two types of HTTP Incidents:

  1. Page loads, triggered by GET requests. They are disabled by default as they're noisy, and need to be specifically enabled.
  2. Login attempts, triggered by GET requests. They are always enabled.

# HTTP Page Load

| Field | Description |
|---|---|
| `PATH` | Web path requested by the source. |
| `USERAGENT` | User agent of the source's browser. |
| `CHANNEL` | Optional. Set to `TLS` if an encrypted site is configured, otherwise absent. |
| `METHOD` | The HTTP request method used, e.g. `GET`/`POST`/`DELETE` |
| `RESPONSE` | The response code, e.g. `200` |
| `SKIN` | Which webserver skin was used, e.g. `nasLogin` |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "HTTP Page Load"
<LOGTYPE> = "3000"
<EVENT_DICT> = {
                 "PATH": "...",
                 "USERAGENT": "...",
                 "CHANNEL": "...",
                 "METHOD": "...",
                 "RESPONSE": ...,
                 "SKIN": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# HTTP Login Attempt

| Field | Description |
|---|---|
| `USERNAME` | Attacker supplied username. |
| `PASSWORD` | Attacker supplied password. |
| `PATH` | Web path requested by the source. |
| `USERAGENT` | User agent of the source's browser. |
| `CHANNEL` | Optional. Set to `TLS` if an encrypted site is configured, otherwise absent. |
| `METHOD` | The HTTP request method used, e.g. `GET`/`POST`/`DELETE` |
| `RESPONSE` | The response code, e.g. `200` |
| `SKIN` | Which webserver skin was used, e.g. `nasLogin` |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "HTTP Login Attempt"
<LOGTYPE> = "3001"
<EVENT_DICT> = {
                 "USERNAME": "...",
                 "PASSWORD": "...",
                 "PATH": "...",
                 "USERAGENT": "...",
                 "CHANNEL": "...",
                 "METHOD": "...",
                 "RESPONSE": "...",
                 "SKIN": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# HTTP Proxy Request

Triggered by any request through the HTTP proxy module.

| Field | Description |
|---|---|
| `USERNAME` | Optional. Attacker supplied proxy username. |
| `PASSWORD` | Optional. Attacker supplied proxy password. |
| `URL` | URL requested by the source. |
| `USERAGENT` | User agent of the source's browser. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "HTTP Proxy Request"
<LOGTYPE> = "7001"
<EVENT_DICT> = {
                 "USERNAME": "...",
                 "PASSWORD": "...",
                 "URL": "...",
                 "USERAGENT": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# HTTP Service Scan

Triggered by scans for HTTP services.

| Field | Description |
|---|---|
| `METHOD` | The HTTP request method used, e.g. `GET`/`POST`/`DELETE` |
| `PATH` | Web path requested by the source. |
| `RESPONSE` | The response code, e.g. `200` |


Response

```
<EVENT_DESCRIPTION> = "HTTP Service Scan"
<LOGTYPE> = "3004"
<EVENT_DICT> = {
                 "METHOD": "...",
                 "PATH": "...",
                 "RESPONSE": ...
               }
```

# ModBus Request

Triggered by any valid ModBus request.

| Field | Description |
|---|---|
| `LOGTYPE` | `18001`: Modbus Query Function. `18002`: Modbus Read Function. `18003`: Modbus Write Function. |
| `UNIT_ID` | ModBus unit target. |
| `FUNC_CODE` | ModBus function code. |
| `FUNC_NAME` | Optional. ModBus function name, if available. |
| `SFUNC_CODE` | Optional. ModBus subfunction code, if available. |
| `SFUNC_NAME` | Optional. ModBus subfunction name, if available. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "ModBus Request"
<LOGTYPE> = "18001 | 18002 | 18003"
<EVENT_DICT> = {
                 "UNIT_ID": "...",
                 "FUNC_CODE": "...",
                 "FUNC_NAME": "...",
                 "SFUNC_CODE": "...",
                 "SFUNC_NAME": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# MSSQL Login Attempt

Triggered by any attempt to authenticate to the MS-SQL Server module.

SQL Server supports multiple authentication modes, and the fields that come through depend on the mode.

| Field | Description |
|---|---|
| `LOGTYPE` | `9001` for SQL Server authentication. `9002` for Windows authentication. |
| `USERNAME` | Attacker supplied database username. |
| `PASSWORD` | Optional. Attacker supplied database password. |
| `HOSTNAME` | Optional. Attacker supplied hostname. |
| `DOMAINNAME` | Optional. Attacker supplied Active Directory name. |
| `APPNAME` | Name of the app with which the query was made, e.g. `SQLCMD` |
| `HOSTNAME` | Hostname of the attacker |
| `SERVERNAME` | IP address of the attacker |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "MSSQL Login Attempt"
<LOGTYPE> = "9001 | 9002"
<EVENT_DICT> = {
                 "USERNAME": "...",
                 "PASSWORD": "...",
                 "HOSTNAME": "...",
                 "DOMAINNAME": "...",
                 "APPNAME": "...",
                 "HOSTNAME": "...",
                 "SERVERNAME": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# MySQL Login Attempt

Triggered by an authentication attempt against the MySQL service.

The client sends a hashed password, not a cleartext password. The Canary will try to crack the hash with passwords one might expect in a brute-force.

| Field | Description |
|---|---|
| `USERNAME` | Attacker supplied database username. |
| `CLIENT_HASH` | Attacker supplied database password hash. |
| `SALT` | Attacker supplied database password hash salt. |
| `PASSWORD` | Recovered password if possible, otherwise `<Password not in common list>` |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "MySQL Login Attempt"
<LOGTYPE> = "8001"
<EVENT_DICT> = {
                 "USERNAME": "...",
                 "CLIENT_HASH": "...",
                 "SALT": "...",
                 "PASSWORD": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```
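How the `PASSWORD` field above can be filled from `CLIENT_HASH` and `SALT`: the check a MySQL server performs for the `mysql_native_password` plugin, run against a short list of expected passwords, which is what the text describes the Canary doing. This is an added example, not code from the Canary console or its API. It assumes `CLIENT_HASH` and `SALT` arrive hex-encoded (the page does not state the encoding), and the salt and candidate list are constructed.

```python
"""Test a captured mysql_native_password scramble against expected passwords.

Added example, not Canary code. The client response in this plugin is
SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw))) with a 20-byte server salt.
Hex encoding of CLIENT_HASH and SALT is an assumption; the salt and
candidate list are constructed.
"""
import hashlib

NOT_FOUND = "<Password not in common list>"  # the page's placeholder for an unrecovered password

# Constructed short list standing in for "passwords one might expect in a brute-force".
COMMON_PASSWORDS = ["root", "password", "123456", "mysql", "admin", "toor"]


def native_scramble(password: str, salt: bytes) -> bytes:
    """What a mysql_native_password client sends for `password` and the server's salt."""
    stage1 = hashlib.sha1(password.encode()).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mask = hashlib.sha1(salt + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mask))


def verify_scramble(client_hash: bytes, salt: bytes, password: str) -> bool:
    """Server-side check: does this scramble correspond to `password`?

    Mirrors the server, which stores SHA1(SHA1(pw)): strip the mask to recover
    stage1, then confirm SHA1(stage1) equals the stored stage2.
    """
    stage2 = hashlib.sha1(hashlib.sha1(password.encode()).digest()).digest()
    mask = hashlib.sha1(salt + stage2).digest()
    stage1 = bytes(a ^ b for a, b in zip(client_hash, mask))
    return hashlib.sha1(stage1).digest() == stage2


def recover_password(event: dict, candidates=COMMON_PASSWORDS) -> str:
    """Fill PASSWORD for a MySQL Login Attempt event from its CLIENT_HASH and SALT."""
    client_hash = bytes.fromhex(event["CLIENT_HASH"])
    salt = bytes.fromhex(event["SALT"])
    if len(client_hash) != 20 or len(salt) != 20:
        return NOT_FOUND  # not a native-password exchange; nothing to test against
    for pw in candidates:
        if verify_scramble(client_hash, salt, pw):
            return pw
    return NOT_FOUND


def make_event(username: str, password: str, salt: bytes) -> dict:
    """Construct the EVENT_DICT a client authenticating with `password` would produce."""
    return {
        "USERNAME": username,
        "CLIENT_HASH": native_scramble(password, salt).hex(),
        "SALT": salt.hex(),
        "timestamp": 1580378197,
        "timestamp_std": "2020-01-30 09:56:37 UTC+0000",
    }


SAMPLE_SALT = bytes(range(20))  # constructed 20-byte server salt

if __name__ == "__main__":
    weak = make_event("root", "123456", SAMPLE_SALT)
    strong = make_event("root", "correct-horse-battery", SAMPLE_SALT)
    print(recover_password(weak))    # a password from the list
    print(recover_password(strong))  # the page's placeholder string
```

Because the salt is per-connection, the recovered value only tells you which guess the attacker made on that attempt; the same scramble cannot be replayed against another session, which is why the Canary can afford to report `CLIENT_HASH` and `SALT` verbatim.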

# NTP Monlist Request

Triggered by the NTP Monlist command.

| Field | Description |
|---|---|
| `NTP_CMD` | Name of the NTP command sent. Currently always `monlist`. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "NTP Monlist Request"
<LOGTYPE> = "11001"
<EVENT_DICT> = {
                 "NTP_CMD": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# Port Scans

There are six types of port scan incidents.

  1. A host port scan occurs when a single Canary is port scanned by a single source.
  2. A consolidated network port scan occurs when multiple Canaries are scanned by a single source.
  3. An NMAP FIN scan was run against the Canary.
  4. An NMAP NULL scan was run against the Canary.
  5. An NMAP OS scan was run against the Canary.
  6. An NMAP XMAS scan was run against the Canary.

# Host Port Scan

| Field | Description |
|---|---|
| `ports` | List of comma-separated ports. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "Host Port Scan"
<LOGTYPE> = "5003"
<EVENT_DICT> = {
                 "ports": "23,80,443",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# Consolidated Network Port Scan

| Field | Description |
|---|---|
| `EVENT_DICT` | The dict's keys are port numbers, and the values are lists of IP addresses. |
| `port` | Port number on the Canary |
| `canary_IP` | Canaries that were targeted |


Response

```
<EVENT_DESCRIPTION> = "Consolidated Network Port Scan"
<LOGTYPE> = "5007"
<EVENT_DICT> = {
                 "<port>": [
                   "<canary_IP>",
                   "<canary_IP>"
                 ],
                 "<port>": [
                   "<canary_IP>",
                   "<canary_IP>"
                 ]
               }
```
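The two port-scan event shapes above, the Host Port Scan `ports` string and the Consolidated Network Port Scan dict keyed by port, normalised into one `(canary_ip, port)` view so a consumer can tell a single-host probe from a sweep across the network. This is an added example, not code from the Canary console or its API; the sample events are constructed and the Canary addresses are from documentation ranges. For a Host Port Scan the Canary's address is the incident's `dst_host`, which the page marks Optional, so it may be `None` here.

```python
"""Normalise Host Port Scan (5003) and Consolidated Network Port Scan (5007) events.

Added example, not Canary code. Sample events are constructed.
"""
from typing import Optional


def scan_targets(logtype: str, event: dict, dst_host: Optional[str] = None) -> set:
    """Return {(canary_ip, port)} for either port-scan event shape."""
    pairs = set()
    if logtype == "5003":
        # "ports" is a comma-separated string such as "23,80,443"; the Canary
        # scanned is the incident's dst_host (Optional, hence possibly None).
        for token in event["ports"].split(","):
            token = token.strip()
            if token:
                pairs.add((dst_host, int(token)))
    elif logtype == "5007":
        # Keys are port numbers (as strings), values are lists of targeted Canary IPs.
        for port, canaries in event.items():
            for ip in canaries:
                pairs.add((ip, int(port)))
    else:
        raise ValueError(f"not a port scan logtype: {logtype}")
    return pairs


def scan_footprint(pairs) -> dict:
    """How many Canaries and which distinct ports one source touched."""
    canaries = {ip for ip, _ in pairs if ip is not None}
    ports = sorted({port for _, port in pairs})
    return {"canaries": len(canaries), "ports": ports, "network_wide": len(canaries) > 1}


# Constructed events in the documented shapes.
HOST_SCAN_EVENT = {"ports": "23,80,443", "timestamp": 1580378197,
                   "timestamp_std": "2020-01-30 09:56:37 UTC+0000"}
CONSOLIDATED_EVENT = {"22": ["192.0.2.10", "192.0.2.11"],
                      "445": ["192.0.2.11"],
                      "3389": ["192.0.2.12"]}

if __name__ == "__main__":
    print(scan_footprint(scan_targets("5003", HOST_SCAN_EVENT, dst_host="192.0.2.10")))
    print(scan_footprint(scan_targets("5007", CONSOLIDATED_EVENT)))
```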

# NMAP FIN Scan

| Field | Description |
|---|---|
| `ID` | IP packet ID |
| `LEN` | Length of IP packet |
| `MAC` | First N bytes from the packet. Destination MAC (i.e. Canary) is the first 6 bytes, source MAC is the next 6 bytes, and the remainder is a peek into the rest of the packet |
| `PREC` | Precedence bits, almost always `0x00` |
| `PROTO` | The protocol used |
| `RES` | Reserved bits, almost always `0x0` |
| `TOS` | IP Type of Service field, almost always `0x00` |
| `TTL` | Time-to-live on the IP packet |
| `URGP` | Indicates whether the TCP Urgent Pointer is used in the packet, and its offset. `0` indicates it's not used. |
| `WINDOW` | TCP Window size |
| `SYN` | Indicates whether the SYN flag is set. Present if the flag is there, absent otherwise. |
| `ACK` | Indicates whether the ACK flag is set. Present if the flag is there, absent otherwise. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "NMAP FIN Scan Detected"
<LOGTYPE> = "5008"
<EVENT_DICT> = {
                 "ID": "...",
                 "LEN": "...",
                 "MAC": "...",
                 "PREC": "...",
                 "PROTO": "...",
                 "RES": "...",
                 "TOS": "...",
                 "TTL": "...",
                 "URGP": "...",
                 "WINDOW": "...",
                 "SYN": "...",
                 "ACK": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# NMAP NULL Scan

| Field | Description |
|---|---|
| `ID` | IP packet ID |
| `LEN` | Length of IP packet |
| `MAC` | First N bytes from the packet. Destination MAC (i.e. Canary) is the first 6 bytes, source MAC is the next 6 bytes, and the remainder is a peek into the rest of the packet |
| `PREC` | Precedence bits, almost always `0x00` |
| `PROTO` | The protocol used |
| `RES` | Reserved bits, almost always `0x0` |
| `TOS` | IP Type of Service field, almost always `0x00` |
| `TTL` | Time-to-live on the IP packet |
| `URGP` | Indicates whether the TCP Urgent Pointer is used in the packet, and its offset. `0` indicates it's not used. |
| `WINDOW` | TCP Window size |
| `SYN` | Indicates whether the SYN flag is set. Present if the flag is there, absent otherwise. |
| `ACK` | Indicates whether the ACK flag is set. Present if the flag is there, absent otherwise. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "NMAP NULL Scan Detected"
<LOGTYPE> = "5005"
<EVENT_DICT> = {
                 "ID": "...",
                 "LEN": "...",
                 "MAC": "...",
                 "PREC": "...",
                 "PROTO": "...",
                 "RES": "...",
                 "TOS": "...",
                 "TTL": "...",
                 "URGP": "...",
                 "WINDOW": "...",
                 "SYN": "...",
                 "ACK": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# NMAP OS Scan

| Field | Description |
|---|---|
| `ID` | IP packet ID |
| `LEN` | Length of IP packet |
| `MAC` | First N bytes from the packet. Destination MAC (i.e. Canary) is the first 6 bytes, source MAC is the next 6 bytes, and the remainder is a peek into the rest of the packet |
| `PREC` | Precedence bits, almost always `0x00` |
| `PROTO` | The protocol used |
| `RES` | Reserved bits, almost always `0x0` |
| `TOS` | IP Type of Service field, almost always `0x00` |
| `TTL` | Time-to-live on the IP packet |
| `URGP` | Indicates whether the TCP Urgent Pointer is used in the packet, and its offset. `0` indicates it's not used. |
| `WINDOW` | TCP Window size |
| `SYN` | Indicates whether the SYN flag is set. Present if the flag is there, absent otherwise. |
| `ACK` | Indicates whether the ACK flag is set. Present if the flag is there, absent otherwise. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "NMAP OS Scan Detected"
<LOGTYPE> = "5004"
<EVENT_DICT> = {
                 "ID": "...",
                 "LEN": "...",
                 "MAC": "...",
                 "PREC": "...",
                 "PROTO": "...",
                 "RES": "...",
                 "TOS": "...",
                 "TTL": "...",
                 "URGP": "...",
                 "WINDOW": "...",
                 "SYN": "...",
                 "ACK": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# NMAP XMAS Scan

| Field | Description |
|---|---|
| `ID` | IP packet ID |
| `LEN` | Length of IP packet |
| `MAC` | First N bytes from the packet. Destination MAC (i.e. Canary) is the first 6 bytes, source MAC is the next 6 bytes, and the remainder is a peek into the rest of the packet |
| `PREC` | Precedence bits, almost always `0x00` |
| `PROTO` | The protocol used |
| `RES` | Reserved bits, almost always `0x0` |
| `TOS` | IP Type of Service field, almost always `0x00` |
| `TTL` | Time-to-live on the IP packet |
| `URGP` | Indicates whether the TCP Urgent Pointer is used in the packet, and its offset. `0` indicates it's not used. |
| `WINDOW` | TCP Window size |
| `SYN` | Indicates whether the SYN flag is set. Present if the flag is there, absent otherwise. |
| `ACK` | Indicates whether the ACK flag is set. Present if the flag is there, absent otherwise. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "NMAP XMAS Scan Detected"
<LOGTYPE> = "5006"
<EVENT_DICT> = {
                 "ID": "...",
                 "LEN": "...",
                 "MAC": "...",
                 "PREC": "...",
                 "PROTO": "...",
                 "RES": "...",
                 "TOS": "...",
                 "TTL": "...",
                 "URGP": "...",
                 "WINDOW": "...",
                 "SYN": "...",
                 "ACK": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# RDP Login Attempt

Triggered by an attempt to join the Canary's RDP service.

| Field | Description |
|---|---|
| `BUILD` | Optional. The build number of the attacker's RDP client if that is exposed, otherwise absent. |
| `DOMAINNAME` | Attacker supplied domain name |
| `MAJORVERSION` | The major version of the attacker's RDP client (i.e. `6` for 6.1). |
| `MINORVERSION` | The minor version of the attacker's RDP client (i.e. `1` for 6.1). |
| `USERNAME` | Attacker supplied username. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "RDP Login Attempt"
<LOGTYPE> = "14003"
<EVENT_DICT> = {
                 "BUILD": "...",
                 "DOMAINNAME": "...",
                 "MAJORVERSION": "...",
                 "MINORVERSION": "...",
                 "USERNAME": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# Redis Command

Triggered by an attacker connecting to the Redis service and issuing valid Redis commands.

| Field | Description |
|---|---|
| `CMD` | Redis command issued by the attacker. |
| `ARGS` | Arguments to the command. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "Redis Command"
<LOGTYPE> = "21001"
<EVENT_DICT> = {
                 "CMD": "...",
                 "ARGS": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# Shared File Opened

Triggered by the opening of a file on the Canary’s Windows File Share.

| Field | Description |
|---|---|
| `USER` | Username supplied by the attacker. |
| `FILENAME` | Name of file on the Canary that was accessed. |
| `AUDITACTION` | Type of file action. Currently, only `pread`. |
| `DOMAIN` | Name of domain or workgroup. |
| `LOCALNAME` | Windows name of the Canary machine. |
| `MODE` | `workgroup` or `domain` |
| `OFFSET` | Starting position of the read. |
| `REMOTENAME` | Windows name of the client machine. |
| `SHARENAME` | Name of the share on which the file resides. |
| `SIZE` | Number of bytes read. |
| `SMBARCH` | Guess of the remote machine's Windows version. |
| `SMBVER` | Version of the SMB protocol that was used. |
| `STATUS` | Result of the file read. Currently, only `ok`. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "Shared File Opened"
<LOGTYPE> = "5000"
<EVENT_DICT> = {
                 "USER": "...",
                 "FILENAME": "...",
                 "AUDITACTION": "...",
                 "DOMAIN": "...",
                 "LOCALNAME": "...",
                 "MODE": "...",
                 "OFFSET": "...",
                 "REMOTENAME": "...",
                 "SHARENAME": "...",
                 "SIZE": "...",
                 "SMBARCH": "...",
                 "SMBVER": "...",
                 "STATUS": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# SIP Request

Triggered by an attacker connecting to the SIP service and issuing a valid SIP request.

| Field | Description |
|---|---|
| `HEADERS` | Dict of the SIP headers included in the request. |


Response

```
<EVENT_DESCRIPTION> = "SIP Request"
<LOGTYPE> = "15001"
<EVENT_DICT> = {
                 "HEADERS": {
                   "<header_name1>": "<header_value1>",
                   "<header_name2>": "<header_value2>",
                   "<header_name3>": "<header_value3>",
                   "...": "..."
                 }
               }
```

# SNMP Request

Triggered by an incoming SNMP query against the Canary.

| Field | Description |
|---|---|
| `COMMUNITY_STRING` | SNMP community string supplied by the attacker. |
| `REQUESTS` | SNMP OID requested by the attacker. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "SNMP Request"
<LOGTYPE> = "13001"
<EVENT_DICT> = {
                 "COMMUNITY_STRING": "...",
                 "REQUESTS": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# SSH Login Attempt

Triggered by an attempt to log in to the Canary using SSH. Both password-based and key-based authentication are possible.

It is also possible to configure "Watched Credentials", which restricts alerting to attempts whose attacker-supplied credentials match a configured list.

| Field | Description |
|---|---|
| `USERNAME` | Username supplied by the attacker. |
| `PASSWORD` | Optional. The attacker's supplied password in password-based auth. |
| `LOCALVERSION` | Canary's SSH version string. |
| `REMOTEVERSION` | The attacker's supplied version string. |
| `KEY` | Optional. The attacker's supplied public key in key-based auth. |
| `WATCHED_CREDENTIALS` | Optional. Set to `Yes` if Watched Credentials are enabled. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "SSH Login Attempt"
<LOGTYPE> = "4002"
<EVENT_DICT> = {
                 "USERNAME": "...",
                 "PASSWORD": "...",
                 "LOCALVERSION": "...",
                 "REMOTEVERSION": "...",
                 "KEY": "...",
                 "WATCHED_CREDENTIALS": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# Telnet Login Attempt

Triggered by a Telnet authentication attempt.

| Field | Description |
|---|---|
| `USERNAME` | Attacker supplied username. |
| `PASSWORD` | Attacker supplied password. |
| `TERMSIZE` | The size of the terminal |
| `TERMTYPE` | The terminal type |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "Telnet Login Attempt"
<LOGTYPE> = "6001"
<EVENT_DICT> = {
                 "USERNAME": "...",
                 "PASSWORD": "...",
                 "TERMSIZE": "...",
                 "TERMTYPE": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# TFTP request

Triggered by a TFTP request against the Canary.

| Field | Description |
|---|---|
| `FILENAME` | Name of file the attacker tried to act on. |
| `OPCODE` | File action, either `READ` or `WRITE` |
| `MODE` | TFTP transfer mode. TFTP defines three: `netascii`, `octet`, and `mail`. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "TFTP Request"
<LOGTYPE> = "10001"
<EVENT_DICT> = {
                 "FILENAME": "...",
                 "OPCODE": "...",
                 "MODE": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# VNC Login Attempt

Triggered by an attempt to login to Canary’s password-protected VNC service.

VNC passwords are not transmitted in the clear. Instead, a hashed version is sent. The Canary will test the hashed password against a handful of common passwords to guess the password, but the hash parameters are also reported so the administrator can crack the hash on more powerful rigs.

| Field | Description |
|---|---|
| `PASSWORD` | Cracked password if very weak. |
| `SERVER_CHALLENGE` | VNC password hashing parameter. |
| `CLIENT_RESPONSE` | VNC password hashing parameter. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "VNC Login Attempt"
<LOGTYPE> = "12001"
<EVENT_DICT> = {
                 "PASSWORD": "...",
                 "SERVER_CHALLENGE": "...",
                 "CLIENT_RESPONSE": "...",
                 "timestamp": ...,
                 "timestamp_std": "..."
               }
```

# WinRM Login Attempt

Triggered by an attempt to connect to the Canary using a WinRM agent.

| Field | Description |
|---|---|
| `USERNAME` | Attacker supplied username. |
| `PASSWORD` | Optional. Attacker supplied password. Not present for Kerberos or NTLM authentication. |
| `WORKSTATION` | Present for Kerberos auth attempts. The workstation name of the attacker. |
| `DOMAINNAME` | Attacker supplied domain name. |
| `USERAGENT` | Optional. The agent used by the attacker to connect. |
| `AUTHTYPE` | The authentication type used to connect to WinRM. If present, one of `basic`, `ntlm`, `certificate`, `kerberos` or `digest`; otherwise `unknown`. |
| `SNAME` | Present for Kerberos auth attempts. The service name of the request. |
| `REALM` | Present for Kerberos auth attempts. The Kerberos realm. |
| `TKTVNO` | Present for Kerberos auth attempts. The ticket format version number of the request. |
| `WINRMPAYLOAD` | The XML payload of the WinRM connection attempt. |
| `timestamp` | The timestamp of the request, e.g. `1580378197` |
| `timestamp_std` | Human readable timestamp of the request, e.g. `2020-01-30 09:56:37 UTC+0000` |


Response

```
<EVENT_DESCRIPTION> = "WinRM Login Attempt"
<LOGTYPE> = "29001"
<EVENT_DICT> = {
                 "AUTHTYPE": "...",
                 "PASSWORD": "...",
                 "USERAGENT": "...",
                 "USERNAME": "...",
                 "WINRMPAYLOAD": "..."
               }
```