# Syslog Example Logs

Your Canary Console can be configured to send alerts via Syslog. We use the RFC5424 format, which carries structured, machine-readable fields alongside the message text. RFC5424 is supported by most Syslog sinks; if yours does not support it, your alerts can instead be sent in a custom text-based format. To configure Syslog support on your Console, please contact support.

# Basic Structure

Every RFC5424 log line has this basic structure:

  <$PRI>$VER $TIMESTAMP $HOSTNAME $APPNAME $PROCID $MSGID $STRUCTURED_DATA $MSG

PRI Syslog priority value, computed as facility × 8 + severity. This is admin-configurable and defaults to the LOCAL0 facility with EMERGENCY severity (PRI 128). The examples below carry <130>, which decodes to LOCAL0 (16 × 8 = 128) plus severity 2 (Critical), so check the value your sink actually receives before filtering on it.

VER Syslog version, currently 1.

TIMESTAMP Time at which the Syslog record was emitted, in the format YYYY-MM-DDTHH:MM:SS.ssssss+00:00 (RFC 3339 with microseconds). Timestamps are always provided in UTC, so the offset is always +00:00. This is distinct from the Timestamp field inside BasicIncidentDetails, which is the incident creation time and uses a different format (see below); the two differ by a couple of minutes in the examples.

HOSTNAME Local hostname of the Canary Console. This is fixed per customer and will not change.

APPNAME Fixed string ThinkstCanary.

PROCID Opaque numeric field indicating the source process ID. It varies between records and carries no alert semantics.

MSGID Type of message. Currently only one type is supported, newincident, indicating that a new incident has been created on the Canary Console.

STRUCTURED_DATA Alert data structured according to RFC5424, as described under Structured Data below.

MSG Free-text summary of the incident, following the structured data (the final sentence in each example below).

The structured data depends on the type of incident being reported. Additional details are included for each incident type, and their contents depend both on the incident type and on how the attacker interacted with the service. Below is an example log line for each incident type; the examples are not exhaustive of the additional details each type can carry. While the examples below are wrapped for readability, actual Syslog records contain no newlines: each record is a single line.

# Structured Data

The structured data consists of two structured data elements:

  1. BasicIncidentDetails
  2. AdditionalIncidentDetails

Both SD-IDs carry the suffix @51136, our private enterprise number, which is constant. Match on the full SD-ID (for example BasicIncidentDetails@51136) when parsing.

# BasicIncidentDetails

The BasicIncidentDetails section contains the following elements, common to all incidents (Canarytoken incidents additionally carry Token and Reminder fields, as in the examples below):

eventid Field identifying the type of incident. See the logtype field in the incidents object.

CanaryID The unique constant identifier for a Canary. Also known as the node_id.

CanaryIP The Canary's IP address at the time of the incident.

CanaryLocation Contents of the Canary's location (description) field.

CanaryName User-friendly name of the Canary.

CanaryPort TCP or UDP port of the service which triggered the alert. Not always present.

Description Text description of the incident.

IncidentHash Unique identifier for this incident.

ReverseDNS Hostname obtained by reverse DNS lookup of the attacker's IP address, if available; otherwise empty.

SourceIP Attacker's IP address. Empty for incidents without a network source, such as Canary Disconnected.

Timestamp Time at which the incident was created, in the format YYYY-MM-DD HH:MM:SS (UTC).

# AdditionalIncidentDetails

The contents of the AdditionalIncidentDetails section vary with the type of incident; its purpose is to provide additional context for the incident. The element may be empty, as in the Git clone and Nmap scan examples below.
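The header layout under Basic Structure and the two SD elements described above, as an added example that is not Thinkst's code: a parser that decodes PRI into facility and severity, splits the BasicIncidentDetails@51136 and AdditionalIncidentDetails@51136 elements (handling the RFC5424 `\"`, `\]` and `\\` escapes and the empty element seen in the Git and Nmap examples), converts both timestamps to timezone-aware values, and masks credential fields before the event is forwarded. The sample records are constructed from the SSH and Git examples on this page, joined onto a single line as real records are; the function names, the normalised field names and the `SENSITIVE` masking policy are choices of this example, not part of the Canary format.

```python
# Added example (not Thinkst code): parse Canary RFC 5424 alerts into a normalised dict.
import re
from datetime import datetime, timezone

PEN = "51136"  # enterprise-number suffix on both SD-IDs
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)
SD_ID_RE = re.compile(r"\[([^\s\]]+)")
# PARAM-NAME="PARAM-VALUE"; values may contain the RFC 5424 escapes \" \] and \\
SD_PARAM_RE = re.compile(r'\s*([^=\s\]]+)="((?:[^"\\]|\\.)*)"')
ESCAPE_RE = re.compile(r'\\(["\]\\])')
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 5: "syslog", 10: "authpriv"}
# Attacker-typed secrets (field names as on this page); masking policy is this example's choice
SENSITIVE = {"Password", "PasswordHash", "ClientHash", "Salt", "CommunityString"}


def decode_pri(pri):
    """PRI = facility * 8 + severity, so <130> is local0 (16) + crit (2)."""
    fac = pri >> 3
    name = f"local{fac - 16}" if 16 <= fac <= 23 else FACILITIES.get(fac, f"facility{fac}")
    return name, SEVERITIES[pri & 7]


def parse_structured_data(s):
    """Return ({sd_id: {name: value}}, msg); tolerant of whitespace between elements."""
    elements, pos = {}, 0
    if s.startswith("-"):  # NILVALUE: no structured data at all
        return elements, s[1:].strip()
    while pos < len(s) and s[pos] == "[":
        m = SD_ID_RE.match(s, pos)
        if not m:
            raise ValueError(f"missing SD-ID at offset {pos}")
        sd_id, params, pos = m.group(1), {}, m.end()
        while True:
            if pos >= len(s):
                raise ValueError("unterminated SD-ELEMENT")
            if s[pos] == "]":  # also covers the empty [AdditionalIncidentDetails@51136]
                pos += 1
                break
            m = SD_PARAM_RE.match(s, pos)
            if not m:
                raise ValueError(f"bad SD-PARAM at offset {pos}")
            params[m.group(1)] = ESCAPE_RE.sub(r"\1", m.group(2))
            pos = m.end()
        elements[sd_id] = params
        while pos < len(s) and s[pos] in " \n":
            pos += 1
    return elements, s[pos:].strip()


def parse_alert(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    facility, severity = decode_pri(int(m["pri"]))
    sd, msg = parse_structured_data(m["rest"])
    basic = sd.get(f"BasicIncidentDetails@{PEN}", {})
    extra = sd.get(f"AdditionalIncidentDetails@{PEN}", {})
    incident_at = None
    if "Timestamp" in basic:  # "YYYY-MM-DD HH:MM:SS (UTC)", unlike the header timestamp
        incident_at = datetime.strptime(basic["Timestamp"], "%Y-%m-%d %H:%M:%S (UTC)")
        incident_at = incident_at.replace(tzinfo=timezone.utc)
    return {
        "facility": facility, "severity": severity,
        "sent_at": datetime.fromisoformat(m["ts"]),  # header time; always +00:00
        "console": m["host"], "msgid": m["msgid"],
        "eventid": basic.get("eventid"), "description": basic.get("Description"),
        "canary": basic.get("CanaryName"), "canary_id": basic.get("CanaryID"),
        "source_ip": basic.get("SourceIP") or None,  # "" on Canary Disconnected
        "incident_hash": basic.get("IncidentHash"), "incident_at": incident_at,
        "details": extra, "message": msg,
    }


def redact(event):
    """Copy of the event with credential-bearing detail fields masked."""
    out = dict(event)
    out["details"] = {k: "***" if k in SENSITIVE else v for k, v in event["details"].items()}
    return out


# Constructed from this page's SSH and Git examples, joined onto one line each.
SSH_LINE = (
    '<130>1 2018-08-13T14:23:07.413167+00:00 mycompany-com ThinkstCanary 6051 newincident '
    '[BasicIncidentDetails@51136 eventid="4002" CanaryName="intranet02.mycompany.com" '
    'Description="SSH Login Attempt" CanaryPort="22" Timestamp="2018-08-13 14:23:07 (UTC)" '
    'CanaryIP="192.168.1.29" IncidentHash="163532a3093341608393cab25c132c69" '
    'CanaryLocation="DC 5, Rack 17, Blade E, Unit 2" SourceIP="192.168.1.82" CanaryID="00027550afb6819c"]'
    '[AdditionalIncidentDetails@51136 Username="root" Password="hello"] '
    'SSH Login Attempt has been detected against one of your Canaries (intranet02.mycompany.com) at 192.168.1.29.'
)
GIT_LINE = (
    '<130>1 2018-08-13T13:33:27.671646+00:00 mycompany-com ThinkstCanary 6051 newincident '
    '[BasicIncidentDetails@51136 eventid="19001" CanaryName="intranet03.mycompany.com" '
    'Description="Git Repository Clone Attempt" CanaryPort="9418" Timestamp="2018-08-13 13:33:27 (UTC)" '
    'CanaryIP="192.168.1.69" SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]'
    '[AdditionalIncidentDetails@51136] Git Repository Clone Attempt has been detected against '
    'one of your Canaries (intranet03.mycompany.com) at 192.168.1.69.'
)
```

Match SD-IDs on the full `Name@51136` string rather than the bare name. The `Password`, `PasswordHash` and similar fields hold whatever the client sent, and a legitimate user who mistypes a real credential against a Canary will land it in your log pipeline in cleartext, so mask these at ingest (as `redact` does) or restrict who can read the index.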

# Example Syslog Entries

Here we provide example Syslog entries that might be sent, in RFC5424 format. Each subheading is an incident type, and the block that follows is a single Syslog message (wrapped here for readability). Below each block is a link to more information on the attributes specific to that incident type.

# Canarytokens Incidents

# HTTP

  <130>1 2025-04-30T12:09:54.681299+00:00 mycompany-com ThinkstCanary 3545385 newincident
  [BasicIncidentDetails@51136 Description="Web Bug Canarytoken triggered"
  Timestamp="2025-04-30 12:07:53 (UTC)" Reminder="q" Token="d7a7phdpurh2vs8gs1jbniyhb"
  SourceIP="192.168.1.97" IncidentHash="40a96cf3ba4596a81f18990143916b3c" eventid="17000"]

  [AdditionalIncidentDetails@51136
  Abbr="SAST" Accept="text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
  Accept-Encoding="gzip, deflate" Accept-Language="en-GB,en-US;q=0.9,en;q=0.8,ro;q=0.7"
  BackgroundContext="You have had 214 incidents from 192.168.1.97 previously."
  Browser="Chrome" Cache-Control="max-age=0" City="Cape Town" Connection="keep-alive"
  ContinentCode="AF" Country="South Africa" CountryCode="ZA" CountryCode3="ZAF" CurrencyCode="ZAR"
  Date="2025-04-30" DstPort="80" Enabled="1" Host="123456789abe[.\]o3n[.\]io" HostDomain=""
  Hostname="" Id="Africa/Johannesburg" Installed="1" Ip="192.168.1.97" IsBogon="False"
  IsProxy="False" IsTor="False" IsV4Mapped="False" IsV6="False" IsVpn="False" Language="en-GB"
  LanguageCode="zu" Latitude="-33.925552" Longitude="18.422857"
  Mimetypes="Portable Document Format;pdf;application/pdf|||Portable Document Format;pdf;text/pdf|||"
  Name="South Africa Standard Time" Offset="+02:00" Os="Macintosh" Platform="MacIntel"
  Region="Western Cape" RegionCode="WC" SrcPort="54290" Time="14:07:53.846452"
  Upgrade-Insecure-Requests="1"
  User-Agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
  Valid="True" Vendor="Google Inc." Version="135.0.0.0"]
  A Web Bug Canarytoken was triggered by '192.168.1.97'.

Attribute description: Canarytoken HTTP.

# DNS

  <130>1 2025-04-30T12:54:52.796337+00:00 mycompany-com ThinkstCanary 3557764 newincident
  [BasicIncidentDetails@51136 Description="DNS Canarytoken triggered"
  Timestamp="2025-04-30 12:52:49 (UTC)" Reminder="q" Token="vv4x12n26ivmcgyd33pkb3drr"
  SourceIP="1.1.1.1" IncidentHash="adaa8486af78cc450417b027e2821a22" eventid="16000"]

  [AdditionalIncidentDetails@51136 BackgroundContext="This alert is the first from 1.1.1.1."
  DstPort="53" Hostname="VV4x12N26IvMcgyd33pKB3DRr[.\]123456789abe[.\]o3N[.\]Io" SrcPort="48908"]
  A DNS Canarytoken was triggered by a DNS query from the source IP 1.1.1.1.
  Please note that the source IP refers to a DNS resolver, rather than the host that triggered the token.

Attribute description: Canarytoken DNS.

# Wireguard

  <130>1 2025-04-30T12:56:11.569505+00:00 mycompany-com ThinkstCanary 3557764 newincident
  [BasicIncidentDetails@51136 Description="WireGuard VPN Canarytoken triggered"
  Timestamp="2025-04-30 12:54:09 (UTC)" Reminder="x" Token="zcowdkas4t07sedssypwiy8pi"
  SourceIP="192.168.1.97" IncidentHash="e2888f4ae944ef9eb11f716a67602d01" eventid="17022"]

  [AdditionalIncidentDetails@51136 BackgroundContext="You have had 216 incidents from 192.168.1.97 previously."
  ClientPublicKey="xEUY2sgyvP/+3SaBY5OAS679m/LhMVQ3Ey8xDHBFKAc="
  ClientSessionIndex="3154879465" DstPort="51820" SrcPort="57505"]
  A WireGuard VPN Canarytoken was triggered by '192.168.1.97'.

Attribute description: Canarytoken Wireguard.

# Canary Disconnected

  <130>1 2018-08-13T15:24:15.672152+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="1004" CanaryName="intranet03.mycompany.com"
  Description="Canary Disconnected" Timestamp="2018-08-13 15:24:14 (UTC)"
  IncidentHash="7e90c25b733d48fc46ce257efef497e1" CanaryLocation="Rack22 above switch"
  SourceIP="" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136 PreviousIP="192.168.1.69"]
  One of your Canaries (intranet03.mycompany.com) previously at 192.168.1.69 has disconnected.

Attribute description: Canary Disconnected.

# Canary Reconnected

  <130>1 2018-08-13T14:12:45.238658+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="1004" CanaryName="intranet03.mycompany.com"
  Description="Canary Reconnected" Timestamp="2018-06-19 07:07:30 (UTC)"
  IncidentHash="d0e47e37d0515e2b2b0765aaaa2d584e" CanaryLocation="Rack22 above switch"
  SourceIP="" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136 PreviousIP="192.168.1.69"]
  One of your Canaries (intranet03.mycompany.com) previously at 192.168.1.69 has reconnected.

# Canary Settings Changed

  <130>1 2023-08-02T17:26:15.611322+00:00 mycompany-com ThinkstCanary 32264 newincident
  [BasicIncidentDetails@51136 eventid="23002" CanaryName="SRV01"
  Description="Canary Settings Changed" CanaryPort="443" Timestamp="2023-08-02 17:24:14
  (UTC)" CanaryIP="abc123.canary.tools" IncidentHash="4f9eb17f8e470455e070a669d73a1615"
  CanaryLocation="" SourceIP="1.1.1.1" CanaryID="00000000fc738ff7"]

  [AdditionalIncidentDetails@51136 Settings="userid=admin@canary.console,ftp.enabled=True,
  telnet.enabled=True,...\x0aModified by admin@canary.console"
  BackgroundContext="This alert is the first from 1.1.1.1."]
  The canary 00000000fc738ff7 settings were changed by 1.1.1.1

Attribute description: Canary Settings Changed.

# Console Settings Changed

  <130>1 2023-08-03T20:51:29.402623+00:00 mycompany-com ThinkstCanary 31760 newincident
  [BasicIncidentDetails@51136 eventid="23001" CanaryName="Console"
  Description="Console Settings Changed" Timestamp="2023-08-03 20:49:29 (UTC)"
  CanaryIP="abc123.canary.tools" IncidentHash="88bee65ef162f7d00be81ab86ceea7e3"
  CanaryPort="443" SourceIP="1.1.1.1" CanaryID="Console"]

  [AdditionalIncidentDetails@51136 Settings="Globally Enforced 2FA Disabled:
  New: Disabled, Old: Enabled\\x0aModification by admin@canary.console"
  BackgroundContext="You have had 3 incidents from 1.1.1.1 previously."]
  The console settings were changed by 1.1.1.1

Attribute description: Console Settings Changed.

# Flock Settings Changed

  <130>1 2025-04-30T22:42:19.845759+00:00 mycompany-com ThinkstCanary 3602455 newincident
  [BasicIncidentDetails@51136
  Description="Flock Settings Changed" Timestamp="2025-04-30 22:40:17 (UTC)"
  CanaryName="Flock" CanaryID="flock_change" CanaryIP="abc123.canary.tools"
  SourceIP="196.61.107.19" CanaryPort="443"
  IncidentHash="7a3b1b7b0cd1889d2c0f1e625926dde2" eventid="23003"]
  [AdditionalIncidentDetails@51136
  Settings="enable_emails_notifications=True\\x0aModified by user"
  BackgroundContext="You have had 217 incidents from 196.61.107.19 previously."]
  The flock Default Flock settings were changed by 196.61.107.19

Attribute description: Flock Settings Changed.

# Consolidated Network Port Scan

  <130>1 2018-08-13T13:50:35.127637+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="5007" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="hyphen-hyphen" Description="Consolidated Network Port Scan" CanaryPort="80"
  Timestamp="2018-08-13 13:50:34 (UTC)" CanaryIP="192.168.1.29"
  IncidentHash="c307d1830441cbb238c42eef88b024bf" CanaryLocation="DC 5, Rack 17, Blade E, Unit 2"
  SourceIP="192.168.1.82" CanaryID="00027550afb6819c"]

  [AdditionalIncidentDetails@51136 Source="192.168.1.82"
  Incident="Consolidated Network Port Scan" Targets="192.168.1.29, 192.168.1.69"]
  A portscan has been done on several of your canaries by the host 192.168.1.82.

Attribute description: Consolidated Network Port Scan.

# Custom TCP Service Request

  <130>1 2018-08-13T13:32:13.416516+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="20001" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="Custom TCP Service Request" CanaryPort="8001"
  Timestamp="2018-08-13 13:32:13 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="26cb5305fefca8f6dd5a25618dd94b69" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136 FunctionName="New Connection Made" FunctionData="" TCPBannerID="1"]
  Custom TCP Service Request has been detected against one of your Canaries
  (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: Custom TCP Service Request.

# Dummy Incident

  <130>1 2023-08-02T17:02:11.371589+00:00 mycompany-com ThinkstCanary 32264 newincident
  [BasicIncidentDetails@51136 eventid="111111" ReverseDNS="attacker-ip.local"
  CanaryName="VirtualCanary-unnamed" Description="Dummy Incident" CanaryPort="8080"
  Timestamp="2023-08-02 17:02:11 (UTC)" CanaryIP="1.1.1.1"
  IncidentHash="aa875f255f94e3ffe40dc85cf1a8b1e0" CanaryLocation="Server room A"
  SourceIP="2.2.2.2" CanaryID="000246ec65ef9476"]

  [AdditionalIncidentDetails@51136 Field2="VALUE2" Field3="VALUE3" Field1="VALUE1"]
  This is a fake intro.

Attribute description: Dummy Incident.

# FTP Login Attempt


  <130>1 2018-08-13T13:18:28.803233+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="2000" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="FTP Login Attempt" CanaryPort="21"
  Timestamp="2018-08-13 13:18:28 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="1358e614a0eb2500208dd34ce61300ca" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136 Username="admin" Password="password"]
  FTP Login Attempt has been detected against one of your Canaries
  (intranet03.mycompany.com) at 192.168.1.69.


Attribute description: FTP Login Attempt.

# Git Repository Clone Attempt

  <130>1 2018-08-13T13:33:27.671646+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="19001" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="Git Repository Clone Attempt"
  CanaryPort="9418" Timestamp="2018-08-13 13:33:27 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="e42ff3137f6c034c79b820cb92101809" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136] Git Repository Clone Attempt has been
  detected against one of your Canaries (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: Git Repository Clone Attempt.

# Host Port Scan


  <130>1 2018-08-13T14:40:54.238093+00:00 mycompany-com ThinkstCanary 7792 newincident
  [BasicIncidentDetails@51136 eventid="5003" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="Host Port Scan" CanaryPort="256"
  Timestamp="2018-08-13 14:40:53 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="0d105c8aafc12484f7363a415b8c63f8" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136 PartialPorts="443, 80, 256, 1720, 445"]
  Host Port Scan has been detected against one of your Canaries
  (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: Host Port Scan.

# HTTP Incidents

# HTTP API Request

  <130>1 2023-08-03T19:39:17.338417+00:00 mycompany-com ThinkstCanary 31760 newincident
  [BasicIncidentDetails@51136 eventid="3005" ReverseDNS="" CanaryName="SRV01"
  Description="HTTP API Request" CanaryPort="80" Timestamp="2023-08-03 19:37:17 (UTC)"
  CanaryIP="192.168.1.104" IncidentHash="afbd5fdee00c4169a3297fdd9b5b368a" CanaryLocation=""
  SourceIP="1.1.1.1" CanaryID="00000000fc738ff7"]

  [AdditionalIncidentDetails@51136 Path="/api/v1/post-test" User-Agent="curl/8.1.2"
  Headers="{'host': '192.168.1.104', 'content-type': 'application/x-www-form-urlencoded',
  'content-length': '11', 'accept': '*/*'}"
  BackgroundContext="You have had 115 incidents from 1.1.1.1 previously."]
  HTTP API Request has been detected against one of your Canaries (SRV01) at 192.168.1.104.

Attribute description: HTTP API Request.

# HTTP Login Attempt

  <130>1 2018-08-13T13:22:07.159097+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="3001" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="HTTP Login Attempt" CanaryPort="80"
  Timestamp="2018-08-13 13:22:07 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="09ea9afbd8fdab5cdfd76322c9436bdd" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136 Username="admin" Password="admin" User-Agent="curl/7.54.0"]
  HTTP Login Attempt has been detected against one of your Canaries
  (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: HTTP Login Attempt.

# HTTP Page Load

  <130>1 2025-04-30T13:43:32.453578+00:00 mycompany-com ThinkstCanary 3557748 newincident
  [BasicIncidentDetails@51136 Description="HTTP Page Load"
  Timestamp="2025-04-30 13:41:31 (UTC)" CanaryName="intranet03.mycompany.com"
  CanaryID="0000000018a22bf1" CanaryIP="192.168.1.69" CanaryPublicIP="3.4.5.6"
  SourceIP="172.31.6.248" CanaryLocation="VPC vpc-0ddb2a123456789ab" ReverseDNS=""
  CanaryPort="80" IncidentHash="e254a07fb49885f5cdde47731d3602d0" eventid="3000"]

  [AdditionalIncidentDetails@51136 Path="/" User-Agent="python-requests/2.31.0"
  Headers="{'connection': 'keep-alive', 'host': '192.168.1.69', 'accept': '*/*', 'accept-encoding': 'gzip, deflate'}"
  BackgroundContext="You have had 163 incidents from 172.31.6.248 previously."
  EC2InstanceID="i-0abcd9876543210ef" EC2Region="eu-west-1a"]
  HTTP Page Load has been detected against one of your Canaries (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: HTTP Page Load.

# HTTP Post Error

  <130>1 2025-04-30T14:38:14.359286+00:00 mycompany-com ThinkstCanary 3557748 newincident
  [BasicIncidentDetails@51136 Description="HTTP Login Attempt"
  Timestamp="2025-04-30 14:36:13 (UTC)" CanaryName="intranet03.mycompany.com"
  CanaryID="0000000018a22bf1" CanaryIP="192.168.1.69" CanaryPublicIP="3.4.5.6"
  SourceIP="34.248.192.232" CanaryLocation="VPC vpc-0ddb2a123456789ab"
  ReverseDNS="attacker.in.mycompany.com" CanaryPort="80"
  IncidentHash="d9b1815e21d80fb240ca9b2d17120ad1" eventid="3006"]

  [AdditionalIncidentDetails@51136 User-Agent="python-requests/2.31.0"
  Headers="{'host': '3.4.5.6', 'connection': 'keep-alive', 'content-length': '0', 'accept-encoding': 'gzip, deflate', 'accept': '*/*'}"
  BackgroundContext="You have had 176 incidents from 34.248.192.232 previously."
  EC2InstanceID="i-0abcd9876543210ef" EC2Region="eu-west-1a"]
  HTTP Login Attempt has been detected against one of your Canaries (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: HTTP Post Error.

# HTTP Service Scan

  <130>1 2025-04-30T14:07:02.183648+00:00 mycompany-com ThinkstCanary 3557748 newincident
  [BasicIncidentDetails@51136 Description="Website Scan"
  Timestamp="2025-04-30 14:05:01 (UTC)" CanaryName="intranet03.mycompany.com"
  CanaryID="0000000018a22bf1" CanaryIP="192.168.1.69" CanaryPublicIP="3.4.5.6"
  SourceIP="172.31.6.248" CanaryLocation="VPC vpc-0ddb2a123456789ab" ReverseDNS=""
  CanaryPort="80" IncidentHash="65693b99a976d66ae8e1d68cfd05d33e" eventid="3004"]

  [AdditionalIncidentDetails@51136 Path="/b0669"
  BackgroundContext="You have had 231 incidents from 172.31.6.248 previously."
  EC2InstanceID="i-0abcd9876543210ef" EC2Region="eu-west-1a"]
  Website Scan has been detected against one of your Canaries (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: HTTP Service Scan.

# HTTP Proxy Request

  <130>1 2018-08-13T13:22:41.146736+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="7001" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="HTTP Proxy Request" CanaryPort="8080"
  Timestamp="2018-08-13 13:22:40 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="4e232c109368b43b47166cca733e9aad" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136 Username="proxy" URL="http://google.com/" Password="proxypass"
  User-Agent="curl/7.54.0"] HTTP Proxy Request has been detected against one of your Canaries
  (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: HTTP Proxy Request.

# Local Tampering Detected

  <130>1 2023-08-03T20:22:38.421418+00:00 mycompany-com ThinkstCanary 13487 newincident
  [BasicIncidentDetails@51136 eventid="30001" ReverseDNS="" CanaryName="SRV01-12345"
  Description="Local Tampering Detected" CanaryPort="-1"
  Timestamp="2023-08-03 20:20:38 (UTC)" CanaryIP="192.168.5.200" Flock="Renoster 3.x.5"
  CanaryLocation="" SourceIP="" IncidentHash="8d64f579666fe2029b12c87baa6dec41"
  CanaryID="0000000005bb4998"]

  [AdditionalIncidentDetails@51136 Incident="Local Tampering Detected"
  Message="A local user on your bird (uid 0) ran tripwired commands: /usr/bin/curl,http://google.com"]
  Local Tampering Detected has been detected against one of your Canaries (SRV01-12345) at 192.168.5.200.

Attribute description: Local Tampering Detected.

# LDAP Bind Attempt

  <130>1 2023-08-02T17:41:44.856428+00:00 mycompany-com ThinkstCanary 32264 newincident
  [BasicIncidentDetails@51136 eventid="31001" ReverseDNS="" CanaryName="SRV01"
  Description="LDAP Bind Attempt Detected" CanaryPort="389"
  Timestamp="2023-08-02 17:39:44 (UTC)" CanaryIP="192.168.1.104"
  IncidentHash="e1d3afbbfe6ac5c5a4da497df92da3e0" CanaryLocation="" SourceIP="1.1.1.1"
  CanaryID="00000000fc738ff7"]

  [AdditionalIncidentDetails@51136 DistinguishedName="cn=testuser"
  Request="bindRequest" Password="pass"
  BackgroundContext="You have had 111 incidents from 1.1.1.1 previously."]
  LDAP Bind Attempt Detected has been detected against one of your Canaries (SRV01) at 192.168.1.104.

Attribute description: LDAP Bind Attempt.

# MARK Message

  <130>syslog	info	rsyslogd	-- MARK --

# ModBus Request

  <130>1 2018-08-13T13:34:28.905941+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="18001" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="ModBus Request" CanaryPort="502"
  Timestamp="2018-08-13 13:34:28 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="dfc7b90a4d88315281b76283766e347b" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136 Functioncode="17" Functionname="Report Slave ID"]
  ModBus Request has been detected against one of your Canaries
  (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: ModBus Request.

# Mongo Request

  <130>1 2025-04-30T13:28:43.263119+00:00 mycompany-com ThinkstCanary 3557748 newincident
  [BasicIncidentDetails@51136 Description="Mongo Authentication Attempt"
  Timestamp="2025-04-30 13:26:42 (UTC)" CanaryName="intranet03.mycompany.com"
  CanaryID="0000000018a22bf1" CanaryIP="192.168.1.69" CanaryPublicIP="3.4.5.6"
  SourceIP="172.31.6.248" CanaryLocation="VPC vpc-0ddb2a123456789ab" ReverseDNS=""
  CanaryPort="27017" IncidentHash="3ba686459d3e3319ab877fb3bbf31fa3" eventid="28002"]

  [AdditionalIncidentDetails@51136 User="mongo1"
  PasswordHash="353GBkv67L1bpgt3PQUEr4536qRn4NR6" Command="saslStart" Database="admin"
  BackgroundContext="You have had 135 incidents from 172.31.6.248 previously."
  EC2InstanceID="i-0abcd9876543210ef" EC2Region="eu-west-1a"]
  Mongo Authentication Attempt has been detected against one of your Canaries (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: Mongo Request.

# MSSQL Server Login Attempt

  <130>1 2018-08-13T13:50:28.649855+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="9001" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="MSSQL Login Attempt" CanaryPort="1433"
  Timestamp="2018-08-13 13:50:28 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="6d46c8cae1854c5ee0983674213771d3" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136 Username="admin" Password="pass"
  Hostname="attacker.local"]
  MSSQL Login Attempt has been detected against one of your Canaries
  (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: MSSQL Login Attempt.

# MySQL Login Attempt

  <130>1 2018-08-13T13:35:33.585011+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="8001" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="MySQL Login Attempt" CanaryPort="3306"
  Timestamp="2018-08-13 13:35:33 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="62275c71db5d67925163f7a20f7e3220" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136 Username="user"
  ClientHash="b4794dd3a41ea7bd904ef5bc366a71fab3ea6c9c"
  Password="password" Salt="xiT{J|.i<92>y9>$b:/J"]
  MySQL Login Attempt has been detected against one of your Canaries
  (intranet03.mycompany.com) at 192.168.1.69.


Attribute description: MySQL Login Attempt.

# Network Settings Roll-back

  <130>1 2025-04-30T15:26:32.393844+00:00 mycompany-com ThinkstCanary 3602455 newincident
  [BasicIncidentDetails@51136 Description="Network Settings Roll-back"
  Timestamp="2025-04-30 15:24:31 (UTC)" CanaryName="SRV-SMB-AFTER"
  CanaryID="00000000c2249f3b" CanaryIP="192.168.1.206" CanaryLocation=""
  IncidentHash="e296e8f097cd7fd18810a03d8fcc85c0" eventid="22001"]

  [AdditionalIncidentDetails@51136 CanaryStatus="Canary is currently ONLINE."
  Erroneousnetworksettings="Canary IP address: 192.168.1.206; Netmask: 255.255.255.0; Gateway: 192.168.1.1; DNS server 1: 8.7.6.5; DNS server 2: 8.7.6.5; DHCP: Disabled"
  Restorednetworksettings="Canary IP address: 192.168.1.206; DHCP: Enabled"
  User="user"]
  Network Settings Roll-back has been detected against one of your Canaries (SRV-SMB-AFTER).

Attribute description: Network Settings Roll-back.

# Nmap NULL Scan

  <130>1 2018-08-13T13:33:02.192002+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="5005" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="NMAP NULL Scan Detected" CanaryPort="3306"
  Timestamp="2018-08-13 13:33:02 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="a0ac716679dc47a19346236c47598595" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136] NMAP NULL Scan Detected has been detected against
  one of your Canaries (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: NMAP NULL Scan.

# Nmap FIN Scan

  <130>1 2018-08-13T13:32:53.697117+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="5008" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="NMAP FIN Scan Detected" CanaryPort="993"
  Timestamp="2018-08-13 13:32:53 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="8fd5f15a5d1ad3e4d9ef40a97b8d36a8" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136] NMAP FIN Scan Detected has been detected against
  one of your Canaries (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: NMAP FIN Scan.

# Nmap OS Scan

  <130>1 2018-08-13T13:32:36.910136+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="5004" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="NMAP OS Scan Detected" CanaryPort="21"
  Timestamp="2018-08-13 13:32:36 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="dc163f9dbf7dd35745d2e28995f89d68" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136] NMAP OS Scan Detected has been detected against
  one of your Canaries (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: NMAP OS Scan.

# Nmap Xmas Scan


  <130>1 2018-08-13T13:32:46.469290+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="5006" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="NMAP XMAS Scan Detected" CanaryPort="3306"
  Timestamp="2018-08-13 13:32:46 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="2d4298166ba5a2045915f5cff38f2ff7" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136] NMAP XMAS Scan Detected has been detected against
  one of your Canaries (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: NMAP XMAS Scan.

# NTP Monlist Request

  <130>1 2018-08-13T13:34:58.739325+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="11001" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="NTP Monlist Request" CanaryPort="123"
  Timestamp="2018-08-13 13:34:58 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="6a58a52cc6388163cd223bc6746795f4" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136 NTPCommand="monlist"]
  NTP Monlist Request has been detected against one of your Canaries
  (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: NTP Monlist Request.

# RDP Login Attempt

  <130>1 2025-04-30T13:30:31.803745+00:00 mycompany-com ThinkstCanary 3557748 newincident
  [BasicIncidentDetails@51136 Description="RDP Login Attempt"
  Timestamp="2025-04-30 13:28:30 (UTC)" CanaryName="intranet03.mycompany.com"
  CanaryID="0000000018a22bf1" CanaryIP="192.168.1.69" CanaryPublicIP="3.4.5.6"
  SourceIP="172.31.6.248" CanaryLocation="VPC vpc-0ddb2a123456789ab" ReverseDNS=""
  CanaryPort="3389" IncidentHash="eb607ac4c94cf5103189f1e38fba6228" eventid="14003"]

  [AdditionalIncidentDetails@51136
  BackgroundContext="You have had 137 incidents from 172.31.6.248 previously."
  EC2InstanceID="i-0abcd9876543210ef" EC2Region="eu-west-1a"]
  RDP Login Attempt has been detected against one of your Canaries (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: RDP Login Attempt.

# Redis Command

  <130>1 2018-08-13T13:33:52.151406+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="21001" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="Redis Command" CanaryPort="6379"
  Timestamp="2018-08-13 13:33:51 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="f5fb29672cd13f30bb7e59351eed622e" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136]
  Redis Command has been detected against one of your Canaries
  (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: Redis Command.

# SIP Request

  <130>1 2018-08-13T13:54:36.259297+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="15001" ReverseDNS="rogue.phone.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="SIP Request" CanaryPort="5060"
  Timestamp="2018-08-13 13:54:36 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="c8994d29e39632c1cf2ae12b7398f3f2" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.30" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136 content-length="0" expires="60"
  from="<sip:sipuser@192.168.1.69;transport=UDP>;tag=3864bd77"
  via="SIP/2.0/UDP 129.205.140.132:46849;branch=z9hG4bK-524287-1---6232828c8a6a35b5;received=192.168.1.30;rport"
  allow-events="presence, kpml, talk" user-agent="Zoiper rv2.8.97-mod"
  to="<sip:sipuser@192.168.1.69;transport=UDP>"
  contact="<sip:sipuser@192.168.1.30:46849;rinstance=164258fa1b2705d4;transport=UDP>"
  cseq="9 REGISTER" allow="INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE"
  max-forwards="70" call-id="56XIpFpoDXyQ-J8N3qmd_g.."]
  SIP Request has been detected against one of your Canaries
  (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: SIP Request.

# SNMP Request

  <130>1 2018-08-13T13:21:23.127789+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="13001" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="SNMP Request" CanaryPort="161"
  Timestamp="2018-08-13 13:21:22 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="699378356f7d605da4e47822d91de89c" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136 CommunityString="public" OIDs="1.3.6.1.2.1.1"]
  SNMP Request has been detected against one of your Canaries
  (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: SNMP Request.

# SSH Login Attempt (Password)

  <130>1 2018-08-13T14:23:07.413167+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="4002" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet02.mycompany.com" Description="SSH Login Attempt" CanaryPort="22"
  Timestamp="2018-08-13 14:23:07 (UTC)" CanaryIP="192.168.1.29"
  IncidentHash="163532a3093341608393cab25c132c69"
  CanaryLocation="DC 5, Rack 17, Blade E, Unit 2" SourceIP="192.168.1.82" CanaryID="00027550afb6819c"]

  [AdditionalIncidentDetails@51136 Username="root" Password="hello"]
  SSH Login Attempt has been detected against one of your Canaries
  (intranet02.mycompany.com) at 192.168.1.29.

Attribute description: SSH Login Attempt.

# SSH Login Attempt (key-based)

  <130>1 2018-08-13T14:16:01.152948+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="4002" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet02.mycompany.com" Description="SSH Login Attempt" CanaryPort="22"
  Timestamp="2018-08-13 14:16:00 (UTC)" CanaryIP="192.168.1.29"
  IncidentHash="ef1e4bac00843e2b30d1ddc052a76186" CanaryLocation="DC 5, Rack 17, Blade E, Unit 2"
  SourceIP="192.168.1.82" CanaryID="00027550afb6819c"]

  [AdditionalIncidentDetails@51136 Username="root"
  Key="ssh-rsa AAAAB3NzaC1yc2EA+...jYX80uCHk0SuAEAWkhXdks2ifSxGHBP9JeR5G0ulkL35/uhmCZ"]
  SSH Login Attempt has been detected against one of your Canaries
  (intranet02.mycompany.com) at 192.168.1.29.

Attribute description: SSH Login Attempt.

# Telnet Login Attempt

  <130>1 2018-08-13T13:19:51.015053+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="6001" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="Telnet Login Attempt" CanaryPort="23"
  Timestamp="2018-08-13 13:19:50 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="c467345a6e41651cc6c6398ece27d8ef" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136 Username="supervisor" Password="password123"]
  Telnet Login Attempt has been detected against one of your Canaries
  (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: Telnet Login Attempt.

# TFTP Request

  <130>1 2018-08-13T13:25:37.021004+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="10001" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="TFTP Request" CanaryPort="69"
  Timestamp="2018-08-13 13:25:36 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="6e79bb7c281780a5130c1a54b64759a0" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136 Action="READ" Filename="/etc/passwd"]
  TFTP Request has been detected against one of your Canaries (intranet03.mycompany.com)
  at 192.168.1.69.

Attribute description: TFTP Request.

# TN3270 Login Attempt

  <130>1 2025-04-30T15:10:30.912872+00:00 mycompany-com ThinkstCanary 3602455 newincident
  [BasicIncidentDetails@51136 Description="TN3270 Login Attempt" Timestamp="2025-04-30 15:08:29 (UTC)"
  CanaryName="intranet03.mycompany.com" CanaryID="0000000018a22bf1" CanaryIP="192.168.1.69"
  CanaryPublicIP="3.4.5.6" SourceIP="172.31.6.248" CanaryLocation="VPC vpc-0ddb2a123456789ab"
  ReverseDNS="" CanaryPort="1023" IncidentHash="9410561b83074787818463a41a54e1c6" eventid="32001"]

  [AdditionalIncidentDetails@51136 Username="USER100" Password="passwd1"
  BackgroundContext="You have had 248 incidents from 172.31.6.248 previously."
  EC2InstanceID="i-0abcd9876543210ef" EC2Region="eu-west-1a"]
  TN3270 Login Attempt has been detected against one of your Canaries (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: TN3270 Login.

# VNC Login Attempt

  <130>1 2018-08-13T13:28:58.532033+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="12001" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet03.mycompany.com" Description="VNC Login Attempt" CanaryPort="5900"
  Timestamp="2018-08-13 13:28:58 (UTC)" CanaryIP="192.168.1.69"
  IncidentHash="77fae8e893ea04d5fb6c72b177779131" CanaryLocation="Rack22 above switch"
  SourceIP="192.168.1.82" CanaryID="0000000018a22bf1"]

  [AdditionalIncidentDetails@51136 VNCServerChallenge="49cad65c054ce8f1b9b6495919c98f49"
  VNCClientResponse="3b049ba5d7e44732a7513a834c899486"
  VNCPassword="<Password was not in the common list>"]
  VNC Login Attempt has been detected against one of your Canaries
  (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: VNC Login Attempt.

# Windows File Share Incidents

Attribute description: Windows File Share Incidents.

# Windows Shared File Opened

  <130>1 2018-08-13T13:56:39.819028+00:00 mycompany-com ThinkstCanary 6051 newincident
  [BasicIncidentDetails@51136 eventid="5000" ReverseDNS="attacker.in.mycompany.com"
  CanaryName="intranet02.mycompany.com" Description="Shared File Opened"
  CanaryPort="445" Timestamp="2018-08-13 13:56:39 (UTC)" CanaryIP="192.168.1.29"
  IncidentHash="7d2e642a5974173de0214e66427de22c" CanaryLocation="DC 5, Rack 17, Blade E, Unit 2"
  SourceIP="192.168.1.82" CanaryID="00027550afb6819c"]

  [AdditionalIncidentDetails@51136 User="guest" Filename="Sales Brochure 2017.pdf"]
  Shared File Opened has been detected against one of your Canaries
  (intranet02.mycompany.com) at 192.168.1.29.

# Windows File Share Login Incident

  <130>1 2025-04-30T13:53:03.465190+00:00 mycompany-com ThinkstCanary 3557748 newincident
  [BasicIncidentDetails@51136 Description="File Share Login" Timestamp="2025-04-30 13:51:02 (UTC)"
  CanaryName="intranet03.mycompany.com" CanaryID="0000000018a22bf1" CanaryIP=""
  CanaryPublicIP="3.4.5.6" SourceIP="172.31.6.248" CanaryLocation="VPC vpc-0ddb2a123456789ab"
  ReverseDNS="" CanaryPort="445" IncidentHash="a7480e533297c63713ded75eaa23dd1a" eventid="5010"]

  [AdditionalIncidentDetails@51136 LoginType="guest" Success="True" User="guest"
  RemoteSMBName="nmap" Domain="AWS-NEW-I-0ABCD"
  BackgroundContext="You have had 173 incidents from 172.31.6.248 previously."
  EC2InstanceID="i-0abcd9876543210ef" EC2Region="eu-west-1a"]
  File Share Login has been detected against one of your Canaries (intranet03.mycompany.com) at .

# Windows File Share Enumeration Incident

  <130>1 2025-04-30T15:05:25.607807+00:00 mycompany-com ThinkstCanary 3602455 newincident
  [BasicIncidentDetails@51136 Description="File Share Group Enumeration"
  Timestamp="2025-04-30 15:03:24 (UTC)" CanaryName="intranet03.mycompany.com"
  CanaryID="0000000018a22bf1" CanaryIP="" CanaryPublicIP="3.4.5.6" SourceIP="172.31.6.128"
  CanaryLocation="VPC vpc-0ddb2a123456789ab" ReverseDNS="" CanaryPort="445"
  IncidentHash="d16786119d7e88da67ac76b54a17cd5d" eventid="5013"]

  [AdditionalIncidentDetails@51136 User="Administrator" ShareName="IPC$" Domain="CORP"
  Success="success" WindowsAPIQueried="NetLocalGroup"
  BackgroundContext="You have had 2 incidents from 172.31.6.128 previously."
  EC2InstanceID="i-0abcd9876543210ef" EC2Region="eu-west-1a"]
  File Share Group Enumeration has been detected against one of your Canaries (intranet03.mycompany.com) at .

# Windows File Share Connected Incident

  <130>1 2025-04-30T13:53:04.553584+00:00 mycompany-com ThinkstCanary 3557748 newincident
  [BasicIncidentDetails@51136 Description="File Share Connection"
  Timestamp="2025-04-30 13:51:03 (UTC)" CanaryName="intranet03.mycompany.com"
  CanaryID="0000000018a22bf1" CanaryIP="192.168.1.69" CanaryPublicIP="3.4.5.6"
  SourceIP="172.31.6.248" CanaryLocation="VPC vpc-0ddb2a123456789ab" ReverseDNS=""
  CanaryPort="445" IncidentHash="b25a7ebe9a2d4ff5c5ac531cb739728b" eventid="5014"]

  [AdditionalIncidentDetails@51136 User="guest" ShareName="ADMIN$"
  Domain="AWS-NEW-I-0ABCD" RemoteSMBName="nmap" SMBVersion="NT1"
  BackgroundContext="You have had 173 incidents from 172.31.6.248 previously."
  EC2InstanceID="i-0abcd9876543210ef" EC2Region="eu-west-1a"]
  File Share Connection has been detected against one of your Canaries (intranet03.mycompany.com) at 192.168.1.69.

# WinRM Login Attempt

  <130>1 2025-04-30T15:15:58.979526+00:00 mycompany-com ThinkstCanary 3602455 newincident
  [BasicIncidentDetails@51136 Description="WinRM Login Attempt"
  Timestamp="2025-04-30 15:13:57 (UTC)" CanaryName="intranet03.mycompany.com"
  CanaryID="0000000018a22bf1" CanaryIP="192.168.1.69" CanaryPublicIP="3.4.5.6"
  SourceIP="172.31.6.248" CanaryLocation="VPC vpc-0ddb2a123456789ab" ReverseDNS=""
  CanaryPort="5986" IncidentHash="b9cb8a238f907e27c24132500296ba26" eventid="29001"]

  [AdditionalIncidentDetails@51136 Username="adam" Domain="corp"
  BackgroundContext="You have had 249 incidents from 172.31.6.248 previously."
  EC2InstanceID="i-0abcd9876543210ef" EC2Region="eu-west-1a"]
  WinRM Login Attempt has been detected against one of your Canaries (intranet03.mycompany.com) at 192.168.1.69.

Attribute description: WinRM Login Attempt.
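The records on this page, split into their RFC5424 header, the two structured data elements and the trailing MSG, as an added Python example that is not part of this page or of the Canary product. It applies the RFC5424 escaping rules for `"`, `\` and `]` inside a PARAM-VALUE, keeps empty values such as `ReverseDNS=""`, reads the prior-incident count out of `BackgroundContext`, and masks credential fields before an alert is forwarded to a system that should not hold cleartext credentials. The two sample records are constructed from the SSH (password) and TN3270 examples above, joined onto single lines as real records are; the escaped password in the second sample is constructed to exercise the escaping rules, and `SECRET_PARAMS` and `redact_secrets` are this example's own choices, not a Console feature.

```python
import re

# Constructed records modelled on this page's examples, joined onto one line: real
# records contain no newlines and the SD elements sit back to back before the MSG.
SSH_RECORD = (
    '<130>1 2018-08-13T14:23:07.413167+00:00 mycompany-com ThinkstCanary 6051 newincident '
    '[BasicIncidentDetails@51136 eventid="4002" ReverseDNS="attacker.in.mycompany.com" '
    'CanaryName="intranet02.mycompany.com" Description="SSH Login Attempt" CanaryPort="22" '
    'Timestamp="2018-08-13 14:23:07 (UTC)" CanaryIP="192.168.1.29" '
    'IncidentHash="163532a3093341608393cab25c132c69" '
    'CanaryLocation="DC 5, Rack 17, Blade E, Unit 2" SourceIP="192.168.1.82" '
    'CanaryID="00027550afb6819c"][AdditionalIncidentDetails@51136 Username="root" '
    'Password="hello"] SSH Login Attempt has been detected against one of your Canaries '
    '(intranet02.mycompany.com) at 192.168.1.29.'
)

# Constructed: an empty PARAM-VALUE plus an escaped "]" and "\"" inside the password,
# which RFC5424 requires a sender to escape with a backslash.
TN3270_RECORD = (
    '<130>1 2025-04-30T15:10:30.912872+00:00 mycompany-com ThinkstCanary 3602455 newincident '
    '[BasicIncidentDetails@51136 Description="TN3270 Login Attempt" ReverseDNS="" '
    'CanaryIP="192.168.1.69" SourceIP="172.31.6.248" eventid="32001"]'
    '[AdditionalIncidentDetails@51136 Username="USER100" Password="pa\\]s\\"wd1" '
    'BackgroundContext="You have had 248 incidents from 172.31.6.248 previously."] '
    'TN3270 Login Attempt has been detected against one of your Canaries '
    '(intranet03.mycompany.com) at 192.168.1.69.'
)

# <PRI>VER TIMESTAMP HOSTNAME APPNAME PROCID MSGID, followed by the structured data.
HEADER_RE = re.compile(r'^<(\d{1,3})>(\d+) (\S+) (\S+) (\S+) (\S+) (\S+) ')
BACKGROUND_RE = re.compile(r'You have had (\d+) incidents from \S+ previously\.')
# Fields this example masks before forwarding (an assumption of the example).
SECRET_PARAMS = {'Password', 'Key', 'VNCPassword', 'CommunityString'}


def parse_structured_data(text, pos):
    """Parse consecutive [SD-ID PARAM="VALUE" ...] elements starting at text[pos].

    Returns ({sd_id: {param: value}}, position just past the last element)."""
    elements = {}
    if text.startswith('-', pos):                  # NILVALUE: no structured data
        return elements, pos + 1
    while pos < len(text) and text[pos] == '[':
        end = pos + 1
        while text[end] not in ' ]':               # SD-ID runs to a space or the close
            end += 1
        sd_id, params, pos = text[pos + 1:end], {}, end
        while text[pos] == ' ':                    # each PARAM is preceded by a space
            eq = text.index('=', pos + 1)
            name = text[pos + 1:eq]
            if text[eq + 1] != '"':
                raise ValueError('PARAM-VALUE must be quoted at offset %d' % eq)
            pos, buf = eq + 2, []
            while text[pos] != '"':
                if text[pos] == '\\' and text[pos + 1] in '"\\]':
                    pos += 1                       # drop the backslash, keep the char
                buf.append(text[pos])
                pos += 1
            params[name] = ''.join(buf)            # may legitimately be ''
            pos += 1                               # closing quote
        if text[pos] != ']':
            raise ValueError('unterminated SD-ELEMENT at offset %d' % pos)
        elements[sd_id] = params
        pos += 1
    return elements, pos


def parse_alert(line):
    """Split one Canary Syslog record into header fields, SD elements and MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an RFC5424 header')
    pri = int(m.group(1))
    sd, pos = parse_structured_data(line, m.end())
    return {
        'facility': pri // 8, 'severity': pri % 8, 'version': int(m.group(2)),
        'timestamp': m.group(3), 'hostname': m.group(4), 'appname': m.group(5),
        'procid': m.group(6), 'msgid': m.group(7),
        'basic': sd.get('BasicIncidentDetails@51136', {}),
        'additional': sd.get('AdditionalIncidentDetails@51136', {}),
        'msg': line[pos:].lstrip(' '),
    }


def prior_incident_count(alert):
    """Earlier incidents from the same source per BackgroundContext, or None if absent."""
    m = BACKGROUND_RE.search(alert['additional'].get('BackgroundContext', ''))
    return int(m.group(1)) if m else None


def redact_secrets(alert):
    """Copy of the alert with attacker-supplied credential fields masked."""
    additional = dict(alert['additional'])
    for name in SECRET_PARAMS & additional.keys():
        additional[name] = '<redacted>'
    return {**alert, 'additional': additional}


if __name__ == '__main__':
    for record in (SSH_RECORD, TN3270_RECORD):
        alert = redact_secrets(parse_alert(record))
        print(alert['basic']['Description'], 'from', alert['basic']['SourceIP'],
              alert['additional'], 'prior incidents:', prior_incident_count(alert))
```

`parse_alert` decodes `<130>` into facility 16 and severity 2, which is what a sink would use to route the alert; the two SD elements are looked up by their full `name@51136` identifiers, so a record with no `AdditionalIncidentDetails` params (as in the Redis example) still parses to an empty dictionary rather than failing.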