What's New

Canary is a continually evolving product, and new features, fixes and improvements get rolled out frequently. Catch up with our updates here.

Users of Gmail and Google Inbox's web mail UI will now see an action button on their Canary alert mails called "Jump to incident". Click it to go directly to the incident details in your console.

Google mail action button

Added rollback functionality to birds which will allow them to revert to previous working settings if you accidentally push a broken network configuration to them.

Updated the update channel, allowing for future patches to be pulled via HTTP or DNS both remotely and locally.

Improvements to the communication channel, catering for networks that don't play nicely with longer DNS query lengths. Our new DNS doctor will prescribe the optimum DNS query length.

Canary v2.1 ships with a brand new Mac OS X personality. This personality includes exactly what you would expect: a Mac OS X IP stack fingerprint, a file share, an Apple MAC address and other preselected services to make it look legit.

OS X Personality

Canary v2 ships with awesome new hardware. It's faster, it's more reliable and it's so pretty you'll almost not want to send it to your datacenter.

Canary v2

Canarytokens allow you to create mini tripwires in 3rd party sites or applications (in fact, you can use them all over the place!). This version brings you your own customisable token server. Get alerts when your sites are cloned, documents are viewed or directories are browsed!

Dashboard view of deployed Canarytoken

We have a bunch of new “fake” services with something for everyone: ICS fans get Modbus, developers get Git repositories, and lovers of NoSQL get a safe implementation of our favorite key/value store (Redis!).

Talking to Redis

This release brings through a bunch of new personalities. Windows XP and Rockwell. It’s all in there, and all deployable with just a few clicks!

Rockwell getting Nmapped

Web servers now have lots of options: JBoss, VMware, SharePoint and a host of friends.

VMware ESXi server page

If you feel like it, now you can even upload your own document root (or trivially wrap your service in SSL)!

Service wrapped in SSL

The Windows file share service is now much nicer to use, with an improved Explorer-like interface that supports nested files and directories.

New interface for creating files/folders

Canary cloaking allows your Canary to be completely invisible to port-scanners and asset inventory systems.

Now you see me, now you don't

We've added new OS Personalities to Canary. Deploy convincing and interactive Cisco routers, Dell switches, Windows or Linux servers (with a host of different services), in the standard 4-minute setup time you've come to expect.

OS personalities
Canary looks like a Cisco router

Choosing an OS Personality will now automatically prepare your Canary with an appropriate MAC address.

Dell profile gets a (selectable) Dell MAC prefix

This makes the fakery more complete and makes a local-segment Nmap scan look more believable than ever!

Canary is reported as a Dell switch

Canaries aren't supposed to generate lots of notifications, but what happens if there's a sudden flood of them? (Or if you only check your alerts after a horrible week?) Figuring out exactly what happened from a list of events can be sub-optimal. To help with this, your console now has a handy graph-view.

Clicking on the graph-view icon maps out the activity visually.

Look for the graph icon on your dashboard

Graph view is fully interactive, giving you an easy way to mass-delete events (and making it trivial to spot what's going on).

Graph view is an alternative to the list view

Alert pruning allows mass deletion of alerts that have accumulated on your console over time. If alerts go above a certain threshold (and have been present for a while on your console) the “Alert Pruning” option will pop up to allow you to quickly delete older events.

Displayed for many old events

Known systems like vulnerability scanners, asset management / inventory servers or an SCCM service can easily be added to a whitelist to ensure that they don't set off alerts when interacting with Canary.

In order to ignore alerts from specific IP addresses, ranges or ports, simply add them to the “Ignore these IPs and ports” list on your settings page.

Find under the Settings tab

Similar to IP address whitelisting, specific SNMP Object Identifiers (OID) can also be ignored. This is done by adding the SNMP OID to the whitelist on your settings page. Once enabled, SNMP OID whitelisting follows the same format as the IP address and port whitelisting.

Find under the Settings tab

Now your Canaries can be managed from your console. Whether applying a completely new personality or making subtle changes to the device, you can do it from the comfort of your console! Simply click on your Canary, and then select the “Remote management” option available on each Canary.

Open the settings page, then click on the device

You will be able to configure your Canary settings exactly as if you were connected directly to it!

Remote configuration page

Apparent port scan activity is common on noisy networks. In order to avoid bothering you with several Port Scan notifications, we’ve added functionality to roll up multiple port scan alerts and present them as a single consolidated alert.

New Consolidated Port Scan incident

Canary notifications can be sent as text messages (or SMS, depending on your dialect) directly to your mobile phone. In order to receive alerts via SMS, you must add your mobile number to the “SMS notifications” field on your settings page. Make sure to enter your country code!

Open the settings page, toggle SMS notifications

You will receive an SMS notification indicating that you’ve been successfully set up.

Confirmation SMS

Now, when an alert is triggered on your Canary, a notification will be sent to your mobile number.

Alert SMS

Everybody loves Slack and HipChat. (We do too!) Canary alerts can be sent directly to either with quick configuration on your settings page. This makes it even easier to be notified of activity on your birds.

To set this up, simply enable “Webhook incident Reporting” on your Console settings page.

Open the settings page, toggle webhooks

Then click on either the “Add to Slack” or “Add to HipChat” options:

Easy installation

After adding your Slack details, you simply choose the destination for your Canary Alerts.

After a quick authorisation prompt, you will start receiving your alerts in your channel of choice.

Alerts on a Slack channel

You can also enable a generic webhook if you have your own endpoint, under the “Generic” tab.

Sometimes you’d like to know more about an attacking IP. Have you ever seen it before? Has it attacked a Canary before today? Don't worry, we’ve got you covered.

Look for the Related incidents line on the incident report

Click on the link to see what other incidents were attributed to the same source.

Attack history