What's New

Canary is a continually evolving product, and new features, fixes and improvements get rolled out frequently. Catch up with our updates here.

With the strategic partnership formed between Atlassian and Slack and their decision to discontinue HipChat, we have decided to also take the steps to remove HipChat integration from consoles to help our customers with a smooth and timely transition. For consoles with working HipChat integrations, we will continue to support the configuration option and functionality, but by default this configuration will no longer be available. For more details on the deprecation of HipChat integration, you can head over to our KB item.

We've beefed up our Slack alerts to allow you to directly Acknowledge and Delete alerts from your Slack channels. Read all about it here.

Do you make use of the generic webhook to get data into your application and want another? Cool! Just like with Slack and MS Teams, you can now enable multiple Generic webhooks in your console. (This is super useful for users who are building automation on top of Canary Alerts). For more details on how to set up your generic webhooks, you can head over to our KB item.

Canaries (now that they are deployed all over the planet) have a great view of whether specific alerts are actually useful. Despite our initial intuition, they have been unanimous about the SNMP service: it offers little value in detecting breaches (and crowds out real alerts). Unlike the star services (like Windows File Share 😍) SNMP failed to live up to the promise we thought it had at the beginning. We pride ourselves in our signal to noise ratio (above almost anything else) so we'll begin deprecating and disabling the Canary SNMP service for all customers from the 24 September 2018. For those rare quiet networks where it's useful, get in touch, and we'll keep it enabled. More details are here.

Passwords used to probe your Canary are handy (paired with usernames) to know if an attacker has stolen real credentials. Those passwords should of course be reset promptly, but Canary Consoles now mask passwords in alert notifications to minimise possibly leaving useful information lying around. To view passwords from incidents, you can still view this info on your Console.

Want to get your Canary alerts straight into your Microsoft Teams workspaces? We’ve got your back! We’ve added Microsoft Teams to our growing pile of webhook options (it joins Slack and the generic webhook)! For more details, you can head over to our KB item.

It is now possible to manage users manually. Add/remove users to your heart's content! Other options available are disabling a user and forcing a user to use 2fa. For more details, you can head over to our KB item.

Virtual Canary 2.1.2

Customers who use Virtual Canary can now look forward to having all the benefits of the Canary 2.1.1 physical devices. The main attraction of this is the ability to remotely join your Virtual Canaries to your Active Directory. This can be easily achieved by taking a look at our Remote AD Join KB item.

Other new features include a new HTTP update channel, automatic DNS adjustments, network config rollback on errors, new OS personalities, plus a bunch of tweaks and fixes.

For setup instructions, take a look at our step by step guide which includes steps for using an OVA or VMX image.

Users of Gmail and Google Inbox's web mail UI will now see an action button on their Canary alert mails called "Jump to incident". Click on it to take you directly to the incident details in your console.

Google mail action button

For those very specific cases where it is needed, you can now specify a preferred Domain Controller to use when joining an Active Directory.

Custom TCP services now have the ability to be marked as long-lived connections. This lets you send through a secret string that tells the connection to keep-alive, allowing you to leave more crumbs that point to your bird.

Added a Windows 2003 personality.

Added a Windows 7 personality.

Added an IBM z/OS personality.

The portscan module was behaving erratically on FIN scans. This is now covered (so you will detect attackers from the 90's again).

We now modify the TTL of active connections to correctly match the personality of the bird, making it even harder to fingerprint a Canary.

Added rollback functionality to birds which will allow them to revert to previous working settings if you accidentally push a broken network configuration to them.

Updated the update channel, allowing for future patches to be pulled via HTTP or DNS both remotely and locally.

Improvements to the communication channel, catering for networks that don't play nicely with longer DNS query lengths. Our new DNS doctor will prescribe the optimum DNS query length.

Canary v2.1 ships with a brand new MacOS X personality. This personality includes exactly what you would expect: a Mac OS X IP Stack fingerprint, a file share, an Apple MAC address and other preselected services to make it look legit.

OS X Personality

Canary v2 ships with awesome new hardware. It's faster, it's more reliable and it's so pretty you'll almost not want to send it to your datacenter.

Canary v2

Canarytokens allow you to create mini tripwires in 3rd party sites or applications (In fact you can use them all over the place!). This version brings you your own, customisable token server. Get alerts when your sites are cloned, documents are viewed or directories are browsed!

Dashboard view of deployed Canarytoken

We have a bunch of new “fake” services with something for everyone: ICS fans get Modbus. Developers get GIT repositories and lovers of NoSQL get a safe implementation of our favorite key/value store (Redis!).

Talking to Redis

This release brings through a bunch of new personalities. WindowsXP and Rockwell. It’s all in there, and all deployable with just a few clicks!

Rockwell getting Nmapped

Web Servers now have lots of options. JBoss, VMWare, Sharepoint and a host of friends.

VMware ESXi server page

If you feel like it, now you can even upload your own document root (or trivially wrap your service in SSL)!

Service wrapped in SSL

The Windows file share service is now much nicer to use, with an improved Explorer-like interface that supports nested files and directories.

New interface for creating files/folders

Canary cloaking allows your Canary to be completely invisible to port-scanners and asset inventory systems.

Now you see me, now you don't

We've added new OS Personalities to Canary. Deploy convincing and interactive Cisco routers, Dell switches, Windows or Linux servers (with a host of different services), in the standard 4-minute setup time you've come to expect.

OS personalities
Canary looks like a Cisco router

Choosing an OS Personality will now automatically prepare your Canary with an appropriate MAC address.

Dell profile gets a (selectable) Dell MAC prefix

This makes the fakery more complete and has a local segment NMAP looking more believable than ever!

Canary is reported as a Dell switch

Canarys aren't supposed to generate lots of notifications, but what happens if there's a sudden flood of them? (Or if you only check your alerts after a horrible week?) Figuring out exactly what happened from a list of events can be sub-optimal. To help with this, your console now has a handy graph-view.

Clicking on the graph-view icon maps out the activity visually.

Look for the graph icon on your dashboard

Graph view is fully interactive, allowing an easy way to mass-delete events (but also just makes it trivial to spot what's going on).

Graph view is an alternative to the list view

Alert pruning allows mass deletion of alerts that have accumulated on your console over time. If alerts go above a certain threshold (and have been present for a while on your console) the “Alert Pruning” option will pop up to allow you to quickly delete older events.

Displayed for many old events

Known systems like vulnerability scanners, asset management / inventory servers or an SCCM service scan easily be added to a white list to ensure that they don't set off alerts when interacting with Canary.

In order to ignore alerts from specific IP addresses, ranges or ports, simply add them to the “Ignore these IPs and ports” list on your settings page

Find under the Settings tab

Similar to IP address whitelisting, specific SNMP Object Identifiers (OID) can also be ignored. This is done by adding the SNMP OID to the whitelist on your settings page. Once enabled, SNMP OID whitelisting follows the same format as the IP address and port whitelisting.

Find under the Settings tab

Now your Canaries can be managed from your console. Whether applying a completely new personality or making subtle changes to the device, you can do it from the comfort of your console! Simply click on your Canary, and then select the “Remote management” option available on each Canary.

Open the settings page, then click on the device

You will be able to configure your Canary settings exactly as if you were connected directly to it!.

Remote configuration page

Apparent port scan activity is common on noisy networks. In order to avoid bothering you with several Port Scan notifications, we’ve added functionality to roll-up multiple port scan alerts and present them as a single consolidated alert.

New Consolidated Port Scan incident

Canary notifications can be sent as text messages (or SMS, depending on your dialect) directly to your mobile phone. In order to receive alerts via SMS, you must add your mobile number to the “SMS notifications” field on your settings page. Make sure to enter your country code!

Open the settings page, toggle SMS notifications

You will receive an SMS notification indicating that you’ve been successfully setup.

Confirmation SMS

Now, when an alert is triggered on your Canary, a notification will be sent to your mobile number.

Alert SMS

Everybody loves Slack and HipChat. (We do too!) Canary alerts can be sent directly to either with quick configuration on your settings page. This makes it even easier to be notified of activity on your birds.

To set this up, simply enable “Webhook incident Reporting” on your Console settings page.

Open the settings page, toggle webhooks

Then click on either the “Add to Slack” or “Add to HipChat” options:

Easy installation

After adding your Slack details, you simply choose the destination for your Canary Alerts.

After a quick authorisation prompt, you will start receiving your alerts in your channel of choice.

Alerts on a Slack channel

You can also enable a generic webhook if you have your own endpoint, under the “Generic” tab.

Sometimes you’d like to know more about an attacking IP. Have you ever seen it before? Has it attacked a Canary before today? Don't worry, we’ve got you covered.

Look for the Related incidents line on the incident report

Click on the link to see what other incidents were attributed to the same source.

Attack history