What is an Outside Bird?
Canaries do best when they are deployed on internal segments and aren't exposed to the naked Internet. When they are touched, you know you have a problem.
Some customers want to place Canaries outside their firewall - to collect attacker-IP addresses. We don't want those Canaries to create extra noise. We handle this through the use of "Outside Birds".
Canaries marked as Outside Birds can be exposed to the public internet without the risk of missing the high quality signals from your local Canaries.
Outside birds won't generate alerts when they are attacked. No incident will be created on the Canary console. We will instead keep a record of the attackers IP address and a running count of the number of times the service was targeted, and you can access that information from your Console or via the API.
(Outside Birds also won't send alert notifications (Email , SMS etc) but can be configured to send information to a separate webhook if needed)
Toggling Outside Bird Mode
To setup a Canary as an Outside Bird simply head over to the Device Configuration tab and you'll find the setting under General Canary Settings.
Your Canary will now behave like an Outside Bird.
Because the Outside Birds do not generate alerts on the Console, any alert info for a specific device can be accessed on the device modal or via the API.
Richer alert information can be found after hitting "View All":
The Outside Birds are expected to generate a lot of alerts. We recommend managing their alerts via the API which you can find here.
We link to a cursor-based pagination list on the device modal to get you started but more detailed info can be found in our API documentation.
Below is an example of a few alerts from the paginated list:
"SSH Login Attempt": 13
"Custom TCP Service Request": 4,
"HTTP Proxy Request": 2
Setting up a webhook
From the Outside Bird section, you'll also be able to configure hooks to which we'll send you alerts in real-time.
Select "View All":
Expand "Outside Bird Webhooks":
Enter your Webhook link:
All done :) - Here's a snippet of the info the hook will send through:
"description": "SSH Login Attempt",