What is an Outside Bird?
Canaries do best when they are deployed on internal segments and aren't exposed to the naked Internet. When they are touched, you know you have a problem.
Some customers want to place Canaries outside their firewall to collect attacker IP addresses. We don't want those Canaries to create extra noise, so we handle this through the use of "Outside Birds".
Canaries marked as Outside Birds can be exposed to the public internet without the risk of missing the high quality signals from your local Canaries.
Outside Birds won't generate alerts when they are attacked, and no incident will be created on the Canary console. Instead, we keep a record of the attacker's IP address and a running count of the number of times each service was targeted; you can access that information from your Console or via the API.
(Outside Birds also won't send alert notifications (email, SMS, etc.), but they can be configured to send information to a separate webhook if needed.)
If you would like to make use of Outside Birds, send a support request to support@canary.tools asking for the feature to be enabled.
Toggling Outside Bird Mode
To set up a Canary as an Outside Bird, head over to the Device Configuration tab; you'll find the setting under General Canary Settings.
Your Canary will now behave like an Outside Bird.
Alert Info
Because Outside Birds do not generate alerts on the Console, the alert info for a specific device can be accessed on the device modal or via the API.
Richer alert information can be found after hitting "View All":
Raw Data
Outside Birds are expected to generate a lot of alerts, so we recommend managing their alerts via the API, which you can find here.
We link to a cursor-based paginated list on the device modal to get you started, but more detailed info can be found in our API documentation.
Below is an example of a few alerts from the paginated list:
{
  "cursor": {
    ...
  },
  "page_num": 1,
  "page_total": 21,
  "result": "success",
  "src_ips": [
    {
      "count": 13,
      "incident_counts": {
        "SSH Login Attempt": 13
      },
      "ip_address": <IP_ADDRESS>,
      "node_id": "000101ad7a556f92"
    },
    {
      "count": 6,
      "incident_counts": {
        "Custom TCP Service Request": 4,
        "HTTP Proxy Request": 2
      },
      "ip_address": <IP_ADDRESS>,
      "node_id": "000101ad7a556f92"
    },
    ...
  ]
}
Setting up a webhook
From the Outside Bird section, you'll also be able to configure webhooks to which we'll send alerts in real time.
Select "View All":
Expand "Outside Bird Webhooks":
Enter your Webhook link:
All done :) Here's a snippet of the info the hook will send through:
{
  "logtype": 4002,
  "node_id": "0000000testnode",
  "incidents_seen_previously": 4,
  "description": "SSH Login Attempt",
  "src_host": <IP_ADDRESS>
}
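As an added example (not part of this article or of the Canary product code), the script below consumes both formats shown on this page: it merges the src_ips entries from several pages of the paginated API response into one per-IP table, validates a real-time webhook payload by its logtype and required fields, and folds it into the same table, so a defender ends up with one ranked view of which sources hit the Outside Bird and with which incident types. The sample pages, the 192.0.2.0/24 addresses and the page/total numbers are constructed; the node_id and field names are the ones in the samples above.

```python
import json
from collections import Counter, defaultdict

OUTSIDE_BIRD_LOGTYPE = 4002  # logtype value in the webhook sample above

# Constructed sample pages in the shape of the paginated src_ips list shown above;
# IPs are from the 192.0.2.0/24 documentation range, node_id is the page's sample value.
SAMPLE_PAGES = [
    {"page_num": 1, "page_total": 2, "result": "success", "src_ips": [
        {"count": 13, "incident_counts": {"SSH Login Attempt": 13},
         "ip_address": "192.0.2.10", "node_id": "000101ad7a556f92"},
        {"count": 6, "incident_counts": {"Custom TCP Service Request": 4, "HTTP Proxy Request": 2},
         "ip_address": "192.0.2.11", "node_id": "000101ad7a556f92"}]},
    {"page_num": 2, "page_total": 2, "result": "success", "src_ips": [
        {"count": 2, "incident_counts": {"HTTP Proxy Request": 2},
         "ip_address": "192.0.2.10", "node_id": "000101ad7a556f92"}]},
]

def merge_src_ips(pages, summary=None):
    """Fold the src_ips entries of every successful page into one per-IP table
    of total hits and per-incident-type counts (the same IP may recur across pages)."""
    if summary is None:
        summary = defaultdict(lambda: {"count": 0, "incident_counts": Counter()})
    for page in pages:
        if page.get("result") != "success":
            continue  # do not count a page the API did not report as successful
        for entry in page.get("src_ips", []):
            row = summary[entry["ip_address"]]
            row["count"] += int(entry.get("count", 0))
            row["incident_counts"].update(entry.get("incident_counts", {}))
    return summary

def apply_webhook_event(raw, summary):
    """Validate one real-time webhook payload and add it to the same per-IP table."""
    event = json.loads(raw) if isinstance(raw, (str, bytes)) else raw
    if event.get("logtype") != OUTSIDE_BIRD_LOGTYPE:
        raise ValueError(f"unexpected logtype {event.get('logtype')!r}")
    for key in ("node_id", "description", "src_host", "incidents_seen_previously"):
        if key not in event:
            raise ValueError(f"webhook payload missing {key!r}")
    row = summary[event["src_host"]]
    row["count"] += 1
    row["incident_counts"][event["description"]] += 1
    return row

def top_sources(summary, n=5):
    """Return the n busiest source IPs as (ip, total, {incident: count}) tuples."""
    ranked = sorted(summary.items(), key=lambda kv: kv[1]["count"], reverse=True)
    return [(ip, row["count"], dict(row["incident_counts"])) for ip, row in ranked[:n]]
```

Feed every page of the cursor-paginated list into merge_src_ips and each webhook delivery into apply_webhook_event, then call top_sources to see which sources are hitting the Outside Bird most.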