Canary is designed to alert only when it is absolutely sure an attacker shows malicious intent.
What is malicious intent?
An SSH login, or an attacker copying files off a Windows File Share, is a sure sign someone is up to no good on the Canary. What exactly counts as malicious intent depends on the type of service, but typically a login or an attempt to (ab)use a service crosses the alerting threshold.
Simply opening a connection to a service will typically not trigger an alert. By default, just browsing the HTTP Web service login page on a Canary won't trigger one, and neither will just opening a connection to the Windows File Share service. On most networks, there are devices that continually probe local network devices over HTTP or SMB, and setting the threshold too low floods you with insignificant alerts. However, someone trying to log in on an HTTP Web server login page, or copying files off the Windows File Share, will get a loud and clear alert.
Service Specific Alerting Thresholds
HTTP Web Service
By default, the HTTP Web Service on the Canary won't trigger an alert on a regular browse of an HTTP page. Such an alert would be tripped frequently on most networks, as HTTP services are commonly probed by many devices.
On a well-understood, quiet network it may be worthwhile to alert on page browses as well. In that case, contact firstname.lastname@example.org to change the alerting threshold. This setting is prone to generating noise though, so we'd be happy to turn it back off if it turns out not to be signalling active malicious intent.
Windows File Share
By default, the Windows File Share service won't alert on a connect. It's very common for devices on a network to probe the service to discover printers hundreds of times a day. However, copying files off a Windows File Share is a rare and noteworthy event (and has picked up many otherwise unnoticed breaches).
To instead set up the Canary to alert when a device (or even a phone) makes a connection to ports 139 and 445 to access this server, disable the Windows File Share service and use Custom TCP (described below) on ports 445 and 139. Whenever a connection is made, you will receive an alert. For now, the tradeoff is that there is no longer a viewable share, or a share that can be discovered on the network, but support for this feature is on our roadmap. Get in touch if you want to be notified when it lands.
By default, the SSH service alerts on login attempts with passwords and keys. To instead be alerted on every TCP connection to SSH port 22, simply enable Custom TCP on port 22. Uncheck Alert only if client sends blank. (See below on Custom TCP Service.)
Custom TCP Service
The Custom TCP service can run on many ports, and generates an alert when a connection is made. This makes it a useful service for triggering an alert on connect. Depending on the Canary's network, some ports get routinely spammed with connections (which doesn't mean anything malicious is happening). However, with well-chosen ports, or on a quiet and well-understood network, the Custom TCP service will alert at the first sign of trouble. We have a full write up on Custom TCP service here.
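One way to pick "well-chosen ports" before enabling alert-on-connect is to baseline which ports are routinely probed on the Canary's network segment. The sketch below is an added example, not Canary code: the log format, the function names `port_noise` and `classify_ports`, and the 30% threshold are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample of connection records seen on the Canary's segment
# (assumed format: date, source IP, destination port). Not real data.
SAMPLE_LOG = """\
2024-05-01 10.0.0.15 445
2024-05-01 10.0.0.15 139
2024-05-01 10.0.0.20 80
2024-05-02 10.0.0.15 445
2024-05-02 10.0.0.15 139
2024-05-02 10.0.0.20 80
2024-05-03 10.0.0.15 445
2024-05-03 10.0.0.31 22
2024-05-03 10.0.0.20 80
2024-05-04 10.0.0.15 445
2024-05-04 10.0.0.15 139
2024-05-05 10.0.0.15 445
2024-05-05 10.0.0.20 80
"""

def port_noise(log_text):
    """Return {port: (active_days, distinct_sources, connections)}."""
    days, sources, hits = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed records
        day, src, port = parts[0], parts[1], int(parts[2])
        days[port].add(day)
        sources[port].add(src)
        hits[port] += 1
    return {p: (len(days[p]), len(sources[p]), hits[p]) for p in hits}

def classify_ports(log_text, candidates, total_days, max_active_ratio=0.3):
    """Split candidate ports into (quiet, noisy) by share of days with traffic."""
    stats = port_noise(log_text)
    quiet, noisy = [], []
    for port in candidates:
        active_days = stats.get(port, (0, 0, 0))[0]
        if active_days / total_days > max_active_ratio:
            noisy.append(port)   # routinely probed: connect alerts would be noise
        else:
            quiet.append(port)   # rarely touched: a connect alert is meaningful
    return sorted(quiet), sorted(noisy)

if __name__ == "__main__":
    quiet, noisy = classify_ports(SAMPLE_LOG, [22, 80, 139, 445, 8443], total_days=5)
    print("alert on connect (Custom TCP):", quiet)
    print("keep the default service threshold:", noisy)
```

On the sample data, ports 80, 139 and 445 are probed on most days by the same internal hosts, so they are better left at the default login or file-copy threshold, while ports 22 and 8443 are quiet enough for a connect to be worth an alert.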