An incident occurs when a Canary is probed on a listening port or service AND the attacker interacts with that port.

Note: Should an attacker connect to a listening service on the Canary, and disconnect immediately, an incident may not be generated. Active interaction with the service (eg. entering a username and password for SSH, copying a file for Windows File Sharing) would generate an incident. This is expected behaviour, designed to minimise false positives

For example, if an attacker connects to the SSH service on a listening Canary, and tries to enter a password or three:

3 x failed SSH attempts

The Canary will report all 3 of these attempts to the console, where correlation occurs:

The console therefore generates a single incident, and send out a single alert, via E-mail, SMS, API or Webhook.

We group events together into a single incident if: * a) the Source IP is the same * b) the Canary service is the same * c) if they occur within a small timeframe of each other

Clicking on the incident in the console will provide you with more information regarding the attempts: