Canary Alerts, Part 2 - Bonus Flavours

Canaries and Canarytokens are tripwires that can alert you to intrusions. When alerts trigger, we want to make sure you get them where you need them. While our Slack integration is cool, you might prefer to send alerts through your SIEM. Or to a security automation tool. Maybe you want to leverage our API to integrate Canary alerts into a custom SOC tool. Want to turn a smart light bulb red and play the Imperial March? You could do that too.
IFTTT screenshot of an applet that makes a light blink when a Canary alert is received

Your way or the highway

We often puzzle at products that require customers to totally revamp how they do things. We never presume to be the most important tool in your toolbox, which is why our product is designed to be installed, configured, and (somewhat) forgotten, in minutes. We’d rather disappear into your existing workflow, only becoming visible again when you need us most.

Our customers dictate where and how they see our alerts. To enable this, we provide a wide variety of flexible options for sending and consuming alerts.

By default, you’ll get alerts on your console...

In your email…


...and as a text message.

And that’s not all…

For those of you wondering where the SIEM love is at, don’t worry. We can send syslog where you need it, as secure as you need it. A quick email to support@canary.tools with the details for your syslog endpoint will get the logs flowing in no time.


For Splunk fans, we have a Splunk app that works with both Splunk Enterprise and Splunk Cloud. Details on installing and configuring the Splunk app can be found in our help documentation.

Email can also be an easy way to integrate Canary alerts with other tools. For example, most task and ticket management systems support creating tickets or tasks with an email. ServiceNow, BMC Remedy are common in large enterprises, but what about something simpler, with a free use plan? Something you could set up in minutes, like a Canary?

Build a SOC dashboard in 5 minutes, for free

We’re going to use Trello as an example of how flexible email can be for alert integration.

It turns out, Trello aligns well with the spirit of simple, fast and ‘just works’. Finding the custom email address that allows new card creation takes just a few clicks. Then, paste it in the email notifications list in your console settings and you’re good to go. Canary alerts will start showing up in Trello on the board and list you chose to attach the Trello email to.


A simple three-list configuration should work for basic alert triage: new alerts, acknowledged (being worked) and completed.


Any Canaries or Canarytokens triggered will result in a new card dropping into the New Alerts column immediately. Drag the card over to the Ack column and assign it to someone and Trello can notify them (based on your Trello configuration). Each card contains the full content of the alert and supports comments and attachments.

Once the investigation is complete, the card can be dragged over to the final column.

And, of course, an API

Anything you can do or view in the Canary console can be done via our fully documented API. It’s possible to control Canaries, create Canarytokens, view alerts, manage alerts and much more. Following is a simple bash script demonstrating how to grab a week’s worth of alerts and dump them into a spreadsheet-friendly format (CSV). Also available as a gist.

#!/bin/bash
# Create a CSV with the last week's worth of alerts from your Canary console
# Requires curl and jq to be in the path

# Set this variable to your API token
export token=deadbeef12345678

# Customize this variable to match your console URL
export console=ab123456.canary.tools

# Date format (one week ago)
export dateformat=`date -v-1w "+%Y-%m-%d-%H:%M:%S"`

# Filename date (right now)
export filedate=`date "+%Y%m%d%H%M%S"`

# Complete Filename
export filename=$filedate-$console-1week-alert-export.csv

# Base URL
export baseurl="https://$console/api/v1/incidents/all?auth_token=$token&shrink=true&newer_than"

# Run the jewels
echo Datetime,Alert Description,Target,Target Port,Attacker,Attacker RevDNS > $filename
curl "$baseurl=$dateformat" | jq -r '.incidents[] | [.description | .created_std, .description, .dst_host, .dst_port, .src_host, .src_host_reverse | tostring] | @csv' >> $filename


Taking Flight

Like everything else Canary-related, alerts should be dead simple and easy to work with. Though alert volumes from Canaries are incredibly low (customers with dozens of Canaries report just a handful of alerts per year) we include a bunch of options to cover everything from common requests to esoteric requirements.

If you have any clever ideas on integrating alerts or consuming them, we’d love to hear them! Drop us a message on Twitter @ThinkstCanary or via email, support at canary dot tools.

Comments

Post a Comment

Popular posts from this blog

Simple Graphs with Arbor.js

Image
We recently released a tool at http://cc.thinkst.com to capture and collect infosec conference details. We commented on it [ here ]. One of the cooler components of it, is the ability to view the relationships between speakers/researchers who have collaborated. This post is a quick introduction to the library we used to build our graphs, with enough info to get you up and running in minutes. As I mentioned, we use ArborJS library which is a a graph visualization library using web workers and the popular jQuery . The API is really well documented [ here ] but like most people, I learn best by example (and there are precious few of these). Hopefully this post will fill that niche, and by the end of it you should have a basic understanding of how to use arbor.js in your project. Our Aim: We will be building a simple contrived example as seen in the image above. Project setup : Create a new html page and include script references to the following libraries (Download them from the links...
Read more

Using the Linux Audit System to detect badness

Image
Security vendors have a mediocre track record in keeping their own applications and infrastructure safe. As a security product company, we need to make sure that we don’t get compromised. But we also need to plan for the horrible event that a customer console is compromised, at which point the goal is to quickly detect the breach. This post talks about how we use Linux's Audit System (LAS) along with ELK (Elasticsearch, Logstash, and Kibana) to help us achieve this goal. Background Every Canary customer has multiple Canaries on their network (physical, virtual, cloud) that reports in to their console which is hosted in AWS. Consoles are single tenant, hardened instances that live in an AWS region. This architecture choice means that a single customer console being compromised, won’t translate to a compromise of other customer consoles. ( In fact, customers would not trivially even discover other customer consoles, but that's irrelevant for this post. ) Hundreds of consoles runn...
Read more

Good UNIX tools

Image
aka:   Small things done well  We spend a lot of time sweating the details when we build Canary. From our user flows to our dialogues, we try hard to make sure that there’s very few opportunities for users to be stuck or confused. We also never add features just because they sound cool. Do you “explode malware”? No.  Export to STYX? No.  Darknet AI IOCs? No. No. No..  Vendors add rafts of “check-list-development” features as a crutch. They hope that one more integration (or one more buzz-word) can help make the sale. This is why enterprise software looks like it does, and why it’s probably the most insecure software on your network. This also leads to a complete lack of focus. To quote industry curmudgeon (and all around smartypants) Kelly Shortridge : " it is better to whole-ass one thing than to half-ass many" . We feel this deeply. Most of us cut our teeth on UNIX and UNIX clones and cling pretty fastidiously to the original Unix philosophies ¹ : Make each...
Read more