One of the features originally planned and promised for Canary was alerts. We have finally delivered that, along with a few other new features on the Canary website.
In this update, we have introduced the new Alert system. At the moment it only alerts you if an incoming sample contains your Canary account’s e-mail address; more on the future of this is explained later. This feature is included with all accounts, both current and future, and we can disable it outright for your account if requested. Alerts are triggered shortly after the data has been analysed and will be tripped regardless of who submitted the data.
By default you should expect the above screen, but if there are alerts, you’ll be able to see and acknowledge them as follows:
In addition, you can enable the e-mailing of alerts (disabled by default), so that when an alert comes in you’ll know without having to log into the website. This is done via the “configuring alerts” tab.
Down the road we’re working on the following for the site:
- Keyword-based alerting in addition to the e-mail address you’ve signed up with. All accounts will have a maximum of three keywords, and requests for more will be a paid feature. Keep in mind that alerts are not based on search queries, so the usual triggers (!http, !ip, et cetera) will not apply here.
- Regular expression-based alerting will be available on a paid basis. Details on this are still being worked out, but we’ve had requests for regex-based searching in the past and would like to act upon them in some way.
- API access to alerts which will be useful for those of you who are looking to integrate this into Splunk, LogRhythm, ArcSight, and so forth.
Stay tuned for more on alerting.
Public Data Submission
One of the things that we are aiming for is to make Canary more engaged with the community. As such, we’ve gone ahead and introduced a much simpler way to send us data. If you look on the top-right of the page, you’ll see a page available to you provided you’re logged in with an account:
You’ll be able to see on this page a list of your previously submitted items (if any of course) but in addition to that you’ll also be presented with a submission form where you can submit data:
Any data posted via this submission form is only accessible to those with registered accounts. Data shared via this service is by default not exposed to the public unless either it has already been submitted before and was made public or we decided to make it public for whatever reason. Your account details are attached to the submission, but those will not be visible to the public regardless of whether they’re signed in or not.
All registered users have access to this feature, and we look forward to having everyone contribute whatever they can. This is meant for one-off posts that are 100 KB or less. If you’re looking to upload mass amounts of data or anything larger, please let us know, as we have much better mechanisms for submitting data.
We’re going to evaluate how this feature works out so expect changes if we deem them necessary.
We’re working on changing the search mechanism, as it’s producing results that are either erroneous, a bit too verbose, or simply not what users should expect or want. This is a known problem and we’re working to resolve it. In the meantime, making use of the triggers will allow for better results.