[opencanary]: Sets all log message event.kind == alert leading to unwanted alert noise in Elastic Security #12911

@colin-stubbs

Description

Integration Name

OpenCanary [opencanary]

Dataset Name

opencanary.events

Integration Version

0.3.0

Agent Version

8.17.2

Agent Output Type

elasticsearch

Elasticsearch Version

9.0.0

OS Version and Architecture

Not Applicable

Software/API Version

All

Error Message

opencanary.events ingest pipeline contains this code,

  - set:
      description: Set event.kind
      tag: set_event_kind
      field: event.kind
      value:
        - alert
      ignore_failure: true

This sets ALL logs generated by OpenCanary with event.kind == alert.

This leads to the default External Alerts rule in Elastic Security generating unwanted noise alerts when OpenCanary honeypots restart.

The ingest pipeline should selectively set event.kind to "alert" ONLY when it's clear the log message is an actual canary interaction from a network client.

From the look of it we can do this using the log.logger field, as the boot time messages are IDs 1000-10006, e.g. translated as "LOG_BASE_MSG".

While Elastic Security exceptions can be made, it would be better if the integration just worked and didn't generate noise immediately.

Example noise:

Event Original

{
    "dst_host": "",
    "dst_port": -1,
    "local_time": "2025-02-24 16:45:09.388562",
    "local_time_adjusted": "2025-02-24 16:45:09.388591",
    "logdata": {
        "msg": {
            "logdata": "Added service from class CanaryFTP in opencanary.modules.ftp to fake"
        }
    },
    "logtype": 1001,
    "node_id": "opencanary-1",
    "src_host": "",
    "src_port": -1,
    "utc_time": "2025-02-24 16:45:09.388586"
}

and

{
    "dst_host": "",
    "dst_port": -1,
    "local_time": "2025-02-24 16:45:09.388754",
    "local_time_adjusted": "2025-02-24 16:45:09.388766",
    "logdata": {
        "msg": {
            "logdata": "Canary running!!!"
        }
    },
    "logtype": 1001,
    "node_id": "opencanary-1",
    "src_host": "",
    "src_port": -1,
    "utc_time": "2025-02-24 16:45:09.388762"
}

What did you do?

Deployed integration, received noise.

What did you see?

Noise.

What did you expect to see?

Not noise.

Anything else?

Setting "message" at the same time so that the default Elastic Security "Rule name override" will set a more useful alert description would be great. e.g. "OpenCanary triggered by 127.0.0.1 to port 21" etc.
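The selection logic the issue asks for, written out as an added example (not code from the OpenCanary integration, from Elastic, or from the issue author). It is a plain Python reference implementation rather than the ingest pipeline's Painless `if` condition, so it can be run offline against the two boot-time events quoted above plus one constructed FTP login attempt. It sets event.kind to "alert" only for real canary interactions and fills `message` in the form suggested above. Assumptions: the LOG_BASE_* logtype range is taken as 1000-1006 from OpenCanary's logger constants, and logtype 2000 is assumed for an FTP login attempt; both should be checked against opencanary/logger.py before porting the predicate to the pipeline.

```python
"""Reference implementation of selective event.kind for OpenCanary events.

Added example, not the integration's pipeline. Boot-time / operational
messages keep event.kind == "event"; only network interactions with a canary
service become event.kind == "alert".
"""

# Assumed from OpenCanary's logger constants (LOG_BASE_BOOT .. LOG_BASE_EXAMPLE):
# logtype IDs in this range are operational, not attacker activity.
BASE_LOGTYPES = range(1000, 1007)


def is_canary_interaction(ev: dict) -> bool:
    """True only when a network client touched a canary service.

    Two independent signals, both visible in the raw events quoted in the
    issue: operational messages carry a LOG_BASE_* logtype, and they have an
    empty src_host with src_port == -1. Requiring both to be absent keeps a
    mis-mapped logtype from silently turning a restart into an alert.
    """
    if ev.get("logtype") in BASE_LOGTYPES:
        return False
    if not ev.get("src_host") or ev.get("src_port", -1) < 0:
        return False
    return True


def enrich(ev: dict) -> dict:
    """Return the ECS-style fields the pipeline should set for one raw event."""
    out = {"event": {}, "opencanary": {"logtype": ev.get("logtype")}}
    if is_canary_interaction(ev):
        out["event"]["kind"] = "alert"
        # Human-readable summary for the Elastic Security rule-name override.
        out["message"] = f"OpenCanary triggered by {ev['src_host']} to port {ev['dst_port']}"
    else:
        out["event"]["kind"] = "event"
        # Keep the operational text so restarts remain searchable, just not alerting.
        out["message"] = ev.get("logdata", {}).get("msg", {}).get("logdata", "")
    return out


# The two boot-time events quoted in the issue (abbreviated to the fields used).
BOOT_MSG_1 = {
    "dst_host": "", "dst_port": -1, "logtype": 1001, "node_id": "opencanary-1",
    "src_host": "", "src_port": -1,
    "logdata": {"msg": {"logdata": "Added service from class CanaryFTP in opencanary.modules.ftp to fake"}},
}
BOOT_MSG_2 = {
    "dst_host": "", "dst_port": -1, "logtype": 1001, "node_id": "opencanary-1",
    "src_host": "", "src_port": -1,
    "logdata": {"msg": {"logdata": "Canary running!!!"}},
}
# Constructed sample of a real interaction: an FTP login attempt against the
# canary. logtype 2000 is assumed (LOG_FTP_LOGIN_ATTEMPT); not taken from the page.
FTP_LOGIN = {
    "dst_host": "10.0.0.5", "dst_port": 21, "logtype": 2000, "node_id": "opencanary-1",
    "src_host": "127.0.0.1", "src_port": 51234,
    "logdata": {"USERNAME": "admin", "PASSWORD": "admin"},
}


def classify(events: list) -> list:
    """Map each raw event to the event.kind the pipeline should assign."""
    return [enrich(ev)["event"]["kind"] for ev in events]


if __name__ == "__main__":
    for ev in (BOOT_MSG_1, BOOT_MSG_2, FTP_LOGIN):
        doc = enrich(ev)
        print(doc["event"]["kind"], "|", doc["message"])
```

Ported to the pipeline, the same predicate becomes the `if` condition on the `set` processor that writes event.kind (on whichever fields the integration maps logtype and the source endpoint to), with a second `set` building `message` from the source address and destination port.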
