
[opencanary]: Sets all log message event.kind == alert leading to unwanted alert noise in Elastic Security #12911

Open
colin-stubbs opened this issue Feb 26, 2025 · 1 comment
Labels
Integration:opencanary OpenCanary mapping/pipeline issue needs:triage Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] Team:Sit-Crest

Comments

@colin-stubbs
Contributor

colin-stubbs commented Feb 26, 2025

Integration Name

OpenCanary [opencanary]

Dataset Name

opencanary.events

Integration Version

0.3.0

Agent Version

8.17.2

Agent Output Type

elasticsearch

Elasticsearch Version

9.0.0

OS Version and Architecture

Not Applicable

Software/API Version

All

Error Message

The opencanary.events ingest pipeline contains this code:

  - set:
      description: Set event.kind
      tag: set_event_kind
      field: event.kind
      value:
        - alert
      ignore_failure: true

This sets ALL logs generated by OpenCanary with event.kind == alert.

This leads to the default External Alerts rule in Elastic Security generating unwanted noise alerts when OpenCanary honeypots restart.

The ingest pipeline should selectively set event.kind to "alert" ONLY when it's clear the log message is an actual canary interaction from a network client.

From the look of it we can do this using the log.logger field, as the boot-time messages are IDs 1000-10006, e.g. translated as "LOG_BASE_MSG".

While Elastic Security exceptions can be made, it would be better if the integration just worked and didn't generate noise immediately.

Example noise:

[screenshot not included]

Event Original

{
    "dst_host": "",
    "dst_port": -1,
    "local_time": "2025-02-24 16:45:09.388562",
    "local_time_adjusted": "2025-02-24 16:45:09.388591",
    "logdata": {
        "msg": {
            "logdata": "Added service from class CanaryFTP in opencanary.modules.ftp to fake"
        }
    },
    "logtype": 1001,
    "node_id": "opencanary-1",
    "src_host": "",
    "src_port": -1,
    "utc_time": "2025-02-24 16:45:09.388586"
}

and

{
    "dst_host": "",
    "dst_port": -1,
    "local_time": "2025-02-24 16:45:09.388754",
    "local_time_adjusted": "2025-02-24 16:45:09.388766",
    "logdata": {
        "msg": {
            "logdata": "Canary running!!!"
        }
    },
    "logtype": 1001,
    "node_id": "opencanary-1",
    "src_host": "",
    "src_port": -1,
    "utc_time": "2025-02-24 16:45:09.388762"
}

What did you do?

Deployed integration, received noise.

What did you see?

Noise.

What did you expect to see?

Not noise.

Anything else?

Setting "message" at the same time, so that the default Elastic Security "Rule name override" sets a more useful alert description, would be great, e.g. "OpenCanary triggered by 127.0.0.1 to port 21" etc.
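As an added example (not code from this issue, from OpenCanary, or from the Elastic integration), the selection logic the report asks for, written in Python so it can be run against sample events. It assumes that any logtype in the 1000 series is a base/boot-time message (the "LOG_BASE_*" range the report refers to) and additionally requires a real source endpoint, since the two boot records above carry src_host "" and src_port -1, before tagging event.kind as alert; every other record gets the ECS kind "event". The sample events are constructed, and the "OpenCanary triggered by ... to port ..." message follows the wording suggested in the report.

```python
import copy

# Logtypes in the 1000 series are treated as OpenCanary's base/boot-time
# messages (the "LOG_BASE_*" range the report points at). Assumption for
# this example: service modules log client activity outside that range.
BASE_LOGTYPE_MIN = 1000
BASE_LOGTYPE_MAX = 1999


def is_base_message(event: dict) -> bool:
    """True for boot/housekeeping records that carry no client interaction."""
    logtype = event.get("logtype")
    return isinstance(logtype, int) and BASE_LOGTYPE_MIN <= logtype <= BASE_LOGTYPE_MAX


def is_client_interaction(event: dict) -> bool:
    """True only when a network client actually touched a canary service:
    a non-base logtype plus a real source endpoint (boot records have
    src_host "" and src_port -1, as in the issue's samples)."""
    if is_base_message(event):
        return False
    src_host = event.get("src_host") or ""
    src_port = event.get("src_port", -1)
    return bool(src_host) and isinstance(src_port, int) and src_port >= 0


def base_message_text(event: dict) -> str:
    """Pull the free-text line out of logdata.msg.logdata when present."""
    logdata = event.get("logdata")
    if not isinstance(logdata, dict):
        return ""
    msg = logdata.get("msg", {})
    if isinstance(msg, dict):
        return str(msg.get("logdata", ""))
    return str(msg)


def enrich(event: dict) -> dict:
    """Return a copy with event.kind and message set the way the report asks:
    'alert' only for real interactions, otherwise the ECS kind 'event'."""
    out = copy.deepcopy(event)
    if is_client_interaction(event):
        out["event"] = {"kind": "alert"}
        out["message"] = (
            f"OpenCanary triggered by {event['src_host']} to port {event.get('dst_port')}"
        )
    else:
        out["event"] = {"kind": "event"}
        out["message"] = base_message_text(event) or f"OpenCanary logtype {event.get('logtype')}"
    return out


def alert_count(events: list) -> int:
    """How many records would reach an event.kind:alert rule after enrichment."""
    return sum(1 for e in events if enrich(e)["event"]["kind"] == "alert")


# Constructed sample events (not from a live honeypot), modelled on the
# boot-time record in the report plus one FTP login attempt. logtype 2000
# is simply a constructed non-base value here.
BOOT_EVENT = {
    "dst_host": "", "dst_port": -1, "logtype": 1001, "node_id": "opencanary-1",
    "src_host": "", "src_port": -1,
    "logdata": {"msg": {"logdata": "Canary running!!!"}},
    "utc_time": "2025-02-24 16:45:09.388762",
}
FTP_EVENT = {
    "dst_host": "10.0.0.5", "dst_port": 21, "logtype": 2000, "node_id": "opencanary-1",
    "src_host": "127.0.0.1", "src_port": 51234,
    "logdata": {"USERNAME": "anonymous", "PASSWORD": "guest"},
    "utc_time": "2025-02-24 16:47:01.000000",
}
# A service-range logtype with no client endpoint should still not alert.
ORPHAN_EVENT = {"dst_port": 21, "logtype": 2000, "src_host": "", "src_port": -1}

if __name__ == "__main__":
    for ev in (BOOT_EVENT, FTP_EVENT, ORPHAN_EVENT):
        enriched = enrich(ev)
        print(enriched["event"]["kind"], "-", enriched["message"])
    print("alerts:", alert_count([BOOT_EVENT, FTP_EVENT, ORPHAN_EVENT]))
```

In the integration's ingest pipeline the same decision would become a condition on the `set` processor rather than an unconditional `value: alert`; records that end up with any other event.kind no longer match the External Alerts rule, so honeypot restarts stop producing alerts while genuine client interactions still do.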

@jamiehynds jamiehynds added Integration:opencanary OpenCanary Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] labels Feb 27, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

colin-stubbs added a commit to routedlogic/integrations that referenced this issue Feb 28, 2025