A canary file is a monitored file that sends an email alert when an application accesses it and has read a set percentage of its contents. By default, canary files are not protected from writes unless write protection is enabled in the rule.
Rule name - Name of the rule
Target file folder - This is the folder that contains the file to be monitored
Target file name - The name of the file to be monitored (currently, this needs to be manually entered)
Write protect this file - If set, the file cannot be modified. If an application does attempt to modify the file, these modifications will be silently blocked.
Email address(es) - Here you can specify the email address to send the notification to. If multiple addresses are required, separate with a comma (,).
Message - The message that is to be sent along with the notification.
Advanced - Create a canary file from the terminal
ANVIL/{7d975523-8ac8-45cd-abf5-baf4e62b4d09}[C:]>create -t:canary_file
The name of this alert [Canary file, monitor file access]>
The base folder, for the target file. >\My Important Files\
The target file, it must be relative to the attached rule's folder. >Important File.txt
Write protect the file [N]>n
The contact email address(es) (+ or - values to existing line, use "?" for more info) >warning@email.com
The percentage of the file read before triggering (0 percent will report ANY read access) [50]>
The message to be displayed in the email notification >Someone is accessing my important file!
When creating a canary file from the terminal, you can also specify the percentage of the file that needs to be read before an alert is sent.
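To make the trigger rules concrete, the following is an added example that models the canary rule from the terminal session above: a cumulative read percentage compared against the threshold (where 0 percent reports any read), a single alert per rule, comma-separated recipients, and silent blocking of writes when write protection is set. It is not ANVIL code; the CanaryRule fields, the alert dictionary, the process names and the 1000-byte file size are assumptions constructed for illustration.

```python
# Added example: a toy model of canary-file alerting. Not ANVIL code; the
# rule fields, alert layout and sample accesses are constructed assumptions.
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def parse_emails(text: str) -> List[str]:
    """Split a comma-separated address list, trimming blanks and dropping empties."""
    return [addr.strip() for addr in text.split(",") if addr.strip()]


@dataclass
class CanaryRule:
    name: str
    folder: str                    # "Target file folder"
    file_name: str                 # "Target file name", relative to folder
    size_bytes: int                # size of the monitored file (assumed known)
    emails: List[str]
    message: str
    write_protect: bool = False
    read_threshold_pct: int = 50   # default offered by the terminal prompt
    bytes_read: int = 0
    alerted: bool = False
    alerts: List[Dict] = field(default_factory=list)

    @property
    def path(self) -> str:
        # The target file is resolved relative to the rule's folder.
        return ntpath.join(self.folder, self.file_name)


def on_read(rule: CanaryRule, nbytes: int, process: str) -> Optional[Dict]:
    """Record a read of nbytes by `process`; return an alert the first time the threshold is crossed."""
    if nbytes <= 0:
        return None
    rule.bytes_read += nbytes
    if rule.alerted:
        return None                # one notification per rule
    pct_read = 100.0 * rule.bytes_read / rule.size_bytes if rule.size_bytes else 100.0
    # 0 percent reports ANY read access; otherwise the cumulative amount read
    # must reach the configured percentage.
    if rule.read_threshold_pct == 0 or pct_read >= rule.read_threshold_pct:
        rule.alerted = True
        alert = {"to": rule.emails, "rule": rule.name, "file": rule.path,
                 "process": process, "percent_read": round(pct_read, 1),
                 "message": rule.message}
        rule.alerts.append(alert)
        return alert
    return None


def on_write(rule: CanaryRule, process: str) -> bool:
    """Return whether the write proceeds; write-protected canaries block it silently (no alert)."""
    return not rule.write_protect


def demo() -> Dict:
    """Replay the rule from the terminal session against constructed accesses."""
    rule = CanaryRule(
        name="Canary file, monitor file access",
        folder="\\My Important Files\\",
        file_name="Important File.txt",
        size_bytes=1000,                              # constructed file size
        emails=parse_emails("warning@email.com"),
        message="Someone is accessing my important file!",
        read_threshold_pct=50,
    )
    first = on_read(rule, 400, "notepad.exe")    # 40% read: below threshold
    second = on_read(rule, 200, "notepad.exe")   # 60% cumulative: alert fires
    third = on_read(rule, 400, "notepad.exe")    # already alerted: no duplicate

    any_read = CanaryRule(name="any-read", folder="\\tmp\\", file_name="c.txt",
                          size_bytes=1000, emails=["a@example.org"], message="m",
                          read_threshold_pct=0)
    zero_pct = on_read(any_read, 1, "cmd.exe")   # a single byte is enough at 0%

    protected = CanaryRule(name="protected", folder="\\tmp\\", file_name="p.txt",
                           size_bytes=10, emails=["a@example.org"], message="m",
                           write_protect=True)
    return {"first": first, "second": second, "third": third,
            "zero_pct": zero_pct, "alert_count": len(rule.alerts),
            "write_allowed": on_write(rule, "notepad.exe"),
            "write_blocked": on_write(protected, "notepad.exe")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The model tracks cumulative bytes read rather than the size of a single read, so an application that pulls the file in small chunks still crosses the threshold; the write-protect path returns False without producing an alert, matching the silent block described for the Write protect option.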
Canary files vs Intrusion detection