Each time a tracked document is opened, Signal Canary captures detailed information about the access event. Here's everything you can learn from each document open.
Data Captured on Each Access
| Data Point | Description | Example |
|---|---|---|
| Timestamp | Exact date and time of access | Dec 20, 2024 at 2:34 PM UTC |
| IP Address | Network address of the viewer | 203.45.67.89 |
| City | Approximate city location | San Francisco |
| Region | State, province, or region | California |
| Country | Country of origin | United States |
| Device Type | Desktop, mobile, or tablet | Desktop |
| Operating System | OS name and version | Windows 11 |
| Browser/App | Application used to open document | Microsoft Word 16.0 |
| Repeat Opens | Number of times opened | 3 opens from same IP |
Organization Detection
Signal Canary attempts to identify the organization behind each access:
- Company Name - Identified from IP registration data
- ASN (Network Owner) - The organization that owns the IP range
- Network Type - Corporate, ISP, cloud provider, VPN, etc.
Organization detection works best for corporate IPs. Residential ISP users and VPN users will show the ISP or VPN provider instead of their employer.
Network Type Classifications
| Type | What It Means |
|---|---|
| Corporate | Direct company network - high confidence identification |
| ISP | Residential or small business internet provider |
| Cloud | AWS, Azure, GCP - may be automated or proxied |
| VPN | VPN service - true location hidden |
| TOR | Anonymizing network - origin intentionally hidden |
Device Information
The User-Agent string reveals details about how the document was opened:
- Application - PDF reader, Word, browser, etc.
- Version - Specific version of the application
- Operating System - Windows, macOS, Linux, iOS, Android
- Device Type - Desktop, laptop, tablet, or mobile phone
Device information can help distinguish between human access (desktop Word) and automated scanning (cloud-based security tools).
Understanding Your Data
What Indicates Human Access
- Corporate IP address
- Desktop device with standard office software
- Access during business hours
- Single access or reasonable number of opens
What May Indicate Automated Access
- Cloud provider IP (AWS, Azure)
- Multiple rapid-fire accesses
- Non-standard User-Agent strings
- Access from security scanning services
Signal Canary helps identify access patterns, but cannot definitively prove who opened a document. Always consider the full context when interpreting access data.