Description: When an Azure Entra ID Login Canarytoken is deployed on one of your Azure tenant's Entra ID login pages, you are notified whenever that page is hosted on another domain. This includes legitimate domains that are sometimes used internally. To ignore alerts coming from legitimate domains, you must add them to the "Domain ignore list" of the Canarytoken.
Note: The Domain ignore list used for Cloned CSS and Azure Entra ID Login Canarytokens is slightly different to the regex-based Ignore list used by the Cloned Web Canarytoken.
Follow the steps below to add a legitimate site to an Azure Entra ID Canarytoken "Domain ignore list":
Step 1:
Log in to your Console.
Step 2:
Select the Canarytokens tile.
Step 3:
Enter the name of the Azure Entra ID Login Canarytoken you want to update the ignore list on.
Step 4:
Select the token.
Step 5:
To add a specific entry to the ignore list, enter it in the "Domain ignore list" area, press "Enter" and click "Save".
Entries added to the Domain ignore list can be a specific URL or a subdomain. The entry supports:
- Wildcards (*) to create glob patterns. For example: *.inyoni-corp.com or *.dev.inyoni-corp.com
- Options lists to ignore any string in a list. For example: (subA|subB|subC).inyoni-corp.com matches any one of the options: subA.inyoni-corp.com, subB.inyoni-corp.com or subC.inyoni-corp.com.
- Protocol matching by making use of the '^' prefix. For example: ^http(s|)://inyoni-corp.com will match both http://inyoni-corp.com and https://inyoni-corp.com. The same works for other protocols, such as ^file://* to match file://webdev/inyoni-corp/index.html.
Step 6:
If you have many subdomains you would like to add to the ignore list, on both http & https, then using a wildcard (*) with the protocol prefix (^) is a more suitable approach, for example:
^http(s|)://*.inyoni-corp.com
This will exclude entries like https://staging.inyoni-corp.com and http://pre-prod.test.inyoni-corp.com from alerts.
Add the entry, press "Enter", then press "Save" to apply the changes.
Now you shouldn't be receiving any more alerts from those legitimate domains.
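Before saving a broad entry, it helps to check which hosts it would silence. The script below is an added example, not Thinkst code: it models the wildcard, options-list and '^' syntax described above under two stated assumptions (entries without '^' are compared against the whole hostname, and '^' entries are compared from the scheme onward with an optional path), and all function names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Entries use the syntax from this page; the URLs are constructed sample data.
ENTRIES = ["(subA|subB|subC).inyoni-corp.com", "^http(s|)://*.inyoni-corp.com", "^file://*"]
SAMPLE_URLS = [
    "https://staging.inyoni-corp.com",
    "http://pre-prod.test.inyoni-corp.com",
    "https://subB.inyoni-corp.com/login",
    "file://webdev/inyoni-corp/index.html",
    "https://inyoni-corp.com",                    # bare apex: not covered by *.inyoni-corp.com
    "https://login.inyoni-corp.com.example.net",  # a host you do not own: must keep alerting
]

def compile_entry(entry):
    """Translate one ignore-list entry into (anchored, regex source)."""
    anchored = entry.startswith("^")
    body = entry[1:] if anchored else entry
    parts = []
    for ch in body:
        if ch == "*":
            parts.append(".*")           # glob wildcard
        elif ch in "(|)":
            parts.append(ch)             # options list maps onto regex alternation
        else:
            parts.append(re.escape(ch))  # everything else is literal, including '.'
    return anchored, "(?:" + "".join(parts) + ")"

def matching_entry(url, entries=ENTRIES):
    """Return the first entry that would ignore `url`, or None if it still alerts."""
    host = urlsplit(url).hostname or ""
    for entry in entries:
        anchored, source = compile_entry(entry)
        if anchored:
            # Assumption: '^' entries match from the scheme; a path may follow.
            hit = re.fullmatch(source + r"(/.*)?", url, re.IGNORECASE)
        else:
            # Assumption: entries without '^' must match the whole hostname.
            hit = re.fullmatch(source, host, re.IGNORECASE)
        if hit:
            return entry
    return None

def audit(entries=ENTRIES, urls=SAMPLE_URLS):
    """Map each URL to the entry that suppresses its alert (None = still alerts)."""
    return {url: matching_entry(url, entries) for url in urls}

if __name__ == "__main__":
    for url, entry in audit().items():
        print(f"{url:45} -> {entry or 'STILL ALERTS'}")
```

Any URL reported as ignored that is not a site you operate means the entry is too broad and should be narrowed before you save it.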
You're done! ;-)