Why am I seeing this note?
While we’ve worked hard to make sure that when a Canary chirps, you know that it matters, some network devices will occasionally touch Canaries in ways that look a lot like attacker behaviour. The same thing happens with Canarytokens (essentially Canarytokens that contain macros)
We want to let you know this is happening, but we also want to let you know that from our vantage point, this doesn’t look like a full-blown attack.
We use these tiny but visible annotations of alerts to let you know our thoughts.
What's Palo Alto Wildfire?
Palo Alto Wildfire is a malware analysis engine that is used by Palo Alto Networks. When your Palo Alto Network's appliance encounters MS Word or MS Excel documents that contain macros, these documents are uploaded to Palo Alto Wildfire.
Palo Alto Wildfire will open and run these Canarytoken'ed documents in a sandbox to try to determine whether they are malicious (and in their view they are). When Wildfire opens these documents and subsequently runs their macros, it will trigger an alert that someone has opened your MS Word or MS Excel Macro'ed Canarytoken.
If you have seen this annotation, we have deduced that the alert looks sufficiently like Palo Alto Wildfire opening and running your Canarytoken. This does not mean that the event should be ignored.
We annotate it here as an attempt to add some context to why you may be seeing this incident.
If you are running Palo Alto Wildfire, please mail support so we can help you.