Why am I seeing this note?
While we’ve worked hard to make sure that when a Canary chirps, you know that it matters, some network devices will occasionally touch Canaries in ways that look a lot like attacker behaviour.
We want to let you know this is happening, but we also want to let you know that from our vantage point, this doesn’t look like a full-blown attack.
We use these tiny but visible annotations of alerts to let you know our thoughts.
ServiceNow is a SaaS-based product that provides organizations with technical management support. This includes asset discovery and inventory which causes ServiceNow modules to scan local networks.
So what does this mean?
If you have seen this annotation, we have deduced that the alert looks sufficiently like a port scan from ServiceNow. This does not mean that the event should be ignored.
We annotate it here as an attempt to add some context to why you may be seeing this incident.
You can add the source to an ignore list to avoid future alerts from this host, or mail support so we can help.