Why am I seeing this note?
While we’ve worked hard to make sure that when a Canary chirps, you know that it matters, some network devices will occasionally touch Canaries in ways that look a lot like attacker behaviour. The same thing happens with Canarytokens.
We want to let you know this is happening, but we also want to let you know that from our vantage point, this doesn’t look like a full-blown attack.
We use these tiny but visible annotations of alerts to let you know our thoughts.
What's Palo Alto Wildfire?
Palo Alto Wildfire is a malware analysis engine that is used by Palo Alto Networks.
So what does this mean?
When your Palo Alto Networks appliance encounters suspicious Adobe PDF Documents, these documents are uploaded to Palo Alto Wildfire.
Palo Alto Wildfire will open and run these Canarytoken'ed documents in a sandbox to try to determine whether they are malicious (and in their view they are). When Wildfire opens these documents, it will trigger an alert that someone has opened your Adobe PDF Document Canarytoken.
If you have seen this annotation, we have deduced that the alert looks sufficiently like Palo Alto Wildfire opening and running your Canarytoken. This does not mean that the event should be ignored.
We annotate it here to add some context on why you may be seeing this incident.
If you are running Palo Alto Wildfire and it is preventing you from deploying tokens, you can add an exception in Palo Alto, or mail support so we can help you.