Why am I seeing this note?
While we’ve worked hard to make sure that when a Canary chirps, you know that it matters, some network devices will occasionally touch Canaries in ways that look a lot like attacker behaviour. We want to let you know this is happening, but we also want to let you know that from our vantage-point, this doesn’t look like a full-blown attack. We add these tiny but visible annotations to alerts to let you know our thoughts.
What’s an Azure ATP Scan?
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organisation.
If you have seen this annotation, we have deduced that the activity detected by this Canary looks sufficiently like an Azure ATP scan. This does not mean that the event should be ignored. The scan is easy enough to mimic so could be used to mask actual malicious activity. We annotate it here as an attempt to add some context to why you might have seen it.
Before adding this to your ignore list, it's worth confirming if the Source IP is expected to be running Azure ATP scans. If it is, you can easily ignore this by adding a specific entry to your ignore list similar to the below:
10.0.0.20:3389 # Azure ATP Scan
(Note: in the above example we are presuming that the Source IP is 10.0.0.20)