Why am I seeing this note?
While we've worked hard to make sure that when a Canary chirps, you know that it matters, some network devices will occasionally touch Canaries in ways that look a lot like attacker behaviour. We want to let you know this is happening, but we also want to let you know that from our vantage point, this doesn't look like a full-blown attack. We add these tiny but visible annotations to alerts to let you know our thoughts.
What's a Microsoft Defender for Identity Scan?
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organisation.
If you have seen this annotation, we have deduced that the activity detected by this Canary looks sufficiently like a Microsoft Defender for Identity scan. This does not mean that the event should be ignored. The scan is easy enough to mimic, so it could be used to mask actual malicious activity. We annotate it here as an attempt to add some context to why you might have seen it.
Before adding this to your ignore list, it's worth confirming whether the Source IP is expected to be running Microsoft Defender for Identity scans. If it is, you can easily ignore this by adding a specific entry to your ignore list similar to the below:
10.0.0.20:3389 # Microsoft Defender for Identity Scan
In the above example we are presuming that the Source IP is 10.0.0.20.
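To make the "confirm the Source IP first" step repeatable, here is an added example (not Canary's own code) that parses ignore-list lines in the ip:port # comment form shown above and only suppresses an alert when the entry matches and the source is on a list of hosts you have confirmed run Microsoft Defender for Identity scans. The line format, the sample entries beyond 10.0.0.20:3389 and the EXPECTED_MDI_SCANNERS set are assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IgnoreEntry:
    ip: ipaddress.IPv4Address
    port: int
    comment: str


def parse_ignore_list(text: str) -> list[IgnoreEntry]:
    """Parse lines of the form '10.0.0.20:3389 # comment'.

    Blank and comment-only lines are skipped; a malformed line raises so a
    typo never silently turns into an entry that matches nothing (or the
    wrong thing). The format is assumed from the single example on the page.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line, _, comment = raw.partition("#")
        line = line.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit() or not 0 < int(port) <= 65535:
            raise ValueError(f"line {lineno}: expected ip:port, got {raw!r}")
        entries.append(IgnoreEntry(ipaddress.IPv4Address(host), int(port), comment.strip()))
    return entries


def should_suppress(src_ip: str, dst_port: int, entries, expected_scanners) -> bool:
    """Suppress only when the source is a confirmed MDI scanner host AND an
    ignore entry covers exactly this ip:port. Anything else stays an alert."""
    ip = ipaddress.IPv4Address(src_ip)
    if ip not in {ipaddress.IPv4Address(s) for s in expected_scanners}:
        return False
    return any(e.ip == ip and e.port == dst_port for e in entries)


# Constructed sample data: the 10.0.0.20:3389 entry is the page's example,
# the 445 entry and the scanner set are made up for this demonstration.
SAMPLE_IGNORE_LIST = """
# Canary ignore list (constructed sample)
10.0.0.20:3389 # Microsoft Defender for Identity Scan
10.0.0.20:445  # Microsoft Defender for Identity Scan
"""
EXPECTED_MDI_SCANNERS = {"10.0.0.20"}
```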