Why am I seeing this?
Many security teams rely on vulnerability scanners to identify exposed systems and risky configurations. These scanners like Tenable Nessus, Rapid7, and Qualys will interact with Canaries in a way that can look like attacker behaviour.
In the event that we are able to fingerprint a known scanner we will send you an additional vulnerability scanner alert, these alerts use events from multiple services on the Canary to create a single high-fidelity alert. This feature can help detect unauthorised or unexpected vulnerability scanners or help you identify the originating IP address for your configured scanners.
Ignoring alerts from the scanner
To prevent noise from a known scanner, you may want to ignore alerts from the scanner's IP address. You can do this by hitting Ignore scanner IP on the alert and ignoring the IP or following our our more detailed guide for ignoring IPs and specific ports.