Why am I seeing this?
While we’ve worked hard to make sure that when a Canary chirps, you know that it matters, some network devices will occasionally touch Canaries in ways that look a lot like attacker behaviour. We want to let you know this is happening, but we also want to let you know that from our vantage point, this doesn’t look like a full-blown attack. We use these small but visible annotations on the alert to let you know our assessment.
What causes these alerts?
Microsoft Defender periodically scans devices on your network as part of its automated endpoint detection efforts. These can trigger your Canary in different ways, depending on how it has been configured. These incidents are usually recognisable as they follow a certain pattern, so your console will attempt to annotate anything that looks like one of these routine scans.
Ignoring annotated alerts
Annotations allow us to reduce noise in the alert feed, while still keeping track of activity that hits your Canaries. When a user chooses to mark these annotated alerts as ignorable, they will no longer show up as incidents in your console. However, they are still recorded along with the usual incident data under the Ignored Alerts section in the Global Settings, categorised by annotation.
To distinguish scans originating from Microsoft Defender, we also rely on SIP being enabled on the Bird, as Defender makes a distinctive SIP connection during its scan. This provides a more reliable signal than relying on the standard port scan pattern alone.
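The following is an added illustration of the idea described above, not Canary's own annotation logic. It runs a hypothetical heuristic over a few constructed alert records: a source that touches several distinct services within a short window and also makes a SIP connection is annotated as a probable Microsoft Defender scan, while a source that only port-scans (no SIP) is left unannotated. A second function then shows how a user's "ignore this annotation" choice splits the feed into visible incidents and ignored alerts grouped by annotation, as the console does. The event shape, the window size and the service-count threshold are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, Canary service touched).
# These are not real Canary logs; their shape is an assumption for this example.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "10.0.0.5", "ssh"),
    ("2024-05-01T09:00:02", "10.0.0.5", "http"),
    ("2024-05-01T09:00:02", "10.0.0.5", "smb"),
    ("2024-05-01T09:00:04", "10.0.0.5", "sip"),    # SIP touch from the scanner
    ("2024-05-01T11:30:00", "10.0.0.77", "ssh"),   # lone SSH attempts, no scan pattern
    ("2024-05-01T11:31:00", "10.0.0.77", "ssh"),
    ("2024-05-01T13:00:00", "10.0.0.90", "smb"),   # port sweep but no SIP connection
    ("2024-05-01T13:00:01", "10.0.0.90", "http"),
    ("2024-05-01T13:00:01", "10.0.0.90", "ssh"),
]

DEFENDER_SCAN = "Microsoft Defender scan"
SCAN_WINDOW = timedelta(minutes=5)   # hypothetical: how close the touches must be
MIN_SERVICES = 3                     # hypothetical: distinct services incl. SIP


def _parse(ts):
    return datetime.fromisoformat(ts)


def annotate(events):
    """Return one dict per event with an 'annotation' field (None or DEFENDER_SCAN).

    Hypothetical heuristic: a SIP connection plus at least MIN_SERVICES distinct
    services from the same source inside SCAN_WINDOW looks like a Defender scan.
    A multi-port sweep without the SIP touch is NOT annotated, which is the point
    of relying on SIP rather than on the port scan alone.
    """
    by_src = defaultdict(list)
    for ts, src, svc in events:
        by_src[src].append((_parse(ts), svc))

    annotated = []
    for src, hits in by_src.items():
        hits.sort()
        flagged = set()
        for sip_t, svc in hits:
            if svc != "sip":
                continue
            window = [(t, s) for t, s in hits if abs(t - sip_t) <= SCAN_WINDOW]
            if len({s for _, s in window}) >= MIN_SERVICES:
                flagged.update(window)
        for t, svc in hits:
            annotated.append({
                "time": t,
                "source": src,
                "service": svc,
                "annotation": DEFENDER_SCAN if (t, svc) in flagged else None,
            })
    return annotated


def split_feed(annotated, ignored_annotations):
    """Apply the user's 'ignore' choice: annotated alerts whose annotation is in
    ignored_annotations leave the incident feed but are kept, grouped by
    annotation, the way the Ignored Alerts section keeps them."""
    visible = [e for e in annotated if e["annotation"] not in ignored_annotations]
    ignored = defaultdict(list)
    for e in annotated:
        if e["annotation"] in ignored_annotations:
            ignored[e["annotation"]].append(e)
    return visible, dict(ignored)


if __name__ == "__main__":
    feed = annotate(SAMPLE_EVENTS)
    visible, ignored = split_feed(feed, {DEFENDER_SCAN})
    for e in visible:
        print("INCIDENT", e["source"], e["service"], e["annotation"])
    for name, items in ignored.items():
        print(f"IGNORED [{name}]: {len(items)} alerts")
```

Note that 10.0.0.90 performs the same three-service sweep as the scanner but never touches SIP, so it stays in the incident feed: the heuristic deliberately errs toward surfacing a sweep rather than silently annotating every port scan as Defender.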
Follow the steps below to enable the SIP service on your Canary:
Step 1. Log in to your Console
Step 2. Select the Canary
Step 3. Configure Canary
Step 4. Enable SIP