I’ve got a canary folder set up on my Windows 10 box in my Documents folder, and it’s triggered every time I log in. I’m not opening the folder; I’m just logging in.
Is that normal behavior?
I also had to whitelist a handful of domains to get the tokens to fire:
.mobile.pipe.aria.microsoft.com
.mobile.events.data.trafficmanager.net # CNAME for (mobile.pipe.aria.microsoft.com)
.onedscolprduks05.uksouth.cloudapp.azure.com # CNAME for (mobile.pipe.aria.microsoft.com)
.canarytokens.com
.api.mixpanel.com # I believe this is a part of canarytokens