Microsoft Defender Alerts Triggered by Authorized CA Configuration Automation Scanning

Article ID: 440219

Products

CA Configuration Automation

Issue/Introduction

When performing authorized server scans using CA Configuration Automation, security alerts are triggered in Microsoft Defender for Endpoint. Observed activities flagged as suspicious include:

  • Multiple SSH sessions from the management server to production nodes.
  • Automated SCP file transfers.
  • Execution of temporary scripts/binaries, specifically in the /tmp/ directory (e.g., /tmp/ToUTF8).

Alerts may classify these actions as "Suspicious lateral movement," "Remote service execution," or "Malicious file behavior."

Environment

Configuration Automation 12.9
Microsoft Defender for Endpoint

Resolution

Create alert suppression rules in Microsoft 365 Defender scoped to this Configuration Automation server and to these specific actions (SSH, SCP, and execution of /tmp/ToUTF8), so that only the scanner's own activity is suppressed.

  1. Open the Microsoft 365 Defender portal.

  2. Navigate to Settings - Endpoints - Alerts - Alert suppression rules.

  3. Add a suppression rule and configure it with the following details:

     • Process name: CCAServer.exe (or CCAGridNode.exe)
     • Action: Suppress alert
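The point of scoping the rule to the Configuration Automation server and its processes is that an SSH session, SCP transfer or /tmp/ToUTF8 execution from any other host or process must still raise an alert. The following script is an added example, not Broadcom's code and not the Defender rule engine; it models that matching logic over a few constructed alert records so the scope of the rule can be checked before it is applied. The hostname cca-mgmt01 and the alert field names are assumptions; the process names and the /tmp/ToUTF8 path come from the article.

```python
"""Model of a narrowly scoped Defender alert suppression rule for authorized
CA Configuration Automation scans (added example, not the product's code).

A record is suppressed only when all three conditions hold:
  - it originates from the Configuration Automation management server,
  - the initiating process is CCAServer.exe or CCAGridNode.exe,
  - the flagged action is one the scanner is known to perform (SSH session,
    SCP transfer, or execution of /tmp/ToUTF8).
Everything else is kept, so genuine lateral movement is still surfaced.
"""
from dataclasses import dataclass

# Hostname of the Configuration Automation server: an assumption for this example.
CCA_MANAGEMENT_SERVER = "cca-mgmt01"
# Process names from the article's suppression rule (compared case-insensitively).
ALLOWED_PROCESSES = {"ccaserver.exe", "ccagridnode.exe"}
# Scanner actions the article lists as falsely flagged.
ALLOWED_ACTIONS = {"ssh_session", "scp_transfer"}
# Temporary binary the scanner executes; Linux paths are case-sensitive.
ALLOWED_TEMP_BINARIES = {"/tmp/ToUTF8"}


@dataclass(frozen=True)
class Alert:
    """Minimal alert record; field names are assumed, not Defender's schema."""
    alert_id: str
    title: str
    source_host: str        # machine that initiated the activity
    initiating_process: str
    action: str             # "ssh_session", "scp_transfer" or "exec"
    target_path: str = ""   # executed file when action == "exec"


def matches_suppression_rule(alert: Alert) -> bool:
    """True only when host, process and action all fall inside the rule's scope."""
    if alert.source_host.lower() != CCA_MANAGEMENT_SERVER:
        return False
    if alert.initiating_process.lower() not in ALLOWED_PROCESSES:
        return False
    if alert.action in ALLOWED_ACTIONS:
        return True
    if alert.action == "exec":
        return alert.target_path in ALLOWED_TEMP_BINARIES
    return False


def triage(alerts):
    """Split alerts into (suppressed_ids, kept_ids) preserving input order."""
    suppressed, kept = [], []
    for alert in alerts:
        (suppressed if matches_suppression_rule(alert) else kept).append(alert.alert_id)
    return suppressed, kept


# Constructed sample alerts: the first three mirror the article's scanner activity,
# the last two are look-alikes from outside the rule's scope and must be kept.
SAMPLE_ALERTS = [
    Alert("A1", "Suspicious lateral movement", "cca-mgmt01", "CCAServer.exe", "ssh_session"),
    Alert("A2", "Remote service execution", "cca-mgmt01", "CCAGridNode.exe", "scp_transfer"),
    Alert("A3", "Malicious file behavior", "cca-mgmt01", "CCAServer.exe", "exec", "/tmp/ToUTF8"),
    Alert("A4", "Malicious file behavior", "workstation42", "bash", "exec", "/tmp/ToUTF8"),
    Alert("A5", "Suspicious lateral movement", "cca-mgmt01", "powershell.exe", "ssh_session"),
]

if __name__ == "__main__":
    suppressed_ids, kept_ids = triage(SAMPLE_ALERTS)
    print("suppressed:", suppressed_ids)  # A1, A2, A3
    print("kept:      ", kept_ids)        # A4, A5
```

Alert A4 shows why the rule is keyed on the originating host and process rather than on the file path alone: the same /tmp/ToUTF8 execution from another machine still reaches an analyst. A5 shows that a different process on the management server is likewise not covered.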