Hello @Dan Schneider ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I checked internally and could find another customer who reported the same issue and below are the details for your reference:
IP 168.63.129.16 is an Azure Wire Server IP, and the doc below explains what it is used for.
https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16
One of the main components running by the IP address is the Azure Guest Agent.
The Microsoft Azure Virtual Machine Agent (VM Agent) is a secure, lightweight process that manages virtual machine (VM) interaction with the Azure Fabric Controller. The guest agent will communicate with the Azure Fabric Controller continuously to share the status of your virtual machine.
The doc below explains what the Guest Agent is and what automatic logs are collected from the VM:
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-windows#windows-guest-agent-automatic-logs-collection
From the above 2 points, we can validate why the IP address attempted a probe to the VM and, as the notification implies, the probe was to identify the operating system.
We have also checked the Trend Micro document regarding this issue, and the document below explains the alert triggered in this incident.
https://help.deepsecurity.trendmicro.com/10_1/aws/Events-Alerts/reconnaissance-detected.html#:~:text=Types%20of%20reconnaissance%20scans&text=Computer%20OS%20Fingerprint%20Probe%3A%20The,ratio%20of%20IPs%20to%20ports
From the triggered notification,
The incident level is Warning.
The scan type is: Computer OS Fingerprint Probe: The agent or appliance detects an attempt to discover the computer's OS.
It mentions that the IP attempted to identify the Operating System.
Also, the document has the below suggested actions.
When you receive a Reconnaissance Detected alert, double-click it to display more detailed information, including the IP address that is performing the scan. Then, you can try one of these suggested actions:
The alert may be caused by a scan that is not malicious. If the IP address listed in the alert is known to you and the traffic is okay, you can add the IP address to the reconnaissance allow list.
If we check the Scope of the Wire Server IP, the communication between this special IP address and the resources is safe because only the internal Azure platform can source a message from this IP address.
https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16#scope-of-ip-address-1686312916
Per the suggested actions, you can authorize the Wire Server IP address in your tool because, if this address is blocked, unexpected behavior can occur in a variety of scenarios. 168.63.129.16 is a virtual IP of the host node and as such it is not subject to user defined routes.
However, if you would like to do a deeper investigation on this issue, I request that you file a support ticket; otherwise, please do let us know and we will try to help you get one-time free technical support.
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.