DefenderAdmin (Brass Contributor), Nov 30, 2022
Honeytoken alerts FP
Hi! We have had a lot of "Honeytoken activity" alerts since 23.11.2022, starting in the evening (MET timezone). Normally, in the past this kind of alert only appeared during planned penetration tests and ...
Alexander Bunk (Copper Contributor), Dec 30, 2022
We have the same experience. Any updates on this?
Jacampbell (Microsoft), Jan 27, 2023
Hey - have you opened a support ticket?
- DefenderAdmin (Brass Contributor), Jan 27, 2023
No, I didn't open a support ticket yet. I was hoping that an agent update would solve the issue, which hasn't happened yet. But to be honest, I don't have the time or nerve right now for handling a Microsoft ticket case with some Indian MS supporter...
- Jacampbell (Microsoft), Jan 27, 2023
So LDAP and SAMR detections were added to the Honeytoken tagged entities. Points to note with this:
- There will never be a false positive scenario for the honeytoken, despite that being an option under the manage alert drop-down in M365.
- We cannot exclude the device for this Honeytoken activity.
Please review EVERY tool that is associated with LDAP and SAMR and queries users. If any tool or service queries a Honeytoken tagged account, it will create an activity. So based on the frequency of your activity, you should be able to narrow down what service/tool is querying the users on these trusted domains. Does any service/tool come to mind?
- waydaws (Copper Contributor), Jan 30, 2023
This change moves honeytoken accounts from something that one knew was unlikely to be a false positive to one which will have many false positives, going by the SAM-R and LDAP alerts that are populated by vulnerability scanners, products like Tanium, and users that use the /domain switch to the net command.
You already had reconnaissance alerts. The honeytoken accounts were for direct authentication attempts using them, which is the traditional purpose for them. I can't see a good reason to do this.
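Taking Jacampbell's advice above (narrow the querying service down by the frequency of the activity) together with waydaws's list of usual LDAP/SAM-R sources, here is an added triage script. It is not part of this thread and not Microsoft's tooling: it assumes you can export the honeytoken activity evidence (or your DC LDAP/SAMR logs) into records with a timestamp, the querying host, the protocol and the queried account. Those field names, the host names and the honeytoken account names are constructed for the example, not MDI's schema.

```python
"""Triage helper for honeytoken LDAP/SAMR activity (added example, not Microsoft's code).

Groups every query against a honeytoken-tagged account by the host that issued it and
flags hosts whose hits arrive at a near-constant interval: those are the scheduled
scanners/inventory agents Jacampbell asks you to hunt for, while one-off hits from
workstations are the ones a person should look at.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Accounts tagged as honeytokens in the portal (constructed names).
HONEYTOKENS = {"svc-honey", "admin-decoy"}

# Constructed sample records; field names are an assumption, not the real export format.
SAMPLE_EVENTS = [
    {"time": "2023-01-23T18:00:05", "source": "SCANNER01", "protocol": "LDAP", "account": "CORP\\svc-honey"},
    {"time": "2023-01-23T18:00:05", "source": "SCANNER01", "protocol": "LDAP", "account": "CORP\\jdoe"},
    {"time": "2023-01-24T18:00:07", "source": "SCANNER01", "protocol": "LDAP", "account": "CORP\\svc-honey"},
    {"time": "2023-01-25T18:00:04", "source": "SCANNER01", "protocol": "LDAP", "account": "CORP\\svc-honey"},
    {"time": "2023-01-26T18:00:06", "source": "SCANNER01", "protocol": "LDAP", "account": "CORP\\svc-honey"},
    {"time": "2023-01-25T00:10:00", "source": "INV-AGENT", "protocol": "SAMR", "account": "admin-decoy@corp.example"},
    {"time": "2023-01-25T06:10:00", "source": "INV-AGENT", "protocol": "SAMR", "account": "admin-decoy@corp.example"},
    {"time": "2023-01-25T12:10:00", "source": "INV-AGENT", "protocol": "SAMR", "account": "admin-decoy@corp.example"},
    {"time": "2023-01-25T18:10:00", "source": "INV-AGENT", "protocol": "SAMR", "account": "admin-decoy@corp.example"},
    {"time": "2023-01-24T10:00:00", "source": "DC02", "protocol": "LDAP", "account": "svc-honey"},
    {"time": "2023-01-26T15:30:00", "source": "DC02", "protocol": "LDAP", "account": "svc-honey"},
    {"time": "2023-01-26T09:41:13", "source": "WS-1042", "protocol": "SAMR", "account": "Admin-Decoy"},
]


def normalize_account(name):
    """Strip DOMAIN\\ and @domain decorations and lower-case so spellings compare equal."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.lower()


def honeytoken_events(events, honeytokens=HONEYTOKENS):
    """Keep only the queries that touched a honeytoken-tagged account."""
    wanted = {h.lower() for h in honeytokens}
    return [e for e in events if normalize_account(e["account"]) in wanted]


def cadence_verdict(times, min_hits=3, jitter=timedelta(minutes=15)):
    """'periodic' when there are enough hits and every gap sits close to the median gap
    (a scheduled tool); otherwise 'investigate'."""
    if len(times) < min_hits:
        return "investigate"
    gaps = [b - a for a, b in zip(times, times[1:])]
    typical = median(gaps)
    if all(abs(g - typical) <= jitter for g in gaps):
        return "periodic"
    return "investigate"


def summarize(events, honeytokens=HONEYTOKENS):
    """Per querying host: hit count, protocols, accounts, first/last seen and a verdict."""
    by_source = defaultdict(list)
    for e in honeytoken_events(events, honeytokens):
        by_source[e["source"]].append(e)
    report = {}
    for src, evs in by_source.items():
        times = sorted(datetime.fromisoformat(e["time"]) for e in evs)
        report[src] = {
            "hits": len(evs),
            "protocols": sorted({e["protocol"] for e in evs}),
            "accounts": sorted({normalize_account(e["account"]) for e in evs}),
            "first": times[0].isoformat(),
            "last": times[-1].isoformat(),
            "verdict": cadence_verdict(times),
        }
    return report


if __name__ == "__main__":
    # Noisiest hosts first: these are the candidates for "which tool queries users via LDAP/SAMR".
    for src, info in sorted(summarize(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{src:<10} hits={info['hits']:<3} {','.join(info['protocols']):<6} "
              f"{','.join(info['accounts']):<22} {info['first']} .. {info['last']} -> {info['verdict']}")
```

On the constructed data the daily scanner and the six-hourly inventory agent come out as "periodic", while the two irregular hits from DC02 and the single hit from a workstation come out as "investigate". Since the thread says the device cannot be excluded and the alert cannot be marked a false positive, the useful outcome of the periodic group is a list of tools whose query scope should be changed so they stop touching the decoy accounts.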
- Jacampbell (Microsoft), Jan 27, 2023
I am on the MDI team. I work EST hours. If you open a ticket you can request my assistance by putting my email in the case summary. Jacampbell@microsoft.com
I believe this is a deeper issue and I need another support ticket to show that. Please humor me, open a support ticket, and request to work with me. Jacampbell@microsoft.com / Microsoft Defender for Identity / Threat Analytics