Forum Discussion
Honeytoken alerts FP
For me, the honeytoken functionality has become useless as it is right now. That is very sad, because honeytoken alerts were one of the alerts that popped up when we did internal penetration tests and they were(!) always accurate. Now, in our case, they are useless 😞
MDI will only trigger an alert when a honeytoken is specifically being scanned. Scanning identities specifically shouldn't ever be the case, as this should act as a honeypot, even for vulnerability scanners.
If that's not the case (for example, triggering an alert on domain-wide queries), I'd love to know.
Having said that, we are splitting the honeytoken alerts into different alerts, so they will be able to exclude the honeytoken specifically from the query alert. Let me know if they want us to jump on a call and show that live.
The alerts will be (names can change in the GA release):
- Honeytoken was queried
- Honeytoken group membership change
- Honeytoken logon attempts
- Honeytoken attribute change
- Rob_Gouw | Feb 22, 2023 | Copper Contributor
Could it be that the usage of the SAM-R protocol is not exclusively for the Defender for Identity Directory Service Account? We are experiencing the same alert in Defender.
https://learn.microsoft.com/en-us/defender-for-identity/remote-calls-sam
Could someone from Microsoft elaborate on this?
- MichaelG666 | Feb 03, 2023 | Brass Contributor
Daniel Naim, our Lansweeper server is generating these false-positive honeytoken alerts every time it does a regular "domain wide" full AD scan, which happens 3 times a day:
This started on November 30th, and there is no way to exclude the Lansweeper server from setting off that alert. This essentially made the honeytoken alert completely useless, and we are forced to turn it off. So by introducing this new "feature" (really a bug), you made it completely useless for the majority of your customers. How can I whitelist this particular query from this particular server (using a specific service account)?
This is not a query specifically for the honeytoken account; this is a domain-wide query. It's easily reproducible by installing a trial of Lansweeper and doing a general AD scan as pictured in the screenshot. We have the same issue with the Netwrix Auditor software. It's generating a false-positive alert every time it does a domain-wide query.
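The thread turns on one distinction: a query that names the honeytoken account (what Daniel Naim says MDI alerts on) versus a domain-wide enumeration that merely returns the honeytoken among every other object (what MichaelG666 says Lansweeper and Netwrix send). The script below is an added example, not Microsoft Defender for Identity code and not a description of how MDI decides; it shows how to tell the two query shapes apart in your own LDAP search logs and how a per-account exclusion for a known scanner would fit, so you can check which shape a given alert came from. The `key=value` log-line format, the honeytoken names (`ht-svc-backup`, `ht-admin-old`) and the scanner accounts (`svc-lansweeper`, `svc-netwrix`) are all constructed for the demo.

```python
"""Classify LDAP search requests as targeted honeytoken lookups vs domain-wide
enumeration, with an exclusion list for known scanner accounts.

Added example; not MDI's logic. Log format, account names and hosts below
are constructed. Whether MDI itself alerts on enumeration is the open
question in the thread; this only classifies what your logs show was sent.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Attributes whose value, if it names the honeytoken, make a filter "targeted".
NAMING_ATTRS = {"samaccountname", "cn", "name", "distinguishedname", "userprincipalname"}

# Hypothetical honeytoken sAMAccountNames; take these from your MDI settings.
HONEYTOKENS = {"ht-svc-backup", "ht-admin-old"}

# Hypothetical scanner service accounts whose domain-wide enumeration you accept.
EXCLUDED_ACCOUNTS = {"svc-lansweeper", "svc-netwrix"}

LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
ATTR_RE = re.compile(r"\(([\w.-]+)=([^()]*)\)")   # innermost (attr=value) terms


@dataclass
class LdapSearch:
    src: str
    user: str
    base: str
    scope: str
    ldap_filter: str


def parse_line(line: str) -> LdapSearch:
    """Parse one constructed 'key=value' LDAP search log line."""
    fields = {k: v.strip('"') for k, v in LINE_RE.findall(line)}
    return LdapSearch(fields["src"], fields["user"], fields["base"],
                      fields["scope"], fields["filter"])


def filter_targets(ldap_filter: str, honeytokens: set[str]) -> bool:
    """True if any naming attribute in the filter equals a honeytoken name
    (or a distinguishedName whose RDN is the honeytoken). Wildcards and
    objectClass-style terms do not count: they select everything, not the token."""
    wanted = {h.lower() for h in honeytokens}
    for attr, value in ATTR_RE.findall(ldap_filter):
        attr, value = attr.lower(), value.lower()
        if attr not in NAMING_ATTRS:
            continue
        if attr == "distinguishedname":
            value = value.split(",")[0].removeprefix("cn=")
        if value in wanted:
            return True
    return False


def classify(search: LdapSearch, honeytokens: set[str] = HONEYTOKENS,
             excluded: set[str] = EXCLUDED_ACCOUNTS) -> str:
    """Return 'targeted', 'excluded' or 'enumeration'.

    A targeted lookup is flagged even from an excluded scanner account: a
    scanner has no business asking for the decoy by name (the honeypot logic
    from the thread). The exclusion only suppresses domain-wide enumeration."""
    base_rdn = search.base.split(",")[0].lower()
    base_is_token = (search.scope.lower() == "base"
                     and base_rdn in {f"cn={h.lower()}" for h in honeytokens})
    if base_is_token or filter_targets(search.ldap_filter, honeytokens):
        return "targeted"
    if search.user.lower() in {e.lower() for e in excluded}:
        return "excluded"
    return "enumeration"


def triage(lines: list[str]) -> list[tuple[str, str]]:
    """(user, verdict) for every log line, in order."""
    return [(s.user, classify(s)) for s in map(parse_line, lines)]


def honeytoken_queried(lines: list[str]) -> list[LdapSearch]:
    """Only the searches that should raise a 'honeytoken was queried' alert."""
    return [s for s in map(parse_line, lines) if classify(s) == "targeted"]


# Constructed sample log: two scanner full scans, an analyst poking the decoy
# by name and by DN, a scanner that names the decoy, and a plain user enumerating.
SAMPLE_LOG = [
    'src=10.20.0.15 user=svc-lansweeper base="DC=corp,DC=example" scope=subtree filter=(&(objectCategory=person)(objectClass=user)) attrs=*',
    'src=10.20.0.22 user=svc-netwrix base="DC=corp,DC=example" scope=subtree filter=(objectClass=*)',
    'src=10.20.5.77 user=jdoe base="DC=corp,DC=example" scope=subtree filter=(sAMAccountName=ht-svc-backup)',
    'src=10.20.5.77 user=jdoe base="CN=ht-admin-old,OU=Service,DC=corp,DC=example" scope=base filter=(objectClass=*)',
    'src=10.20.0.15 user=svc-lansweeper base="DC=corp,DC=example" scope=subtree filter=(|(sAMAccountName=ht-svc-backup)(sAMAccountName=admin))',
    'src=10.20.9.3 user=jdoe base="DC=corp,DC=example" scope=subtree filter=(objectClass=user)',
]

if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_LOG):
        print(f"{user:16s} {verdict}")
```

The exclusion is deliberately narrow: it silences domain-wide enumeration from named scanner accounts, which is the thing MichaelG666 asks to whitelist, while a filter that names the decoy still alerts whoever sent it. The last verdict, a plain user enumerating the whole domain, is not a honeytoken event at all; if you want to see it, it belongs under a separate reconnaissance alert, which is also why the split into distinct honeytoken alert types matters.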