Forum Discussion
DefenderAdmin
Nov 30, 2022 · Brass Contributor
Honeytoken alerts FP
Hi! We do have a lot of "Honeytoken activity" since 23.11.2022 starting in the evening (MET timezone). Normally, in the past this kind of alert only appeared during planned penetration tests and ...
DefenderAdmin
Feb 27, 2023 · Brass Contributor
Just to give anybody an update on this:
This weekend, the security portal started to create alerts for the honeytoken activity; this is kind of new because recently, those alerts were only shown within the "old" Defender for Identity portal and also the MCAS alert overview.
Long story short:
As I didn't find a solution for our scenario yet, I "deleted" the honeytoken user from the MDI honeytoken settings. Not useful any longer 😞
Daniel Naim
Feb 27, 2023 · Iron Contributor
DefenderAdmin version 1.98 should fix it. Do you have it deployed already? Please see the what's new page for the info.
- DefenderAdmin · Feb 27, 2023 · Brass Contributor
Yes, we are using 2.198.16173.18440 which should be the most recent version.
I've seen in the release notes that there are now several alert conditions and the one which got triggered A LOT is "Honeytoken user was queried via SAM-R".
I will give it another shot and maybe if I can whitelist or ignore the SAM-R events at least all other events are "useful" again.
- Daniel Naim · Feb 27, 2023 · Iron Contributor
Exactly. Now you can make sure only the SAMR is being whitelisted.
- DefenderAdmin · Feb 27, 2023 · Brass Contributor
Ok, now there is an exclusion for "Honeytoken user was queried via SAM-R" and I tried to add my honeytoken user as an excluded user. But (of course) alerts for SAM-R queries are still coming. I think I'd have to add all of those users and clients which are triggering the SAM-R honeytoken request? If yes, in my case this is really tough to do because there are so many from all different kinds of users. It will take a lot of time and effort to add all of them as they appear as an alert.
Is there a way to "disable" the alert definition for "Honeytoken user was queried via SAM-R" as a whole?
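An added triage query, not part of the thread and not Microsoft's own guidance: before excluding sources one alert at a time, it is worth counting which devices and accounts actually generate the "Honeytoken user was queried via SAM-R" alerts, since a handful of noisy clients (a management tool or scanner enumerating accounts) usually account for most of them and can be excluded as a group, leaving the alert itself enabled. The query assumes the Advanced Hunting tables `AlertInfo` and `AlertEvidence`, that `ServiceSource` carries the value "Microsoft Defender for Identity", and that the alert `Title` matches the MDI alert name quoted in the thread; the 14-day lookback is an arbitrary choice.

```kql
// Added example (not from the thread): rank the sources behind MDI honeytoken
// SAM-R alerts so an exclusion can target the few noisy clients rather than
// disabling the detection. Assumptions: AlertInfo/AlertEvidence schema,
// ServiceSource string, and that Title equals the MDI alert name.
let lookback = 14d;
AlertInfo
| where Timestamp > ago(lookback)
| where ServiceSource == "Microsoft Defender for Identity"
| where Title == "Honeytoken user was queried via SAM-R"
| join kind=inner (
    AlertEvidence
    | where Timestamp > ago(lookback)
    | project AlertId, EntityType, DeviceName, AccountName, AccountDomain
  ) on AlertId
// One row per evidence entity: the querying device and the account it ran as.
| summarize Alerts = dcount(AlertId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by EntityType, DeviceName, AccountDomain, AccountName
| order by Alerts desc
```

Sources with a high count and a steady FirstSeen/LastSeen spread are the candidates for an exclusion on that specific alert; a source that appears once, or only outside business hours, is the case the honeytoken exists to catch and should stay visible.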