Forum Discussion
DefenderAdmin
Nov 30, 2022Brass Contributor
Honeytoken alerts FP
Hi! We do have a lot of "Honeytoken activity" since 23.11.2022 starting in the evening (MET timezone). Normally, in the past this kind of alert only appeared during planned penetration tests and ...
Daniel Naim
Feb 27, 2023Iron Contributor
DefenderAdmin version 1.98 should fix it. Do you have it deployed already? Please see the what's new page for the info.
DefenderAdmin
Feb 27, 2023Brass Contributor
Yes, we are using 2.198.16173.18440 which should be the most recent version.
I've seen in the release notes that there are now several alert conditions and the one which got triggered A LOT is "Honeytoken user was queried via SAM-R"
I will give it another shot and maybe if I can whitelist or ignore the SAM-R events at least all other events are "useful" again.
Daniel Naim
Feb 27, 2023Iron Contributor
Exactly. Now you can make sure only the SAMR is being whitelisted.
DefenderAdmin
Feb 27, 2023Brass Contributor
Ok, now there is an exclusion for "Honeytoken user was queried via SAM-R" and I tried to add my honeytoken user as an excluded user. But (of course) alerts for SAM-R queries are still coming. I think I'd have to add all of those users and clients which are triggering the SAM-R honeytoken request? If yes, in my case this is really tough to do because there are so many from all different kinds of users. It will take a lot of time and effort to add all of them as they appear as an alert.
Is there a way to "disable" the alert definition for "Honeytoken user was queried via SAM-R" as a whole?
Rob_Gouw
Jun 05, 2023Copper Contributor
Defender for Identity release 2.201
Released March 27, 2023
We're in the process of disabling the SAM-R honeytoken alert. While these types of accounts should never be accessed or queried, we're aware that certain legacy systems may use these accounts as part of their regular operations. If this functionality is necessary for you, you can always create an advanced hunting query and use it as a custom detection. Additionally, we'll be reviewing the LDAP honeytoken alert over the coming weeks, but it will remain functional for now.
Source: https://learn.microsoft.com/en-us/defender-for-identity/whats-new#defender-for-identity-release-2201
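The release note quoted above points to an advanced hunting query as the replacement for the retired SAM-R honeytoken alert. The KQL below is an added example, not from this thread or from Microsoft, that rebuilds that detection with an allowlist for the legacy systems DefenderAdmin describes, so known callers are suppressed once instead of one alert at a time. The honeytoken account names and legacy host names are placeholders, and the `IdentityQueryEvents` columns and the `Protocol == "Samr"` value are assumed from the advanced hunting schema; check them against your tenant before saving the query as a custom detection.

```kql
// Added example (not from the thread or the product docs).
// Re-creates "Honeytoken user was queried via SAM-R" as a custom detection,
// with an allowlist for legacy hosts whose SAM-R lookups are expected.
let HoneytokenAccounts = dynamic(["honey-svc01", "honey-admin02"]);   // placeholders: your honeytoken sAMAccountNames
let LegacySamrCallers  = dynamic(["LEGACYAPP01", "PRINTSRV02"]);      // placeholders: hosts allowed to query via SAM-R
IdentityQueryEvents
| where Timestamp > ago(1h)                                  // match the custom detection's run frequency
| where Protocol == "Samr"                                   // assumed value: SAM-R queries only
| where QueryTarget in~ (HoneytokenAccounts)                 // the queried object is a honeytoken
| where DeviceName !in~ (LegacySamrCallers)                  // drop the known legacy sources, not individual alerts
| project Timestamp, ReportId, AccountObjectId, AccountName, AccountDomain,
          DeviceName, IPAddress, QueryType, QueryTarget, DestinationDeviceName
```

Timestamp, ReportId and an entity column such as AccountObjectId must stay in the output for the query to be saved as a custom detection rule, and every hit not on the allowlist is then raised as an alert.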