Forum Discussion
DefenderAdmin
Nov 30, 2022 (Brass Contributor)
Honeytoken alerts FP
Hi! We have had a lot of "Honeytoken activity" alerts since 23.11.2022, starting in the evening (MET timezone). Normally, in the past this kind of alert only appeared during planned penetration tests and ...
Saicharan_Nagapuri
Apr 19, 2023 (Copper Contributor)
Can we ignore the alerts below, as we are receiving a greater number of alerts on a daily basis?

Alert name | Count
Honeytoken was queried via SAM-R | 258
Honeytoken was queried via LDAP | 217
Honeytoken authentication activity | 20
- Daniel Naim, Apr 19, 2023 (Iron Contributor)
Wouldn't it be easier to exclude the host devices that performed this activity, as it's benign? Then you don't lose the functionality when it's performed from an abnormal source.
- Saicharan_Nagapuri, Apr 19, 2023 (Copper Contributor)
Hi Daniel, could you please share the playbook for the honeytoken alerts below? For example, when to consider an alert an FP, and on what basis do we need to exclude the hosts' devices?
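One way to put Daniel Naim's per-host exclusion into practice, as an added illustration that is not code from any poster in the thread or from the product vendor: a small Python triage script that works over constructed alert rows (the `title`, `source_host` and `time` fields are an assumed shape, not a real export schema), a hypothetical allowlist of scanner hosts, and an assumed approved assessment window. Alerts from allowlisted sources are set aside as expected rather than suppressed at the rule level, so the same honeytoken alert fired from an unexpected workstation still reaches the analyst.

```python
"""Triage helper for honeytoken alerts: set aside alerts from known benign
source hosts or approved assessment windows, keep everything else for review.
Added example; sample data and host names are constructed for illustration."""
from collections import Counter
from datetime import datetime

# Constructed sample alerts. Field names are assumptions, not a product schema.
SAMPLE_ALERTS = [
    {"title": "Honeytoken was queried via SAM-R", "source_host": "VULNSCAN01", "time": "2023-04-18T22:10:00"},
    {"title": "Honeytoken was queried via SAM-R", "source_host": "VULNSCAN01", "time": "2023-04-18T22:11:00"},
    {"title": "Honeytoken was queried via LDAP", "source_host": "VULNSCAN01", "time": "2023-04-18T22:12:00"},
    {"title": "Honeytoken was queried via LDAP", "source_host": "WS-FINANCE-07", "time": "2023-04-19T09:03:00"},
    {"title": "Honeytoken authentication activity", "source_host": "WS-FINANCE-07", "time": "2023-04-19T09:04:00"},
    {"title": "Honeytoken was queried via SAM-R", "source_host": "PT-LAPTOP-3", "time": "2023-04-19T14:30:00"},
]

# Hypothetical hosts that legitimately enumerate accounts (e.g. a vulnerability scanner).
KNOWN_SCANNERS = {"VULNSCAN01"}

# Hypothetical approved penetration-test windows as (start, end) pairs.
PENTEST_WINDOWS = [(datetime(2023, 4, 19, 14, 0), datetime(2023, 4, 19, 18, 0))]


def is_expected(alert, known_scanners=KNOWN_SCANNERS, windows=PENTEST_WINDOWS):
    """True only if the source host is allowlisted or the alert falls inside an
    approved assessment window; anything else is treated as needing review."""
    if alert["source_host"].upper() in {h.upper() for h in known_scanners}:
        return True
    t = datetime.fromisoformat(alert["time"])
    return any(start <= t <= end for start, end in windows)


def triage(alerts, known_scanners=KNOWN_SCANNERS, windows=PENTEST_WINDOWS):
    """Split alerts into (expected, investigate); neither list is discarded."""
    expected, investigate = [], []
    for alert in alerts:
        bucket = expected if is_expected(alert, known_scanners, windows) else investigate
        bucket.append(alert)
    return expected, investigate


def counts_by_source(alerts):
    """Count alerts per (title, source host) so a bulk total can be attributed
    to the hosts producing it, rather than judged as a single number."""
    return Counter((a["title"], a["source_host"]) for a in alerts)


if __name__ == "__main__":
    expected, investigate = triage(SAMPLE_ALERTS)
    print(f"expected (allowlisted host or approved window): {len(expected)}")
    print(f"needs investigation: {len(investigate)}")
    for (title, host), n in sorted(counts_by_source(investigate).items()):
        print(f"  {n:>3}  {title}  from {host}")
```

The allowlist is deliberately keyed on the source host, not on the alert title: the thread's counts (258 SAM-R, 217 LDAP) are only reassuring once they can be attributed to hosts that are supposed to be enumerating accounts, and any remainder from an unlisted source keeps its original severity.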