Forum Discussion
DefenderAdmin (Nov 29, 2022, Brass Contributor)
Honeytoken alerts FP
Hi! We do have a lot of "Honeytoken activity" alerts since 23.11.2022, starting in the evening (MET timezone). Normally, in the past, this kind of alert only appeared during planned penetration tests and ...
Daniel Naim (Feb 27, 2023, Former Employee)
Just exclude the honeytoken itself from this alert, not the triggering user / device.
DefenderAdmin (Feb 27, 2023, Brass Contributor)
That's what I tried, but I'm afraid that didn't work. I excluded the same user which I defined as a honeytoken user within the "honeytoken SAM-R" (user) exclusions -> alerts for SAM-R honeytoken activity are still coming in "like crazy" 😞
Maybe the exclusion takes some time to sink in?
DefenderAdmin (Mar 22, 2023, Brass Contributor)
The Defender for Endpoint agent release nr. 2.199 has a working whitelisting option for the alert "SAM-R honeytoken" (whatever it is exactly called) where you can define your honeytoken user; this will prevent incidents/alarms from popping up.
As there are numerous other honeytoken alerts now, this is a solution/workaround for us. (thanks to Daniel Naim and his guys for support)
ziggyk80 (Mar 22, 2023, Copper Contributor)
We also had the thing about the honeytoken SAM-R alerts; we couldn't figure out what caused them either -> so, I just whitelisted them and that's working since the last release (2.199).
Daniel Naim, I see communication about this topic stopped on Feb 27. We are having the same issue described in these posts. Our Network team has not been able to determine what application is causing the SAM-R queries hitting the honeytoken accounts. Do we have any options? Can we disable the alert, or utilize Threat Hunting or something else to determine what app is causing the issue?
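An added advanced hunting query for the question above about using Threat Hunting to find the source of the SAM-R queries. This is an editor's example, not a query posted by any participant and not Microsoft documentation: it reads the IdentityQueryEvents table in Microsoft 365 Defender advanced hunting and groups SAM-R queries against the honeytoken account by the device, IP, account and application that issued them. The account name is a placeholder to replace with your own honeytoken user, and the Protocol value "Samr" is an assumption about how SAM-R traffic is labelled in that table.

```kql
// Added example, not from the thread: locate the origin of SAM-R queries that
// touch a honeytoken account, so the application or host can be identified
// before deciding on an exclusion.
// Assumptions: HONEYTOKEN_USER_PLACEHOLDER stands for your honeytoken account
// name; Protocol is assumed to carry the value "Samr" for SAM-R queries.
let HoneytokenAccounts = dynamic(["HONEYTOKEN_USER_PLACEHOLDER"]);
IdentityQueryEvents
| where Timestamp > ago(7d)
| where Protocol =~ "Samr"                      // assumed label for SAM-R traffic
| where QueryTarget in~ (HoneytokenAccounts)     // queries aimed at the honeytoken
| summarize QueryCount = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            QueryTypes = make_set(QueryType)
    by DeviceName, IPAddress, AccountName, AccountDomain, Application
| order by QueryCount desc
```

A host or service account that tops this list with a steady, periodic QueryCount is the usual shape of a benign scanner or inventory tool; a single host with a burst of EnumerateUsers-style query types over many targets is the pattern the honeytoken alert exists to catch, and is worth keeping even if the noisy source is later excluded.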
DefenderAdmin (Feb 27, 2023, Brass Contributor)
I just sent you a mail with current settings and an example which got triggered AFTER I defined the honeytoken user again.
Daniel Naim (Feb 27, 2023, Former Employee)
By the way, exclusions should take effect immediately.
Daniel Naim (Feb 27, 2023, Former Employee)
Shoot me a screenshot of the exclusion and the alert id that was created past that please!
DANAIM@microsoft.com