SOLVED

Honeytoken Limit?


Hi, I am setting up some honeytokens in Azure ATP with a customer, and there seems to be a limit of 10 possible account names reported in the Entity Tag\Honey Token Accounts query box, meaning we never get to see and pick all the desired honeytokens.

This arises as the environment is quite large, with multiple honeytokens of the same name in multiple domains. E.g., when searching for a honeytoken of 'admin', this brings up 10 account names with 'admin' in the titles, as there are legitimate accounts all over the world called things like "front desk admin", so they never see or get to select their 'admin' honeytokens.

It does not seem possible to use a domain\user or user@domain query to narrow the scope, so is it possible to increase the list of items reported in such a query?

I've enclosed a forced example of the behaviour here from a test environment, but you can see the limitation.

2 Replies
Best Response confirmed by swans1998 (Microsoft)
Solution

@swans1998 

This is a known issue, and we have a simple workaround for this.

(We didn't increase the limit, as for some customers even 30 won't be enough for searching "admin ...")

The workaround is to temporarily add a differentiating string to the honey token *Display Name*.

Wait a few minutes for the change to sync to AATP, then you can search by this string, as we do filter on Display names as well.

Once you have selected the account and saved, you can revert the display name change, and it will be fine, as behind the scenes we don't keep the name, we keep the ID, and that won't change.

Eli
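The workaround described above, scripted for several domains at once. This is an added example, not code from the thread or from Microsoft; the domain names, the tag string, the backup file path and both function names are assumptions, and it relies on the ActiveDirectory PowerShell module.

```powershell
# Added example: temporarily tag honeytoken display names, then revert them.
# Placeholders (assumptions, not from the thread): domains, tag, backup path.
Import-Module ActiveDirectory

$Domains   = @('emea.example.com', 'apac.example.com')  # placeholder domains
$TokenName = 'admin'                                    # honeytoken sAMAccountName
$Tag       = 'HT-SELECT-7f3a'                           # differentiating string
$Backup    = '.\honeytoken-displaynames.csv'            # original names saved here

function Add-HoneytokenTag {
    $records = foreach ($d in $Domains) {
        # Exact sAMAccountName match, so accounts such as "front desk admin"
        # are never modified.
        Get-ADUser -Server $d -Filter "SamAccountName -eq '$TokenName'" -Properties DisplayName |
            ForEach-Object {
                # Record the original value before changing anything.
                [pscustomobject]@{
                    Domain              = $d
                    ObjectGuid          = $_.ObjectGUID
                    OriginalDisplayName = $_.DisplayName
                }
                Set-ADUser -Server $d -Identity $_.ObjectGUID `
                    -DisplayName "$($_.DisplayName) $Tag".Trim()
            }
    }
    $records | Export-Csv -Path $Backup -NoTypeInformation
}

function Remove-HoneytokenTag {
    # Run only after the accounts have been selected and saved in the
    # Honey Token Accounts box; the tag stays keyed to the account ID.
    Import-Csv -Path $Backup | ForEach-Object {
        if ([string]::IsNullOrEmpty($_.OriginalDisplayName)) {
            # The account had no display name originally: clear the attribute.
            Set-ADUser -Server $_.Domain -Identity $_.ObjectGuid -Clear displayName
        } else {
            Set-ADUser -Server $_.Domain -Identity $_.ObjectGuid `
                -DisplayName $_.OriginalDisplayName
        }
    }
}
```

Run `Add-HoneytokenTag`, wait for the change to sync, search the query box for the tag string and save the selection, then run `Remove-HoneytokenTag` to restore the original display names.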

Thank you Eli.