Hi! We do have a lot of "Honeytoken activity" since 23.11.2022 starting in the evening (MET timezone).Normally, in the past this kind of alert only appeared during planed penetration tests and the alert was accurate. But right now, we do have honeytoken activity from around 185 sources (clients) with sam-r queries so far, counting!It seems to be a bug and we will wait for the next releases from Defender for Identity, so far we couldn't find a cause which makes sense that this alert keeps being triggered... (meaning no signs of a real attack, no idea what update or other config changes could have started this behaviour) Maybe someone else experiences the same right now, this is meant as an information... BR

Jacampbell This change moves honeytoken accounts into something that one knew was unlikely to be a false positive to one which will have many false positives, going by the SAM-R and LDAP alerts that are populated by vulnerability scanners, products like tanium, and users the use the /domain switch to the net command. You already had reconnaissance alerts. The honeytoken accounts were for direct authentication attempts using them, which is the traditional purpose for them. I can't see a good reason to do this.

DefenderAdmin MDI will only trigger alert when a honey token is specifically being scanned. Scanning identities specifically shouldn't be ever the case as this should act as a honeypot. Even for vulnerability scanners. If that's not the case (in example, triggering an alert when it's domain wide queries) I'd love to know. Having said that, we are splitting the honeytoken alerts to different alerts, so they will be able to exclude the honeytoken specifically from query alert. Let me know if they want us to jump on a call and show that live. The alerts will be (name can change in the GA release) Honeytoken was queried Honeytoken group membership change Honeytoken logon attempts Honeytoken attribute change

Could it be that the usage of the SAM-R protocol is not exclusive use for the Defender for Identity Directory Service Account? We are experiencing the same alert in Defender. Configure SAM-R to enable lateral movement path detection - Microsoft Defender for Identity | Microsoft LearnCould someone from Microsoft ellaborate on this?

Ok, now there is a exclusion for "Honeytoken user was queried via SAM-R" and i tried to add my honeytoken user as an excluded user. But (of course) alerts for SAM-R queries are still coming. I think i'd have to add all of those users and clients which are triggering the SAM-R honeytoken request? If yes, in my case this is really tough to do because there are so many from all different kinds of users. It will take a lot of time and effort to add all of them as they appear as an alert.Is there a way to "disable" the alert definition for "Honeytoken user was queried via SAM-R" as a whole?

The for Defender for Endpoint Agent release nr. 2.199 has a working whitelisting option for the alert "SAM-R honeytoken" (whatever it is exactly called) where you can define your honeytoken user, this will prevent incidents/alarms from popping up.As there are numerous other honeytoken alerts now, this is a solution/workaround for us. (thanks to Daniel Naim and his guys for support)We also had the thing about the honeytoken SAM-R alerts, we couldn't figure out what caused them either -> so, i just whitelisted them and that's working since the last release (2.199)

Honeytoken alerts FP | Microsoft Community Hub

Saicharan_Nagapuri
Copper Contributor
Apr 19, 2023
DefenderAdmin

Can we ignore below alerts as we are receiving a greater number of alerts on daily basis?

Alert name Count
Honeytoken was queried via SAM-R 258
Honeytoken was queried via LDAP 217
Honeytoken authentication activity 20
- Daniel Naim
  Microsoft
  Apr 19, 2023
  Saicharan_Nagapuri
  
  Wouldn't it be easier to exclude the host devices that performed this activity as its benign? Then you don't lose the functionality when it's performed from an abnormal source.
  - Saicharan_Nagapuri
    Copper Contributor
    Apr 19, 2023
    Hi Daniel, Could you please share the playbook for the below honey token alert? Like When to consider alert as FP and on what basis do we need to exclude the host's devices?
DefenderAdmin
Brass Contributor
Apr 11, 2023
Just for your information, for all of them who it may concern:
"We're in the process of disabling the SAM-R honeytoken alert. While these types of accounts should never be accessed or queried, we're aware that certain legacy systems may use these accounts as part of their regular operations. If this functionality is necessary for you, you can always create an advanced hunting query and use it as a custom detection. Additionally, we'll be reviewing the LDAP honeytoken alert over the coming weeks, but it will remain functional for now."

Source:
https://learn.microsoft.com/en-us/defender-for-identity/whats-new#defender-for-identity-release-2201
DefenderAdmin
Brass Contributor
Feb 27, 2023
Just to give anybody an update on this:
This weekend, the security portal started to create alerts for the honeytoken activity; this is kind of new because recently, those alerts were only shown within the "old" Defender for Identity portal and also the MCAS alert overview.

Long story short:
As i didn't find a solution for our scenario yet, i "deleted" the honeytoken user from the MDI honeytoken settings. Not useful any longer 😞
- Daniel Naim
  Microsoft
  Feb 27, 2023
  DefenderAdmin version 1.98 should fix it. Do you have it deployed already? Please see the what's new page for the info.
  - DefenderAdmin
    Brass Contributor
    Feb 27, 2023
    Yes, we are using 2.198.16173.18440 which should be the most recent version.
    I've seen in the release notes that there are now several alert conditions and the one which got triggered A LOT is "Honeytoken user was queried via SAM-R"
    
    I will give it another shot and maybe if i can whitelist or ignore the SAM-R events at least all other events are "useful" again.
Jacampbell
Microsoft
Jan 27, 2023
DefenderAdmin

Were you able to get an answer for this?
- DefenderAdmin
  Brass Contributor
  Jan 27, 2023
  @Jacampbell: nope, it is still happening even after the latest agent updates. Do you see that issue by yourself as well?
  - Jacampbell
    Microsoft
    Jan 27, 2023
    DefenderAdmin I am working on a case with similar symptoms. Have you opened a support ticket for this?
Alexander Bunk
Copper Contributor
Dec 30, 2022
We have the same experience. Any updates on this?
- Jacampbell
  Microsoft
  Jan 27, 2023
  Hey - have you opened a support ticket
  - DefenderAdmin
    Brass Contributor
    Jan 27, 2023
    no, i didn't open a support ticket yet. i was hoping that an agent update will solve the issue, which didn't happened yet. But to be honest, i don't have the time or nerve right now for handling a Microsoft ticket case with some indian MS supporter...

Forum Discussion

Honeytoken alerts FP

Share

Resources

Alert name	Count
Honeytoken was queried via SAM-R	258
Honeytoken was queried via LDAP	217
Honeytoken authentication activity	20