# Monitoring honeypot (honeytoken) identities

Vectra AI’s network and identity detection response capabilities enable teams to detect activity from identities deployed as honeypot tokens in the network. This allows honeypot alerts to be integrated directly into the Vectra console. Vectra monitors for honeypot activity from identities over RDP, SMB, RPC, NTLM, and Kerberos.

Honeypot monitoring and alerting are enabled through Vectra AI’s Threat Intel Integration. Onboarding a new identity takes less than 5 minutes and is supported for both Respond UX and Quadrant UX deployments.

## Steps to Enable

1. [Create a STIX 1.2 file](#id-1.-create-stix-1.2-file) that includes the desired indicators.
2. [Enable monitoring](#id-2.-enable-monitoring-in-the-vectra-ui) in the Vectra UI.
3. [Examine any **Threat Intelligence Match** alerts](#id-3.-examine-threat-intelligence-alerts) that may be generated.
4. [Update the Threat Feed with new STIX 1.2 files](#id-4.-update-the-threat-feed-with-new-stix-1.2-files-as-the-desired-indicators-change) as the desired indicators change.

## 1. Create STIX 1.2 File

* A simple single-account STIX template, `vectra-honeypot-template.xml`, is attached to this document (see Attachments below).
* To use this template, open the file in a text editor and replace `YOUR_HONEYPOT_IDENTITY_WITHOUT_DOMAIN` with the name of the honeypot account.
  * Enter only the bare account name, with any domain information removed, as shown in the file: for `user@corp.com`, enter only `user`.
* More than one account can be monitored by adding a further indicator block, as documented in the template.
* The end time of the sample indicator in the STIX example is set for Aug 14, 2034. Update this as required for your deployment.
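The following Python script is an added example, not the attached Vectra template: it renders a STIX 1.2 package with one standard CybOX UserAccount indicator per honeypot account, strips UPN (`user@corp.com`) or down-level (`CORP\user`) domain parts as required above, and stamps each indicator with an `End_Time`. The ids, titles and exact element layout are assumptions, so diff its output against `vectra-honeypot-template.xml` before uploading.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Standard STIX 1.2 / CybOX 2.1 namespaces (assumed layout; compare with the attached template).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "UserAccountObj": "http://cybox.mitre.org/objects#UserAccountObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def q(prefix: str, tag: str) -> str:
    return "{%s}%s" % (NS[prefix], tag)

def normalize_identity(name: str) -> str:
    """Return the bare account name: 'user@corp.com' and 'CORP\\user' both become 'user'."""
    name = name.strip()
    if "@" in name:                      # UPN form: keep the part before '@'
        name = name.split("@", 1)[0]
    if "\\" in name:                     # down-level form: keep the part after '\'
        name = name.rsplit("\\", 1)[1]
    if not re.fullmatch(r"[^@\\/\s]+", name):
        raise ValueError("not a bare account name: %r" % name)
    return name

def build_package(identities, end_time: datetime) -> str:
    """Serialize one Indicator per honeypot account, each carrying the given End_Time."""
    if end_time <= datetime.now(timezone.utc):
        raise ValueError("indicator End_Time must lie in the future")
    stamp = end_time.strftime("%Y-%m-%dT%H:%M:%SZ")
    pkg = ET.Element(q("stix", "STIX_Package"), {"id": "honeypot-feed", "version": "1.2"})
    inds = ET.SubElement(pkg, q("stix", "Indicators"))
    for n, ident in enumerate(identities, 1):
        user = normalize_identity(ident)
        ind = ET.SubElement(inds, q("stix", "Indicator"),
                            {"id": "honeypot-indicator-%d" % n, q("xsi", "type"): "indicator:IndicatorType"})
        ET.SubElement(ind, q("indicator", "Title")).text = "Honeypot account " + user
        vtp = ET.SubElement(ind, q("indicator", "Valid_Time_Position"))
        ET.SubElement(vtp, q("indicator", "End_Time")).text = stamp   # overrides the feed Duration
        obs = ET.SubElement(ind, q("indicator", "Observable"), {"id": "honeypot-observable-%d" % n})
        obj = ET.SubElement(obs, q("cybox", "Object"), {"id": "honeypot-object-%d" % n})
        props = ET.SubElement(obj, q("cybox", "Properties"),
                              {q("xsi", "type"): "UserAccountObj:UserAccountObjectType"})
        ET.SubElement(props, q("UserAccountObj", "Username")).text = user
    return ET.tostring(pkg, encoding="unicode")
```

Calling `build_package(["svc_honey@corp.com", "CORP\\backup-admin"], datetime(2034, 8, 14, tzinfo=timezone.utc))` with these constructed sample accounts yields a two-indicator package whose `End_Time` matches the template's Aug 14, 2034 expiry.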

## 2. Enable Monitoring in the Vectra UI

* Navigate in your Vectra UI to *Configuration → COVERAGE → Threat Feeds* and click **Create Threat Feed**.
* Complete the dialog box with the following:
  * **Threat Feed Name** - Enter a name of your choosing.
  * **Indicator Type** - Watchlist is suggested.
  * **Category** - Lateral is suggested.
  * **Certainty** - High is suggested.
  * **Duration** - 90 is the maximum and the suggested value, but the indicator expiry set in the STIX file overrides this Duration setting.
    * The end time of the sample indicator in the STIX example attached to this article is set for Aug 14, 2034.

<img src="/files/ekk2ebXmZLSIbrxlOTzh" alt="" width="563">

* Click **Create and Open**.
* In the subsequent **Manage Threat Feed** dialog, click **Upload STIX file** and choose your STIX file.
* After uploading your STIX file, confirm the information is correct.

<img src="/files/Jrls5LkM1It0bgnsTSHy" alt="" width="563">

* Click **Save**.

## 3. Examine Threat Intelligence Alerts

* Once the feed is saved, Vectra begins monitoring for any interaction with the named honeypot token. If one is observed, a **Threat Intelligence Match** alert triggers on the host from which the identity was accessed.
* In the example detection below, the account indicator was named **Honeypot**. This is only an example; such an obvious name is not a good candidate for production traffic.

![](/files/xZniI0xae0tIqsoOP2KP)

## 4. Update the Threat Feed with new STIX 1.2 files as the desired indicators change

* When you want to change the indicators used in the Threat Feed or update their expiry, edit the Threat Feed configuration by clicking the edit icon next to it.

![](/files/Zph0luhGY6jRXsWiihTe)

* Change the indicators in your source file, and then **Upload STIX file** and **Save**.

<img src="/files/jBgHP7leiUUDhiV2KGja" alt="" width="563">

### Attachments

{% file src="/files/wLQoTF4pxIfUT7Q1jsKn" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.vectra.ai/operations/analyst-guidance/monitoring-honeypot-honeytoken-identities.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
