Monitoring honeypot (honeytoken) identities

Monitor honeypot identities with Vectra Threat Intel to detect activity over RDP, SMB, RPC, NTLM, and Kerberos.

Vectra AI’s network and identity detection response capabilities enable teams to detect activity from identities deployed as honeypot tokens in the network. This allows honeypot alerts to be integrated directly into the Vectra console. Vectra monitors for honeypot activity from identities over RDP, SMB, RPC, NTLM, and Kerberos.

Honeypot monitoring and alerting are enabled through Vectra AI’s Threat Intel Integration. Onboarding a new identity takes less than 5 minutes and is supported for both Respond UX and Quadrant UX deployments.

Steps to Enable

Create a STIX 1.2 file that includes the desired indicators.
Enable monitoring in the Vectra UI.
Examine any Threat Intelligence Match alerts that may be generated.
Update the Threat Feed with new STIX 1.2 files as the desired indicators change.

1. Create STIX 1.2 File

A simple single account STIX template is attached to this document (attached below) called vectra-honeypot-template.xml.
To leverage this template, open the file in a text editor and change YOUR_HONEYPOT_IDENTITY_WITHOUT_DOMAIN to the name of the honeypot account.
- Be sure to remove any domain information as shown in the file, e.g., user not [email protected], only add the user part.
More than one account can be monitored by adding a new indicator block as documented in the template.
The end time of the sample indicator in the STIX example is set for Aug 14, 2034. Update this as required for your deployment.

2. Enable Monitoring in the Vectra UI

Navigate in your Vectra UI to Configration → COVERAGE → Threat Feeds and click Create Threat Feed.
Complete the dialog box with the following:
- Threat Feed Name - Enter a name of your choosing.
- Indicator Type - Watchlist is suggested.
- Category - Lateral is suggested.
- Certainty - High is suggested.
- Duration - 90 is the maximum (suggested) but the expiry of the indicator in the STIX file will override this Duration setting.
  - The end time of the sample indicator in the STIX example included as an attachment to this article is set for Aug 14, 2034.

Click Create and Open.
In the subsequent Manage Threat Feed dialog, click Upload STIX file and choose your STIX file.
After uploading your STIX file, confirm the information is correct.

Click Save.

3. Examine Threat Intelligence Alerts

Once the feed is saved, Vectra will begin monitoring for any interaction with the named honeypot token. If it’s observed, a Threat Intelligence Match alert will trigger on the host from where the identity was accessed.
In the example detection below, the name of the account indicator was Honeypot. This is just an example and not likely a good candidate for production traffic.

4. Update the Threat Feed with new STIX 1.2 files as the desired indicators change

When you wish to change the indicators in use in the Threat Feed or update the expiry of indicators, simply edit the Threat Feed configuration by clicking on the edit icon next to it.

Change the indicators in your source file, and then Upload STIX file and Save.

Attachments

2KB

vectra-honeypot-template.xml

Open

PreviousUnderstanding Vectra AI detections NextTriggering detections for testing purposes

Last updated 6 days ago

Was this helpful?