When you configure any deception technology in InsightIDR, an alert fires automatically whenever anything attempts to access it. InsightIDR then opens an Investigation, where you can see all the details related to the honey item.
View honey alerts
- From the left menu, select Investigations.
- You will see all open investigations within the time window specified in the filter.
- For quick access, enter "honey" in the "Alert Type" search field. The graph and the investigation list then display only honey items.
- An Investigation Alert is shown when a honey item is triggered. The number after the title "Honey Access" is the number of access attempts recorded for that honey item (for a honey user, the number of attempts to use that account). Select the Honey Item Investigation to see further details and a full list of occurrences.
- Once in the Investigation, you can scroll through the timeline of events. Select the Evidence button to see specific details about each access attempt.
- As with other investigations and alerts, you can also add data to the Investigation, or export it to a PDF document or to a data exporter such as ServiceNow for ticketing.
Ignore or Alert on honey items
When you close the Investigation, use the "Close investigation" menu in the top right corner to choose whether future Honey Alerts for this incident should be ignored or should continue to alert.
If a source asset is known and expected to scan the network regularly, you can add it to your allowlist so that its connection attempts to honey items no longer raise alerts. A typical example of a source asset you would want to allow is a vulnerability scanner. Keep the allowlist as short as possible: any host on it can touch every honey item without producing an alert, so a compromised scanner, or an attacker who has taken over the scanner's address, becomes invisible to your deception layer.
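The triage logic described above, written out as an added example. This is not Rapid7 code and does not use the InsightIDR API or export format: the event schema, field names, sample records and the allowlist address are all constructed here for illustration. One design choice goes slightly beyond the page: connections from an allowlisted scanner are suppressed, but any attempt to use a honey user is still counted even when it comes from an allowlisted source, because a scanner has no legitimate reason to authenticate as a decoy account.

```python
"""Count honey-item access attempts per item, suppressing known scanners.

Added example, not Rapid7 code. The HoneyEvent schema, the item labels
("honeypot:...", "honeyuser:..."), the sample events and KNOWN_SCANNERS
are all constructed assumptions, not InsightIDR's data model.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class HoneyEvent:
    timestamp: str    # ISO 8601 timestamp (constructed)
    honey_item: str   # "<kind>:<name>", kind is an assumed label
    source_ip: str    # asset that made the attempt
    detail: str       # evidence text, e.g. the port or protocol used


# Constructed sample events: a vulnerability scanner sweeping a honeypot and
# once trying the honey user's credentials, plus an unexplained host probing
# the same honeypot and then the honey user.
SAMPLE_EVENTS = [
    HoneyEvent("2024-03-01T02:00:01Z", "honeypot:hp-fs-01", "10.0.5.20", "tcp/445 connect"),
    HoneyEvent("2024-03-01T02:00:03Z", "honeypot:hp-fs-01", "10.0.5.20", "tcp/22 connect"),
    HoneyEvent("2024-03-01T02:00:09Z", "honeyuser:svc_backup", "10.0.5.20", "ntlm logon attempt"),
    HoneyEvent("2024-03-01T09:14:10Z", "honeypot:hp-fs-01", "10.0.9.77", "tcp/445 connect"),
    HoneyEvent("2024-03-01T09:14:12Z", "honeypot:hp-fs-01", "10.0.9.77", "tcp/3389 connect"),
    HoneyEvent("2024-03-01T09:16:40Z", "honeypot:hp-fs-01", "10.0.9.77", "tcp/22 connect"),
    HoneyEvent("2024-03-01T09:20:05Z", "honeyuser:svc_backup", "10.0.9.77", "kerberos AS-REQ"),
]

# Assumed allowlist: the scanner's address, as a /32 so a whole subnet is not
# silenced by accident. Every entry here is a host whose honeypot touches you
# will never be alerted on, so keep it minimal.
KNOWN_SCANNERS = [ipaddress.ip_network("10.0.5.20/32")]

# Item kinds a network scanner is expected to touch. Credential use (honey
# users) is deliberately absent: that is never normal scanner behaviour.
SCAN_LIKE_KINDS = {"honeypot", "honeyfile"}


def is_allowlisted(ip: str, allowlist=KNOWN_SCANNERS) -> bool:
    """True if ip falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def is_expected(ev: HoneyEvent, allowlist=KNOWN_SCANNERS) -> bool:
    """An event is expected (and suppressed) only when the source is
    allowlisted AND the item is one a scanner would legitimately touch."""
    kind = ev.honey_item.split(":", 1)[0]
    return kind in SCAN_LIKE_KINDS and is_allowlisted(ev.source_ip, allowlist)


def summarize(events, allowlist=KNOWN_SCANNERS):
    """Return (summary, suppressed).

    summary maps honey item -> {"attempts": n, "sources": sorted IPs} for
    events that should be escalated; suppressed counts events dropped
    because they matched the allowlist."""
    attempts = defaultdict(int)
    sources = defaultdict(set)
    suppressed = 0
    for ev in events:
        if is_expected(ev, allowlist):
            suppressed += 1
            continue
        attempts[ev.honey_item] += 1
        sources[ev.honey_item].add(ev.source_ip)
    summary = {
        item: {"attempts": attempts[item], "sources": sorted(sources[item])}
        for item in attempts
    }
    return summary, suppressed


if __name__ == "__main__":
    summary, suppressed = summarize(SAMPLE_EVENTS)
    for item, info in summary.items():
        print(f"{item}: {info['attempts']} attempt(s) from {', '.join(info['sources'])}")
    print(f"suppressed by allowlist: {suppressed}")
```

Run stand-alone, the script escalates three honeypot touches from 10.0.9.77 and two honey-user attempts, one of them from the scanner address, while suppressing only the scanner's two port connects to the honeypot. If you widen the allowlist to a subnet, the same code silences every host in it; that is the trade-off the caveat above warns about.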