Honey Alerts

When you configure any deception technology in InsightIDR, a detection automatically fires when anything attempts to access it. Once a detection has fired, InsightIDR automatically opens an Investigation, where you can see all the details related to the honey item.

View honey alerts

  1. From the left menu, select Investigations.
  2. You will see all the open investigations that fall within the time window specified in the filter.
  3. For quick access, enter "honey" in the "Alert Type" search field. The investigation list will then only display honey items.
  4. An investigation is created when the honey item is triggered. Select the investigation to see further details and a full list of occurrences.
  5. Once in the Investigation, you can scroll through the timeline of events. Select the Evidence button to see specific details about each access attempt.
  6. As with other investigations and alerts, you also have the option to add data or export the data to a PDF document or a data exporter, such as ServiceNow for ticketing.

Ignore or detect on honey items

When you close the investigation, you can choose to either ignore or detect on the incident for future Honey Alerts.

If a source asset is known and expected to scan the network regularly, you can add it to your allowlist to ensure successful connection attempts. A vulnerability scanner is one example of a known source asset that you would likely want to allow.