When you configure any of the deception technology InsightIDR offers, such as honeypots or honey users, an alert will automatically fire when anything attempts to access it. Once an alert has been fired, it will automatically open an Investigation, where you can see all the details of the honey item access.
To see these honey alerts:
- Select the Investigations page on the left-hand menu of InsightIDR.
- All open investigations that fall within the time window specified in the filter are listed.
- For quick access, enter "honey" in the "Alert Type" search field. The graph and the investigation list will then only display honey items.
- An Investigation Alert displays when the honey item is triggered. The number after the title "Honey Access" designates the number of access attempts made against the honey user. Select the Honey Item Investigation to see further details and a full list of occurrences.
- Once in the Investigation, you can scroll through the timeline of events. Select the blue Evidence button to see specific details about each access attempt.
- Like other investigations and alerts, you also have the option to add further data, or to export the data to a PDF document or a data exporter such as ServiceNow for ticketing.
Whitelist Honey Items
When you close the Investigation, you may either whitelist (ignore) or blacklist (alert) the incident for future Honey Alerts in the "Close investigation" menu in the top right corner.
You can whitelist connection attempts from the source asset if it is known and expected to regularly scan the network. One example of a known source asset that you would likely want to whitelist is a vulnerability scanner. Whitelist only that specific source asset and review the whitelist periodically: a whitelisted asset raises no further honey alerts, so its connections to honey items will go unnoticed even if the asset is later compromised.
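The workflow above (every access to a honey item raises an alert, alerts against the same honey item are grouped into one investigation whose title carries the attempt count, and closing the investigation lets the analyst whitelist or blacklist the source asset) can be modelled in a few lines. The following is an added example written for this page, not InsightIDR code or its API; the event fields, the class names and the sample events are all constructed assumptions.

```python
"""Honey-alert triage model (added example; not InsightIDR code).

Models the page's workflow: each access to a honey item is an alert, alerts on
the same honey item are grouped into one investigation titled
"Honey Access (<attempt count>)", and a source asset can be whitelisted
(suppressed) or blacklisted (always alerted on) when an investigation is closed.
"""
from dataclasses import dataclass, field


@dataclass
class HoneyAccessEvent:
    """One access attempt against a honey item (field names are assumptions)."""
    timestamp: str
    honey_item: str    # e.g. a honey user or honeypot name
    source_asset: str  # asset that touched the honey item
    evidence: str      # detail shown behind the Evidence button


@dataclass
class Investigation:
    """All alerts for one honey item, as the Investigations page groups them."""
    honey_item: str
    events: list = field(default_factory=list)

    @property
    def title(self) -> str:
        # The number after "Honey Access" is the count of access attempts.
        return f"Honey Access ({len(self.events)})"


class HoneyAlertTriage:
    def __init__(self) -> None:
        self.whitelist: set[str] = set()  # known scanners etc.: suppressed
        self.blacklist: set[str] = set()  # always alert, even if whitelisted

    def whitelist_asset(self, asset: str) -> None:
        self.whitelist.add(asset)

    def blacklist_asset(self, asset: str) -> None:
        self.blacklist.add(asset)

    def should_alert(self, event: HoneyAccessEvent) -> bool:
        """Blacklist wins over whitelist so a blacklisted asset never goes silent."""
        if event.source_asset in self.blacklist:
            return True
        return event.source_asset not in self.whitelist

    def build_investigations(self, events: list) -> dict:
        """Group alerting events by honey item; returns {honey_item: Investigation}."""
        investigations: dict = {}
        for ev in events:
            if not self.should_alert(ev):
                continue  # whitelisted source: no honey alert, no investigation
            inv = investigations.setdefault(ev.honey_item, Investigation(ev.honey_item))
            inv.events.append(ev)
        return investigations


# Constructed sample events: a vulnerability scanner sweeping a honeypot and a
# workstation trying the honey user's credentials three times.
SAMPLE_EVENTS = [
    HoneyAccessEvent("2024-01-05T02:00:01Z", "honeypot-smb-01", "scanner-01", "TCP 445 probe"),
    HoneyAccessEvent("2024-01-05T09:14:07Z", "honey-svc-backup", "ws-1042", "logon failure"),
    HoneyAccessEvent("2024-01-05T09:14:09Z", "honey-svc-backup", "ws-1042", "logon failure"),
    HoneyAccessEvent("2024-01-05T09:14:12Z", "honey-svc-backup", "ws-1042", "logon failure"),
]


def triage_sample(whitelist_scanner: bool = False) -> dict:
    """Run the sample through triage, optionally whitelisting the scanner."""
    triage = HoneyAlertTriage()
    if whitelist_scanner:
        triage.whitelist_asset("scanner-01")
    return triage.build_investigations(SAMPLE_EVENTS)


if __name__ == "__main__":
    for inv in triage_sample(whitelist_scanner=True).values():
        print(inv.title, inv.honey_item)
        for ev in inv.events:
            print("  ", ev.timestamp, ev.source_asset, ev.evidence)
```

Without the whitelist the sample produces two investigations; whitelisting `scanner-01` leaves only "Honey Access (3)" for the honey user, which is the case that deserves analyst attention. The blacklist is checked first on purpose: an asset an analyst has explicitly flagged should keep alerting even if someone later adds it to the whitelist by mistake.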