Monitor Honeytoken Triggers Enterprise
After deploying honeytokens, use the Honeytokens page to see which decoys have fired and review what was captured.
Checking for triggers
Open Honeytokens in the sidebar. Use the Triggered tab to see honeytokens that have fired at least once, and Untriggered to see decoys that have not yet been accessed.
Each row shows the honeytoken type, your placement note, and how many times it has fired.
Investigating a trigger
Click a honeytoken to open its detail page. You can see:
- Total triggers and unique source IPs -- whether access is coming from one address or many
- Event log -- a timestamped list of every interaction, including source IP, and browser or device details if fingerprinting was enabled at creation
If the same IP appears many times in quick succession, it is likely automated scanning. If access comes from an internal IP or an address you do not recognize, open the corresponding incident on the Incidents page to investigate further.
Deleting a honeytoken
Delete a honeytoken when it is no longer deployed. The token URL stops working immediately, but any incidents it already generated remain on the Incidents page.
Only Administrators and Members can delete honeytokens.
Next steps
- Incidents and Threat Graph -- acknowledge and investigate honeytoken incidents
- Creation : add more honeytokens
- Alerting -- configure notifications for honeytoken triggers
