{"id":133,"date":"2020-07-08T10:43:46","date_gmt":"2020-07-08T10:43:46","guid":{"rendered":"https:\/\/cybersecthreat.com\/?p=133"},"modified":"2024-04-01T13:51:46","modified_gmt":"2024-04-01T05:51:46","slug":"honey-file-security-monitoring","status":"publish","type":"post","link":"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/honey-file-security-monitoring\/","title":{"rendered":"Honey File Monitoring"},"content":{"rendered":"<p>This time, we are going to discuss honey file monitoring.<\/p>\n\n\n<style>.kadence-column133_f29ab4-4b > .kt-inside-inner-col{display:flex;}.kadence-column133_f29ab4-4b > .kt-inside-inner-col,.kadence-column133_f29ab4-4b > .kt-inside-inner-col:before{border-top-left-radius:0px;border-top-right-radius:0px;border-bottom-right-radius:0px;border-bottom-left-radius:0px;}.kadence-column133_f29ab4-4b > .kt-inside-inner-col{column-gap:var(--global-kb-gap-sm, 1rem);}.kadence-column133_f29ab4-4b > .kt-inside-inner-col{flex-direction:column;align-items:center;}.kadence-column133_f29ab4-4b > .kt-inside-inner-col > .kb-image-is-ratio-size{align-self:stretch;}.kadence-column133_f29ab4-4b > .kt-inside-inner-col > .wp-block-kadence-advancedgallery{align-self:stretch;}.kadence-column133_f29ab4-4b > .kt-inside-inner-col > .aligncenter{width:100%;}.kadence-column133_f29ab4-4b > .kt-inside-inner-col:before{opacity:0.3;}.kadence-column133_f29ab4-4b{position:relative;}@media all and (max-width: 1024px){.kadence-column133_f29ab4-4b > .kt-inside-inner-col{flex-direction:column;justify-content:center;align-items:center;}}@media all and (max-width: 767px){.kadence-column133_f29ab4-4b > .kt-inside-inner-col{flex-direction:column;justify-content:center;align-items:center;}}<\/style>\n<div class=\"wp-block-kadence-column kadence-column133_f29ab4-4b\"><div class=\"kt-inside-inner-col\"><style>.kb-table-of-content-nav.kb-table-of-content-id133_4111be-eb .kb-table-of-content-wrap{padding-top:var(--global-kb-spacing-sm, 1.5rem);padding-right:var(--global-kb-spacing-sm, 
1.5rem);padding-bottom:var(--global-kb-spacing-sm, 1.5rem);padding-left:0px;background-color:rgba(255,255,255,0.99);border-top:3px solid #313131;border-right:3px solid #313131;border-bottom:3px solid #313131;border-left:3px solid #313131;box-shadow:0px 0px 14px 0px #abb8c3;}.kb-table-of-content-nav.kb-table-of-content-id133_4111be-eb .kb-table-of-contents-title-wrap{padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.kb-table-of-content-nav.kb-table-of-content-id133_4111be-eb .kb-table-of-contents-title{font-size:var(--global-kb-font-size-lg, 2rem);font-weight:bold;font-style:normal;}.kb-table-of-content-nav.kb-table-of-content-id133_4111be-eb .kb-table-of-content-wrap .kb-table-of-content-list{color:#d65a02;font-size:var(--global-kb-font-size-md, 1.25rem);font-weight:regular;font-style:normal;margin-top:var(--global-kb-spacing-sm, 1.5rem);margin-right:0px;margin-bottom:0px;margin-left:0px;}.kb-table-of-content-nav.kb-table-of-content-id133_4111be-eb .kb-toggle-icon-style-basiccircle .kb-table-of-contents-icon-trigger:after, .kb-table-of-content-nav.kb-table-of-content-id133_4111be-eb .kb-toggle-icon-style-basiccircle .kb-table-of-contents-icon-trigger:before, .kb-table-of-content-nav.kb-table-of-content-id133_4111be-eb .kb-toggle-icon-style-arrowcircle .kb-table-of-contents-icon-trigger:after, .kb-table-of-content-nav.kb-table-of-content-id133_4111be-eb .kb-toggle-icon-style-arrowcircle .kb-table-of-contents-icon-trigger:before, .kb-table-of-content-nav.kb-table-of-content-id133_4111be-eb .kb-toggle-icon-style-xclosecircle .kb-table-of-contents-icon-trigger:after, .kb-table-of-content-nav.kb-table-of-content-id133_4111be-eb .kb-toggle-icon-style-xclosecircle .kb-table-of-contents-icon-trigger:before{background-color:rgba(255,255,255,0.99);}@media all and (max-width: 1024px){.kb-table-of-content-nav.kb-table-of-content-id133_4111be-eb .kb-table-of-content-wrap{margin-left:var(--global-kb-spacing-auto, auto);border-top:3px solid 
#313131;border-right:3px solid #313131;border-bottom:3px solid #313131;border-left:3px solid #313131;}}@media all and (max-width: 767px){.kb-table-of-content-nav.kb-table-of-content-id133_4111be-eb .kb-table-of-content-wrap{margin-left:var(--global-kb-spacing-auto, auto);border-top:3px solid #313131;border-right:3px solid #313131;border-bottom:3px solid #313131;border-left:3px solid #313131;}}<\/style><\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-a-honey-file\">What is a Honey File?<\/h2>\n\n\n\n<p>In a nutshell, a honey file is a fake file (or files) intentionally placed in a shared folder\/location in order to detect the presence of an attacker or insider. The original idea came from the honeypot, which is a vulnerable machine placed in the network to detect the presence of an attacker or to study the attacker&#8217;s behavior. Now, the idea has evolved into different types of detection, including honey users, honey credentials, honey tokens, honey files, and honey database records.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-things-to-remember\">Things to remember<\/h2>\n\n\n\n<p>The first thing to remember is <strong>DO NOT<\/strong> intentionally set up any trap that can lead someone to commit a crime. For instance, DO NOT put a copyrighted file on the internet, lure someone into downloading it, and then sue them. In fact, you are committing a crime in this case. On the contrary, the aim of a honey file or honeypot is to attract the attention of cyber criminals who already want to commit a crime.<\/p>\n\n\n\n<p>Basically, honey detection strategies and their actual implementations depend on what you are trying to detect, your assumptions, and the risk your organization can accept. I saw many organizations refuse to consider any kind of honeypot, including virtual honeypots, because they think the risk is too high. So, what is attractive to an attacker and also beneficial to us as defenders? 
Definitely, you want your adversaries to discover it at the earliest stage, so that the blue team has enough time to handle it before the attacker causes damage. For instance, we found that honey user names such as backup or test always occurred in the first round of attempts. For honey file names, we found that attackers first try to locate keywords such as password, key, network diagram, inventory and IP address, which allow them to pivot further into other computers or networks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-options-for-honey-file-setup\">Options for honey file setup<\/h2>\n\n\n\n<p>So, what are our options? A <strong>dedicated file server<\/strong> and <strong>honey files in an existing file server<\/strong> are the most common options for honey file monitoring.<\/p>\n\n\n\n<p>First, we will discuss the <strong>dedicated file server<\/strong>, which minimizes the log size and catches whoever accesses the server. Naturally, you will need to filter out access from vulnerability scanners or inventory scanning tools. In general, you may detect illegal network scans, enumeration or lateral movement, and all of these should be investigated further.<\/p>\n\n\n\n<p>On the other hand, if you decide to put honey files in existing file server(s), you can optionally set up a SACL on the particular honey file(s) or configure &#8220;Detailed File Share&#8221; to monitor all file access. The first option has a higher chance of catching an insider, but it creates more false positives. The second option needs much more storage and license cost if you are using a commercial SIEM. However, it does give us more insight and context during our investigation.<\/p>\n\n\n\n<p>So, how do you choose the Event Code or settings for honey file monitoring with Splunk that consume the minimum license usage? 
As an illustration, below is a summary of the Event Codes related to shared folder level logging or NTFS file system level logging.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-comparison-of-different-options\">Comparison of different options<\/h2>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table class=\"has-background\" style=\"background-color:#f3f4f5\"><thead><tr><th><strong>GPO Settings\/SACL Settings<\/strong><\/th><th><strong>Event ID<\/strong><\/th><th><strong>Indicates Access Denied?<\/strong><\/th><th><strong>Description<\/strong><\/th><\/tr><\/thead><tbody><tr><td>Object Access -&gt;&nbsp; Audit File Share<\/td><td>5140, 5142, 5143, 5144<\/td><td>No Failure events<\/td><td>Shared folder level logging with username and source IP (includes SYSVOL &amp; IPC$)<\/td><\/tr><tr><td>Object Access -&gt;&nbsp; Audit Detailed File Share<\/td><td>5145<\/td><td>Yes<\/td><td>Shared folder level logging with username, source IP and actual file path (includes SYSVOL &amp; IPC$)<\/td><\/tr><tr><td>Object Access -&gt;&nbsp; Audit File System<br>and<br>SACL<\/td><td>&nbsp;4663<\/td><td>No Failure events<\/td><td>NTFS file system level logging, including local access, with username but not source IP address; can target only one file or one folder with a specified action<\/td><\/tr><tr><td>Object Access -&gt; Audit Handle Manipulation<br>and<br>Object Access -&gt;&nbsp; Audit File System<br>and<br>SACL<\/td><td>&nbsp;4656<\/td><td>Yes<\/td><td>NTFS file system level logging, including local access; can target only one file or one folder with a specified action.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-recommendation\">Recommendation<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/EventCode5145.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"554\" 
src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/EventCode5145-1024x554.png\" alt=\"Event Code 5145\" class=\"wp-image-1124\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/EventCode5145-1024x554.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/EventCode5145-300x162.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/EventCode5145-768x415.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/EventCode5145-1536x831.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/EventCode5145-600x325.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/EventCode5145.png 1919w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>If there is a dedicated honey file sharing server with no other production usage, then I will definitely choose Event ID 5145 and grant everyone permission to the honey file. It provides the source IP address, which immediately gives the analyst a direction for the investigation.&nbsp;<br>On the other hand, if the use case is to place a honey file on every file server, I will still choose Event ID 5145, and deny everyone access to the honey file. In this case, only turn on failure auditing in the GPO.<\/p>\n\n\n\n<p>Reference for SACL: <a href=\"https:\/\/petri.com\/how-to-audit-permission-changes-on-windows-file-servers\">https:\/\/petri.com\/how-to-audit-permission-changes-on-windows-file-servers<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>Basically, honey detection strategies and their actual implementations depend on what you are trying to detect, your assumptions, and the risk your organization can accept. I saw many organizations refuse to consider any kind of honeypot, including virtual honeypots, because they think the risk is too high. 
So, what is attractive to an attacker and also beneficial to us as defenders?<\/p>","protected":false},"author":2,"featured_media":362,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_uf_show_specific_survey":0,"_uf_disable_surveys":false,"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[42,44,23],"tags":[21,80,78,27,79,20],"class_list":["post-133","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blue-team","category-honey-file","category-splunk","tag-blue-team","tag-deception","tag-decoy","tag-honey-file","tag-lure","tag-splunk"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Honey File Monitoring - CyberSecThreat<\/title>\n<meta name=\"description\" content=\"How to choose which Event Code for Honey File monitoring with Splunk that consume minimum license usage ? 
Below is a summary of Event Code relateted to\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/honey-file-security-monitoring\/\" \/>\n<meta property=\"og:locale\" content=\"zh_TW\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Honey File Monitoring\" \/>\n<meta property=\"og:description\" content=\"Basically, the honey detection strategies and actual implementations are based on what you are trying to detect, your assumptions and the risk your organization can accept. I saw many organization refuse to consider any kind of honeypot including virtual honeypot due to they think the risk are too high. So, what is something attractive to an attacker and also benefit to us as defender ?\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/honey-file-security-monitoring\/\" \/>\n<meta property=\"og:site_name\" content=\"CyberSecThreat\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cybersecthreat\" \/>\n<meta property=\"article:published_time\" content=\"2020-07-08T10:43:46+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-01T05:51:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Honey_Files.png\" \/>\n\t<meta property=\"og:image:width\" content=\"628\" \/>\n\t<meta property=\"og:image:height\" content=\"199\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kelvin Yip\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@cybersecthreat\" \/>\n<meta name=\"twitter:site\" content=\"@cybersecthreat\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005:\" \/>\n\t<meta name=\"twitter:data1\" 
content=\"Kelvin Yip\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9810\u4f30\u95b1\u8b80\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 \u5206\u9418\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/\"},\"author\":{\"name\":\"Kelvin Yip\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#\\\/schema\\\/person\\\/4787dde06da74fa66cb5e92e481b0f98\"},\"headline\":\"Honey File Monitoring\",\"datePublished\":\"2020-07-08T10:43:46+00:00\",\"dateModified\":\"2024-04-01T05:51:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/\"},\"wordCount\":768,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/Honey_Files.png\",\"keywords\":[\"Blue Team\",\"deception\",\"decoy\",\"Honey File\",\"lure\",\"Splunk\"],\"articleSection\":[\"Blue Team\",\"Honey File\",\"Splunk\"],\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/\",\"name\":\"Honey File Monitoring - 
CyberSecThreat\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/Honey_Files.png\",\"datePublished\":\"2020-07-08T10:43:46+00:00\",\"dateModified\":\"2024-04-01T05:51:46+00:00\",\"description\":\"How to choose which Event Code for Honey File monitoring with Splunk that consume minimum license usage ? Below is a summary of Event Code relateted to\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/#breadcrumb\"},\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/#primaryimage\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/Honey_Files.png\",\"contentUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/Honey_Files.png\",\"width\":628,\"height\":199,\"caption\":\"Honey File Monitoring\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Splunk\",\"item\":\"https:\\\/\\\/cybersecthreat.com\\\/category\\\/splunk\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Honey File 
Monitoring\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#website\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/\",\"name\":\"CyberSecThreat\",\"description\":\"CyberSecurity Solutions\",\"publisher\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cybersecthreat.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-TW\"},{\"@type\":[\"Organization\",\"Place\"],\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\",\"name\":\"CyberSecThreat Corporation Limited.\",\"alternateName\":\"CyberSecThreat\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/\",\"logo\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/#local-main-organization-logo\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/#local-main-organization-logo\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/cybersecthreat\",\"https:\\\/\\\/x.com\\\/cybersecthreat\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/cybersecthreat-corporation-limited\"],\"description\":\"CyberSecThreat, headquartered in Taiwan, is a Cybersecurity solutions provider that offers cutting-edge Cybersecurity solutions including Cyber Threat Intelligence (CTI), Security Orchestration, Automation, and Response (SOAR), UBA\\\/UEBA, DFIR, and CyberSecurity consulting. CyberSecThreat was awarded as Top 10 Cyber Security Companies of 2022 in APAC CIO Outlook\u2019s Cyber Security Edition. We position ourselves as one of the most comprehensive players in the most advanced high-end marketplace with our highly customizable cybersecurity solutions. 
CyberSecThreat has been committed to contributing to the CyberSecurity industry and assisting our global clients to improve their CyberSecurity posture. With our global partners and experts, we can deliver a wide range of world-class services to our global clients including vCISO, SOC consulting, Splunk consulting, red team, blue team, and AppSec consulting. CyberSecThreat Research Lab, which is led by our founder Kelvin Yip, is a subdivision that focuses on researching Cyber Warfare, Cyber Influence Operation\\\/Cognitive Domain Warfare (including Disinformation, Propaganda, and psychological manipulation), the latest Cybersecurity trends, and threats that organizations face today as well as technology innovation. With decades of Cybersecurity and technology experience, our teams of experts carry out research and experiment, bringing it to the real world. When things come to the real world and production environment, it is more complicated than our imagination. Let us worry about it because this is our mission! 
Our vision: NextGen safe digital life, and our mission is to Transform Security Into Real World.\",\"legalName\":\"CyberSecThreat Corporation Limited.\",\"foundingDate\":\"2021-01-23\",\"address\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/#local-main-place-address\"},\"geo\":{\"@type\":\"GeoCoordinates\",\"latitude\":\"25.0600452\",\"longitude\":\"121.4594381\"},\"telephone\":[\"(+886) 02 - 77527628\"],\"openingHoursSpecification\":[{\"@type\":\"OpeningHoursSpecification\",\"dayOfWeek\":[\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\",\"Sunday\"],\"opens\":\"09:00\",\"closes\":\"18:00\"}],\"email\":\"info@cybersecthreat.com\",\"areaServed\":\"Taiwan\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#\\\/schema\\\/person\\\/4787dde06da74fa66cb5e92e481b0f98\",\"name\":\"Kelvin Yip\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"caption\":\"Kelvin Yip\"},\"sameAs\":[\"https:\\\/\\\/cybersecthreat.com\"],\"knowsAbout\":[\"CyberSecurity\"],\"knowsLanguage\":[\"English\",\"Chinese\"],\"jobTitle\":\"Founder, CEO\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/zh\\\/author\\\/kelvinyip-m\\\/\"},{\"@type\":\"PostalAddress\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/#local-main-place-address\",\"streetAddress\":\"9 F.-A6, No. 
601, Siyuan Rd., Xinzhuang Dist., New Taipei City 242032, Taiwan (R.O.C.)\",\"addressLocality\":\"New Taipei City\",\"postalCode\":\"242032\",\"addressRegion\":\"Taiwan\",\"addressCountry\":\"TW\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/honey-file-security-monitoring\\\/#local-main-organization-logo\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/CyberSecThreat_website-site-logo-_164x164-min.png\",\"contentUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/CyberSecThreat_website-site-logo-_164x164-min.png\",\"width\":164,\"height\":164,\"caption\":\"CyberSecThreat Corporation Limited.\"}]}<\/script>\n<meta name=\"geo.placename\" content=\"New Taipei City\" \/>\n<meta name=\"geo.position\" content=\"25.0600452;121.4594381\" \/>\n<meta name=\"geo.region\" content=\"Taiwan\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Honey File Monitoring - CyberSecThreat","description":"How to choose which Event Code for Honey File monitoring with Splunk that consume minimum license usage ? Below is a summary of Event Code relateted to","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/honey-file-security-monitoring\/","og_locale":"zh_TW","og_type":"article","og_title":"Honey File Monitoring","og_description":"Basically, the honey detection strategies and actual implementations are based on what you are trying to detect, your assumptions and the risk your organization can accept. I saw many organization refuse to consider any kind of honeypot including virtual honeypot due to they think the risk are too high. 
So, what is something attractive to an attacker and also benefit to us as defender ?","og_url":"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/honey-file-security-monitoring\/","og_site_name":"CyberSecThreat","article_publisher":"https:\/\/www.facebook.com\/cybersecthreat","article_published_time":"2020-07-08T10:43:46+00:00","article_modified_time":"2024-04-01T05:51:46+00:00","og_image":[{"width":628,"height":199,"url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Honey_Files.png","type":"image\/png"}],"author":"Kelvin Yip","twitter_card":"summary_large_image","twitter_creator":"@cybersecthreat","twitter_site":"@cybersecthreat","twitter_misc":{"\u4f5c\u8005:":"Kelvin Yip","\u9810\u4f30\u95b1\u8b80\u6642\u9593":"4 \u5206\u9418"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/#article","isPartOf":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/"},"author":{"name":"Kelvin Yip","@id":"https:\/\/cybersecthreat.com\/#\/schema\/person\/4787dde06da74fa66cb5e92e481b0f98"},"headline":"Honey File Monitoring","datePublished":"2020-07-08T10:43:46+00:00","dateModified":"2024-04-01T05:51:46+00:00","mainEntityOfPage":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/"},"wordCount":768,"commentCount":0,"publisher":{"@id":"https:\/\/cybersecthreat.com\/#organization"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/#primaryimage"},"thumbnailUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Honey_Files.png","keywords":["Blue Team","deception","decoy","Honey File","lure","Splunk"],"articleSection":["Blue Team","Honey 
File","Splunk"],"inLanguage":"zh-TW","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/","url":"https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/","name":"Honey File Monitoring - CyberSecThreat","isPartOf":{"@id":"https:\/\/cybersecthreat.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/#primaryimage"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/#primaryimage"},"thumbnailUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Honey_Files.png","datePublished":"2020-07-08T10:43:46+00:00","dateModified":"2024-04-01T05:51:46+00:00","description":"How to choose which Event Code for Honey File monitoring with Splunk that consume minimum license usage ? 
Below is a summary of Event Code relateted to","breadcrumb":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/#breadcrumb"},"inLanguage":"zh-TW","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/"]}]},{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/#primaryimage","url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Honey_Files.png","contentUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Honey_Files.png","width":628,"height":199,"caption":"Honey File Monitoring"},{"@type":"BreadcrumbList","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Splunk","item":"https:\/\/cybersecthreat.com\/category\/splunk\/"},{"@type":"ListItem","position":2,"name":"Honey File Monitoring"}]},{"@type":"WebSite","@id":"https:\/\/cybersecthreat.com\/#website","url":"https:\/\/cybersecthreat.com\/","name":"\u5947\u8cc7\u5b89","description":"\u7db2\u8def\u5b89\u5168\u65b9\u6848","publisher":{"@id":"https:\/\/cybersecthreat.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cybersecthreat.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-TW"},{"@type":["Organization","Place"],"@id":"https:\/\/cybersecthreat.com\/#organization","name":"\u5947\u8cc7\u8a0a\u4fdd\u5b89\u53ca\u7db2\u7d61\u6709\u9650\u516c\u53f8","alternateName":"CyberSecThreat","url":"https:\/\/cybersecthreat.com\/","logo":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/#local-main-organization-logo"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/#local-ma
in-organization-logo"},"sameAs":["https:\/\/www.facebook.com\/cybersecthreat","https:\/\/x.com\/cybersecthreat","https:\/\/www.linkedin.com\/company\/cybersecthreat-corporation-limited"],"description":"CyberSecThreat, headquartered in Taiwan, is a Cybersecurity solutions provider that offers cutting-edge Cybersecurity solutions including Cyber Threat Intelligence (CTI), Security Orchestration, Automation, and Response (SOAR), UBA\/UEBA, DFIR, and CyberSecurity consulting. CyberSecThreat was awarded as Top 10 Cyber Security Companies of 2022 in APAC CIO Outlook\u2019s Cyber Security Edition. We position ourselves as one of the most comprehensive players in the most advanced high-end marketplace with our highly customizable cybersecurity solutions. CyberSecThreat has been committed to contributing to the CyberSecurity industry and assisting our global clients to improve their CyberSecurity posture. With our global partners and experts, we can deliver a wide range of world-class services to our global clients including vCISO, SOC consulting, Splunk consulting, red team, blue team, and AppSec consulting. CyberSecThreat Research Lab, which is led by our founder Kelvin Yip, is a subdivision that focuses on researching Cyber Warfare, Cyber Influence Operation\/Cognitive Domain Warfare (including Disinformation, Propaganda, and psychological manipulation), the latest Cybersecurity trends, and threats that organizations face today as well as technology innovation. With decades of Cybersecurity and technology experience, our teams of experts carry out research and experiment, bringing it to the real world. When things come to the real world and production environment, it is more complicated than our imagination. Let us worry about it because this is our mission! 
Our vision: NextGen safe digital life, and our mission is to Transform Security Into Real World.","legalName":"CyberSecThreat Corporation Limited.","foundingDate":"2021-01-23","address":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/#local-main-place-address"},"geo":{"@type":"GeoCoordinates","latitude":"25.0600452","longitude":"121.4594381"},"telephone":["(+886) 02 - 77527628"],"openingHoursSpecification":[{"@type":"OpeningHoursSpecification","dayOfWeek":["Monday","Tuesday","Wednesday","Thursday","Friday","Saturday","Sunday"],"opens":"09:00","closes":"18:00"}],"email":"info@cybersecthreat.com","areaServed":"Taiwan"},{"@type":"Person","@id":"https:\/\/cybersecthreat.com\/#\/schema\/person\/4787dde06da74fa66cb5e92e481b0f98","name":"Kelvin Yip","image":{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","caption":"Kelvin Yip"},"sameAs":["https:\/\/cybersecthreat.com"],"knowsAbout":["CyberSecurity"],"knowsLanguage":["English","Chinese"],"jobTitle":"Founder, CEO","url":"https:\/\/cybersecthreat.com\/zh\/author\/kelvinyip-m\/"},{"@type":"PostalAddress","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/#local-main-place-address","streetAddress":"9 F.-A6, No. 
601, Siyuan Rd., Xinzhuang Dist., New Taipei City 242032, Taiwan (R.O.C.)","addressLocality":"New Taipei City","postalCode":"242032","addressRegion":"Taiwan","addressCountry":"TW"},{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/honey-file-security-monitoring\/#local-main-organization-logo","url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2023\/12\/CyberSecThreat_website-site-logo-_164x164-min.png","contentUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2023\/12\/CyberSecThreat_website-site-logo-_164x164-min.png","width":164,"height":164,"caption":"CyberSecThreat Corporation Limited."}]},"geo.placename":"New Taipei City","geo.position":{"lat":"25.0600452","long":"121.4594381"},"geo.region":"Taiwan"},"taxonomy_info":{"category":[{"value":42,"label":"Blue Team"},{"value":44,"label":"Honey File"},{"value":23,"label":"Splunk"}],"post_tag":[{"value":21,"label":"Blue Team"},{"value":80,"label":"deception"},{"value":78,"label":"decoy"},{"value":27,"label":"Honey File"},{"value":79,"label":"lure"},{"value":20,"label":"Splunk"}]},"featured_image_src_large":["https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Honey_Files.png",628,199,false],"author_info":{"display_name":"Kelvin Yip","author_link":"https:\/\/cybersecthreat.com\/zh\/author\/kelvinyip-m\/"},"comment_info":0,"category_info":[{"term_id":42,"name":"Blue Team","slug":"blue-team","term_group":0,"term_taxonomy_id":42,"taxonomy":"category","description":"","parent":0,"count":14,"filter":"raw","cat_ID":42,"category_count":14,"category_description":"","cat_name":"Blue Team","category_nicename":"blue-team","category_parent":0},{"term_id":44,"name":"Honey File","slug":"honey-file","term_group":0,"term_taxonomy_id":44,"taxonomy":"category","description":"","parent":0,"count":1,"filter":"raw","cat_ID":44,"category_count":1,"category_description":"","cat_name":"Honey 
File","category_nicename":"honey-file","category_parent":0},{"term_id":23,"name":"Splunk","slug":"splunk","term_group":0,"term_taxonomy_id":23,"taxonomy":"category","description":"","parent":0,"count":10,"filter":"raw","cat_ID":23,"category_count":10,"category_description":"","cat_name":"Splunk","category_nicename":"splunk","category_parent":0}],"tag_info":[{"term_id":21,"name":"Blue Team","slug":"blue-team","term_group":0,"term_taxonomy_id":21,"taxonomy":"post_tag","description":"","parent":0,"count":13,"filter":"raw"},{"term_id":80,"name":"deception","slug":"deception","term_group":0,"term_taxonomy_id":80,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":78,"name":"decoy","slug":"decoy","term_group":0,"term_taxonomy_id":78,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":27,"name":"Honey File","slug":"honey-file","term_group":0,"term_taxonomy_id":27,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":79,"name":"lure","slug":"lure","term_group":0,"term_taxonomy_id":79,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":20,"name":"Splunk","slug":"splunk","term_group":0,"term_taxonomy_id":20,"taxonomy":"post_tag","description":"","parent":0,"count":8,"filter":"raw"}],"_links":{"self":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts\/133","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/comments?post=133"}],"version-history":[{"count":0,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts\/133\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/
\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/media\/362"}],"wp:attachment":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/media?parent=133"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/categories?post=133"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/tags?post=133"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}