Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot. Learn more

Detecting Honeypot Access With Varonis

Honeypots are traps that the Blue Team (defenders) plant to catch potentially bad actors trying to exploit a vulnerability, snoop for data, or escalate privileges. Since a honeypot is a decoy,...
Michael Buckbee
3 min read
Last updated June 16, 2023
Honeypots are traps that the Blue Team (defenders) plant to catch potentially bad actors trying to exploit a vulnerability, snoop for data, or escalate privileges. Since a honeypot is a decoy, any access to it should raise a red flag.


Honeypots can be an intentionally unpatched server on the internet. For example, researcher Kevin Beaumont set up a network of vulnerable Exchange Servers he calls “ MailPot” in order to see who is trying to exploit the ProxyLogon CVEs. When he gets a “hit” on his honeypot, he can then observe the tactics, techniques, and procedures of the attackers in a controlled environment.


Get a Free Data Risk Assessment

Honeypots don’t have to be servers. They can take the form of folders or SharePoint sites with sensitive-looking data, a fake Active Directory group that grants “privileged” access, an “executive” email box, or even a Microsoft Teams channel that has fake data and conversations. The goal of the honeypot is to draw attention, so anything that looks like sensitive data or a potential pathway to sensitive data can work.

With Varonis, you can create custom real-time alerts to trigger whenever there’s activity on your honeypot, giving your Incident Response team a heads up that someone is snooping around the network. Varonis’ robust audit trail can help you quickly investigate whether that access is innocuous or concerning so that you can act quickly to prevent real sensitive data compromise.

This blog will show you how to set up a Varonis alert on a honeypot and track down a potential threat using the Varonis audit data and forensics capabilities.

Creating the Honeypot with a Custom Real-Time Alert

DatAlert provides the threat detection capabilities to the Varonis Data Security Platform. In addition to the advanced user behavior analytics and pre-built threat models, you can also create custom alerts.

First, you need to create a honeypot. There are several kinds of honeypots, and you can read this academic research all about them. We will use a low-interaction honeypot for our purposes today, which is an enticing-looking file in an insecure folder.

Our Honeypot isn't suspicious at all

Second, you need to create a custom alert on your honeypot.

In DatAdvantage, select the Tools on the menu bar and then DatAlert to open the DatAlert configuration dialog.

Create the New Rule with the Green Plus button

Click the green plus to open the dialog to add a new alert.

DatAlert General Tab

In the General tab, enter the new rule name, select the severity, which for a honeypot should be “4-Warning.” Select your Alert Category and the type of resource where your honeypot lives in the Resource Type drop-down – I selected “Lateral Movement.” You can leave the rest of the options at their defaults.

Skip the Who tab, because we want this alert to trigger if anyone accesses the honeypot.

Select the server and honeypot directory in the Where tab.

DatAlert Where tab

In the What tab, select the events related to file and folder access.

DatAlert What tab

Skip to the Alert Method tab to set instructions for a response to tripping this alert. You can send emails, trigger alerts in SIEMs, or run a PowerShell script. We use scripts to disable user accounts and then power down their computers to remove them from the network.

Click Apply and wait for someone to fall into the honeypot.

Investigate the Incident

When a user trips the alarm, you can use the WebUI to create a total picture of their movements through your network. Non-malicious users will fall into the honeypot out of simple human curiosity. They will cause some false-positives. Diving into the alert details will help weed those out.

WebUI Honeypot Access alert

In the WebUI, set the activity filter to the user that fell into the honeypot.

WebUI filtered events

With a wealth of audit data, you can easily retrace the users’ steps. This forensic data is crucial to know for data breach notification requirements and can help remediate a cyberattack.

Better Security With Behavioral Analytics

Honeypots can be important tactical tools, but they aren’t adaptive, and you certainly don’t want to depend on honeypots to detect advanced threat actors. Dynamic, behavior-based threat models like the ones that come out-of-the-box with DatAlert are much better at detecting stealthy attackers with few false positives.

Rather than set up artificial honeypots, DatAlert can detect when users begin accessing real data in abnormal ways – such as a sysadmin reading the CEO’s inbox and marking messages as unread or a service account that is accessing sensitive Office documents then connecting to the internet for the first time.

Sign up for a Varonis demo to see how we approach cybersecurity differently.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:


Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.


See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.


Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

How Honeypots Unmask Hackers & Scammers Online
How defenders use honeypots to unmask hackers, scammers, and internet catfish with tracking links
Lessons Learned from Mat Honan's Epic Hacking
” Password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.” If you haven’t read Gizmodo writer Mat Honan’s...
Threat Update #12 - Does Zerologon Change the Game?
Cybercriminals are using the Zerologon exploit to fast track lateral movement and privilege escalation. If left unpatched, the exploit lets attackers use the password of the primary domain controller to...
Windows Defender Turned Off by Group Policy [Solved]
Windows Defender is a common AV solution, and attackers know how to work-around it. Learn how to turn Defender back on with this easy tutorial.