
Honeytoken Account Logon Activity

This query detects logon activity associated with a honeytoken account. Honeytokens are decoy accounts that no legitimate user or process should ever use, so any logon against them, successful or failed, is a strong indicator of compromise. As shipped, the query watches the built-in Administrator account (RID 500) as a stand-in; it becomes a true honeytoken rule once the SID filter is pointed at your own decoy accounts.

Identity · Detection · T1078 (Valid Accounts)
FDR · intermediate · by ByteRay GmbH (cql-hub.com) · 1 min read

Query

// Logon events: the unanchored regex matches both UserLogon (successful) and UserLogonFailed2 (failed)
#event_simpleName=/UserLogon.*/i
// Default pattern: the built-in Administrator account (RID 500) of any domain or machine SID.
// Anchored with ^ and $ and using \d+ so that a longer RID such as 5001 cannot match.
// Replace with the exact SIDs of your own honeytoken accounts.
| UserSid = /^S-1-5-21-\d+-\d+-\d+-500$/i

Explanation

Imported from cql-hub.com.

The first line restricts the search to Falcon logon events. Because the regex is unanchored and case-insensitive, it matches both UserLogon and UserLogonFailed2, so attempts against the decoy are caught whether or not the attacker had the right password.

The UserSid filter keeps only events whose account SID ends in RID 500. S-1-5-21 followed by three numeric sub-authorities is the prefix of every domain or local machine SID, and RID 500 within it is always the built-in Administrator account. As written the query therefore alerts on every Administrator logon in the environment; swapping that pattern for the SIDs of your honeytoken accounts turns it into the honeytoken detection the title describes.

Variables to adjust

Review and adjust the values for your environment. Replace the RID-500 pattern in the UserSid filter with the exact SIDs of your honeytoken accounts, one alternation per decoy, anchored with ^ and $ so that a longer RID that merely starts with the same digits cannot match. To alert only on successful logons, narrow the first line to UserLogon; to alert only on failed attempts, use UserLogonFailed2.
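The filter above, replayed in Python over a handful of constructed FDR-style JSON records, as an added example that is not part of the cql-hub.com page or the ByteRay query. The SIDs, hostnames and user names are invented; the field names event_simpleName, UserSid, UserName and ComputerName are the real FDR ones. It contrasts the page's unanchored RID-500 suffix match with an anchored version, and with an exact-match alternation built from a list of hypothetical honeytoken SIDs, which is the substitution the "Variables to adjust" section asks for.

```python
import json
import re

# Constructed FDR-style logon records (field names are real FDR fields; the
# SIDs, user names and hostnames are invented for this example).
SAMPLE_FDR_JSONL = """\
{"event_simpleName": "UserLogon", "UserSid": "S-1-5-21-1111111111-2222222222-3333333333-500", "UserName": "Administrator", "ComputerName": "WS01"}
{"event_simpleName": "UserLogonFailed2", "UserSid": "S-1-5-21-1111111111-2222222222-3333333333-500", "UserName": "Administrator", "ComputerName": "WS02"}
{"event_simpleName": "UserLogon", "UserSid": "S-1-5-21-1111111111-2222222222-3333333333-5001", "UserName": "svc_backup", "ComputerName": "SRV01"}
{"event_simpleName": "UserLogon", "UserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105", "UserName": "jdoe", "ComputerName": "WS03"}
{"event_simpleName": "ProcessRollup2", "UserSid": "S-1-5-21-1111111111-2222222222-3333333333-500", "UserName": "Administrator", "ComputerName": "WS01"}
{"event_simpleName": "UserLogon", "UserSid": "S-1-5-21-1111111111-2222222222-3333333333-1337", "UserName": "ht-finance-admin", "ComputerName": "WS04"}
"""

# Mirrors `#event_simpleName=/UserLogon.*/i`: matches UserLogon and UserLogonFailed2.
EVENT_PATTERN = re.compile(r"UserLogon.*", re.IGNORECASE)

# The page's SID pattern as published: unanchored, so "-500" also matches inside "-5001".
PAGE_SID_PATTERN = re.compile(r"S-1-5-21-\d*-\d*-\d*-500", re.IGNORECASE)

# Tightened version: one or more digits per sub-authority, anchored at both ends.
ANCHORED_SID_PATTERN = re.compile(r"^S-1-5-21-\d+-\d+-\d+-500$", re.IGNORECASE)

# Hypothetical honeytoken SIDs for this example; in practice look them up in AD.
HONEYTOKEN_SIDS = ["S-1-5-21-1111111111-2222222222-3333333333-1337"]


def load_events(jsonl):
    """Parse newline-delimited JSON records into dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def honeytoken_pattern(sids):
    """Exact-match alternation over the decoy SIDs, each escaped and anchored."""
    return re.compile("^(?:" + "|".join(re.escape(s) for s in sids) + ")$")


def match_logons(events, sid_pattern):
    """Replicate the two-line query: keep logon events whose UserSid matches.

    re.search is used on purpose: LogScale regex field matches are unanchored
    unless ^ and $ are written, so this reproduces the query's behaviour.
    """
    return [
        e for e in events
        if EVENT_PATTERN.search(e.get("event_simpleName", ""))
        and sid_pattern.search(e.get("UserSid", ""))
    ]


def hits(events, sid_pattern):
    """Compact (event, user, host) tuples for the events the query would emit."""
    return [
        (e["event_simpleName"], e["UserName"], e["ComputerName"])
        for e in match_logons(events, sid_pattern)
    ]


if __name__ == "__main__":
    events = load_events(SAMPLE_FDR_JSONL)
    # The published pattern also returns svc_backup (RID 5001): a false positive.
    print("page pattern:     ", hits(events, PAGE_SID_PATTERN))
    print("anchored pattern: ", hits(events, ANCHORED_SID_PATTERN))
    print("honeytoken SIDs:  ", hits(events, honeytoken_pattern(HONEYTOKEN_SIDS)))
```

Running it shows three hits for the published pattern (two Administrator logons plus the RID-5001 service account), two for the anchored one, and exactly the ht-finance-admin logon on WS04 once the filter is built from the honeytoken SID list; the ProcessRollup2 record with the same SID is never returned because the event filter drops it first.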