Deception

Honeytoken triggered - investigation playbook

Z.353 honeytoken telemetry routing + investigation steps.

What just happened

A honeytoken (AWS canary key, fake admin credential, decoy URL, etc.) was accessed.

Honeytokens are pure-deception assets with no legitimate consumer, so any access is high-fidelity evidence of compromise or insider snooping. The only expected benign trigger is your own deployment or validation run, so rule that out first and treat everything else as real.

Telemetry path

  1. Honeytoken backend (AWS Lambda / SQS / Vault dummy path) fires
  2. Z.353 honeytoken_deployment.py ingests the event
  3. Z.395 audit chain emits honeytoken_triggered
  4. Z.353 dispatches the alert via Z.400 fanout to the operator and the SOC L2 queue

Triage checklist

  1. Identify the token - the honeytoken_id field in the alert payload
  2. Find the trail - source IP, user agent, parent process
  3. Block the source - use the block-ioc action card from the Mini App
  4. Open an IR case - severity High by default (Critical if the token sits adjacent to a Tier-0 asset)
  5. Preserve evidence - Vault ciso/data/forensics//honeytoken-snapshot

Common scenarios

  Token                          Likely meaning
  Fake AWS key from S3 bucket    Bucket reconnaissance
  Vault decoy secret             Privileged credential dump
  Decoy URL in source code       Code repo compromise
  Canary Word doc                Phishing victim opened