When the printer became my honeypot

I slapped a canary doc titled ‘Weekend pass roster.xlsx’ on the network printer share at 0530, and by 0617 the SIEM lit up like a range tower — containment said kill the port, but the 1SG executed the fastest IR by yanking the power cord. Anyone else run harmless traps to tune detection and muscle memory without making the BC think we got owned, or should I stick to phishing drills?

We park a canarytokened ‘LEAVE_ROSTER_Q4.xlsx’ in the printer’s scan-to-email folder and have SIEM tag hits as EXERCISE so it drills IR without waking the BC; bonus if it beacons to https://canarytokens.org with a unit tag. Just loop in @S6 and IA first so nobody files a real incident report, and log the “kill the port” step as a timed inject so the 1SG doesn’t win by yanking cords again. It’s the rare time the printer jams the bad guys, not us.

Quick tip from my last shop: we dropped a fake ‘Weekend pass roster.xlsx’ that pulls a UNC link (\honey\leave) so just previewing triggers 4663 on the server and the SIEM tags it EXERCISE — no print job, no 1SG ‘yanking the power cord’ at 0617. Only caution: Office prefetch can be noisy, so we arm it 0600–0900 and run it under a ‘TRAINING_HONEY’ account so @S6 can prove it’s a drill.
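The SIEM side of the two replies above (tag honey-document hits as EXERCISE, suppress indexer noise, and make the TRAINING_HONEY planter account provable) as an added example in Python. This is not code from any poster or from canarytokens.org; the share path, the exercise label, the 0600–0900 arming window, the noise-process list and the sample 4663 events are all constructed assumptions for illustration.

```python
"""Triage Windows 4663 (object access) events against a registry of honey documents.

Added example, not the thread's own tooling. Every path, account and event below
is constructed; adapt the registry to the lure you actually planted.
"""
import json
from datetime import datetime, time

# Assumption: honey-document registry keyed by lower-cased ObjectName as it appears in 4663.
HONEY_OBJECTS = {
    r"\\honey\leave\weekend pass roster.xlsx": {
        "exercise": "EXERCISE-PRINTER-HONEY",  # placeholder label, not a real exercise id
        "armed_from": time(6, 0),              # 0600-0900 arming window from the thread
        "armed_until": time(9, 0),
    },
}

# Assumption: the account that plants/refreshes the lure, so its own touches are not "hits".
PLANTER_ACCOUNT = "training_honey"

# Assumption: background indexing reads the file without a human opening it; treat as noise.
NOISE_PROCESSES = {"searchprotocolhost.exe", "searchindexer.exe"}

# Constructed sample events, one JSON object per line, mimicking the fields a SIEM keeps from 4663.
SAMPLE_EVENTS = r"""
{"EventID": 4663, "TimeCreated": "2024-03-02T05:58:10", "SubjectUserName": "TRAINING_HONEY", "ObjectName": "\\\\honey\\leave\\Weekend pass roster.xlsx", "ProcessName": "C:\\Windows\\explorer.exe", "AccessMask": "0x2"}
{"EventID": 4663, "TimeCreated": "2024-03-02T06:17:03", "SubjectUserName": "jdoe", "ObjectName": "\\\\honey\\leave\\Weekend pass roster.xlsx", "ProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "AccessMask": "0x1"}
{"EventID": 4663, "TimeCreated": "2024-03-02T06:20:45", "SubjectUserName": "SYSTEM", "ObjectName": "\\\\honey\\leave\\Weekend pass roster.xlsx", "ProcessName": "C:\\Windows\\System32\\SearchProtocolHost.exe", "AccessMask": "0x1"}
{"EventID": 4663, "TimeCreated": "2024-03-02T14:42:30", "SubjectUserName": "svc_backup", "ObjectName": "\\\\honey\\leave\\Weekend pass roster.xlsx", "ProcessName": "C:\\Windows\\System32\\robocopy.exe", "AccessMask": "0x1"}
{"EventID": 4663, "TimeCreated": "2024-03-02T14:43:00", "SubjectUserName": "svc_backup", "ObjectName": "\\\\honey\\leave\\README.txt", "ProcessName": "C:\\Windows\\System32\\robocopy.exe", "AccessMask": "0x1"}
{"EventID": 4624, "TimeCreated": "2024-03-02T14:43:05", "SubjectUserName": "svc_backup", "LogonType": 3}
"""


def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def triage(event):
    """Return a verdict dict for a honey-document hit, or None if the event is not one."""
    if event.get("EventID") != 4663:
        return None
    rule = HONEY_OBJECTS.get(event.get("ObjectName", "").lower())
    if rule is None:
        return None                                   # 4663 on something we did not plant

    stamp = datetime.fromisoformat(event["TimeCreated"])
    subject = event.get("SubjectUserName", "").lower()
    process = event.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
    verdict = {
        "time": event["TimeCreated"],
        "subject": subject,
        "process": process,
        "exercise": rule["exercise"],
    }

    if process in NOISE_PROCESSES:
        verdict["disposition"] = "SUPPRESSED"        # indexer read, nobody opened the lure
    elif subject == PLANTER_ACCOUNT:
        verdict["disposition"] = "ARMING"            # the planter placing or refreshing it
    elif rule["armed_from"] <= stamp.time() < rule["armed_until"]:
        verdict["disposition"] = "EXERCISE"          # inside the window: route to the drill, not the BC
    else:
        verdict["disposition"] = "INCIDENT"          # outside the window: treat as a real touch
    return verdict


def run(text):
    """Triage every event in a JSON-lines blob and return the non-None verdicts in order."""
    return [v for v in (triage(e) for e in parse_events(text)) if v is not None]


def summarize(verdicts):
    """Count verdicts by disposition, which is what the exercise after-action wants to see."""
    counts = {}
    for v in verdicts:
        counts[v["disposition"]] = counts.get(v["disposition"], 0) + 1
    return counts


if __name__ == "__main__":
    results = run(SAMPLE_EVENTS)
    for r in results:
        print(f'{r["time"]}  {r["disposition"]:<10}  {r["subject"]:<15}  {r["process"]}')
    print(summarize(results))
```

The window tag only changes routing: an in-window hit still lands in the log with subject and process, so if the drill coincides with a genuine touch the record is there for review. Hits from the planter account and from the indexer are kept as separate dispositions rather than dropped, which is what lets S6 later prove the lure was planted by TRAINING_HONEY and that the noisy reads were machine, not human.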
