Whitelist has been renamed to Exclusions. Exclusions no longer make old detections disappear and only apply to new detections.
Most organizations have additional security measures in their network besides our Honeypot. Those solutions may scan the network for hosts and open ports. This may trigger your Honeypot to alert about unwanted activity. There are other sources which may trigger "false positives". You can exclude these sources to ignore their activity.
Always check the source of a detection before adding it as an exclusion! The source may seem legitimate or harmless, but you may want to check whether you want the source to be able to reach your Honeypot.
We also recommend excluding only the ports on which you expect to receive detections from that source. If you exclude all ports of a source, you will not receive any detections if that source gets hacked.
How to exclude sources
It is also possible to manually add source IPs and destination ports to your exclusions. Go to the SecurityHive Dashboard, click "Honeypots" and click "Exclusions". You can add an exclusion record by clicking "Add exclusion".
Source IP: enter the IP address of the host you want to ignore.
Destination Port: enter nothing (example: ) to exclude the Ping sensor, a wildcard (*) to exclude all ports, or just the port (example: 80) you want to ignore (this applies to detections from the Source IP on Ports on the Honeypot).
Comment: add a comment to let others in your organization know why you excluded this host.
How exclusions work
Once your honeypot receives a detection, we will compare the data to the exclusions which are present for your organization. If the detection matches your exclusions, we'll discard the detection.
Exclusions are only evaluated at the time a detection is processed for the first time. This means we won't delete or restore old detections if your exclusion rules change. Because of this, you'll have a timeline and history based on the rules at that specific time.
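The matching and timing rules above can be modelled in a few lines. This is an added illustration, not SecurityHive's code: the class and function names, the sample IP address, and the choice that "*" does not cover the Ping sensor are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Exclusion:
    source_ip: str
    dest_port: str  # "" = Ping sensor, "*" = all ports, or one port such as "80"
    comment: str = ""


@dataclass(frozen=True)
class Detection:
    source_ip: str
    dest_port: Optional[int]  # None models a Ping sensor detection


def is_excluded(det, exclusions):
    """True if any exclusion record matches this detection."""
    for ex in exclusions:
        if ex.source_ip != det.source_ip:
            continue
        if det.dest_port is None:
            # Assumption: only an empty port field silences the Ping sensor;
            # the page does not say whether "*" covers it too.
            if ex.dest_port == "":
                return True
        elif ex.dest_port == "*" or ex.dest_port == str(det.dest_port):
            return True
    return False


class Timeline:
    """Exclusions are checked once, when a detection is first processed."""

    def __init__(self):
        self.exclusions = []
        self.stored = []

    def process(self, det):
        if is_excluded(det, self.exclusions):
            return False  # discarded, never stored
        self.stored.append(det)  # later rule changes do not remove it
        return True


def wildcard_exclusions(exclusions):
    """Records that silence every port of a source; worth reviewing regularly."""
    return [ex for ex in exclusions if ex.dest_port == "*"]
```

Running `wildcard_exclusions` over an exported rule list is a quick way to find sources that would stay silent on every port if they were compromised.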