Deception Signals
Deception Signals shows decoy-interaction alerts scoped to your workspace. When an attacker touches one of your decoys, you get a high-fidelity signal with almost no false positives.
Who this is for
Security teams in a workspace who want a low-noise tripwire for attacker activity. Available on Pro and Enterprise plans.
Role-based start here
- Responder: watch the signals feed and act on any decoy interaction.
- Security engineer: register decoys for your workspace and confirm they appear.
- Workspace admin: confirm the capability is enabled on your plan.
Before you start
- Confirm your plan includes Deception Signals (Pro or Enterprise).
- Have a workspace API key to register decoys through the agent API.
Step-by-step
- Register a decoy for your workspace through the agent API using your workspace API key. The decoy is scoped to your workspace.
- Open Deception Signals (`#/deception`).
- Review the decoy summary and the recent interactions feed.
Day-2 operations
- Triage every signal: legitimate users should never touch a decoy.
- Add decoys near sensitive paths or systems to widen coverage.
- Forward notable interactions to your incident workflow.
Self-check playbook
- Register a decoy and confirm it appears in the decoy summary.
- Fire a test interaction at the decoy and confirm it shows in the feed.
- Confirm another workspace's decoys never appear in your feed.
What each button does
- Refresh: reloads the decoy summary and recent interactions.
- Recent decoy interactions: each row is one interaction (decoy, event type, request method and path, hashed source, tags).
Troubleshooting
- "No decoys registered yet": register a decoy with your workspace API key.
- "No decoy interactions yet": decoys are registered but nothing has touched them; this is the normal quiet state.
- `tenant_required`: sign in to a workspace; the feed is workspace-scoped.
API and automation
- `GET /api/deception/signals` returns `{ signals, nodes, node_count }` scoped to your workspace. Authenticated, licensed workspace access is required.
- Decoys enroll through the agent API; the registering API key sets the decoy's workspace.
API error quick reference
| Error | Meaning | What to do now |
|---|---|---|
| 401 Unauthorized | Session token or API key is missing, expired, or invalid. | Sign out and back in (or rotate the API key), then retry once. |
| 403 Forbidden | Your role is authenticated but not allowed to read signals, or your plan does not include deception. | Ask your workspace admin to grant access or upgrade the plan. |
| 404 Not Found | The route was not found in the current workspace context. | Confirm the /api/deception/signals path and workspace context, then retry. |
| 429 Too Many Requests | Your rate limit or quota window was exceeded. | Wait for cooldown, then retry with backoff. |
| 500 Internal Server Error | The backend failed unexpectedly. | Retry after a short wait. If it repeats, escalate with the UTC time. |
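
The error table above, expressed as a polling client's retry policy. This is an added example, not Dralvia's own code. It assumes a caller-supplied `send(path)` transport returning `(status, body)`, because this page does not document the base URL or auth header; `fetch_signals`, `SignalsError`, `reauth` and the backoff schedule are hypothetical names and values.

```python
import time
from datetime import datetime, timezone

SIGNALS_PATH = "/api/deception/signals"  # path documented on this page


class SignalsError(Exception):
    """Raised when the error table says to stop and involve a human."""


def fetch_signals(send, reauth=None, max_attempts=4, sleep=time.sleep):
    """Fetch the workspace feed, applying the error quick reference.

    send(path) -> (status, body) is a caller-supplied transport (assumption).
    reauth() is an optional hook that signs in again or rotates the API key.
    """
    retried_auth = False
    delay = 1.0
    for attempt in range(1, max_attempts + 1):
        status, body = send(SIGNALS_PATH)
        if status == 200:
            # Documented response shape: { signals, nodes, node_count }
            missing = {"signals", "nodes", "node_count"} - set(body)
            if missing:
                raise SignalsError(f"response missing keys: {sorted(missing)}")
            return body
        if status == 401 and not retried_auth and reauth is not None:
            reauth()             # sign in again or rotate the key...
            retried_auth = True  # ...then retry once, as the table says
            continue
        if status in (429, 500) and attempt < max_attempts:
            sleep(delay)         # cooldown (429) or short wait (500)
            delay *= 2           # exponential backoff (constructed schedule)
            continue
        if status == 500:
            stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
            raise SignalsError(f"500 repeated; escalate with UTC time {stamp}")
        hints = {401: "credentials missing, expired, or invalid",
                 403: "role or plan does not allow reading signals",
                 404: "check the path and workspace context",
                 429: "rate limit still exceeded after backoff"}
        raise SignalsError(f"{status}: {hints.get(status, 'unexpected status')}")
    raise SignalsError("retry budget exhausted")
```

A 403 or 404 is never retried, since neither clears without an admin or configuration change.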
Next best actions
- Place decoys near your most sensitive assets.
- Route decoy interactions to TicketBridge or your SIEM.
FAQ
- Will I see other workspaces' decoys? No. The feed is strictly workspace-scoped.
- Do decoys generate noise? Almost none. A signal means something touched a decoy, which should not happen in normal use.
- Can I edit the global deception graph? No. Designing the shared decoy fabric is managed by Dralvia; workspaces consume signals.