# Create and test a honeypot

### Step 1: **Navigate to the sidebar and select Honeypots**

<figure><img src="/files/ywjREBkmPYBekRv8BeNg" alt=""><figcaption></figcaption></figure>

### Step 2: Click "**+ Set up a new honeypot"** in the top right corner

### Step 3: Configure your honeypot

To ensure your honeypots are difficult to detect, select a type that matches your existing resources and assign a name in a similar format. By clicking the "Set up honeypot" button, the app will redirect you to the honeypot's page.

<figure><img src="/files/rSQhfd04EZcjFnwrmEBv" alt=""><figcaption></figcaption></figure>

### Step 4: Click "+Create CloudFormation stack"

<figure><img src="/files/S8KZYdVplVUUc3vo8Zmx" alt=""><figcaption></figcaption></figure>

Clicking this will open your AWS account in a new tab. You may need to sign in first if you're not logged in.

### Step 5: On the CloudFormation page scroll down and click "Create stack"

This will create a CloudFormation stack for your honeypot. Pro tip: name your stack to something unique that blends in your environment.

<figure><img src="/files/8USxS26rddzFscfBldUh" alt=""><figcaption></figcaption></figure>

### Step 6: Monitor the status of your stack

It may take a minute or two for the honeypot to become active. Seeing CREATE\_COMPLETE? Great job! Your honeypot is ready! Time to test your honeypot!

<figure><img src="/files/sIyP6LNM7wniSuEpkLAI" alt=""><figcaption></figcaption></figure>

### Step 7:  Click "Open your AWS Lambda function" on the honeypot's page

Make sure that your function's ARN is the same as configured for your honeypot.

<figure><img src="/files/y6z4BwWF2kLog1sraRcI" alt=""><figcaption></figcaption></figure>

### Step 8: Scroll down and click "Test"

No need to change or save the payload. Once you Invoked the function via the Test button, you should see the following message returned: "Forwarding event to server..."

<figure><img src="/files/PCOdcbXxUp9EDeGcOo68" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/5EG1iomeHtiMuobyI2Kr" alt=""><figcaption></figcaption></figure>

Now, simply wait a few minutes for AWS to send the CloudTrail events and for MazeShark to detect the alert. You can also click "Re-check" on the honeypot's page.

<figure><img src="/files/0Tb6HoXlePT3poKlhpVV" alt=""><figcaption></figcaption></figure>

### Step 9: Investigate test alert

You should see the test alert in the Alerts section:

<figure><img src="/files/CL4PrUJeMrJq5CREXoTU" alt=""><figcaption></figcaption></figure>

Click on the alert to see the details.

<figure><img src="/files/z6WDzLNNpAp8rO5ROLbl" alt=""><figcaption></figcaption></figure>

Now, it's time to set up automation!


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://mazeshark.gitbook.io/docs/getting-started/create-honeypot.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.