Forum Discussion
CloudMe
Oct 13, 2019Copper Contributor
No Honeytoken Activity on DC login ?
Hi,
I have noticed that i do not receive an alert when logging to a Domain Controller with a Honeytoken account.
Is that the normal behavior? (I do receive them on workstation logon..)
Thank You.
CloudMe , I just confirmed that in case of a local kerberos login, we won't see it as there is no network traffic for it...
- CloudMeCopper Contributor
Its a sensor monitored DC using AATP with audit event enabled according to this document:
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-advanced-audit-policy
- EliOfekMicrosoft
CloudMe , did you enable all the event id's that are mentioned here:
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-windows-event-collection
?