Forum Discussion
CloudMe
Oct 13, 2019
Copper Contributor
No Honeytoken Activity on DC login?
Hi, I have noticed that I do not receive an alert when logging in to a Domain Controller with a Honeytoken account. Is that the normal behavior? (I do receive them on workstation logon.) Thank...
EliOfek
Microsoft
Oct 15, 2019
CloudMe, did you enable all the event IDs that are mentioned here?
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-windows-event-collection
CloudMe
Oct 16, 2019
Copper Contributor
EliOfek, yes, but there is no change.
Can you confirm that on your side Honeytoken activity is being generated when Honeytoken accounts are being used to log in to Domain Controllers?
- EliOfek, Oct 23, 2019
Microsoft
CloudMe, I just confirmed that in the case of a local Kerberos login, we won't see it, as there is no network traffic for it...
- CloudMe, Oct 26, 2019, Copper Contributor
EliOfek, thank you for looking into it.
Is there any plan to monitor these local DC events by the ATP agent?
It's a bit strange that we will receive an alert once a Honeytoken activity occurs on a regular Windows client, but will see nothing if, for example, the Honeytoken account connects by RDP to a Domain Controller.