We just tried the honeytoken device feature of MDI by setting up a new domain-joined server with a fake file share opened up to everyone.

But we’re now getting ‘Honeytoken authentication activity on one endpoint’ incidents because there is kerberos activity to the domain controllers. But this activity makes sense since it’s domain-joined…

Shouldn’t you be joining these honeytoken devices to the domain or what are the best practises?

It seems there isn’t much documentation around setting up honeytoken devices. Most article describe setting up accounts.

​We just tried the honeytoken device feature of MDI by setting up a new domain-joined server with a fake file share opened up to everyone. But we’re now getting ‘Honeytoken authentication activity on one endpoint’ incidents because there is kerberos activity to the domain controllers. But this activity makes sense since it’s domain-joined… Shouldn’t you be joining these honeytoken devices to the domain or what are the best practises?It seems there isn’t much documentation around setting up honeytoken devices. Most article describe setting up accounts.   Read More

​