Active Directory decoy accounts
Decoy accounts, also known as honeypot accounts, appeal to threat actors by appearing to be legitimate user accounts. Any activity triggered on a decoy account is considered a true positive for breach detection.
Configuring this account helps Arctic Wolf alert on suspicious activity against your Active Directory (AD) environment and decreases the detection time of an active attack on AD accounts within a network. The recommended AD decoy account configuration includes specific permissions to protect the account from being compromised.
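The "any activity is a true positive" rule can be illustrated with a short added example. It is not Arctic Wolf's detection logic: the decoy name `svc-backup-adm` and the sample events are constructed, and only the Windows Security event IDs and field names are real. It flags every watched event that names the decoy, with no threshold, and normalizes the `DOMAIN\user`, `user@realm` and mixed-case forms in which the name can appear.

```python
# Added example: constructed data and a hypothetical decoy name.
DECOY = "svc-backup-adm"  # hypothetical decoy sAMAccountName

# Windows Security event IDs that reference an account.
WATCHED = {
    4624: "successful logon",
    4625: "failed logon",
    4768: "Kerberos TGT requested",
    4769: "Kerberos service ticket requested",
    4771: "Kerberos pre-authentication failed",
    4776: "NTLM credential validation",
    4724: "password reset attempted",
    4738: "user account changed",
}

def normalize(name):
    """Reduce DOMAIN\\user, user@realm and mixed case to a bare lowercase name."""
    name = (name or "").strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]

def decoy_alerts(events, decoy=DECOY):
    """Return one alert per watched event that names the decoy; no thresholds."""
    decoy = normalize(decoy)
    alerts = []
    for ev in events:
        if ev.get("EventID") not in WATCHED:
            continue
        for field in ("TargetUserName", "SubjectUserName"):
            if normalize(ev.get(field)) == decoy:
                alerts.append((ev["EventID"], WATCHED[ev["EventID"]], field,
                               ev.get("IpAddress", "-")))
                break
    return alerts

# Constructed sample events (not real logs); IPs are documentation ranges.
SAMPLE = [
    {"EventID": 4625, "TargetUserName": "SVC-Backup-Adm", "IpAddress": "192.0.2.15"},
    {"EventID": 4768, "TargetUserName": "svc-backup-adm@CORP.EXAMPLE", "IpAddress": "192.0.2.15"},
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "198.51.100.7"},
    {"EventID": 4738, "TargetUserName": "bob", "SubjectUserName": "CORP\\svc-backup-adm"},
    {"EventID": 4688, "TargetUserName": "svc-backup-adm"},
]

if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE):
        print(alert)
```

The last sample event is skipped because 4688 (process creation) is not in the watched set; add event IDs to `WATCHED` to match what your environment forwards.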