# Boosting Identity Security with Cortex XDR/XSIAM Honey Users

By [Stav Setty](https://www.paloaltonetworks.com/blog/author/stav-setty/?ts=markdown "Posts by Stav Setty") and [Shachar Roitman](https://www.paloaltonetworks.com/blog/author/shachar-roitman/?ts=markdown "Posts by Shachar Roitman"), Oct 06, 2024
In today's digital landscape, identity-based attacks are becoming increasingly prevalent and sophisticated. To counter these threats, it's crucial to employ proactive defensive strategies that not only detect but also deceive attackers. Cortex XDR/XSIAM's Identity Threat Detection and Response (ITDR) module now offers an enhanced way to safeguard your organization through the use of **honey users**.

## What is a Honey User?

A **honey user** is a decoy account deliberately placed in your environment to appear as a legitimate user. Its purpose? To lure attackers who are probing for access and then identify their activities. Unlike traditional user accounts, honey users have no legitimate function within the organization, making any activity involving these accounts suspicious by default. By interacting with these accounts, attackers reveal themselves to security teams before they can cause any damage.

## Why Should You Use Honey Users?

Honey users offer a proactive layer of defense against credential-based attacks, such as leaked credentials, password spraying, and brute-force attempts. Beyond detection, they also help uncover gaps in your security posture by exposing attack vectors you may not have anticipated. Here's how honey users enhance your security in key attack scenarios:

* **Leaked Credentials**: Attackers often exploit credentials obtained from data breaches or phishing campaigns. By deploying honey users, you can quickly detect attackers who have obtained leaked or stolen credentials but are unable to distinguish between real and decoy accounts.
* **Password Spraying**: In password-spraying attacks, attackers try common passwords across multiple accounts. Strategically placed honey users attract these attempts, and a login attempt on these decoy accounts can quickly identify a password spray attack, allowing you to respond before it affects genuine user accounts.
* **Brute-Force Attempts**: Brute-force attacks involve systematically trying numerous passwords on a single account. Since honey users are intentionally non-functional, any brute-force activity is readily noticeable, providing early detection of potential breaches.

## Best Practices for Implementing Honey Users

To maximize the effectiveness of honey users, follow these best practices:

**Strategic Placement**

* **Diversify Locations**: Place honey users in various high-value areas such as:
  * **Critical Internal Systems**: Deploy honey users in systems like Active Directory to detect internal probing.
  * **Cloud and SaaS services**: Position honey users in cloud environments to monitor access to sensitive data.
  * **VPN Access Points**: Detect external intrusion attempts through VPNs.
* **Target Known Attack Vectors**: Deploy honey users where attackers are likely to probe, such as accounts with administrator privileges or access to financial data.

**Blend with Real Accounts**

* **Realistic Naming Conventions**: Follow the same naming conventions, job titles, and departmental affiliations as your regular accounts to make them indistinguishable from legitimate users.
* **Attractive Privileges**: Assign permissions that make honey users appealing targets while ensuring they lack access to critical systems.
* **Regular Updates**: Periodically update honey user accounts (e.g., job title changes, password resets) to ensure they appear active and legitimate.

By incorporating these realistic details, you make honey users indistinguishable from actual accounts, enhancing their effectiveness as a deception tool.

*Tip*: Consider repurposing unused accounts from former employees. These often have historical login data and group memberships, making them more convincing. Rename them with attractive titles like "Backup Admin" or "oracle" while keeping realistic naming conventions. However, ensure you update or replace the old credentials associated with these accounts and remove access permissions to prevent potential misuse. Handle this process with care to maintain robust security and avoid accidentally exposing sensitive information.

**Monitor Honey User Activity Closely**

Because honey users have no legitimate purpose, any activity related to them should trigger an immediate investigation. This allows your security team to respond promptly to potential threats and identify weaknesses in your defenses.

## How to Configure a Honey User Account in Cortex XDR/XSIAM

Setting up a honey user in Cortex XDR/XSIAM is a straightforward process that can significantly enhance your detection capabilities. To configure a honey user:

1. In Cortex XDR/XSIAM, navigate to **Assets** > **Asset Roles Configuration**.

   ![Image 1: Asset Roles Configuration in the Cortex XDR UI](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/09/word-image-328414-1.png)

   *Image 1: Asset Roles Configuration in the Cortex XDR/XSIAM UI*

2. Right-click and select the **Honey User** asset role, then click **Edit Asset Role**.

3. Choose **Add User** > **Add New** and input the honey user account details in the **NetBIOS\SAM Account** format.

   ![Image 2: Adding a New User to the Asset Role](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/09/word-image-328414-2.png)

   *Image 2: Adding a New User to the Asset Role*

***Note***: *The Honey User asset role is available for customers with the **Identity Threat Module** add-on.*

![Image 3: Honey Users Asset Role in Cortex XDR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/09/word-image-328414-3.png)

*Image 3: Honey Users Asset Role in Cortex XDR*

## How Cortex XDR/XSIAM Detects Honey User Activity

Cortex's Identity Analytics continuously monitors for unusual behaviors involving honey users. Some common alerts include:

![Table of common honey user alerts](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/image-88.png)

Cortex XDR/XSIAM also flags credential-based attacks like password spraying or brute-force attempts targeting honey users, helping to identify threats early in the attack lifecycle.

## XQL Usage

You can use the [getrole](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Getrole) function in XQL to filter for specific asset roles, such as honey users, within your queries. This allows you to quickly query and identify activity involving honey users.

![XQL query using getrole to filter for honey user activity](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/Screenshot-2024-10-07-091053.png)

## Conclusion

Incorporating honey users into your security strategy adds a layer of deception that exposes attackers early in their campaigns, while also revealing opportunities to harden your defenses. This helps you better understand attacker tactics and improve your overall security posture before attackers can infiltrate deeper into your environment. With Cortex XDR/XSIAM's advanced identity analytics and straightforward configuration, deploying honey users is both effective and seamless, enhancing your defenses against identity-based threats.
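The detection logic described in the "How Cortex XDR/XSIAM Detects Honey User Activity" section (any touch of a decoy account is suspicious by default; password spraying and brute force against honey users are flagged) can be made concrete with a small detector. The following is an added example, not Cortex XDR/XSIAM code or an XQL query: it runs three detections over constructed authentication log lines. The `ts/src/user/result` log format, the `CORP` domain, the account names, the source addresses and the thresholds are all assumptions chosen for illustration.

```python
"""Decoy-account detections over constructed authentication logs (added
example, not Cortex XDR/XSIAM code; format, names and thresholds assumed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Decoy accounts in the NetBIOS\SAM format the Honey User asset role expects
# (constructed names; SAM account names compare case-insensitively).
HONEY_USERS = {r"CORP\backup_admin", r"CORP\oracle"}

# Constructed sample events: a normal user, an external source spraying one
# password across several accounts (one a decoy), and an internal source
# hammering a single decoy account.
SAMPLE_LOG = "\n".join(
    [r"2024-10-06T09:00:01Z src=10.1.2.3 user=CORP\jsmith result=success",
     r"2024-10-06T09:05:00Z src=10.1.2.3 user=CORP\rlee result=success"]
    + [rf"2024-10-06T09:00:{5 + i:02d}Z src=198.51.100.7 user=CORP\{u} result=failure"
       for i, u in enumerate(["jsmith", "akim", "backup_admin", "rlee"])]
    + [rf"2024-10-06T09:01:{i:02d}Z src=10.1.2.9 user=CORP\oracle result=failure"
       for i in range(6)]
)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")


def parse_events(text):
    """Parse log lines into dicts (ts as datetime, user lower-cased),
    skip malformed lines, and return them in time order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["user"] = ev["user"].lower()
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _window(events, end, span):
    """Events whose timestamp lies in [end - span, end]."""
    return [e for e in events if end - span <= e["ts"] <= end]


def honey_user_activity(events, honey_users=HONEY_USERS):
    """Every event touching a decoy is an alert: the account has no legitimate
    use, so a failed attempt is as interesting as a success."""
    honey = {h.lower() for h in honey_users}
    return [{"type": "honey_user_activity", "user": e["user"], "src": e["src"],
             "result": e["result"], "ts": e["ts"].isoformat()}
            for e in events if e["user"] in honey]


def password_spray(events, honey_users=HONEY_USERS,
                   span=timedelta(minutes=5), min_accounts=3):
    """One source failing against >= min_accounts distinct accounts within
    `span`, at least one a decoy; the decoy hit separates a spray from a
    burst of ordinary mistyped passwords."""
    honey = {h.lower() for h in honey_users}
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        # largest set of distinct accounts in any window ending at an event
        best = max(({r["user"] for r in _window(evs, e["ts"], span)}
                    for e in evs), key=len)
        if len(best) >= min_accounts and best & honey:
            alerts.append({"type": "password_spray", "src": src,
                           "accounts": sorted(best),
                           "decoys_hit": sorted(best & honey)})
    return alerts


def brute_force(events, honey_users=HONEY_USERS,
                span=timedelta(minutes=5), min_attempts=5):
    """>= min_attempts failures on one decoy account from one source."""
    honey = {h.lower() for h in honey_users}
    by_key = defaultdict(list)
    for e in events:
        if e["result"] == "failure" and e["user"] in honey:
            by_key[(e["src"], e["user"])].append(e)
    alerts = []
    for (src, user), evs in by_key.items():
        peak = max(len(_window(evs, e["ts"], span)) for e in evs)
        if peak >= min_attempts:
            alerts.append({"type": "brute_force", "src": src,
                           "user": user, "attempts": peak})
    return alerts


def run_detections(text=SAMPLE_LOG):
    """Run the three detections over a log text; returns alerts keyed by type."""
    events = parse_events(text)
    return {"honey_user_activity": honey_user_activity(events),
            "password_spray": password_spray(events),
            "brute_force": brute_force(events)}
```

Calling `run_detections()` on the constructed log yields seven `honey_user_activity` alerts (every touch of `CORP\backup_admin` and `CORP\oracle`, including failures), one `password_spray` alert for `198.51.100.7` whose evidence lists the decoy it hit, and one `brute_force` alert for `10.1.2.9` against `CORP\oracle`. The ordinary user on `10.1.2.3` produces nothing. The same shape of check is what the `getrole` filter in XQL gives you against real telemetry: the decoy list turns "many failures" into a signal that needs no baseline.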
**Ready to elevate your identity security?** Read this [solution brief](https://www.paloaltonetworks.com/resources/techbriefs/identity-threat-detection-and-response-module) to learn more about Cortex ITDR.