If an attacker requests a service ticket for a Honeytoken account (not attempting a logon, just asking for a service ticket) should that generate a suspicious activity?
The honeytoken account never logs into a computer in this scenario. The action that should be triggering the SA (in my opinion) is the service ticket request itself.