# Access From Dormant Non-Human Identity Detects non-human identities (NHIs) who have successfully signed in via one or more integration instances in the last 1 day(s) despite not having a successful sign in across all integration instances in the last 30 days. New accounts that were created in the last 30 days will not be evaluated against this check. Accounts from newly configured integration instances will also not be evaluated against this check for 7 days. Adversaries often target improperly off-boarded NHI that still have access to the system. If a malicious actor gains access to a dormant account, they can access whatever the NHI previously had access to and/or make changes to the account to maintain persistence in the environment. Since these NHIs are dormant, the account owner may not notice that a password or MFA factor is no longer working properly, and the adversary can stay in the system undetected. #### Recommended Actions Please investigate to ensure this sign in is legitimate. If the account should no longer be in use, delete the account in the identity source as soon as possible. Consider reviewing the list of failing users on a weekly basis or setting up a notification target to receive alerts on new failures. #### Default Settings: Number of days: 30 Evaluation period: 7 #### Compatibility AWS, Microsoft Entra ID, Duo, GitHub, Google Workspace, Okta, Salesforce --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.oort.io/understanding-check-failures/oort-insights/identity-threat-detection-insights/access-from-dormant-non-human-identity.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.