Access From Dormant Non-Human Identity
Detects non-human identities (NHIs) that have successfully signed in via one or more integration instances in the last 1 day(s) despite having no successful sign-in across any integration instance in the last 30 days. Accounts created in the last 30 days are not evaluated against this check. Accounts from newly configured integration instances are also not evaluated against this check for 7 days.
Adversaries often target improperly off-boarded NHIs that still have access to the system.
If a malicious actor gains access to a dormant account, they can access whatever the NHI previously had access to and/or make changes to the account to maintain persistence in the environment.
Because these NHIs are dormant, the account owner may not notice that a password or MFA factor has stopped working, and the adversary can remain in the environment undetected.
Recommended Actions
Please investigate to ensure this sign-in is legitimate. If the account should no longer be in use, delete the account in the identity source as soon as possible.
Consider reviewing the list of failing users on a weekly basis or setting up a notification target to receive alerts on new failures.
Default Settings:
Number of days (dormancy window, also used to exclude newly created accounts): 30
Evaluation period (days before a newly configured integration instance is evaluated): 7
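As an added illustration of the logic described above and of how the default settings apply (example code written here, not the product's own implementation), the function below evaluates a constructed set of sign-in events. Identity names, instance names, timestamps and the choice to apply the 7-day grace to the instance that produced the recent sign-in are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the page). Times are relative to NOW.
NOW = datetime(2024, 6, 30, 12, 0)

# NHI -> creation time. Assumed names for the example.
ACCOUNTS = {
    "svc-backup": datetime(2023, 1, 10),   # old, dormant, then signs in -> should flag
    "svc-deploy": datetime(2023, 1, 10),   # old, used regularly -> no flag
    "svc-new": datetime(2024, 6, 20),      # created within 30 days -> not evaluated
    "svc-reports": datetime(2023, 1, 10),  # recent sign-in only via a new instance -> not evaluated
}
# Integration instance -> time it was configured.
INSTANCES = {"okta-prod": datetime(2023, 1, 1), "github-new": datetime(2024, 6, 27)}

# (identity, instance, success, timestamp); failed attempts never count as activity.
SIGNINS = [
    ("svc-backup", "okta-prod", True, NOW - timedelta(days=45)),
    ("svc-backup", "okta-prod", False, NOW - timedelta(days=20)),
    ("svc-backup", "okta-prod", True, NOW - timedelta(hours=3)),
    ("svc-deploy", "okta-prod", True, NOW - timedelta(days=10)),
    ("svc-deploy", "okta-prod", True, NOW - timedelta(hours=5)),
    ("svc-new", "okta-prod", True, NOW - timedelta(hours=1)),
    ("svc-reports", "github-new", True, NOW - timedelta(hours=2)),
]


def dormant_signins(signins, accounts, instances, now,
                    recent_days=1, dormant_days=30, instance_grace_days=7):
    """Return NHIs with a successful sign-in in the last `recent_days` but no
    successful sign-in on any instance in the `dormant_days` before that window."""
    recent_cutoff = now - timedelta(days=recent_days)
    dormant_cutoff = now - timedelta(days=dormant_days)
    instance_cutoff = now - timedelta(days=instance_grace_days)
    flagged = []
    for nhi, created in accounts.items():
        if created > dormant_cutoff:
            continue  # new accounts are not evaluated
        ok = [(inst, ts) for who, inst, success, ts in signins if who == nhi and success]
        # A recent sign-in only counts if its instance is past the grace period:
        # a brand-new instance has no history, so everyone would look dormant.
        recent = [ts for inst, ts in ok
                  if ts >= recent_cutoff and instances[inst] <= instance_cutoff]
        prior = [ts for _, ts in ok if dormant_cutoff <= ts < recent_cutoff]
        if recent and not prior:
            flagged.append(nhi)
    return sorted(flagged)
```

Lowering `dormant_days` or `instance_grace_days` shows how the defaults trade detection coverage against noise from new accounts and instances.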
Compatibility
AWS, Microsoft Entra ID, Duo, GitHub, Google Workspace, Okta, Salesforce