IR-015 · identity · v1.0.0

Non-Human Identity (NHI) Compromise — Service Accounts, API Keys, and CI/CD Tokens

Severity: high / critical
Est. Time: 55m
Steps: 10 steps
Tools: 7 required
Integrations: 5 platforms
Avg Resolution: 85m

🔧 Tools Required

siem
secrets manager
identity provider
cloud console
cicd platform
git secret scanner
threat intelligence platform

⚡ Triggers

service_account_off_hours_activity
api_key_geographic_anomaly
cicd_token_unauthorized_use
service_account_permission_escalation
secrets_manager_unusual_access
siem_nhi_behavior_anomaly
git_secret_exposure_alert
github_actions_token_abuse

🔌 Integrations

hashicorp vault (opt): Dynamic secrets, lease revocation, and audit log for NHI credential management

aws iam (opt): Service account audit, access key management, and IAM roles for workloads

github advanced security (opt): Secret scanning and push protection for detecting leaked NHI credentials in repos

splunk (opt): NHI behavior analytics — baseline service account activity and detect anomalies

cyberark conjur (opt): Secrets management and rotation for CI/CD and application credentials


Identify which non-human identity is compromised: service account, API key, OAuth token, CI/CD pipeline token (GitHub Actions GITHUB_TOKEN, GitLab CI_JOB_TOKEN), or machine certificate. Confirm the anomaly against the identity's known baseline: off-hours API activity from a service account that normally operates 9-5, a geographically impossible source IP for an API key tied to a specific cloud region, resource access outside the identity's usual scope, or a Git secret scanner alert on a public or private repository. Determine whether the NHI is still active, i.e. whether events attributed to it are still arriving.

⚡ Automation Hint

AWS: aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=<key>
Azure: az monitor activity-log list --query "[?contains(caller,'ServicePrincipal')]" --start-time <date>
GCP: gcloud logging read 'protoPayload.authenticationInfo.serviceAccountKeyId="<key_id>"' --limit 100
GitHub Actions: GET https://api.github.com/repos/<owner>/<repo>/actions/runs?status=completed&per_page=30
GitGuardian: GET https://api.gitguardian.com/v1/incidents?status=triggered&severity=high

📤 Outputs

compromised_nhi_id
nhi_type
anomaly_confirmed
activity_still_ongoing
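Added example, not part of the playbook: a Python triage helper that applies this step's two baseline checks (off-hours activity and activity from outside the key's home region) to CloudTrail-style events and fills in the step's outputs. The events, BUSINESS_HOURS, home_region and the 30-minute "still ongoing" window are constructed assumptions, not values from the playbook.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail-style events for one access key (not real data).
# The key normally works 9-5 UTC out of us-east-1; the last two events are the anomaly.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-12T10:15:00Z", "accessKeyId": "AKIAEXAMPLEKEY000001",
     "eventName": "GetObject", "awsRegion": "us-east-1"},
    {"eventTime": "2024-03-12T14:40:00Z", "accessKeyId": "AKIAEXAMPLEKEY000001",
     "eventName": "PutObject", "awsRegion": "us-east-1"},
    {"eventTime": "2024-03-13T02:05:00Z", "accessKeyId": "AKIAEXAMPLEKEY000001",
     "eventName": "ListBuckets", "awsRegion": "ap-southeast-2"},
    {"eventTime": "2024-03-13T02:07:00Z", "accessKeyId": "AKIAEXAMPLEKEY000001",
     "eventName": "GetSecretValue", "awsRegion": "ap-southeast-2"},
]

# Assumed baseline: the service account operates 09:00-16:59 UTC.
BUSINESS_HOURS = range(9, 17)


def parse_time(value):
    """CloudTrail eventTime is ISO 8601 with a trailing Z; make it a tz-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_access_key(events, key_id, home_region, now, ongoing_window=timedelta(minutes=30)):
    """Return this step's outputs for one API key, plus the evidence counts behind them."""
    key_events = [e for e in events if e["accessKeyId"] == key_id]
    off_hours = [e for e in key_events if parse_time(e["eventTime"]).hour not in BUSINESS_HOURS]
    foreign_region = [e for e in key_events if e["awsRegion"] != home_region]
    last_seen = max((parse_time(e["eventTime"]) for e in key_events), default=None)
    return {
        "compromised_nhi_id": key_id,
        "nhi_type": "api_key",
        "anomaly_confirmed": bool(off_hours or foreign_region),
        # "still active" = the key produced an event within the ongoing window of now
        "activity_still_ongoing": last_seen is not None and now - last_seen <= ongoing_window,
        "off_hours_events": len(off_hours),
        "foreign_region_events": len(foreign_region),
        "last_seen": last_seen,
    }


if __name__ == "__main__":
    now = datetime(2024, 3, 13, 2, 20, tzinfo=timezone.utc)
    print(triage_access_key(SAMPLE_EVENTS, "AKIAEXAMPLEKEY000001", "us-east-1", now))
```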