Overview
This lab deploys detection and hunting capabilities for non-human identity (NHI) abuse in Microsoft Entra ID. Non-human identities (service principals, managed identities, and app registrations) outnumber human users 100:1 in most enterprise environments and are the fastest-growing attack surface in cloud security.
The lab maps detections to the OWASP Non-Human Identity Top 10 framework.
Prerequisites
- Azure subscription with Microsoft Sentinel enabled on a Log Analytics workspace
- Entra ID diagnostic settings sending AuditLogs, ServicePrincipalSignInLogs, and ManagedIdentitySignInLogs to the workspace
- PowerShell 7.0+ with Azure CLI installed and authenticated
- Roles required: Microsoft Sentinel Contributor, Security Reader (for test NHI creation: Application Administrator)
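Before expecting any of the lab rules to fire, confirm that all three log categories are actually landing in the workspace. The following KQL check is an added example and not part of the lab's scripts; it assumes the default table names produced by the Entra ID diagnostic settings. A table that returns no row in the last 24 hours is not being routed to this workspace.

```kql
// Added check (not part of the lab): confirm the three Entra ID tables are ingesting.
// Type holds the table name; a missing table means the diagnostic setting
// (or the Sentinel data connector) is not sending that category here.
union isfuzzy=true AuditLogs, ServicePrincipalSignInLogs, ManagedIdentitySignInLogs
| where TimeGenerated > ago(24h)
| summarize Rows = count(), Latest = max(TimeGenerated) by Type
| order by Type asc
```

Run this from the Logs blade of the workspace (or from the Sentinel Logs view). Sign-in tables can lag audit logs by several minutes, so a freshly enabled setting may show AuditLogs first.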
Quick Start
# Deploy analytics rules and workbook
# (PowerShell uses the backtick, not a backslash, for line continuation)
./labs/nhi-hunting/scripts/Deploy-Lab.ps1 `
    -ResourceGroup "rg-sentinel-lab" `
    -WorkspaceName "law-sentinel-lab"
# Deploy with test NHIs for lab telemetry
./labs/nhi-hunting/scripts/Deploy-Lab.ps1 `
    -ResourceGroup "rg-sentinel-lab" `
    -WorkspaceName "law-sentinel-lab" `
    -CreateTestNHIs
# Generate test detections
./labs/nhi-hunting/scripts/Test-NHIDetections.ps1 `
    -TenantId "your-tenant-id"
What Gets Deployed
| Resource | Type | OWASP NHI |
|---|---|---|
| LAB - Credential Added to Existing Application | Analytics Rule | NHI2, NHI7 |
| LAB - Service Principal Sign-in from Anomalous IP | Analytics Rule | NHI1, NHI2 |
| LAB - NHI Granted High-Privilege Directory Role | Analytics Rule | NHI5 |
| LAB - Dormant Service Principal Reactivation | Analytics Rule | NHI1 |
| NHI Posture Dashboard | Workbook | All |
| 7 hunting queries | KQL (manual) | NHI1-NHI10 |
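To show the shape of logic behind the "Credential Added to Existing Application" rule (NHI2 secret leakage, NHI7 long-lived secrets), here is an added KQL example. It is not the lab's own analytics rule; it follows the Entra ID AuditLogs schema (OperationName, Result, InitiatedBy, TargetResources) and treats the 1-hour detection window and 90-day staleness lookback as assumptions you can tune. It flags a successful credential add on an application or service principal object that has had no other audit activity in the lookback period, which is the stale-app case the test scenario exercises.

```kql
// Added example (not the lab's rule): credential added to an application or
// service principal that had no audit activity in the prior lookback period.
// Window and lookback values are assumptions for a lab tenant.
let lookback = 90d;
let window = 1h;
let recentAdds =
    AuditLogs
    | where TimeGenerated > ago(window)
    | where Category == "ApplicationManagement"
    | where Result =~ "success"
    // Entra writes two operation names for credential changes; match on the
    // stable words rather than the exact dash character in the first name.
    | where OperationName =~ "Add service principal credentials"
        or (OperationName startswith "Update application"
            and OperationName has "Certificates and secrets management")
    | mv-expand Target = TargetResources
    | extend TargetId = tostring(Target.id),
             TargetName = tostring(Target.displayName),
             TargetType = tostring(Target.type)
    | where TargetType in ("Application", "ServicePrincipal")
    // Actor is a user or, for automation, another app; empty strings are not
    // null, so pick explicitly instead of relying on coalesce().
    | extend ActorUser = tostring(InitiatedBy.user.userPrincipalName),
             ActorApp = tostring(InitiatedBy.app.displayName)
    | extend Actor = iff(isnotempty(ActorUser), ActorUser, ActorApp),
             ActorIp = tostring(InitiatedBy.user.ipAddress)
    | project TimeGenerated, OperationName, TargetId, TargetName, TargetType,
              Actor, ActorIp, CorrelationId;
// Any audit event touching the same object earlier in the lookback period.
let priorActivity =
    AuditLogs
    | where TimeGenerated between (ago(lookback) .. ago(window))
    | mv-expand Target = TargetResources
    | extend TargetId = tostring(Target.id)
    | where isnotempty(TargetId)
    | distinct TargetId;
recentAdds
| join kind=leftanti priorActivity on TargetId
| project-reorder TimeGenerated, TargetName, TargetType, OperationName, Actor, ActorIp
```

Scheduled at the same cadence as the window (here hourly) this produces one row per newly credentialed stale object. Dropping the leftanti join turns it into the broader "any credential added" alert, which is noisier but catches additions to actively used apps as well.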
Test Scenarios (with -CreateTestNHIs)
| Scenario | What Happens | Rule Triggered |
|---|---|---|
| Add credential to stale app | New secret added to lab-nhi-stale-abandoned-app | Credential Added |
| SP sign-in from your IP | Overprivileged SP authenticates from new IP | Anomalous IP |
| Assign directory role to SP | Security Reader assigned to lab-nhi-excessive-perms-app | High-Privilege Role |
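The "SP sign-in from your IP" scenario is what the anomalous-IP rule (NHI1 improper offboarding, NHI2 secret leakage) is meant to catch. The KQL below is an added example, not the lab's rule, and uses the ServicePrincipalSignInLogs schema (ServicePrincipalId, ServicePrincipalName, AppId, IPAddress, ResultType, ResourceDisplayName). It builds a per-principal baseline of source IPs over an assumed 30-day period and reports successful sign-ins in the last hour from an address outside that baseline; after running the test scenario, the overprivileged lab SP should appear here with your IP.

```kql
// Added example (not the lab's rule): service principal sign-in from an IP
// the principal has not used in the baseline period. Periods are assumptions.
let baseline = 30d;
let window = 1h;
// Known (principal, IP) pairs from successful sign-ins before the window.
let knownPairs =
    ServicePrincipalSignInLogs
    | where TimeGenerated between (ago(baseline) .. ago(window))
    | where tostring(ResultType) == "0"
    | where isnotempty(IPAddress)
    | distinct ServicePrincipalId, IPAddress;
ServicePrincipalSignInLogs
| where TimeGenerated > ago(window)
| where tostring(ResultType) == "0"
| where isnotempty(IPAddress)
// leftanti keeps only pairs that never appeared in the baseline.
| join kind=leftanti knownPairs on ServicePrincipalId, IPAddress
| summarize FirstSeen = min(TimeGenerated),
            SignIns = count(),
            Resources = make_set(ResourceDisplayName, 10)
    by ServicePrincipalId, ServicePrincipalName, AppId, IPAddress
| order by FirstSeen desc
```

A principal with no baseline at all (newly created, or dormant for longer than 30 days) will match on its first sign-in from any address, which is also the behaviour the "Dormant Service Principal Reactivation" rule relies on; if that overlap is unwanted, add a minimum baseline sign-in count per principal before treating a new IP as anomalous.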
Cost Estimate
- Sentinel analytics rules: Included in existing Sentinel pricing (query cost)
- Diagnostic logs: Entra ID sign-in and audit logs incur Log Analytics ingestion costs (~$2.76/GB)
- Test NHIs: No cost (Entra ID app registrations are free)
Estimated additional cost: < $5/month for lab workloads.
Cleanup
# Remove test NHIs (PowerShell: backtick continues the line; $_ is each appId from the tsv output)
az ad app list --filter "startswith(displayName,'lab-nhi-')" `
    --query '[].appId' -o tsv |
    ForEach-Object { az ad app delete --id $_ }
# Analytics rules and workbook: delete from Sentinel portal
Links
- Blog post: Hunting Rogue Non-Human Identities in Azure
- GitHub: j-dahl7/nhi-hunting-sentinel
- OWASP NHI Top 10: owasp.org/www-project-non-human-identities-top-10
