Query Details

02 NI Auth Privileged Audit Actions

Query

id: b7c3d5e6-f1a2-4b8c-9d0e-1f2a3b4c5d6e
name: Non-Interactive Auth Followed by Privileged Audit Actions
version: 1.0.0
kind: Scheduled
description: |
  Detects when a user silently refreshes a token via non-interactive sign-in and then
  performs privileged Azure AD operations (role management, app management, policy changes,
  device management) within 60 minutes. This pattern is indicative of a session hijack or a
  compromised account performing administrative abuse while flying under the radar.
  MITRE ATT&CK: T1078 (Valid Accounts), T1098 (Account Manipulation)
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
      - AuditLogs
queryFrequency: 1h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - PrivilegeEscalation
  - Persistence
  - DefenseEvasion
relevantTechniques:
  - T1078
  - T1098
  - T1134
query: |
  let NonInteractiveUsers =
      AADNonInteractiveUserSignInLogs
      | where TimeGenerated > ago(2h)
      | where ResultType == 0
      | summarize LastNISignIn = max(TimeGenerated) by UserPrincipalName, IPAddress;
  AuditLogs
  | where TimeGenerated > ago(2h)
  | where Category in (
      "RoleManagement", "ApplicationManagement", "GroupManagement",
      "Policy", "DeviceManagement", "UserManagement"
    )
  | extend UPN = tostring(InitiatedBy.user.userPrincipalName)
  | where isnotempty(UPN)
  | join kind=inner NonInteractiveUsers on $left.UPN == $right.UserPrincipalName
  | where (TimeGenerated - LastNISignIn) between (0m .. 60m)
  | project
      AuditTime        = TimeGenerated,
      UserPrincipalName = UPN,
      OperationName,
      AuditResult      = Result,
      Category,
      TargetResources,
      LastNISignIn,
      IPAddress,
      TimeSinceNISignIn = (TimeGenerated - LastNISignIn)
  | order by AuditTime desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  OperationName: OperationName
  AuditCategory: Category
  MinutesSinceNISignIn: TimeSinceNISignIn
alertDetailsOverride:
  alertDisplayNameFormat: "Privileged Action After Silent Auth - {{UserPrincipalName}} performed {{OperationName}}"
  alertDescriptionFormat: "User {{UserPrincipalName}} performed '{{OperationName}}' (category: {{Category}}) within 60 min of a non-interactive token refresh. Possible session hijack."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect potentially suspicious activity in Azure Active Directory (Azure AD). It looks for instances where a user refreshes their authentication token without any user interaction (a non-interactive sign-in) and then performs privileged actions within 60 minutes. These actions could include managing roles, applications, policies, devices, or users. Such a pattern might indicate a session hijack or a compromised account being used for unauthorized administrative activities.

Here's a breakdown of the query's components:

  • Data Sources: The query uses logs from Azure AD, specifically non-interactive user sign-in logs and audit logs.
  • Time Frame: It examines activities within the last 2 hours.
  • Detection Logic:
    • It identifies users who have recently performed a non-interactive sign-in.
    • It then checks if these users have carried out any privileged operations within 60 minutes of that sign-in.
  • Alerting: If such activity is detected, an alert is generated with details about the user, the operation performed, and the time since the last non-interactive sign-in.
  • Severity: The alert is marked as high severity due to the potential risk of unauthorized access.
  • MITRE ATT&CK Techniques: The query is associated with techniques related to valid accounts, account manipulation, and access token manipulation.
  • Incident Management: If an alert is triggered, an incident is created, and similar alerts can be grouped together for easier management.

Overall, this query helps security teams identify and respond to potential security threats involving unauthorized access and privilege escalation in Azure AD.
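To make the correlation concrete, the following is an added Python replay of the rule's logic over constructed sample records; it is not part of the rule or the author's code. Field names follow the two Azure AD tables as the KQL reads them; the UPNs, IP addresses and timestamps are made up, and the samples deliberately include a failed refresh, an out-of-window action, an action that precedes the refresh, and an app-initiated action to show each exclusion.

```python
from datetime import datetime, timedelta

# Audit categories the rule treats as privileged (same set as the KQL above).
PRIVILEGED_CATEGORIES = {"RoleManagement", "ApplicationManagement", "GroupManagement",
                         "Policy", "DeviceManagement", "UserManagement"}
WINDOW = timedelta(minutes=60)

def correlate(ni_signins, audit_events, window=WINDOW):
    """Replay the rule: latest successful non-interactive sign-in per (UPN, IP),
    then every privileged, user-initiated audit event that lands 0..window after
    it. The join is on UPN only, exactly as in the KQL, so a user whose token was
    refreshed from several IPs produces one hit per IP."""
    last_ni = {}
    for s in ni_signins:
        if s["ResultType"] == 0:  # ResultType 0 == success; failed refreshes are ignored
            key = (s["UserPrincipalName"], s["IPAddress"])
            last_ni[key] = max(last_ni.get(key, s["TimeGenerated"]), s["TimeGenerated"])
    hits = []
    for e in audit_events:
        # InitiatedBy.user is absent for app-initiated operations -> empty UPN -> skipped
        upn = e.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName", "")
        if e["Category"] not in PRIVILEGED_CATEGORIES or not upn:
            continue
        for (ni_upn, ip), last in last_ni.items():
            delta = e["TimeGenerated"] - last
            if ni_upn == upn and timedelta(0) <= delta <= window:  # between (0m .. 60m)
                hits.append({"AuditTime": e["TimeGenerated"], "UserPrincipalName": upn,
                             "OperationName": e["OperationName"], "AuditResult": e["Result"],
                             "Category": e["Category"], "LastNISignIn": last,
                             "IPAddress": ip, "TimeSinceNISignIn": delta})
    return sorted(hits, key=lambda h: h["AuditTime"], reverse=True)  # order by AuditTime desc
# Constructed sample records (not real tenant data); T0 is an arbitrary base time.
T0 = datetime(2024, 1, 1, 10, 0)
ADMIN = {"user": {"userPrincipalName": "admin@contoso.example"}}
SAMPLE_NI = [
    {"TimeGenerated": T0, "ResultType": 0,
     "UserPrincipalName": "admin@contoso.example", "IPAddress": "203.0.113.7"},
    {"TimeGenerated": T0 + timedelta(minutes=5), "ResultType": 50126,  # failed refresh
     "UserPrincipalName": "admin@contoso.example", "IPAddress": "198.51.100.9"},
]
SAMPLE_AUDIT = [
    {"TimeGenerated": T0 + timedelta(minutes=12), "Category": "RoleManagement",
     "OperationName": "Add member to role", "Result": "success", "InitiatedBy": ADMIN},  # hit
    {"TimeGenerated": T0 + timedelta(minutes=90), "Category": "ApplicationManagement",
     "OperationName": "Add service principal", "Result": "success", "InitiatedBy": ADMIN},  # too late
    {"TimeGenerated": T0 - timedelta(minutes=3), "Category": "Policy",
     "OperationName": "Update policy", "Result": "success", "InitiatedBy": ADMIN},  # before refresh
    {"TimeGenerated": T0 + timedelta(minutes=20), "Category": "UserManagement",
     "OperationName": "Update user", "Result": "success",
     "InitiatedBy": {"app": {"displayName": "Sync"}}},  # app-initiated, no user UPN
]
```

Running correlate(SAMPLE_NI, SAMPLE_AUDIT) yields exactly one hit, the role change 12 minutes after the successful refresh from 203.0.113.7; the other three audit events fall out for the reasons noted in the comments.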

Details

David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs, AuditLogs

Keywords

User, AzureAD, RoleManagement, AppManagement, PolicyChanges, DeviceManagement, Account, IPAddress, OperationName, Category, TargetResources, TimeGenerated, Result, UserPrincipalName

Operators

let, where, ago, summarize, max, in, extend, tostring, isnotempty, join, on, between, project, order by, desc