Query Details

Non-Interactive Auth Followed by Privileged Audit Actions

02 NI Auth Privileged Audit Actions

Query

let NonInteractiveUsers =
    AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(2h)
    | where ResultType == 0
    | summarize LastNISignIn = max(TimeGenerated) by UserPrincipalName, IPAddress;
AuditLogs
| where TimeGenerated > ago(2h)
| where Category in (
    "RoleManagement", "ApplicationManagement", "GroupManagement",
    "Policy", "DeviceManagement", "UserManagement"
  )
| extend UPN = tostring(InitiatedBy.user.userPrincipalName)
| where isnotempty(UPN)
| join kind=inner NonInteractiveUsers on $left.UPN == $right.UserPrincipalName
| where (TimeGenerated - LastNISignIn) between (0m .. 60m)
| project
    AuditTime        = TimeGenerated,
    UserPrincipalName = UPN,
    OperationName,
    AuditResult      = Result,
    Category,
    TargetResources,
    LastNISignIn,
    IPAddress,
    TimeSinceNISignIn = (TimeGenerated - LastNISignIn)
| order by AuditTime desc

Explanation

This query is designed to detect potentially suspicious activity in Azure Active Directory (Azure AD). It looks for instances where a user refreshes their authentication token without any user interaction (a non-interactive sign-in) and then performs privileged actions within 60 minutes. These actions could include managing roles, applications, policies, devices, or users. Such a pattern might indicate a session hijack or a compromised account being used for unauthorized administrative activities.

Here's a breakdown of the query's components:

  • Data Sources: The query uses logs from Azure AD, specifically non-interactive user sign-in logs and audit logs.
  • Time Frame: It examines activities within the last 2 hours.
  • Detection Logic:
    • It identifies users who have recently performed a non-interactive sign-in.
    • It then checks if these users have carried out any privileged operations within 60 minutes of that sign-in.
  • Alerting: If such activity is detected, an alert is generated with details about the user, the operation performed, and the time since the last non-interactive sign-in.
  • Severity: The alert is marked as high severity due to the potential risk of unauthorized access.
  • MITRE ATT&CK Techniques: The query is associated with techniques related to valid accounts, account manipulation, and access token manipulation.
  • Incident Management: If an alert is triggered, an incident is created, and similar alerts can be grouped together for easier management.

Overall, this query helps security teams identify and respond to potential security threats involving unauthorized access and privilege escalation in Azure AD.

Details

David Alonso profile picture

David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogsAuditLogs

Keywords

UserAzureADRoleManagementAppPolicyChangesDeviceAccountIPAddressOperationNameCategoryTargetResourcesTimeGeneratedResultPrincipal

Operators

letwhereagosummarizemaxinextendtostringisnotemptyjoinonbetweenprojectorder bydesc

Severity

High

Tactics

PrivilegeEscalationPersistenceDefenseEvasion

MITRE Techniques

Frequency: 1h

Period: 2h

Actions

GitHub