Query Details

03 NI Auth Threat Intelligence Feed

Query

id: c8d4e6f7-a2b3-5c9d-0e1f-2a3b4c5d6e7f
name: Non-Interactive Sign-In from Threat Intelligence IP
version: 1.0.0
kind: Scheduled
description: |
  Detects non-interactive (silent) Azure AD sign-ins originating from IP addresses
  present in the ThreatIntelIndicators table (unified TI - replaces deprecated
  ThreatIntelligenceIndicator). Silent sign-ins from known-malicious IPs indicate
  that an attacker has an active refresh token and is using it from
  attacker-controlled infrastructure.
  MITRE ATT&CK: T1528 (Steal Application Access Token), T1078 (Valid Accounts)
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
  - connectorId: ThreatIntelligence
    dataTypes:
      - ThreatIntelIndicators
queryFrequency: 15m
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - CommandAndControl
  - InitialAccess
relevantTechniques:
  - T1528
  - T1078
  - T1539
query: |
  let MaliciousIPs =
      ThreatIntelIndicators
      // A scheduled rule can only read data inside its queryPeriod, so the
      // indicator lookback must be covered by it (Sentinel caps it at 14d).
      | where TimeGenerated > ago(14d)
      // Indicators are upserted; keep only the latest row per STIX id so a
      // later deactivation or expiry is honoured.
      | summarize arg_max(TimeGenerated, *) by Id
      | where IsActive == true
      // ValidUntil is a datetime column, so test for null rather than empty string.
      | where isnull(ValidUntil) or ValidUntil > now()
      | where Pattern has "ipv4-addr:value"
      | extend NetworkIP = extract(@"ipv4-addr:value = '([^']+)'", 1, Pattern)
      | where isnotempty(NetworkIP)
      | summarize ThreatTags = make_set(Tags) by NetworkIP;
  AADNonInteractiveUserSignInLogs
  | where TimeGenerated > ago(1h)
  // ResultType is a string column; "0" is a successful sign-in.
  | where ResultType == "0"
  // Exact match only: host indicators match, CIDR and IPv6 indicators do not.
  | join kind=inner MaliciousIPs on $left.IPAddress == $right.NetworkIP
  | project
      TimeGenerated,
      UserPrincipalName,
      AppDisplayName,
      IPAddress,
      Location,
      ThreatTags,
      ConditionalAccessStatus,
      AuthenticationRequirement,
      CorrelationId,
      UniqueTokenIdentifier
  | order by TimeGenerated desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  ThreatTags: ThreatTags
  AppDisplayName: AppDisplayName
alertDetailsOverride:
  alertDisplayNameFormat: "TI Match - Non-Interactive Sign-In from Malicious IP for {{UserPrincipalName}}"
  alertDescriptionFormat: "User {{UserPrincipalName}} performed a silent token refresh from IP {{IPAddress}} which is flagged in Threat Intelligence as: {{ThreatTags}}."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: Selected
    groupByEntities:
      - Account
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query detects non-interactive (silent) sign-ins to Azure Active Directory (Azure AD, now Microsoft Entra ID) that originate from IP addresses flagged as malicious in the threat intelligence table. Here is a breakdown of what the query does:

  1. Purpose: It identifies successful silent sign-ins from IPs known to be malicious. A non-interactive sign-in is a token refresh or token exchange performed by a client on the user's behalf without prompting the user, so a successful one from attacker infrastructure suggests that an attacker holds a valid refresh token and is replaying it from their own hosts.

  2. Data Sources:
    • Azure Active Directory Logs: specifically AADNonInteractiveUserSignInLogs, the non-interactive user sign-in events.
    • Threat Intelligence Indicators: ThreatIntelIndicators, the unified table that holds STIX-formatted indicators (the older ThreatIntelligenceIndicator table is deprecated).

  3. Detection Logic:
    • The query first builds a list of active malicious IPv4 addresses from ThreatIntelIndicators: indicators seen within the rule's lookback window (its queryPeriod, which Sentinel caps at 14 days) that are marked IsActive and have not passed their ValidUntil time. The address is extracted from the STIX Pattern field (for example [ipv4-addr:value = '203.0.113.10']) and the indicator Tags are collected per address with make_set.
    • It then looks for successful non-interactive sign-ins (ResultType "0") in the past hour and joins them to that list on an exact match of IPAddress.
    • Matching rows are projected with the sign-in time, user, application, IP address, location, threat tags, Conditional Access status, authentication requirement, CorrelationId and UniqueTokenIdentifier; the last two let an analyst correlate the event with other sign-in records for the same request and token.
    • Caveat: because the join is an exact string match, it only fires on host indicators. Indicators expressed as CIDR ranges (ipv4-addr:value = '198.51.100.0/24') and IPv6 indicators (ipv6-addr:value) never match and need range-aware logic. Expect some false positives from shared egress addresses (VPN, proxy and CDN ranges) that appear in commodity feeds; confirm the user's normal locations and the token's originating sign-in before revoking sessions.

  4. Alerting:
    • If any matches are found, an alert is generated with details about the user and the malicious IP.
    • The alert display name and description are overridden with a custom message stating that the user performed a silent token refresh from a flagged IP, including the matching threat tags.

  5. Severity and Tactics:
    • The severity of this detection is "High".
    • It is mapped to the Credential Access, Command and Control and Initial Access tactics, with techniques T1528 (Steal Application Access Token), T1078 (Valid Accounts) and T1539 (Steal Web Session Cookie) referenced from the MITRE ATT&CK framework.

  6. Incident Management:
    • An incident is created for each detection. Alerts from this rule are grouped into one incident when they share the Account and IP entities within a five-hour lookback; closed incidents are not reopened.

In summary, this query helps security teams quickly identify and respond to replay of stolen tokens from known malicious IPs, strengthening the organization's posture against credential theft and misuse.
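As an added, self-contained check that is not part of the published rule: the harness below replays the rule's indicator filtering and sign-in join over constructed datatable rows (every address, account and indicator id is made up and uses documentation ranges), pins now() to a fixed AsOf value so the result is stable, and swaps the equality join for the ipv4_lookup plugin so that CIDR indicators match as well as hosts. It assumes ipv4_lookup is available in the workspace (it is a standard Kusto plugin) and that ThreatIntelIndicators carries the Id, IsActive, ValidUntil, Pattern and Tags columns used by the rule.

```kql
// Added test harness (not part of the published rule): replays the detection
// logic over constructed rows so the filters can be checked offline.
// Every address, user and indicator id below is made up (RFC 5737 ranges).
// Assumes the ipv4_lookup plugin is available in the workspace.
let AsOf = datetime(2026-05-29T08:00:00Z);   // stands in for now() so the result is stable
let TI = datatable(TimeGenerated:datetime, Id:string, IsActive:bool, ValidUntil:datetime, Pattern:string, Tags:dynamic)
[
    // host indicator, active and unexpired
    datetime(2026-05-20T10:00:00Z), "indicator--0001", true,  datetime(2026-06-30T00:00:00Z), "[ipv4-addr:value = '203.0.113.10']",    dynamic(["tor-exit"]),
    // CIDR indicator: the rule's exact-string join can never match this one
    datetime(2026-05-21T10:00:00Z), "indicator--0002", true,  datetime(2026-06-30T00:00:00Z), "[ipv4-addr:value = '198.51.100.0/24']", dynamic(["scanner"]),
    // same indicator upserted twice; the later row deactivates it
    datetime(2026-05-22T10:00:00Z), "indicator--0003", true,  datetime(2026-06-30T00:00:00Z), "[ipv4-addr:value = '192.0.2.99']",      dynamic(["stale"]),
    datetime(2026-05-23T10:00:00Z), "indicator--0003", false, datetime(2026-06-30T00:00:00Z), "[ipv4-addr:value = '192.0.2.99']",      dynamic(["stale"]),
    // indicator whose ValidUntil has already passed
    datetime(2026-05-24T10:00:00Z), "indicator--0004", true,  datetime(2026-01-01T00:00:00Z), "[ipv4-addr:value = '192.0.2.7']",       dynamic(["expired"]),
    // indicator with no expiry at all (ValidUntil is null)
    datetime(2026-05-25T10:00:00Z), "indicator--0005", true,  datetime(null),                  "[ipv4-addr:value = '203.0.113.55']",    dynamic(["c2"])
];
let SignIns = datatable(TimeGenerated:datetime, UserPrincipalName:string, AppDisplayName:string, IPAddress:string, ResultType:string)
[
    datetime(2026-05-29T07:10:00Z), "alice@contoso.example", "Microsoft Teams",            "203.0.113.10",  "0",      // exact host hit
    datetime(2026-05-29T07:20:00Z), "bob@contoso.example",   "Office 365 Exchange Online", "198.51.100.77", "0",      // inside the /24
    datetime(2026-05-29T07:30:00Z), "carol@contoso.example", "Microsoft Teams",            "192.0.2.99",    "0",      // deactivated indicator
    datetime(2026-05-29T07:40:00Z), "dave@contoso.example",  "Microsoft Teams",            "192.0.2.7",     "0",      // expired indicator
    datetime(2026-05-29T07:50:00Z), "erin@contoso.example",  "Microsoft Teams",            "203.0.113.55",  "50126",  // failed sign-in, no token issued
    datetime(2026-05-29T07:55:00Z), "frank@contoso.example", "Microsoft Teams",            "203.0.113.55",  "0",      // hit on the never-expiring indicator
    datetime(2026-05-29T07:58:00Z), "grace@contoso.example", "Microsoft Teams",            "203.0.113.200", "0"       // not in any feed
];
let MaliciousIPs =
    TI
    | summarize arg_max(TimeGenerated, *) by Id             // latest upsert per indicator wins
    | where IsActive == true
    | where isnull(ValidUntil) or ValidUntil > AsOf
    | where Pattern has "ipv4-addr:value"
    | extend NetworkIP = extract(@"ipv4-addr:value = '([^']+)'", 1, Pattern)
    | where isnotempty(NetworkIP)
    | summarize ThreatTags = make_set(Tags) by NetworkIP;
SignIns
| where TimeGenerated > AsOf - 1h
| where ResultType == "0"
// ipv4_lookup matches IPAddress against both plain hosts and CIDR entries in
// NetworkIP, which the live rule's equality join cannot do.
| evaluate ipv4_lookup(MaliciousIPs, IPAddress, NetworkIP)
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, NetworkIP, ThreatTags
| order by TimeGenerated asc
// Expected: three rows, alice (203.0.113.10, host indicator), bob (198.51.100.77
// inside 198.51.100.0/24) and frank (203.0.113.55, indicator with no expiry).
// carol (deactivated), dave (expired), erin (failed sign-in) and grace (no match) drop out.
```

Paste the block into Logs in the workspace and compare the output with the expected rows in the trailing comment. To carry the range-aware matching into the live rule, replace the two datatables with ThreatIntelIndicators and AADNonInteractiveUserSignInLogs, replace AsOf with now(), and keep the ipv4_lookup line in place of the join. IPv6 indicators (ipv6-addr:value) are still not covered by either version and would need a separate branch.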

Details


David Alonso

Released: May 29, 2026

Tables

ThreatIntelIndicators, AADNonInteractiveUserSignInLogs

Keywords

AzureActiveDirectory, ThreatIntelligence, AADNonInteractiveUserSignInLogs, ThreatIntelIndicators, UserPrincipalName, IPAddress, AppDisplayName, Location, ConditionalAccessStatus, AuthenticationRequirement, CorrelationId, UniqueTokenIdentifier, Account, IP, ThreatTags

Operators

let, where, ago, isempty, now, has, extend, extract, isnotempty, summarize, make_set, by, join, kind, on, project, order by, desc
