Query Details

Non-Interactive Sign-In from Threat Intelligence IP

03 NI Auth Threat Intelligence Feed

Query

let MaliciousIPs =
    ThreatIntelIndicators
    | where TimeGenerated > ago(30d)
    | where IsActive == true
    | where isempty(ValidUntil) or ValidUntil > now()
    | where Pattern has "ipv4-addr:value"
    | extend NetworkIP = extract(@"ipv4-addr:value = '([^']+)'", 1, Pattern)
    | where isnotempty(NetworkIP)
    | summarize ThreatTags = make_set(Tags) by NetworkIP;
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| join kind=inner MaliciousIPs on $left.IPAddress == $right.NetworkIP
| project
    TimeGenerated,
    UserPrincipalName,
    AppDisplayName,
    IPAddress,
    Location,
    ThreatTags,
    ConditionalAccessStatus,
    AuthenticationRequirement,
    CorrelationId,
    UniqueTokenIdentifier
| order by TimeGenerated desc

Explanation

This query is designed to detect non-interactive (silent) sign-ins to Azure Active Directory (Azure AD) that originate from IP addresses flagged as malicious in a threat intelligence database. Here's a simple breakdown of what the query does:

  1. Purpose: It identifies silent sign-ins from IPs known to be malicious, suggesting that an attacker might be using a stolen refresh token from their own infrastructure.

  2. Data Sources:

    • Azure Active Directory Logs: Specifically, logs of non-interactive user sign-ins.
    • Threat Intelligence Indicators: A table containing IP addresses identified as threats.
  3. Detection Logic:

    • The query first extracts active malicious IP addresses from the Threat Intelligence Indicators that have been flagged in the last 30 days.
    • It then checks for any non-interactive sign-ins in the past hour that were successful (ResultType == 0) and originated from these malicious IPs.
    • If such sign-ins are found, it collects details like the time of sign-in, user information, application name, IP address, location, and threat tags.
  4. Alerting:

    • If any matches are found, an alert is generated with details about the user and the malicious IP.
    • The alert includes a custom message indicating that a user performed a silent token refresh from a flagged IP.
  5. Severity and Tactics:

    • The severity of this detection is marked as "High".
    • It relates to tactics like Credential Access, Command and Control, and Initial Access, with specific techniques referenced from the MITRE ATT&CK framework.
  6. Incident Management:

    • An incident is created for each detection, with configuration to group related alerts by user account and IP address.

In summary, this query helps security teams quickly identify and respond to potential unauthorized access attempts from known malicious IPs, enhancing the organization's security posture against credential theft and misuse.

Details

David Alonso profile picture

David Alonso

Released: May 29, 2026

Tables

ThreatIntelIndicatorsAADNonInteractiveUserSignInLogs

Keywords

AzureActiveDirectoryThreatIntelligenceAADNonInteractiveUserSignInLogsThreatIntelIndicatorsUserPrincipalNameIPAddressAppDisplayNameLocationConditionalAccessStatusAuthenticationRequirementCorrelationIdUniqueTokenIdentifierAccountIPThreatTags

Operators

letwhereagoisemptynowhasextendextractisnotemptysummarizemake_setbyjoinkindonprojectorder bydesc

Severity

High

Tactics

CredentialAccessCommandAndControlInitialAccess

MITRE Techniques

Frequency: 15m

Period: 1h

Actions

GitHub