Non-Interactive Sign-In from Threat Intelligence IP
03 NI Auth Threat Intelligence Feed
Query
let MaliciousIPs =
ThreatIntelIndicators
| where TimeGenerated > ago(30d)
| where IsActive == true
| where isempty(ValidUntil) or ValidUntil > now()
| where Pattern has "ipv4-addr:value"
| extend NetworkIP = extract(@"ipv4-addr:value = '([^']+)'", 1, Pattern)
| where isnotempty(NetworkIP)
| summarize ThreatTags = make_set(Tags) by NetworkIP;
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| join kind=inner MaliciousIPs on $left.IPAddress == $right.NetworkIP
| project
TimeGenerated,
UserPrincipalName,
AppDisplayName,
IPAddress,
Location,
ThreatTags,
ConditionalAccessStatus,
AuthenticationRequirement,
CorrelationId,
UniqueTokenIdentifier
| order by TimeGenerated descExplanation
This query is designed to detect non-interactive (silent) sign-ins to Azure Active Directory (Azure AD) that originate from IP addresses flagged as malicious in a threat intelligence database. Here's a simple breakdown of what the query does:
-
Purpose: It identifies silent sign-ins from IPs known to be malicious, suggesting that an attacker might be using a stolen refresh token from their own infrastructure.
-
Data Sources:
- Azure Active Directory Logs: Specifically, logs of non-interactive user sign-ins.
- Threat Intelligence Indicators: A table containing IP addresses identified as threats.
-
Detection Logic:
- The query first extracts active malicious IP addresses from the Threat Intelligence Indicators that have been flagged in the last 30 days.
- It then checks for any non-interactive sign-ins in the past hour that were successful (ResultType == 0) and originated from these malicious IPs.
- If such sign-ins are found, it collects details like the time of sign-in, user information, application name, IP address, location, and threat tags.
-
Alerting:
- If any matches are found, an alert is generated with details about the user and the malicious IP.
- The alert includes a custom message indicating that a user performed a silent token refresh from a flagged IP.
-
Severity and Tactics:
- The severity of this detection is marked as "High".
- It relates to tactics like Credential Access, Command and Control, and Initial Access, with specific techniques referenced from the MITRE ATT&CK framework.
-
Incident Management:
- An incident is created for each detection, with configuration to group related alerts by user account and IP address.
In summary, this query helps security teams quickly identify and respond to potential unauthorized access attempts from known malicious IPs, enhancing the organization's security posture against credential theft and misuse.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 15m
Period: 1h