Query Details
id: f6a7b8c9-d0e1-4f2a-3b4c-5d6e7f8a9b0c
name: ADFS Sign-In from High-Risk Country
version: 1.0.0
kind: Scheduled
description: |
  Detects successful ADFS-federated authentication originating from countries with elevated
  APT activity or under international sanctions: North Korea, Iran, Russia, China, Belarus,
  Cuba, Syria, Venezuela, Myanmar. ADFS authentication from these regions may indicate
  compromised credentials used by state-sponsored threat actors or credential theft campaigns
  associated with these geographies.
  MITRE ATT&CK: T1078 (Valid Accounts), T1566 (Phishing)
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - ADFSSignInLogs
queryFrequency: 4h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1078
  - T1566
query: |
  // ISO 3166-1 alpha-2 codes; Location is the country geolocated from IPAddress
  let HighRiskCountries = dynamic(["KP", "IR", "RU", "CN", "BY", "CU",
                                   "SY", "VE", "MM"]);
  ADFSSignInLogs
  | where TimeGenerated > ago(1d)
  | where ResultType == 0               // successful authentications only
  | where Location in (HighRiskCountries)
  | summarize
      Count = count(),
      Apps = make_set(AppDisplayName),
      IPs = make_set(IPAddress),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated)
      by UserPrincipalName, Location
  // entity mapping needs a scalar column, not a make_set array:
  // emit one row (and one IP entity) per source address
  | mv-expand IPAddress = IPs to typeof(string)
  | order by Count desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  Location: Location
  SignInCount: Count
alertDetailsOverride:
  alertDisplayNameFormat: "ADFS High-Risk Country Sign-In - {{UserPrincipalName}} from {{Location}}"
  alertDescriptionFormat: "User {{UserPrincipalName}} successfully authenticated via ADFS from high-risk country {{Location}} ({{Count}} sign-ins). Review for possible credential compromise."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT12H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
This query is designed to detect and alert on successful ADFS (Active Directory Federation Services) sign-ins from countries considered high-risk due to elevated APT (Advanced Persistent Threat) activity or international sanctions. These countries include North Korea, Iran, Russia, China, Belarus, Cuba, Syria, Venezuela, and Myanmar.
A breakdown of what the rule does:
Data Source: It reads ADFSSignInLogs, the AD FS sign-in stream that Microsoft Entra Connect Health for AD FS forwards into the workspace through the Azure Active Directory connector. If Connect Health is not deployed on the federation servers the table stays empty and the rule never fires, so confirm the table has rows before relying on it.
Time Frame: The rule runs every 4 hours (queryFrequency) over a 1-day lookback (queryPeriod), and the query restates that window with TimeGenerated > ago(1d). Because the lookback is six times the frequency, one sign-in is evaluated by up to six consecutive runs; the incident grouping described below is what keeps that from becoming six separate incidents.
Successful Sign-Ins: It keeps only successful authentications (ResultType 0). Failed attempts from the same regions, such as password-spray traffic, are deliberately out of scope; pair this rule with a failure-based detection if that matters to you.
High-Risk Countries: It checks whether Location, the two-letter ISO 3166-1 country code the service derives from the source IP address, is in the list of nine codes.
Data Aggregation: For each UserPrincipalName and Location pair it counts the sign-ins, collects the set of applications accessed and the set of source IP addresses, and records the first and last time a sign-in was seen.
Alerting: triggerOperator gt with triggerThreshold 0 means any returned row raises an alert. The alert title and description are overridden to name the user, the country, and the sign-in count, and the account and source address are mapped as entities so they can be pivoted on during triage.
Severity and Tactics: The alert is marked with medium severity and tagged with the Initial Access and Credential Access tactics, referencing MITRE ATT&CK techniques T1078 (Valid Accounts) and T1566 (Phishing).
Incident Management: The rule creates an incident and groups alerts for the same Account entity raised within a 12-hour window (matchingMethod AnyAlert). Closed incidents are not reopened, so a recurrence after closure opens a new incident.
Overall, this rule gives organizations a low-effort signal for authentication from high-risk regions, but it is a triage cue, not proof of compromise. Country is a weak indicator on its own: VPN, Tor, and hosting-provider exits place legitimate users in unexpected countries, and well-resourced actors rarely connect from their home networks. Expect to add exceptions for staff who travel to or work from the listed countries, and investigate hits by reviewing the applications accessed, the source addresses, and any concurrent sign-ins from the user's usual location.
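To make the pipeline above concrete, here is an added example (written for this page; not the rule's own code, and Python rather than KQL so it can run offline) that re-implements the rule's logic over constructed ADFSSignInLogs-shaped rows: the 1-day window, the success filter, the country list, the per-user/country aggregation, and the alert rendering with one IP entity per address. It also models how many 4-hourly runs with a 1-day lookback re-evaluate the same sign-in. The users, applications, and 203.0.113.x / 198.51.100.x addresses are hypothetical sample data, not from the original page.

```python
# Added example, not part of the original rule: a Python mirror of the rule's
# KQL pipeline run over constructed sample rows, plus a model of the 4h/1d schedule.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

HIGH_RISK_COUNTRIES = {"KP", "IR", "RU", "CN", "BY", "CU", "SY", "VE", "MM"}

# Fixed "now" so the example is deterministic; the real rule uses ago(1d).
NOW = datetime(2026, 3, 24, 12, 0, tzinfo=timezone.utc)


def hours_ago(h):
    return NOW - timedelta(hours=h)


def make_row(h, result, loc, upn, app, ip):
    # Only the ADFSSignInLogs columns the rule reads. ResultType is a string in the table.
    return {"TimeGenerated": hours_ago(h), "ResultType": result, "Location": loc,
            "UserPrincipalName": upn, "AppDisplayName": app, "IPAddress": ip}


# Constructed sample data (hypothetical users, documentation-range addresses).
SAMPLE_LOGS = [
    make_row(2,  "0",     "RU", "alice@contoso.com", "Office 365", "203.0.113.10"),
    make_row(3,  "0",     "RU", "alice@contoso.com", "SharePoint", "203.0.113.11"),
    make_row(5,  "50126", "RU", "alice@contoso.com", "Office 365", "203.0.113.12"),  # failed: dropped
    make_row(1,  "0",     "US", "alice@contoso.com", "Office 365", "198.51.100.5"),  # not high-risk
    make_row(30, "0",     "IR", "carol@contoso.com", "Office 365", "203.0.113.40"),  # older than 1d
    make_row(4,  "0",     "CN", "bob@contoso.com",   "Exchange",   "203.0.113.20"),
]


def detect(rows, now=NOW, lookback=timedelta(days=1)):
    """Mirror the KQL: TimeGenerated > ago(1d), ResultType == 0, Location in list,
    summarize ... by UserPrincipalName, Location, order by Count desc."""
    groups = defaultdict(list)
    for r in rows:
        if r["TimeGenerated"] <= now - lookback:
            continue
        if str(r["ResultType"]) != "0":
            continue
        if r["Location"] not in HIGH_RISK_COUNTRIES:
            continue
        groups[(r["UserPrincipalName"], r["Location"])].append(r)

    results = []
    for (upn, loc), hits in groups.items():
        results.append({
            "UserPrincipalName": upn,
            "Location": loc,
            "Count": len(hits),
            "Apps": sorted({h["AppDisplayName"] for h in hits}),  # make_set(AppDisplayName)
            "IPs": sorted({h["IPAddress"] for h in hits}),        # make_set(IPAddress)
            "FirstSeen": min(h["TimeGenerated"] for h in hits),
            "LastSeen": max(h["TimeGenerated"] for h in hits),
        })
    results.sort(key=lambda x: x["Count"], reverse=True)
    return results


def to_alerts(results):
    """Render the alertDetailsOverride strings and the entities. One IP entity per
    address (the effect of mv-expanding the IPs set), because an entity mapping
    needs a scalar column rather than a make_set array."""
    alerts = []
    for r in results:
        for ip in r["IPs"]:
            alerts.append({
                "title": f"ADFS High-Risk Country Sign-In - {r['UserPrincipalName']} from {r['Location']}",
                "description": (f"User {r['UserPrincipalName']} successfully authenticated via ADFS "
                                f"from high-risk country {r['Location']} ({r['Count']} sign-ins). "
                                f"Review for possible credential compromise."),
                "entities": {"Account": r["UserPrincipalName"], "IP": ip},
            })
    return alerts


def runs_that_see(event_time, first_run, frequency=timedelta(hours=4),
                  period=timedelta(days=1), n_runs=12):
    """How many consecutive scheduled runs include one event. With queryFrequency 4h
    and queryPeriod 1d each run's window overlaps the previous five, so a single
    sign-in is re-evaluated (and can re-alert) up to six times; the rule relies on
    incident grouping by Account to collapse those into one incident."""
    return sum(1 for i in range(n_runs)
               if first_run + i * frequency - period < event_time <= first_run + i * frequency)


if __name__ == "__main__":
    for a in to_alerts(detect(SAMPLE_LOGS)):
        print(a["title"], "->", a["entities"])
    print("runs that see one sign-in:", runs_that_see(hours_ago(1), NOW))
```

Running it yields two aggregated rows (alice from RU with two sign-ins, bob from CN with one), three alerts because alice used two source addresses, and a count of six runs for a sign-in one hour old, which is the repeat-evaluation behaviour the grouping configuration exists to absorb.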

David Alonso
Released: March 24, 2026