Query Details

ADFS Sign-In from High-Risk Country

06 ADFS High Risk Country

Query

let HighRiskCountries = dynamic(["KP", "IR", "RU", "CN", "BY", "CU",
                                   "SY", "VE", "MM"]);
ADFSSignInLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where Location in (HighRiskCountries)
| summarize
    Count     = count(),
    Apps      = make_set(AppDisplayName),
    IPs       = make_set(IPAddress),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
  by UserPrincipalName, Location
| order by Count desc

Explanation

This query is designed to detect and alert on successful ADFS (Active Directory Federation Services) sign-ins from countries considered high-risk due to elevated APT (Advanced Persistent Threat) activity or international sanctions. These countries include North Korea, Iran, Russia, China, Belarus, Cuba, Syria, Venezuela, and Myanmar.

Here's a simple breakdown of what the query does:

  1. Data Source: It uses ADFSSignInLogs from Azure Active Directory to track sign-in attempts.

  2. Time Frame: The query looks at sign-ins that occurred in the last day (1 day).

  3. Successful Sign-Ins: It filters for successful sign-ins (where ResultType is 0).

  4. High-Risk Countries: It checks if the sign-in originated from one of the specified high-risk countries.

  5. Data Aggregation: For each user and location, it counts the number of sign-ins, lists the applications accessed, and records the IP addresses used. It also notes the first and last time a sign-in was seen.

  6. Alerting: If any sign-ins are detected, it triggers an alert. The alert includes details such as the user's name, the country of origin, and the number of sign-ins. The alert is displayed with a specific format and description to indicate a potential credential compromise.

  7. Severity and Tactics: The alert is marked with medium severity and is associated with tactics like Initial Access and Credential Access, referencing MITRE ATT&CK techniques T1078 (Valid Accounts) and T1566 (Phishing).

  8. Incident Management: The query is set to create an incident if triggered, with specific configurations for grouping related alerts.

Overall, this query helps organizations monitor and respond to potential security threats involving unauthorized access from high-risk regions.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogs

Keywords

ADFSAPTCountriesCredentialsThreatActorsAuthenticationLogsAccountIPUserLocationTimeGeneratedAppDisplayNameIPAddressUserPrincipalName

Operators

letdynamicinago==summarizecountmake_setminmaxbyorder bydesc

Severity

Medium

Tactics

InitialAccessCredentialAccess

MITRE Techniques

Frequency: 4h

Period: 1d

Actions

GitHub