Query Details
id: a7b8c9d0-e1f2-4a3b-4c5d-6e7f8a9b0c1d
name: ADFS Impossible Travel - 3+ Countries in 1 Hour
version: 1.0.0
kind: Scheduled
description: |
  Detects a single user successfully authenticating through AD FS from 3 or more
  distinct countries within the 1-hour query window. Three countries in an hour is
  not credible for a human traveller, so the pattern usually means the account's
  password is being used from several attacker locations at once (for example after
  a phishing campaign or a successful password spray), or that an AD FS single
  sign-on session cookie is being replayed from more than one host.
  This rule does not detect Golden SAML: a forged token is signed with the stolen
  token-signing certificate and presented straight to the relying party, so AD FS
  never records a sign-in for it and nothing lands in ADFSSignInLogs.
  Expected benign triggers are network ones: split-tunnel VPN or cloud-proxy egress,
  mobile carrier NAT pools and mis-geolocated IP ranges. Exclude known corporate
  egress addresses before deployment and raise the threshold for users who roam.
  MITRE ATT&CK: T1550 (Use Alternate Authentication Material), T1078 (Valid Accounts)
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - ADFSSignInLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - LateralMovement
  - InitialAccess
relevantTechniques:
  - T1550
  - T1078
query: |
  // Sentinel applies the queryPeriod window itself; an explicit ago() filter is
  // evaluated against the run time rather than the query window, so none is used.
  ADFSSignInLogs
  | where ResultType == "0"
  | where isnotempty(UserPrincipalName) and isnotempty(Location)
  | extend UserPrincipalName = tolower(UserPrincipalName)
  | summarize
      Countries = make_set(Location),
      IPs = make_set(IPAddress),
      Apps = make_set(AppDisplayName),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated)
    by UserPrincipalName
  | extend CountryCount = array_length(Countries)
  | where CountryCount >= 3
  | order by CountryCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
customDetails:
  CountryCount: CountryCount
  Countries: Countries
  IPs: IPs
  Apps: Apps
alertDetailsOverride:
  alertDisplayNameFormat: "ADFS Impossible Travel - {{UserPrincipalName}} in {{CountryCount}} countries within 1 hour"
  alertDescriptionFormat: "User {{UserPrincipalName}} authenticated via AD FS from {{CountryCount}} distinct countries within one hour. Possible session cookie replay or simultaneous credential abuse."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
This rule flags suspicious authentication through Active Directory Federation Services (AD FS): a single user who signs in successfully from three or more different countries within a one-hour window. Since a person cannot cross three countries in an hour, the usual explanation is that the account's credentials are being used from several attacker locations at the same time, or that an AD FS SSO session cookie is being replayed from more than one host. It does not catch Golden SAML: a forged token is signed with the stolen token-signing certificate and handed directly to the relying party, so AD FS never sees a sign-in and writes nothing to ADFSSignInLogs; detecting that requires correlating the relying party's sign-in logs against AD FS, which is a different detection.
The rule runs hourly over the preceding hour of ADFSSignInLogs. It keeps only successful sign-ins (ResultType is a string column, hence the comparison with "0"), drops rows with no geolocation so that an empty Location is not counted as a country, lower-cases the UPN so that casing differences do not split one user into two, and collects the distinct countries, IP addresses and applications per user. Any user with three or more countries raises a High alert carrying those details, mapped to an Account entity; further alerts for the same account within five hours are grouped into the same incident. Because the window is a fixed one-hour lookback, a sequence of sign-ins that straddles two consecutive runs can be missed; if that matters, run the rule every 30 minutes over a one-hour period, accepting the duplicate alerts that overlapping windows produce, which the five-hour account grouping folds into one incident. VPN or proxy egress addresses that legitimately change a user's apparent country should be excluded in the query before the rule goes live.
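To see how the filters and the aggregation behave on concrete records, the following is an offline re-implementation of the rule's logic in Python. It is an added example, not part of the rule above and not code published by its author; the records, UPNs, IP addresses (RFC 5737 documentation ranges) and the corporate-egress allow-list are all constructed for the demo, and the column names are assumed to match the ADFSSignInLogs schema the query reads. Alongside the rule's fixed one-hour window it also shows a sliding-window variant, which goes beyond the KQL above: it catches a three-country sequence that straddles a clock-hour boundary.

```python
"""Offline re-implementation of the ADFS impossible-travel logic (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed rows shaped like ADFSSignInLogs records. Assumption: the column
# names match the Sentinel schema; every value is invented (RFC 5737 addresses).
def _row(ts, upn, ip, country, result="0", app="Office 365"):
    return {"TimeGenerated": ts, "ResultType": result, "UserPrincipalName": upn,
            "IPAddress": ip, "Location": country, "AppDisplayName": app}

SAMPLE_LOGS = [
    # alice: US, BR, NG inside 10:00-11:00 (note the mixed-case UPN on the first row)
    _row("2026-03-24T10:05:00Z", "Alice@contoso.com", "203.0.113.10", "US"),
    _row("2026-03-24T10:20:00Z", "alice@contoso.com", "198.51.100.7", "BR"),
    _row("2026-03-24T10:50:00Z", "alice@contoso.com", "192.0.2.44", "NG", app="Salesforce"),
    # bob: the RU attempt failed, so only US and GB are successful sign-ins
    _row("2026-03-24T10:10:00Z", "bob@contoso.com", "203.0.113.20", "US"),
    _row("2026-03-24T10:15:00Z", "bob@contoso.com", "198.51.100.99", "RU", result="50126"),
    _row("2026-03-24T10:40:00Z", "bob@contoso.com", "192.0.2.80", "GB"),
    # carol: DE, FR, IN within 30 minutes, but straddling the 11:00 clock-hour boundary
    _row("2026-03-24T10:40:00Z", "carol@contoso.com", "203.0.113.30", "DE"),
    _row("2026-03-24T10:55:00Z", "carol@contoso.com", "198.51.100.30", "FR"),
    _row("2026-03-24T11:10:00Z", "carol@contoso.com", "192.0.2.30", "IN"),
    # dave: one row without geolocation, one via the corporate VPN egress (JP)
    _row("2026-03-24T10:00:00Z", "dave@contoso.com", "203.0.113.5", ""),
    _row("2026-03-24T10:30:00Z", "dave@contoso.com", "198.51.100.40", "NL"),
    _row("2026-03-24T10:45:00Z", "dave@contoso.com", "198.51.100.1", "JP"),
    _row("2026-03-24T10:50:00Z", "dave@contoso.com", "192.0.2.40", "BE"),
]

# Assumed corporate VPN/proxy egress addresses to suppress (invented value).
KNOWN_EGRESS_IPS = frozenset({"198.51.100.1"})


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def successful_signins(records, known_egress_ips=frozenset()):
    """Mirror the KQL filters: success only, geolocated rows, lower-cased UPN,
    known egress addresses dropped. Returns events sorted by time."""
    events = []
    for r in records:
        if str(r["ResultType"]) != "0":           # ResultType is a string column
            continue
        if not r.get("UserPrincipalName") or not r.get("Location"):
            continue                               # empty Location is not a country
        if r["IPAddress"] in known_egress_ips:
            continue
        events.append({"ts": _parse_ts(r["TimeGenerated"]),
                       "upn": r["UserPrincipalName"].lower(),
                       "country": r["Location"], "ip": r["IPAddress"],
                       "app": r["AppDisplayName"]})
    return sorted(events, key=lambda e: e["ts"])


def _summary(events):
    """Same fields the KQL summarize produces for one alert."""
    countries = sorted({e["country"] for e in events})
    return {"Countries": countries, "CountryCount": len(countries),
            "IPs": sorted({e["ip"] for e in events}),
            "Apps": sorted({e["app"] for e in events}),
            "FirstSeen": min(e["ts"] for e in events).isoformat(),
            "LastSeen": max(e["ts"] for e in events).isoformat()}


def fixed_window_alerts(records, threshold=3, known_egress_ips=frozenset()):
    """Approximates the rule: distinct countries per user within one clock hour,
    i.e. an hourly run over a one-hour query period aligned to the hour."""
    buckets = defaultdict(list)
    for e in successful_signins(records, known_egress_ips):
        buckets[(e["upn"], e["ts"].replace(minute=0, second=0))].append(e)
    return {upn: _summary(evs) for (upn, _), evs in buckets.items()
            if len({e["country"] for e in evs}) >= threshold}


def sliding_window_alerts(records, threshold=3, window=timedelta(hours=1),
                          known_egress_ips=frozenset()):
    """Variant that checks every span of `window` length, so a sequence that
    straddles a clock-hour boundary is still caught (two-pointer scan)."""
    per_user = defaultdict(list)
    for e in successful_signins(records, known_egress_ips):
        per_user[e["upn"]].append(e)               # already time-sorted
    alerts = {}
    for upn, evs in per_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            if len({e["country"] for e in span}) >= threshold:
                alerts[upn] = _summary(span)
                break
    return alerts


if __name__ == "__main__":
    for name, fn in (("fixed", fixed_window_alerts), ("sliding", sliding_window_alerts)):
        for upn, detail in fn(SAMPLE_LOGS, known_egress_ips=KNOWN_EGRESS_IPS).items():
            print(f"[{name}] {upn}: {detail['CountryCount']} countries {detail['Countries']}")
```

With the allow-list applied, the fixed window fires only for alice; carol's DE, FR, IN sequence is split across the 10:00 and 11:00 buckets and is caught only by the sliding variant. Without the allow-list, dave's VPN hop through JP would be a third country and a false positive, which is the tuning the description asks for before deployment.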

David Alonso
Released: March 24, 2026