ADFS Impossible Travel - 3+ Countries in 1 Hour
07 ADFS Impossible Travel
Query
ADFSSignInLogs
| where TimeGenerated > ago(2h)
| where ResultType == 0
| summarize
Countries = make_set(Location),
CountryCount = dcount(Location),
IPs = make_set(IPAddress),
Apps = make_set(AppDisplayName),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName, bin(TimeGenerated, 1h)
| where CountryCount >= 3
| order by CountryCount descExplanation
This query is designed to detect suspicious login activity through Active Directory Federation Services (ADFS). Specifically, it looks for instances where a single user successfully logs in from three or more different countries within a one-hour period. This is considered suspicious because it's not physically possible for a person to travel between multiple countries in such a short time. Such activity could indicate that an attacker is replaying ADFS-issued tokens from different locations or that a compromised account is being used by multiple attackers. This behavior is associated with techniques like Golden SAML token forging or the reuse of stolen credentials.
The query runs every hour and checks the past two hours of ADFS sign-in logs. It filters for successful logins and groups the data by user and hour, counting the number of distinct countries from which the user logged in. If a user logs in from three or more countries in one hour, an alert is triggered. The alert includes details such as the user's name and the number of countries involved, and it is classified with high severity. The query also maps the user information to an account entity for further analysis and incident management.
Details

David Alonso
Released: March 24, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 2h