Query Details

07 SIGNIN Nation State IP

Query

id: c7d8e9f0-a1b2-4c3d-4e5f-6a7b8c9d0e1f
name: "SigninLogs — Nation State IP Sign-In Detected"
version: 1.0.0
kind: Scheduled
description: |
  Detects sign-ins where Azure AD Identity Protection tagged the source IP as affiliated with a nation-state threat actor (estsNationStateIP risk event type). Requires Entra ID P2 and Microsoft Defender for Identity. MITRE ATT&CK: T1078 (Valid Accounts).
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
queryFrequency: PT6H
queryPeriod: P7D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |

    // ---- Network Allowlist (exclude trusted IPs / CIDR / ranges) --------------
    let _allow = materialize(union isfuzzy=true (print R="" | take 0), (_GetWatchlist('NetworkAllowlist') | project R = tostring(IPOrRange)) | where isnotempty(R));
    let _allowCIDR  = toscalar(_allow | where not(R matches regex @'^\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d+$') | extend R = iff(R has '/', R, strcat(R, '/32')) | summarize make_list(R));
    let _allowRange = toscalar(_allow | where R matches regex @'^\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d+$' | summarize make_list(R));
    let _ExcludeAllowlistedIPs = (T:(IPAddress:string)) {
        T
        | extend IPAddress = tostring(IPAddress)
        | where array_length(_allowCIDR) == 0 or isnull(ipv4_is_in_any_range(IPAddress, _allowCIDR)) or not(ipv4_is_in_any_range(IPAddress, _allowCIDR))
        | mv-apply _r = _allowRange to typeof(string) on (
            extend _lo = tostring(split(_r,'-')[0]), _hi = tostring(split(_r,'-')[1])
            | extend _inRange = ipv4_compare(IPAddress, _lo) >= 0 and ipv4_compare(IPAddress, _hi) <= 0
            | summarize _anyInRange = max(toint(_inRange)))
        | where isnull(_anyInRange) or _anyInRange == 0
        | project-away _anyInRange
    };
    // ---------------------------------------------------------------------------
    SigninLogs
    | invoke _ExcludeAllowlistedIPs()
    | where TimeGenerated > ago(7d)
    | extend V2Risk = tostring(RiskEventTypes_V2)
    | where V2Risk contains "estsNationStateIP"
    | project
        TimeGenerated,
        UserPrincipalName, IPAddress,
        Location, AppDisplayName,
        ResultType, ResultDescription,
        RiskLevel = RiskLevelDuringSignIn,
        RiskEventTypes_V2
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  Location: Location
  RiskLevel: RiskLevel
alertDetailsOverride:
  alertDisplayNameFormat: "Nation State IP Sign-In — {{UserPrincipalName}} from {{IPAddress}}"
  alertDescriptionFormat: "Sign-in from {{IPAddress}} flagged as nation-state IP — {{RiskLevel}} risk level."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT1H
    matchingMethod: AllEntities
    groupByEntities:
      - Account
      - IP



Explanation

This query is designed to detect sign-ins to Azure Active Directory (Azure AD) that are flagged as coming from IP addresses associated with nation-state threat actors. Here's a simple breakdown of what the query does:

  1. Purpose: The query identifies sign-in attempts where the source IP address is tagged by Azure AD Identity Protection as being linked to a nation-state threat actor. This requires specific security tools like Entra ID P2 and Microsoft Defender for Identity.

  2. Severity: The alert generated by this query is considered high severity, indicating a significant potential threat.

  3. Data Source: It uses data from Azure Active Directory's SigninLogs.

  4. Frequency and Period: The query runs every 6 hours and checks data from the past 7 days.

  5. Exclusions: It excludes IP addresses that are on a predefined allowlist, which includes trusted IPs or ranges.

  6. Detection Logic:

    • It filters out sign-ins from allowlisted IPs.
    • It looks for sign-ins that occurred in the last 7 days.
    • It specifically searches for risk events tagged as "estsNationStateIP".

  7. Output: The query outputs details such as the time of the sign-in, the user's principal name, IP address, location, application name, result type, result description, risk level, and risk event types.

  8. Alert and Incident Configuration:

    • Alerts are generated with a specific format, highlighting the user and IP address involved.
    • If an alert is triggered, an incident is created, and similar incidents are grouped together based on the account and IP address involved.

Overall, this query helps organizations monitor and respond to potentially malicious sign-in attempts from IP addresses associated with nation-state actors, enhancing their security posture.
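To check the allowlist and detection semantics described above without a Sentinel workspace, here is an added Python re-implementation of the rule's logic (this is example code written for this page, not the rule's own KQL or anything shipped by the author). It assumes a handful of constructed SigninLogs rows, a constructed NetworkAllowlist with the three entry shapes the rule accepts (bare IP, CIDR, lo-hi range), an assumed evaluation time `NOW`, and RFC 5737 / RFC 3849 documentation addresses. Two deliberate parallels with the KQL: an IPv6 or unparsable address is never treated as allowlisted (the rule's `ipv4_*` helpers return null there, so the row is kept), and the 7-day window is applied after the exclusion. One difference: the rule uses `contains` (case-insensitive substring) on the serialized array, while this code matches array elements case-insensitively, which is slightly stricter.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed allowlist standing in for the NetworkAllowlist watchlist's IPOrRange
# column: a bare host (implicit /32), a CIDR block, a lo-hi range and an empty entry.
NETWORK_ALLOWLIST = ["203.0.113.7", "198.51.100.0/24", "192.0.2.10-192.0.2.20", ""]

# Assumed evaluation time, so the 7-day lookback is deterministic.
NOW = datetime(2026, 4, 20, 12, 0, tzinfo=timezone.utc)


def row(ts, upn, ip, risk_types):
    """Build a constructed SigninLogs row with only the columns the rule touches.
    RiskEventTypes_V2 is stored as the serialized JSON array a dynamic column holds."""
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "IPAddress": ip,
            "Location": "US", "AppDisplayName": "Office 365", "ResultType": "0",
            "ResultDescription": "", "RiskLevelDuringSignIn": "high",
            "RiskEventTypes_V2": json.dumps(risk_types)}


SIGNIN_LOGS = [  # constructed sample data
    row("2026-04-19T08:00:00+00:00", "alice@contoso.example", "203.0.113.7", ["estsNationStateIP"]),     # allowlisted host
    row("2026-04-19T09:00:00+00:00", "bob@contoso.example", "198.51.100.44", ["estsNationStateIP"]),     # inside CIDR
    row("2026-04-19T10:00:00+00:00", "carol@contoso.example", "192.0.2.15", ["estsNationStateIP"]),      # inside lo-hi range
    row("2026-04-18T10:00:00+00:00", "dave@contoso.example", "192.0.2.99", ["estsNationStateIP", "unfamiliarFeatures"]),
    row("2026-04-19T11:00:00+00:00", "erin@contoso.example", "192.0.2.99", ["anonymizedIPAddress"]),    # other risk type
    row("2026-04-19T12:00:00+00:00", "frank@contoso.example", "2001:db8::1", ["estsNationStateIP"]),    # IPv6: never allowlisted
    row("2026-04-10T12:00:00+00:00", "grace@contoso.example", "192.0.2.99", ["estsNationStateIP"]),     # older than 7 days
]


def parse_allowlist(entries):
    """Split entries the way the rule's _allowCIDR / _allowRange lets do:
    'a.b.c.d-e.f.g.h' becomes a (lo, hi) range, anything else a CIDR (bare IP -> /32)."""
    cidrs, ranges = [], []
    for raw in entries:
        raw = raw.strip()
        if not raw:
            continue  # isnotempty(R)
        if "-" in raw:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in raw.split("-", 1))
            ranges.append((lo, hi))
        else:
            cidrs.append(ipaddress.ip_network(raw if "/" in raw else raw + "/32", strict=False))
    return cidrs, ranges


def is_allowlisted(ip, cidrs, ranges):
    """True when ip is inside any CIDR or lo-hi range. Mirrors the rule's IPv4-only
    helpers: a non-IPv4 or unparsable address is not excluded, so the row survives."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.version != 4:
        return False
    in_cidr = any(addr in net for net in cidrs if net.version == 4)
    in_range = any(lo <= addr <= hi for lo, hi in ranges if lo.version == 4 and hi.version == 4)
    return in_cidr or in_range


def nation_state_signins(rows, allowlist, now, lookback=timedelta(days=7)):
    """Apply the rule: drop allowlisted IPs, keep the lookback window, then keep only
    rows whose RiskEventTypes_V2 carries estsNationStateIP. Returns the rule's projection."""
    cidrs, ranges = parse_allowlist(allowlist)
    hits = []
    for r in rows:
        if is_allowlisted(r["IPAddress"], cidrs, ranges):
            continue
        if datetime.fromisoformat(r["TimeGenerated"]) <= now - lookback:
            continue
        risk_types = [str(t).lower() for t in json.loads(r.get("RiskEventTypes_V2") or "[]")]
        if "estsnationstateip" not in risk_types:
            continue
        hits.append({"TimeGenerated": r["TimeGenerated"], "UserPrincipalName": r["UserPrincipalName"],
                     "IPAddress": r["IPAddress"], "Location": r["Location"],
                     "AppDisplayName": r["AppDisplayName"], "ResultType": r["ResultType"],
                     "ResultDescription": r["ResultDescription"],
                     "RiskLevel": r["RiskLevelDuringSignIn"], "RiskEventTypes_V2": r["RiskEventTypes_V2"]})
    return hits


if __name__ == "__main__":
    for hit in nation_state_signins(SIGNIN_LOGS, NETWORK_ALLOWLIST, NOW):
        print(hit["TimeGenerated"], hit["UserPrincipalName"], hit["IPAddress"], hit["RiskLevel"])
```

Running it against the constructed rows returns only dave and frank: the three allowlisted sources are excluded, erin carries a different risk type, and grace's sign-in falls outside the 7-day window. Swapping in an export of the real watchlist is a quick way to confirm that a range entry written as `lo-hi` is parsed as intended before the rule goes live.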

Details


David Alonso

Released: April 20, 2026

Tables

SigninLogs

Keywords

SigninLogs, AzureActiveDirectory, IPAddress, UserPrincipalName, Location, AppDisplayName, ResultType, ResultDescription, RiskLevel, RiskEventTypes, NationStateIP, NetworkAllowlist

Operators

let, materialize, union, isfuzzy, print, take, project, where, isnotempty, toscalar, matches regex, extend, iff, strcat, summarize, make_list, not, ipv4_is_in_any_range, mv-apply, to typeof, split, ipv4_compare, max, toint, project-away, invoke, contains, ago