SigninLogs — Nation State IP Sign-In Detected
07 SIGNIN Nation State IP
Query
// ---- Network Allowlist (exclude trusted IPs / CIDR / ranges) --------------
let _allow = materialize(union isfuzzy=true (print R="" | take 0), (_GetWatchlist('NetworkAllowlist') | project R = tostring(IPOrRange)) | where isnotempty(R));
let _allowCIDR = toscalar(_allow | where not(R matches regex @'^\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d+$') | extend R = iff(R has '/', R, strcat(R, '/32')) | summarize make_list(R));
let _allowRange = toscalar(_allow | where R matches regex @'^\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d+$' | summarize make_list(R));
let _ExcludeAllowlistedIPs = (T:(IPAddress:string)) {
T
| extend IPAddress = tostring(IPAddress)
| where array_length(_allowCIDR) == 0 or isnull(ipv4_is_in_any_range(IPAddress, _allowCIDR)) or not(ipv4_is_in_any_range(IPAddress, _allowCIDR))
| mv-apply _r = _allowRange to typeof(string) on (
extend _lo = tostring(split(_r,'-')[0]), _hi = tostring(split(_r,'-')[1])
| extend _inRange = ipv4_compare(IPAddress, _lo) >= 0 and ipv4_compare(IPAddress, _hi) <= 0
| summarize _anyInRange = max(toint(_inRange)))
| where isnull(_anyInRange) or _anyInRange == 0
| project-away _anyInRange
};
// ---------------------------------------------------------------------------
SigninLogs
| invoke _ExcludeAllowlistedIPs()
| where TimeGenerated > ago(7d)
| extend V2Risk = tostring(RiskEventTypes_V2)
| where V2Risk contains "estsNationStateIP"
| project
TimeGenerated,
UserPrincipalName, IPAddress,
Location, AppDisplayName,
ResultType, ResultDescription,
RiskLevel = RiskLevelDuringSignIn,
RiskEventTypes_V2Explanation
This query is designed to detect sign-ins to Azure Active Directory (Azure AD) that are flagged as coming from IP addresses associated with nation-state threat actors. Here's a simple breakdown of what the query does:
-
Purpose: The query identifies sign-in attempts where the source IP address is tagged by Azure AD Identity Protection as being linked to a nation-state threat actor. This requires specific security tools like Entra ID P2 and Microsoft Defender for Identity.
-
Severity: The alert generated by this query is considered high severity, indicating a significant potential threat.
-
Data Source: It uses data from Azure Active Directory's SigninLogs.
-
Frequency and Period: The query runs every 6 hours and checks data from the past 7 days.
-
Exclusions: It excludes IP addresses that are on a predefined allowlist, which includes trusted IPs or ranges.
-
Detection Logic:
- It filters out sign-ins from allowlisted IPs.
- It looks for sign-ins that occurred in the last 7 days.
- It specifically searches for risk events tagged as "estsNationStateIP".
-
Output: The query outputs details such as the time of the sign-in, the user's principal name, IP address, location, application name, result type, result description, risk level, and risk event types.
-
Alert and Incident Configuration:
- Alerts are generated with a specific format, highlighting the user and IP address involved.
- If an alert is triggered, an incident is created, and similar incidents are grouped together based on the account and IP address involved.
Overall, this query helps organizations monitor and respond to potentially malicious sign-in attempts from IP addresses associated with nation-state actors, enhancing their security posture.
Details

David Alonso
Released: April 20, 2026
Tables
Keywords
Operators
MITRE Techniques