Query Details

07 TOR Proxy Detection

Query

id: a2b8c0d1-e6f7-9a3b-4c5d-6e7f8a9b0c1d
name: Non-Interactive Sign-In via TOR or Anonymous Proxy
version: 1.0.0
kind: Scheduled
description: |
  Detects non-interactive Azure AD sign-ins from IP addresses tagged as TOR exit nodes,
  anonymous proxies, or VPN anonymizers in the ThreatIntelIndicators table (unified TI -
  replaces deprecated ThreatIntelligenceIndicator). Attackers use anonymization
  infrastructure to hide their true location when replaying stolen refresh tokens. Even if
  the underlying credential is legitimate, sign-ins from TOR or proxies represent
  significant risk in enterprise environments.
  MITRE ATT&CK: T1090 (Proxy), T1090.003 (Multi-hop Proxy), T1528
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
  - connectorId: ThreatIntelligence
    dataTypes:
      - ThreatIntelIndicators
queryFrequency: 15m
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - DefenseEvasion
  - CredentialAccess
  - CommandAndControl
relevantTechniques:
  - T1090
  - T1528
query: |
  let TorExitIPs =
      ThreatIntelIndicators
      | where TimeGenerated > ago(30d)
      | where IsActive == true
      | where isempty(ValidUntil) or ValidUntil > now()
      | where Tags has_any ("tor", "proxy", "anonymizer", "vpn", "anonymity")
      | where Pattern has "ipv4-addr:value"
      | extend NetworkIP = extract(@"ipv4-addr:value = '([^']+)'", 1, Pattern)
      | where isnotempty(NetworkIP)
      | summarize AnonymizationType = make_set(Tags) by NetworkIP;
  AADNonInteractiveUserSignInLogs
  | where TimeGenerated > ago(1h)
  | where ResultType == 0
  | join kind=inner TorExitIPs on $left.IPAddress == $right.NetworkIP
  | project
      TimeGenerated,
      UserPrincipalName,
      AppDisplayName,
      IPAddress,
      Location,
      AnonymizationType,
      ConditionalAccessStatus,
      AuthenticationRequirement,
      CorrelationId,
      UniqueTokenIdentifier
  | order by TimeGenerated desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  AnonymizationType: AnonymizationType
  AppDisplayName: AppDisplayName
  ConditionalAccessStatus: ConditionalAccessStatus
alertDetailsOverride:
  alertDisplayNameFormat: "TOR/Proxy Sign-In - {{UserPrincipalName}} from anonymized IP {{IPAddress}}"
  alertDescriptionFormat: "User {{UserPrincipalName}} authenticated non-interactively from anonymized IP {{IPAddress}} (TOR/proxy). Possible stolen token replayed from attacker infrastructure."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect non-interactive sign-ins to Azure Active Directory (Azure AD) from IP addresses associated with TOR exit nodes, anonymous proxies, or VPN anonymizers. These types of sign-ins can indicate potential security threats, as attackers often use anonymization tools to conceal their true location when using stolen credentials.

Here's a breakdown of the query:

  1. Purpose: The query aims to identify non-interactive sign-ins from anonymized IP addresses, which could suggest unauthorized access attempts using stolen tokens.

  2. Data Sources: It uses data from two main sources:
    • AzureActiveDirectory: Specifically, the AADNonInteractiveUserSignInLogs data type, which logs non-interactive user sign-ins.
    • ThreatIntelligence: Specifically, the ThreatIntelIndicators data type, which contains information about IP addresses tagged as TOR, proxy, anonymizer, or VPN.

  3. Detection Logic:
    • The query first extracts IPv4 addresses from the ThreatIntelIndicators table that are active, not yet expired (ValidUntil empty or in the future), and tagged with terms like "tor", "proxy", "anonymizer", etc.
    • It then checks for successful (ResultType == 0) non-interactive sign-ins in the past hour from these IP addresses.
    • If such sign-ins are found, it lists details like the time of sign-in, user principal name, application name, IP address, location, and the type of anonymization used.

  4. Alert Configuration:
    • If any such sign-ins are detected, an alert is generated with a high severity level.
    • The alert includes details such as the user principal name and the anonymized IP address used.
    • An incident is created for each alert, and similar alerts are grouped together based on the account and IP address.

  5. Security Context:
    • The query is aligned with MITRE ATT&CK techniques related to proxy use and credential access, indicating its relevance in detecting sophisticated attack tactics.

Overall, this query helps organizations monitor and respond to potential security threats involving anonymized sign-ins, which could indicate malicious activity.
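The detection logic above can be checked offline by re-implementing it in plain Python. The following is an added example, not code from the original rule or its author: it mirrors the two halves of the KQL (the TorExitIPs let-statement and the join against successful non-interactive sign-ins) over constructed sample rows, so that the edge cases the query handles (expired or inactive indicators, non-anonymizer tags, patterns without an IPv4 address, failed sign-ins, sign-ins outside the one-hour window) can be seen to be excluded. The sample indicator and sign-in rows, the fixed "now" timestamp and the RFC 5737 documentation addresses are all constructed for the example.

```python
"""Offline re-implementation of the KQL rule's detection logic (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Same regex the KQL extract() uses to pull the IPv4 address out of a STIX pattern.
IPV4_PATTERN = re.compile(r"ipv4-addr:value = '([^']+)'")

# Same tag vocabulary as the rule's has_any() clause.
ANON_TAGS = {"tor", "proxy", "anonymizer", "vpn", "anonymity"}

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2026, 5, 29, 12, 0, tzinfo=timezone.utc)


def _terms(tag):
    """Approximate KQL term matching: case-insensitive, split on non-alphanumerics,
    so a tag such as 'tor-exit-node' matches the term 'tor' as has_any would."""
    return set(re.findall(r"[a-z0-9]+", tag.lower()))


def build_anonymizer_ips(indicators, now=NOW, lookback=timedelta(days=30)):
    """Equivalent of the TorExitIPs let-statement: {NetworkIP: set of tags}.
    make_set(Tags) is flattened to a single set of tag strings per IP."""
    result = {}
    for ind in indicators:
        if ind["TimeGenerated"] <= now - lookback:
            continue  # outside the 30-day TI lookback
        if not ind["IsActive"]:
            continue  # retired indicator
        valid_until = ind.get("ValidUntil")
        if valid_until is not None and valid_until <= now:
            continue  # expired indicator
        tags = ind.get("Tags") or []
        if not any(_terms(t) & ANON_TAGS for t in tags):
            continue  # not tagged as an anonymizer
        match = IPV4_PATTERN.search(ind["Pattern"])
        if not match:
            continue  # pattern carries no ipv4-addr value
        result.setdefault(match.group(1), set()).update(tags)
    return result


def detect_anonymized_signins(signins, anonymizer_ips, now=NOW, window=timedelta(hours=1)):
    """Equivalent of the main query: successful non-interactive sign-ins in the
    window, inner-joined on IPAddress == NetworkIP, newest first."""
    hits = []
    for s in signins:
        if s["TimeGenerated"] <= now - window:
            continue  # outside the one-hour query window
        if s["ResultType"] != 0:
            continue  # only successful sign-ins are of interest
        tags = anonymizer_ips.get(s["IPAddress"])
        if tags is None:
            continue  # inner join: no matching indicator
        hits.append({
            "TimeGenerated": s["TimeGenerated"],
            "UserPrincipalName": s["UserPrincipalName"],
            "AppDisplayName": s["AppDisplayName"],
            "IPAddress": s["IPAddress"],
            "AnonymizationType": sorted(tags),
            "ConditionalAccessStatus": s.get("ConditionalAccessStatus"),
        })
    hits.sort(key=lambda h: h["TimeGenerated"], reverse=True)
    return hits


# Constructed sample indicators (RFC 5737 documentation addresses, not real TI).
SAMPLE_INDICATORS = [
    {"TimeGenerated": NOW - timedelta(days=2), "IsActive": True, "ValidUntil": None,
     "Tags": ["tor-exit-node", "anonymity"], "Pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"TimeGenerated": NOW - timedelta(days=1), "IsActive": True, "ValidUntil": NOW - timedelta(hours=1),
     "Tags": ["proxy"], "Pattern": "[ipv4-addr:value = '198.51.100.8']"},          # expired
    {"TimeGenerated": NOW - timedelta(days=1), "IsActive": False, "ValidUntil": None,
     "Tags": ["vpn"], "Pattern": "[ipv4-addr:value = '198.51.100.9']"},            # inactive
    {"TimeGenerated": NOW - timedelta(days=1), "IsActive": True, "ValidUntil": None,
     "Tags": ["malware", "c2"], "Pattern": "[ipv4-addr:value = '203.0.113.5']"},   # not an anonymizer
    {"TimeGenerated": NOW - timedelta(days=1), "IsActive": True, "ValidUntil": None,
     "Tags": ["VPN"], "Pattern": "[domain-name:value = 'example.invalid']"},       # no IPv4 in pattern
]

# Constructed sample non-interactive sign-ins.
SAMPLE_SIGNINS = [
    {"TimeGenerated": NOW - timedelta(minutes=10), "ResultType": 0, "UserPrincipalName": "alice@contoso.example",
     "AppDisplayName": "Microsoft Graph", "IPAddress": "198.51.100.7", "ConditionalAccessStatus": "notApplied"},
    {"TimeGenerated": NOW - timedelta(minutes=20), "ResultType": 0, "UserPrincipalName": "bob@contoso.example",
     "AppDisplayName": "Exchange Online", "IPAddress": "198.51.100.8", "ConditionalAccessStatus": "success"},  # expired TI
    {"TimeGenerated": NOW - timedelta(minutes=30), "ResultType": 50126, "UserPrincipalName": "carol@contoso.example",
     "AppDisplayName": "SharePoint", "IPAddress": "198.51.100.7", "ConditionalAccessStatus": "notApplied"},  # failed sign-in
    {"TimeGenerated": NOW - timedelta(hours=3), "ResultType": 0, "UserPrincipalName": "dave@contoso.example",
     "AppDisplayName": "Teams", "IPAddress": "198.51.100.7", "ConditionalAccessStatus": "notApplied"},       # outside window
]

if __name__ == "__main__":
    for hit in detect_anonymized_signins(SAMPLE_SIGNINS, build_anonymizer_ips(SAMPLE_INDICATORS)):
        print(hit)
```

Running the module prints a single hit for alice, the only row that is a successful sign-in inside the window from an IP whose indicator is active, unexpired and anonymizer-tagged; bob's source IP is dropped by the ValidUntil check, carol's sign-in by ResultType, and dave's by the one-hour window. The `_terms` helper is an approximation of KQL `has_any` term semantics and is the one place this model may differ from the service's own matching.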

Details


David Alonso

Released: May 29, 2026

Tables

ThreatIntelIndicators, AADNonInteractiveUserSignInLogs

Keywords

AzureActiveDirectory, ThreatIntelligence, AADNonInteractiveUserSignInLogs, ThreatIntelIndicators, UserPrincipalName, AppDisplayName, IPAddress, Location, AnonymizationType, ConditionalAccessStatus, AuthenticationRequirement, CorrelationId, UniqueTokenIdentifier, Account, IP

Operators

let, where, ago, isempty, has_any, extend, extract, isnotempty, summarize, make_set, join, on, project, order by, desc
