Non-Interactive Sign-In via TOR or Anonymous Proxy
07 TOR Proxy Detection
Query
let TorExitIPs =
ThreatIntelIndicators
| where TimeGenerated > ago(30d)
| where IsActive == true
| where isempty(ValidUntil) or ValidUntil > now()
| where Tags has_any ("tor", "proxy", "anonymizer", "vpn", "anonymity")
| where Pattern has "ipv4-addr:value"
| extend NetworkIP = extract(@"ipv4-addr:value = '([^']+)'", 1, Pattern)
| where isnotempty(NetworkIP)
| summarize AnonymizationType = make_set(Tags) by NetworkIP;
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| join kind=inner TorExitIPs on $left.IPAddress == $right.NetworkIP
| project
TimeGenerated,
UserPrincipalName,
AppDisplayName,
IPAddress,
Location,
AnonymizationType,
ConditionalAccessStatus,
AuthenticationRequirement,
CorrelationId,
UniqueTokenIdentifier
| order by TimeGenerated descExplanation
This query is designed to detect non-interactive sign-ins to Azure Active Directory (Azure AD) from IP addresses associated with TOR exit nodes, anonymous proxies, or VPN anonymizers. These types of sign-ins can indicate potential security threats, as attackers often use anonymization tools to conceal their true location when using stolen credentials.
Here's a breakdown of the query:
-
Purpose: The query aims to identify non-interactive sign-ins from anonymized IP addresses, which could suggest unauthorized access attempts using stolen tokens.
-
Data Sources: It uses data from two main sources:
- AzureActiveDirectory: Specifically, the
AADNonInteractiveUserSignInLogsdata type, which logs non-interactive user sign-ins. - ThreatIntelligence: Specifically, the
ThreatIntelIndicatorsdata type, which contains information about IP addresses tagged as TOR, proxy, anonymizer, or VPN.
- AzureActiveDirectory: Specifically, the
-
Detection Logic:
- The query first extracts IP addresses from the
ThreatIntelIndicatorstable that are active and tagged with terms like "tor", "proxy", "anonymizer", etc. - It then checks for any non-interactive sign-ins in the past hour from these IP addresses.
- If such sign-ins are found, it lists details like the time of sign-in, user principal name, application name, IP address, location, and the type of anonymization used.
- The query first extracts IP addresses from the
-
Alert Configuration:
- If any such sign-ins are detected, an alert is generated with a high severity level.
- The alert includes details such as the user principal name and the anonymized IP address used.
- An incident is created for each alert, and similar alerts are grouped together based on the account and IP address.
-
Security Context:
- The query is aligned with MITRE ATT&CK techniques related to proxy use and credential access, indicating its relevance in detecting sophisticated attack tactics.
Overall, this query helps organizations monitor and respond to potential security threats involving anonymized sign-ins, which could indicate malicious activity.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 15m
Period: 1h