Query Details

Non-Interactive Sign-In via TOR or Anonymous Proxy

07 TOR Proxy Detection

Query

let TorExitIPs =
    ThreatIntelIndicators
    | where TimeGenerated > ago(30d)
    | where IsActive == true
    | where isempty(ValidUntil) or ValidUntil > now()
    | where Tags has_any ("tor", "proxy", "anonymizer", "vpn", "anonymity")
    | where Pattern has "ipv4-addr:value"
    | extend NetworkIP = extract(@"ipv4-addr:value = '([^']+)'", 1, Pattern)
    | where isnotempty(NetworkIP)
    | summarize AnonymizationType = make_set(Tags) by NetworkIP;
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| join kind=inner TorExitIPs on $left.IPAddress == $right.NetworkIP
| project
    TimeGenerated,
    UserPrincipalName,
    AppDisplayName,
    IPAddress,
    Location,
    AnonymizationType,
    ConditionalAccessStatus,
    AuthenticationRequirement,
    CorrelationId,
    UniqueTokenIdentifier
| order by TimeGenerated desc

Explanation

This query is designed to detect non-interactive sign-ins to Azure Active Directory (Azure AD) from IP addresses associated with TOR exit nodes, anonymous proxies, or VPN anonymizers. These types of sign-ins can indicate potential security threats, as attackers often use anonymization tools to conceal their true location when using stolen credentials.

Here's a breakdown of the query:

  1. Purpose: The query aims to identify non-interactive sign-ins from anonymized IP addresses, which could suggest unauthorized access attempts using stolen tokens.

  2. Data Sources: It uses data from two main sources:

    • AzureActiveDirectory: Specifically, the AADNonInteractiveUserSignInLogs data type, which logs non-interactive user sign-ins.
    • ThreatIntelligence: Specifically, the ThreatIntelIndicators data type, which contains information about IP addresses tagged as TOR, proxy, anonymizer, or VPN.
  3. Detection Logic:

    • The query first extracts IP addresses from the ThreatIntelIndicators table that are active and tagged with terms like "tor", "proxy", "anonymizer", etc.
    • It then checks for any non-interactive sign-ins in the past hour from these IP addresses.
    • If such sign-ins are found, it lists details like the time of sign-in, user principal name, application name, IP address, location, and the type of anonymization used.
  4. Alert Configuration:

    • If any such sign-ins are detected, an alert is generated with a high severity level.
    • The alert includes details such as the user principal name and the anonymized IP address used.
    • An incident is created for each alert, and similar alerts are grouped together based on the account and IP address.
  5. Security Context:

    • The query is aligned with MITRE ATT&CK techniques related to proxy use and credential access, indicating its relevance in detecting sophisticated attack tactics.

Overall, this query helps organizations monitor and respond to potential security threats involving anonymized sign-ins, which could indicate malicious activity.

Details

David Alonso profile picture

David Alonso

Released: May 29, 2026

Tables

ThreatIntelIndicatorsAADNonInteractiveUserSignInLogs

Keywords

AzureActiveDirectoryThreatIntelligenceAADNonInteractiveUserSignInLogsThreatIntelIndicatorsUserPrincipalNameAppDisplayNameIPAddressLocationAnonymizationTypeConditionalAccessStatusAuthenticationRequirementCorrelationIdUniqueTokenIdentifierAccountIP

Operators

letwhereagoisemptyhas_anyextendextractisnotemptysummarizemake_setjoinonprojectorder bydesc

Severity

High

Tactics

DefenseEvasionCredentialAccessCommandAndControl

MITRE Techniques

Frequency: 15m

Period: 1h

Actions

GitHub