Query Details

08 ADFS TOR Anonymous Proxy

Query

id: b8c9d0e1-f2a3-4b4c-5d6e-7f8a9b0c1d2e
name: ADFS Sign-In from TOR or Anonymous Proxy (TI-Tagged)
version: 1.0.0
kind: Scheduled
description: |
  Detects successful ADFS-federated sign-ins originating from IP addresses tagged as TOR exit
  nodes, anonymous proxies, VPNs, or anonymizers in the ThreatIntelIndicators table.
  Attackers commonly route stolen ADFS-issued tokens or replayed credentials through anonymizing
  infrastructure to hide their true geolocation. Success from these IPs indicates active use of
  compromised ADFS credentials through anonymized infrastructure.
  MITRE ATT&CK: T1090 (Proxy), T1078 (Valid Accounts), T1550 (Use Alternate Authentication Material)
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - ADFSSignInLogs
  - connectorId: ThreatIntelligence
    dataTypes:
      - ThreatIntelIndicators
queryFrequency: 15m
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
  - InitialAccess
  - DefenseEvasion
relevantTechniques:
  - T1090
  - T1078
  - T1550
query: |
  // Indicators are looked back 14 days (matches queryPeriod); sign-ins only 1 hour
  let ioc_lookBack = 14d;
  let TorExitIPs =
      ThreatIntelIndicators
      | where TimeGenerated >= ago(ioc_lookBack)
      // The table exposes the parsed STIX observable in ObservableKey/ObservableValue
      | where ObservableKey == "ipv4-addr:value"
      // Indicators are versioned: keep the latest row per indicator Id
      | summarize arg_max(TimeGenerated, *) by Id
      // Drop revoked and expired indicators
      | where IsActive == true and (isnull(ValidUntil) or ValidUntil > now())
      | extend NetworkIP = tostring(ObservableValue)
      | where isnotempty(NetworkIP)
      // Tags is an array; expand it so has_any does whole-term matching per tag
      // ("tor-exit-node" matches "tor", "tornado" does not)
      | mv-expand Tag = Tags to typeof(string)
      | where Tag has_any ("tor", "proxy", "anonymizer", "vpn", "anonymity")
      | summarize AnonymizationType = make_set(Tag) by NetworkIP;
  ADFSSignInLogs
  | where TimeGenerated > ago(1h)
  | where ResultType == 0
  | join kind=inner TorExitIPs on $left.IPAddress == $right.NetworkIP
  | project
      TimeGenerated,
      UserPrincipalName,
      AppDisplayName,
      IPAddress,
      Location,
      AnonymizationType,
      AuthenticationRequirement,
      TokenIssuerName,
      CorrelationId,
      UniqueTokenIdentifier
  | order by TimeGenerated desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  AppDisplayName: AppDisplayName
  TokenIssuerName: TokenIssuerName
alertDetailsOverride:
  alertDisplayNameFormat: "ADFS Sign-In from Anonymizer - {{UserPrincipalName}} via {{IPAddress}}"
  alertDescriptionFormat: "User {{UserPrincipalName}} successfully authenticated via ADFS from TOR/proxy IP {{IPAddress}}. This IP is tagged in threat intelligence as an anonymizing service."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: Selected
    groupByEntities:
      - Account
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query detects successful sign-ins to Active Directory Federation Services (ADFS) that originate from IP addresses associated with anonymizing services such as TOR exit nodes, open proxies and VPNs. Here is a breakdown of what the query does:

  1. Purpose: It aims to identify potential security threats by flagging successful ADFS sign-ins from IPs known to be used for anonymizing purposes. This is important because attackers often use such services to hide their true location when using stolen credentials.

  2. Data Sources:

    • ADFSSignInLogs: Logs of sign-ins to ADFS.
    • ThreatIntelIndicators: A table containing threat intelligence data, including IPs tagged as anonymizers.
  3. Process:

    • The query first builds a lookup of IP addresses from the ThreatIntelIndicators table whose tags contain terms such as "tor", "proxy", "anonymizer", "vpn", or "anonymity" (term matching, so a tag like "tor-exit-node" qualifies).
    • It then selects successful sign-ins (ResultType == 0) from ADFSSignInLogs within the last hour.
    • An inner join on the client IP keeps only sign-ins whose source address is in that lookup; each match carries the tags that caused the IP to be included as AnonymizationType.
  4. Output:

    • The query outputs details of the sign-in events, including the time, user, application, IP address, location, type of anonymization, and other relevant authentication details.
    • Results are ordered by the time of the event, with the most recent first.
  5. Alerting:

    • Any matching sign-in raises a High-severity alert; the alert title and description name the user and IP address, and AppDisplayName and TokenIssuerName are attached as custom details for triage.
    • Because the rule runs every 15 minutes but looks back one hour of sign-ins, the same event can be returned by up to four consecutive runs.
  6. Incident Management:

    • Alerts open incidents, and alerts for the same account and IP raised within the five-hour grouping lookback are folded into the existing incident rather than opening a new one, which absorbs those repeated runs as well as a user who signs in several times from the same anonymizer IP.

Overall, this query gives security teams a high-fidelity signal that compromised credentials or tokens are being used through anonymizing networks. When an alert fires, the CorrelationId and UniqueTokenIdentifier in the results let an analyst pull the full ADFS session, TokenIssuerName records which issuer produced the token, and a hit from a known corporate VPN egress address is a tuning candidate rather than an incident.
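To see the join semantics on concrete rows, here is an added Python replica of the rule body (example code written for this page, not part of the original rule and not Sentinel's implementation). It constructs a handful of ThreatIntelIndicators and ADFSSignInLogs rows inline, approximates KQL's whole-term `has_any` matching with a tokenizer, applies the indicator active/expiry filter, and performs the inner join on IP. The `allowlist` parameter for corporate VPN egress addresses is a tuning addition that the original query does not have; the column names follow the two tables' schemas, and the `ObservableKey`/`ObservableValue`/`IsActive`/`ValidUntil` handling assumes the current ThreatIntelIndicators layout.

```python
"""Offline replica of the 'ADFS sign-in from TOR/anonymous proxy' detection.

Added example: models the KQL rule body (term-based has_any on indicator tags,
active/unexpired indicator filter, inner join on IP, successful sign-ins only)
over constructed sample rows. No real telemetry is used.
"""
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 24, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample data
ANON_TERMS = ("tor", "proxy", "anonymizer", "vpn", "anonymity")  # same list as the rule

# Constructed ThreatIntelIndicators rows (documentation IP ranges only).
TI_INDICATORS = [
    {"ObservableKey": "ipv4-addr:value", "ObservableValue": "198.51.100.7",
     "Tags": ["tor-exit-node", "anonymity"], "IsActive": True, "ValidUntil": NOW + timedelta(days=3)},
    {"ObservableKey": "ipv4-addr:value", "ObservableValue": "203.0.113.9",
     "Tags": ["residential-proxy"], "IsActive": True, "ValidUntil": None},
    {"ObservableKey": "ipv4-addr:value", "ObservableValue": "192.0.2.44",
     "Tags": ["vpn"], "IsActive": True, "ValidUntil": NOW - timedelta(days=1)},      # expired
    {"ObservableKey": "ipv4-addr:value", "ObservableValue": "192.0.2.77",
     "Tags": ["tornado-botnet"], "IsActive": True, "ValidUntil": None},              # "tornado" is not the term "tor"
    {"ObservableKey": "domain-name:value", "ObservableValue": "tor.example",
     "Tags": ["tor"], "IsActive": True, "ValidUntil": None},                         # not an IPv4 observable
]

# Constructed ADFSSignInLogs rows; ResultType 0 is success.
ADFS_SIGNINS = [
    {"TimeGenerated": NOW - timedelta(minutes=5),  "UserPrincipalName": "alice@corp.example",
     "AppDisplayName": "Office 365",  "IPAddress": "198.51.100.7", "ResultType": 0},
    {"TimeGenerated": NOW - timedelta(minutes=9),  "UserPrincipalName": "bob@corp.example",
     "AppDisplayName": "Office 365",  "IPAddress": "198.51.100.7", "ResultType": 50126},  # failed
    {"TimeGenerated": NOW - timedelta(minutes=30), "UserPrincipalName": "carol@corp.example",
     "AppDisplayName": "Azure Portal", "IPAddress": "203.0.113.9", "ResultType": 0},
    {"TimeGenerated": NOW - timedelta(minutes=40), "UserPrincipalName": "dave@corp.example",
     "AppDisplayName": "Office 365",  "IPAddress": "192.0.2.44",   "ResultType": 0},      # expired indicator
    {"TimeGenerated": NOW - timedelta(minutes=50), "UserPrincipalName": "erin@corp.example",
     "AppDisplayName": "Office 365",  "IPAddress": "192.0.2.77",   "ResultType": 0},      # no anonymizer term
    {"TimeGenerated": NOW - timedelta(hours=2),    "UserPrincipalName": "frank@corp.example",
     "AppDisplayName": "Office 365",  "IPAddress": "198.51.100.7", "ResultType": 0},      # outside 1h window
]

_TERM_RE = re.compile(r"[A-Za-z0-9]+")  # approximation of KQL term boundaries


def kql_has_any(value: str, terms) -> bool:
    """Approximate KQL `has_any`: case-insensitive whole-term match, not substring."""
    tokens = {t.lower() for t in _TERM_RE.findall(value)}
    return any(term.lower() in tokens for term in terms)


def anonymizer_ips(indicators, now=NOW):
    """Build the TorExitIPs lookup: active, unexpired IPv4 observables with an anonymizer tag."""
    lookup = {}
    for ind in indicators:
        if ind["ObservableKey"] != "ipv4-addr:value" or not ind["IsActive"]:
            continue
        if ind["ValidUntil"] is not None and ind["ValidUntil"] <= now:
            continue
        matching = [t for t in ind["Tags"] if kql_has_any(t, ANON_TERMS)]
        if matching:
            lookup.setdefault(ind["ObservableValue"], set()).update(matching)
    return lookup


def detect(signins, indicators, now=NOW, lookback=timedelta(hours=1), allowlist=frozenset()):
    """Rule body: successful sign-ins inside the window, inner-joined to the anonymizer lookup.

    `allowlist` (corporate VPN egress IPs) is a tuning knob added in this example;
    the original query has no such exclusion.
    """
    ti = anonymizer_ips(indicators, now)
    hits = []
    for row in signins:
        if row["TimeGenerated"] <= now - lookback or row["ResultType"] != 0:
            continue
        ip = row["IPAddress"]
        if ip in allowlist or ip not in ti:
            continue
        hits.append({**row, "AnonymizationType": sorted(ti[ip])})
    hits.sort(key=lambda r: r["TimeGenerated"], reverse=True)  # order by TimeGenerated desc
    return hits


if __name__ == "__main__":
    for hit in detect(ADFS_SIGNINS, TI_INDICATORS):
        print(hit["TimeGenerated"].isoformat(), hit["UserPrincipalName"],
              hit["IPAddress"], hit["AnonymizationType"])
```

Running it returns only alice and carol: bob's sign-in failed, dave's indicator has expired, erin's IP is tagged "tornado-botnet" (the term "tor" does not occur in it), and frank's sign-in is older than the one-hour window. The same fixture rows can be pasted into a `datatable()` in Log Analytics to exercise the real KQL before the rule is enabled.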

Details


David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogs, ThreatIntelIndicators

Keywords

ADFS, ADFSSignInLogs, ThreatIntelIndicators, IPAddress, UserPrincipalName, AppDisplayName, Location, AnonymizationType, AuthenticationRequirement, TokenIssuerName, CorrelationId, UniqueTokenIdentifier, Account, IP, FullName, Address

Operators

let, has, has_any, extend, extract, isnotempty, summarize, make_set, by, where, ago, ==, join, on, project, order by, desc
