ADFS Sign-In from TOR or Anonymous Proxy (TI-Tagged)
08 ADFS TOR Anonymous Proxy
Query
let TorExitIPs =
ThreatIntelIndicators
| where Pattern has "ipv4-addr:value"
| where Tags has_any ("tor", "proxy", "anonymizer", "vpn", "anonymity")
| extend NetworkIP = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, Pattern)
| where isnotempty(NetworkIP)
| summarize AnonymizationType = make_set(Tags) by NetworkIP;
ADFSSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| join kind=inner TorExitIPs on $left.IPAddress == $right.NetworkIP
| project
TimeGenerated,
UserPrincipalName,
AppDisplayName,
IPAddress,
Location,
AnonymizationType,
AuthenticationRequirement,
TokenIssuerName,
CorrelationId,
UniqueTokenIdentifier
| order by TimeGenerated descExplanation
This query is designed to detect successful sign-ins to Active Directory Federation Services (ADFS) that originate from IP addresses associated with anonymizing services like TOR, proxies, VPNs, or other anonymizers. Here's a simple breakdown of what the query does:
-
Purpose: It aims to identify potential security threats by flagging successful ADFS sign-ins from IPs known to be used for anonymizing purposes. This is important because attackers often use such services to hide their true location when using stolen credentials.
-
Data Sources:
- ADFSSignInLogs: Logs of sign-ins to ADFS.
- ThreatIntelIndicators: A table containing threat intelligence data, including IPs tagged as anonymizers.
-
Process:
- The query first extracts IP addresses from the ThreatIntelIndicators table that are tagged with terms like "tor", "proxy", "anonymizer", "vpn", or "anonymity".
- It then checks the ADFSSignInLogs for successful sign-ins (where
ResultType == 0) within the last hour. - These logs are joined with the list of anonymizer IPs to find matches.
-
Output:
- The query outputs details of the sign-in events, including the time, user, application, IP address, location, type of anonymization, and other relevant authentication details.
- Results are ordered by the time of the event, with the most recent first.
-
Alerting:
- If any such sign-ins are detected, an alert is generated with a high severity level.
- The alert includes details like the user and IP address involved, formatted in a specific way for clarity.
-
Incident Management:
- The system is configured to create incidents based on these alerts, grouping them by user account and IP address to manage related events efficiently.
Overall, this query helps security teams monitor and respond to potentially suspicious sign-in activities that could indicate compromised credentials being used through anonymizing networks.
Details

David Alonso
Released: March 24, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 15m
Period: 1h