Query Details

ADFS Sign-In from TOR or Anonymous Proxy (TI-Tagged)

08 ADFS TOR Anonymous Proxy

Query

let TorExitIPs =
    ThreatIntelIndicators
    | where Pattern has "ipv4-addr:value"
    | where Tags has_any ("tor", "proxy", "anonymizer", "vpn", "anonymity")
    | extend NetworkIP = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, Pattern)
    | where isnotempty(NetworkIP)
    | summarize AnonymizationType = make_set(Tags) by NetworkIP;
ADFSSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| join kind=inner TorExitIPs on $left.IPAddress == $right.NetworkIP
| project
    TimeGenerated,
    UserPrincipalName,
    AppDisplayName,
    IPAddress,
    Location,
    AnonymizationType,
    AuthenticationRequirement,
    TokenIssuerName,
    CorrelationId,
    UniqueTokenIdentifier
| order by TimeGenerated desc

Explanation

This query is designed to detect successful sign-ins to Active Directory Federation Services (ADFS) that originate from IP addresses associated with anonymizing services like TOR, proxies, VPNs, or other anonymizers. Here's a simple breakdown of what the query does:

  1. Purpose: It aims to identify potential security threats by flagging successful ADFS sign-ins from IPs known to be used for anonymizing purposes. This is important because attackers often use such services to hide their true location when using stolen credentials.

  2. Data Sources:

    • ADFSSignInLogs: Logs of sign-ins to ADFS.
    • ThreatIntelIndicators: A table containing threat intelligence data, including IPs tagged as anonymizers.
  3. Process:

    • The query first extracts IP addresses from the ThreatIntelIndicators table that are tagged with terms like "tor", "proxy", "anonymizer", "vpn", or "anonymity".
    • It then checks the ADFSSignInLogs for successful sign-ins (where ResultType == 0) within the last hour.
    • These logs are joined with the list of anonymizer IPs to find matches.
  4. Output:

    • The query outputs details of the sign-in events, including the time, user, application, IP address, location, type of anonymization, and other relevant authentication details.
    • Results are ordered by the time of the event, with the most recent first.
  5. Alerting:

    • If any such sign-ins are detected, an alert is generated with a high severity level.
    • The alert includes details like the user and IP address involved, formatted in a specific way for clarity.
  6. Incident Management:

    • The system is configured to create incidents based on these alerts, grouping them by user account and IP address to manage related events efficiently.

Overall, this query helps security teams monitor and respond to potentially suspicious sign-in activities that could indicate compromised credentials being used through anonymizing networks.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogsThreatIntelIndicators

Keywords

ADFSADFSSignInLogsThreatIntelIndicatorsIPAddressUserPrincipalNameAppDisplayNameLocationAnonymizationTypeAuthenticationRequirementTokenIssuerNameCorrelationIdUniqueTokenIdentifierAccountIPFullNameAddress

Operators

lethashas_anyextendextractisnotemptysummarizemake_setbywhereago==joinonprojectorder bydesc

Severity

High

Tactics

CommandAndControlInitialAccessDefenseEvasion

MITRE Techniques

Frequency: 15m

Period: 1h

Actions

GitHub