ADFS Sign-In from Threat Intelligence Malicious IP
09 ADFS Threat Intelligence Malicious IP
Query
let MaliciousIPs =
ThreatIntelIndicators
| where Pattern has "ipv4-addr:value"
| extend NetworkIP = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, Pattern)
| where isnotempty(NetworkIP)
| summarize ThreatTags = make_set(Tags)
by NetworkIP;
ADFSSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| join kind=inner MaliciousIPs on $left.IPAddress == $right.NetworkIP
| project
TimeGenerated,
UserPrincipalName,
AppDisplayName,
IPAddress,
Location,
ThreatTags,
AuthenticationRequirement,
TokenIssuerName,
ConditionalAccessStatus
| order by TimeGenerated descExplanation
This query is designed to detect successful sign-ins to Active Directory Federation Services (ADFS) from IP addresses that are flagged as malicious in a threat intelligence database. Here's a simplified breakdown:
-
Purpose: The query identifies successful ADFS logins from IP addresses known to be associated with malicious activity. This suggests that an attacker may have valid ADFS credentials, potentially obtained through theft, phishing, or brute force.
-
Data Sources: It uses data from two sources:
- ADFS Sign-In Logs: Logs of sign-in attempts to ADFS.
- Threat Intelligence Indicators: A database of IP addresses tagged with threat indicators.
-
Detection Logic:
- It extracts IP addresses from the threat intelligence data that are marked as malicious.
- It checks ADFS sign-in logs from the past hour for successful logins (ResultType == 0) from these malicious IP addresses.
- If a match is found, it records details such as the time, user, application, IP address, location, and threat tags.
-
Alerting:
- If any such sign-in is detected, an alert is generated with high severity.
- The alert includes details like the user who signed in, the IP address used, and any threat tags associated with that IP.
-
Incident Management:
- The system creates an incident for each alert and groups related alerts by user account and IP address to manage them efficiently.
-
Frequency: The query runs every 15 minutes, analyzing data from the past hour.
-
MITRE ATT&CK Techniques: The query is associated with techniques T1078 (Valid Accounts) and T1528 (Steal Application Access Token), indicating the tactics of initial access and credential access.
Overall, this query helps security teams quickly identify and respond to potential security breaches involving compromised ADFS credentials used from known malicious IP addresses.
Details

David Alonso
Released: March 24, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 15m
Period: 1h