Query Details

09 ADFS Threat Intelligence Malicious IP

Query

id: c9d0e1f2-a3b4-4c5d-6e7f-8a9b0c1d2e3f
name: ADFS Sign-In from Threat Intelligence Malicious IP
version: 1.0.0
kind: Scheduled
description: |
  Detects successful ADFS-federated authentication from IP addresses present in the
  ThreatIntelIndicators table with any active threat tag. Any successful ADFS
  authentication from a known-malicious IP is a high-confidence indicator that an attacker
  holds valid ADFS credentials (stolen, phished, or brute-forced) and is actively using them.
  The ADFS federation path may bypass cloud-based Conditional Access policies depending on
  the federation configuration.
  MITRE ATT&CK: T1078 (Valid Accounts), T1528 (Steal Application Access Token)
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - ADFSSignInLogs
  - connectorId: ThreatIntelligence
    dataTypes:
      - ThreatIntelIndicators
queryFrequency: 15m
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1078
  - T1528
query: |
  let MaliciousIPs =
      ThreatIntelIndicators
      | where Pattern has "ipv4-addr:value"
      | extend NetworkIP = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, Pattern)
      | where isnotempty(NetworkIP)
      | summarize ThreatTags = make_set(Tags)
        by NetworkIP;
  ADFSSignInLogs
  | where TimeGenerated > ago(1h)
  | where ResultType == 0
  | join kind=inner MaliciousIPs on $left.IPAddress == $right.NetworkIP
  | project
      TimeGenerated,
      UserPrincipalName,
      AppDisplayName,
      IPAddress,
      Location,
      ThreatTags,
      AuthenticationRequirement,
      TokenIssuerName,
      ConditionalAccessStatus
  | order by TimeGenerated desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  ThreatTags: ThreatTags
  AppDisplayName: AppDisplayName
alertDetailsOverride:
  alertDisplayNameFormat: "ADFS Sign-In from Malicious IP - {{UserPrincipalName}} via {{IPAddress}}"
  alertDescriptionFormat: "User {{UserPrincipalName}} authenticated via ADFS from threat-intelligence-tagged IP {{IPAddress}}. ThreatTags: {{ThreatTags}}."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect successful sign-ins to Active Directory Federation Services (ADFS) from IP addresses that are flagged as malicious in a threat intelligence database. Here's a simplified breakdown:

  1. Purpose: The query identifies successful ADFS logins from IP addresses known to be associated with malicious activity. This suggests that an attacker may have valid ADFS credentials, potentially obtained through theft, phishing, or brute force.

  2. Data Sources: It uses data from two sources:

    • ADFS Sign-In Logs (ADFSSignInLogs): logs of sign-in attempts to ADFS.
    • Threat Intelligence Indicators (ThreatIntelIndicators): a table of indicators, including IP addresses, each carrying threat tags.

  3. Detection Logic:

    • It extracts IPv4 addresses from the Pattern field of the threat intelligence indicators and collects the tags attached to each address.
    • It checks ADFS sign-in logs from the past hour for successful logins (ResultType == 0) whose source IP matches one of those addresses.
    • If a match is found, it records details such as the time, user, application, IP address, location, and threat tags.

  4. Alerting:

    • If any such sign-in is detected, an alert is generated with high severity.
    • The alert includes details like the user who signed in, the IP address used, and any threat tags associated with that IP.

  5. Incident Management:

    • The system creates an incident for each alert and groups related alerts by user account and IP address to manage them efficiently.

  6. Frequency: The query runs every 15 minutes, analyzing data from the past hour.

  7. MITRE ATT&CK Techniques: The query is associated with techniques T1078 (Valid Accounts) and T1528 (Steal Application Access Token), indicating the tactics of initial access and credential access.

Overall, this query helps security teams quickly identify and respond to potential security breaches involving compromised ADFS credentials used from known malicious IP addresses.
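To make the two stages of the rule concrete (build the malicious-IP set from indicator patterns, then join successful sign-ins from the last hour against it), the following Python re-implements that logic over constructed sample rows. It is an added example, not code from the page or from the rule's author; the row layouts, the sample IPs, tags and timestamps, and the use of an integer ResultType are all assumptions. It also goes one step beyond the KQL: the rule's extract() keeps only the first ipv4-addr:value in a compound STIX pattern, whereas re.findall here captures every address, which the two-address sample pattern demonstrates.

```python
import re
from datetime import datetime, timedelta, timezone

# Same regex the rule's KQL uses. findall() returns every ipv4-addr:value in a
# compound STIX pattern; KQL extract() would only return the first one.
IPV4_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")

# Constructed sample of ThreatIntelIndicators rows (only Pattern and Tags used).
SAMPLE_INDICATORS = [
    {"Pattern": "[ipv4-addr:value = '198.51.100.23']", "Tags": ["scanner"]},
    {"Pattern": "[ipv4-addr:value = '198.51.100.23']", "Tags": ["c2"]},
    {"Pattern": "[ipv4-addr:value = '203.0.113.7' OR ipv4-addr:value = '203.0.113.8']",
     "Tags": ["phishing"]},
    {"Pattern": "[domain-name:value = 'example.invalid']", "Tags": ["phishing"]},  # no IP, skipped
]

NOW = datetime(2026, 3, 24, 12, 0, tzinfo=timezone.utc)  # constructed evaluation time

# Constructed sample of ADFSSignInLogs rows; ResultType assumed to be an integer here.
SAMPLE_SIGNINS = [
    {"TimeGenerated": NOW - timedelta(minutes=5), "UserPrincipalName": "alice@contoso.example",
     "AppDisplayName": "Office 365", "IPAddress": "198.51.100.23", "ResultType": 0, "Location": "NL"},
    {"TimeGenerated": NOW - timedelta(minutes=10), "UserPrincipalName": "bob@contoso.example",
     "AppDisplayName": "Office 365", "IPAddress": "198.51.100.23", "ResultType": 50126, "Location": "NL"},  # failed sign-in
    {"TimeGenerated": NOW - timedelta(hours=3), "UserPrincipalName": "carol@contoso.example",
     "AppDisplayName": "Office 365", "IPAddress": "203.0.113.8", "ResultType": 0, "Location": "US"},  # outside 1h window
    {"TimeGenerated": NOW - timedelta(minutes=1), "UserPrincipalName": "dave@contoso.example",
     "AppDisplayName": "Office 365", "IPAddress": "203.0.113.8", "ResultType": 0, "Location": "US"},  # second IP of compound pattern
    {"TimeGenerated": NOW - timedelta(minutes=2), "UserPrincipalName": "erin@contoso.example",
     "AppDisplayName": "Office 365", "IPAddress": "192.0.2.10", "ResultType": 0, "Location": "DE"},  # not in TI
]


def build_malicious_ips(indicators):
    """Mirror the MaliciousIPs let-statement: IPv4 address -> sorted set of threat tags."""
    malicious = {}
    for ind in indicators:
        for ip in IPV4_PATTERN.findall(ind["Pattern"]):
            malicious.setdefault(ip, set()).update(ind["Tags"])
    return {ip: sorted(tags) for ip, tags in malicious.items()}


def detect(signins, indicators, now=NOW, lookback=timedelta(hours=1)):
    """Mirror the main query: successful sign-ins in the lookback window joined to malicious IPs."""
    malicious = build_malicious_ips(indicators)
    hits = []
    for row in signins:
        if row["TimeGenerated"] <= now - lookback:   # TimeGenerated > ago(1h)
            continue
        if row["ResultType"] != 0:                    # ResultType == 0
            continue
        tags = malicious.get(row["IPAddress"])        # join kind=inner on IPAddress
        if tags is None:
            continue
        hits.append({
            "TimeGenerated": row["TimeGenerated"],
            "UserPrincipalName": row["UserPrincipalName"],
            "AppDisplayName": row["AppDisplayName"],
            "IPAddress": row["IPAddress"],
            "Location": row["Location"],
            "ThreatTags": tags,
        })
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)  # order by TimeGenerated desc


def alert_title(hit):
    """Render the rule's alertDisplayNameFormat for one hit."""
    return f"ADFS Sign-In from Malicious IP - {hit['UserPrincipalName']} via {hit['IPAddress']}"


if __name__ == "__main__":
    for hit in detect(SAMPLE_SIGNINS, SAMPLE_INDICATORS):
        print(alert_title(hit), hit["ThreatTags"])
```

Running it yields two alerts (dave, then alice), while the failed sign-in, the sign-in older than an hour, and the sign-in from an untagged IP are dropped. The dave hit only appears because findall() picks up the second address of the compound pattern; the KQL rule as written would not tag 203.0.113.8 at all.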

Details


David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogs, ThreatIntelIndicators

Keywords

ADFS, ThreatIntelligence, IPAddress, UserAccount, Location, Authentication, Token, ConditionalAccess

Operators

let, has, extend, extract, isnotempty, summarize, make_set, by, where, >, ago, ==, join, on, project, order by, desc
