Query Details

ADFS Sign-In from Threat Intelligence Malicious IP

09 ADFS Threat Intelligence Malicious IP

Query

let MaliciousIPs =
    ThreatIntelIndicators
    | where Pattern has "ipv4-addr:value"
    | extend NetworkIP = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, Pattern)
    | where isnotempty(NetworkIP)
    | summarize ThreatTags = make_set(Tags)
      by NetworkIP;
ADFSSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| join kind=inner MaliciousIPs on $left.IPAddress == $right.NetworkIP
| project
    TimeGenerated,
    UserPrincipalName,
    AppDisplayName,
    IPAddress,
    Location,
    ThreatTags,
    AuthenticationRequirement,
    TokenIssuerName,
    ConditionalAccessStatus
| order by TimeGenerated desc

Explanation

This query is designed to detect successful sign-ins to Active Directory Federation Services (ADFS) from IP addresses that are flagged as malicious in a threat intelligence database. Here's a simplified breakdown:

  1. Purpose: The query identifies successful ADFS logins from IP addresses known to be associated with malicious activity. This suggests that an attacker may have valid ADFS credentials, potentially obtained through theft, phishing, or brute force.

  2. Data Sources: It uses data from two sources:

    • ADFS Sign-In Logs: Logs of sign-in attempts to ADFS.
    • Threat Intelligence Indicators: A database of IP addresses tagged with threat indicators.
  3. Detection Logic:

    • It extracts IP addresses from the threat intelligence data that are marked as malicious.
    • It checks ADFS sign-in logs from the past hour for successful logins (ResultType == 0) from these malicious IP addresses.
    • If a match is found, it records details such as the time, user, application, IP address, location, and threat tags.
  4. Alerting:

    • If any such sign-in is detected, an alert is generated with high severity.
    • The alert includes details like the user who signed in, the IP address used, and any threat tags associated with that IP.
  5. Incident Management:

    • The system creates an incident for each alert and groups related alerts by user account and IP address to manage them efficiently.
  6. Frequency: The query runs every 15 minutes, analyzing data from the past hour.

  7. MITRE ATT&CK Techniques: The query is associated with techniques T1078 (Valid Accounts) and T1528 (Steal Application Access Token), indicating the tactics of initial access and credential access.

Overall, this query helps security teams quickly identify and respond to potential security breaches involving compromised ADFS credentials used from known malicious IP addresses.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogsThreatIntelIndicators

Keywords

ADFSThreatIntelligenceIPAddressUserAccountLocationAuthenticationTokenConditionalAccess

Operators

lethasextendextractisnotemptysummarizemake_setbywhere>ago==joinonprojectorder bydesc

Severity

High

Tactics

InitialAccessCredentialAccess

MITRE Techniques

Frequency: 15m

Period: 1h

Actions

GitHub