Query Details

ADFS Golden SAML - Unexpected Token Issuer Detected

10 ADFS Golden SAML Unknown Issuer

Query

// IMPORTANT: Replace placeholder values with your actual ADFS federation service names
let KnownADFSIssuers = dynamic([
    "YOUR_ADFS_FEDERATION_SERVICE_NAME",   // e.g. "adfs.contoso.com"
    "urn:federation:MicrosoftOnline"
]);
ADFSSignInLogs
| where TimeGenerated > ago(4h)
| where ResultType == 0
| where TokenIssuerType == "ADFederationServices"
| where TokenIssuerName !in (KnownADFSIssuers)
   and  isnotempty(TokenIssuerName)
| summarize
    Count     = count(),
    Users     = make_set(UserPrincipalName),
    Apps      = make_set(AppDisplayName),
    IPs       = make_set(IPAddress),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
  by TokenIssuerName
| order by Count desc

Explanation

This query is designed to detect potential security threats related to ADFS (Active Directory Federation Services) sign-ins. Specifically, it looks for instances where the TokenIssuerName, which identifies the source of a security token, is not recognized as a legitimate federation service endpoint for the organization. This can indicate a "Golden SAML" attack, where attackers forge SAML assertions using an unauthorized issuer name.

Here's a simplified breakdown of the query:

  1. Purpose: To identify suspicious ADFS sign-ins that may indicate a Golden SAML attack by checking for unrecognized token issuers.

  2. Severity: High, as this is considered a critical security event.

  3. Data Source: The query uses data from Azure Active Directory's ADFSSignInLogs.

  4. Frequency: The query runs every 15 minutes and looks at data from the past 4 hours.

  5. Logic:

    • It filters sign-in logs to find successful sign-ins (ResultType == 0) where the TokenIssuerType is "ADFederationServices".
    • It checks if the TokenIssuerName is not in the list of known and legitimate ADFS issuers.
    • If an unknown issuer is detected, it summarizes the data, including the number of occurrences, users involved, applications accessed, IP addresses used, and the time range of the activity.
  6. Output: The query orders the results by the number of occurrences and generates alerts with details about the suspicious activity, including the unknown issuer name and the number of tokens issued.

  7. Action: If such an event is detected, an incident is created to alert security teams, and the details are grouped by the unknown TokenIssuerName for further investigation.

Before deploying this query, it's crucial to configure the list of known ADFS issuers to match the organization's environment to avoid false positives.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogs

Keywords

ADFSADFSSignInLogsTokenIssuerNameTokenIssuerTypeUserPrincipalNameAppDisplayNameIPAddressTimeGeneratedAzureActiveDirectory

Operators

letdynamicinago==!inandisnotemptysummarizecountmake_setminmaxbyorder bydesc

Severity

High

Tactics

CredentialAccessDefenseEvasion

MITRE Techniques

Frequency: 15m

Period: 4h

Actions

GitHub