Query Details

10 ADFS Golden SAML Unknown Issuer

Query

id: d0e1f2a3-b4c5-4d6e-7f8a-9b0c1d2e3f4a
name: ADFS Golden SAML - Unexpected Token Issuer Detected
version: 1.0.0
kind: Scheduled
description: |
  Detects ADFS sign-ins where the TokenIssuerName is not a recognized federation service
  endpoint for your organization. In Golden SAML attacks, adversaries extract the ADFS token
  signing certificate and forge SAML assertions using an unrecognized issuer name. Any
  TokenIssuerType of "ADFederationServices" combined with an unknown TokenIssuerName should
  be treated as a critical security event.
  IMPORTANT: Configure the KnownADFSIssuers list to match your environment before deploying.
  MITRE ATT&CK: T1606 (Forge Web Credentials - SAML Tokens), T1550 (Use Alternate Authentication Material)
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - ADFSSignInLogs
queryFrequency: 15m
queryPeriod: 4h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - DefenseEvasion
relevantTechniques:
  - T1606
  - T1550
query: |
  // IMPORTANT: Replace placeholder values with your actual ADFS federation service names
  let KnownADFSIssuers = dynamic([
      "YOUR_ADFS_FEDERATION_SERVICE_NAME",   // e.g. "adfs.contoso.com"
      "urn:federation:MicrosoftOnline"
  ]);
  ADFSSignInLogs
  | where TimeGenerated > ago(4h)
  | where ResultType == 0
  | where TokenIssuerType == "ADFederationServices"
  | where TokenIssuerName !in (KnownADFSIssuers)
      and isnotempty(TokenIssuerName)
  | summarize
      Count     = count(),
      Users     = make_set(UserPrincipalName),
      Apps      = make_set(AppDisplayName),
      IPs       = make_set(IPAddress),
      FirstSeen = min(TimeGenerated),
      LastSeen  = max(TimeGenerated)
    by TokenIssuerName
  | order by Count desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Users
customDetails:
  TokenIssuerName: TokenIssuerName
  SignInCount: Count
alertDetailsOverride:
  alertDisplayNameFormat: "ADFS Golden SAML Alert - Unknown Issuer: {{TokenIssuerName}}"
  alertDescriptionFormat: "ADFS tokens were issued by an unrecognized TokenIssuerName: {{TokenIssuerName}} ({{Count}} tokens). This may indicate a Golden SAML forged token attack."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails:
      - TokenIssuerName

Explanation

This query detects ADFS (Active Directory Federation Services) sign-ins whose TokenIssuerName, the value that identifies which federation service issued the security token, is not a recognized federation service endpoint for the organization. An unrecognized issuer can indicate a "Golden SAML" attack, in which an attacker who has obtained the ADFS token-signing certificate forges SAML assertions under an issuer name that does not belong to the organization.

Here's a simplified breakdown of the query:

  1. Purpose: Identify suspicious ADFS sign-ins that may indicate a Golden SAML attack by checking for unrecognized token issuers.

  2. Severity: High, as this is considered a critical security event.

  3. Data Source: The query uses data from Azure Active Directory's ADFSSignInLogs.

  4. Frequency: The query runs every 15 minutes and looks at data from the past 4 hours.

  5. Logic:

    • It filters sign-in logs to successful sign-ins (ResultType == 0) where the TokenIssuerType is "ADFederationServices".
    • It checks whether the TokenIssuerName is absent from the list of known, legitimate ADFS issuers (and is not empty).
    • If an unknown issuer is detected, it summarizes the data per issuer: the number of occurrences, users involved, applications accessed, IP addresses used, and the first and last time the activity was seen.

  6. Output: The query orders the results by the number of occurrences and generates alerts with details about the suspicious activity, including the unknown issuer name and the number of tokens issued.

  7. Action: If such an event is detected, an incident is created to alert security teams, and the details are grouped by the unknown TokenIssuerName for further investigation.

Before deploying this query, it's crucial to configure the list of known ADFS issuers to match the organization's environment to avoid false positives.
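To see the rule's filter-and-summarize logic end to end, here is an added Python re-implementation run over constructed ADFSSignInLogs-style records. It is example code written for this page, not part of the original query or the catalog, and the issuer names, user names and IP addresses in it are constructed placeholders. It mirrors the KQL step by step, including the exact, case-sensitive `!in` comparison, so an allowlist entry that differs from the logged issuer only in letter case is still flagged.

```python
"""Added example: Python mirror of the 'ADFS Golden SAML - Unexpected Token Issuer'
detection logic, run over constructed sample records (not real log data)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical allowlist standing in for the rule's KnownADFSIssuers list.
KNOWN_ADFS_ISSUERS = frozenset({
    "http://adfs.contoso.example/adfs/services/trust",
    "urn:federation:MicrosoftOnline",
})

# Fixed reference time so the 4-hour lookback window is deterministic.
NOW = datetime(2026, 3, 24, 12, 0, tzinfo=timezone.utc)


def _row(minutes_ago, issuer, user, app="Office 365", ip="203.0.113.10",
         result=0, issuer_type="ADFederationServices"):
    """Build one constructed record with the ADFSSignInLogs columns the query uses."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "ResultType": result,
        "TokenIssuerType": issuer_type,
        "TokenIssuerName": issuer,
        "UserPrincipalName": user,
        "AppDisplayName": app,
        "IPAddress": ip,
    }


# Constructed sample rows covering the normal case and each exclusion branch.
SAMPLE_LOGS = [
    # Legitimate sign-ins from known issuers: must not be reported.
    _row(10, "http://adfs.contoso.example/adfs/services/trust", "alice@contoso.example"),
    _row(20, "urn:federation:MicrosoftOnline", "bob@contoso.example"),
    # Unknown issuer seen twice by two users: one summarized row with Count 2.
    _row(30, "http://adfs.contoso.example/forged/trust", "alice@contoso.example",
         ip="198.51.100.7"),
    _row(35, "http://adfs.contoso.example/forged/trust", "carol@contoso.example",
         app="SharePoint", ip="198.51.100.7"),
    # Differs from an allowlist entry only by case: KQL !in is case-sensitive, so flagged.
    _row(40, "URN:FEDERATION:MICROSOFTONLINE", "dave@contoso.example"),
    # Excluded rows: failed sign-in, non-ADFS issuer type, empty issuer, outside window.
    _row(45, "http://unknown.example/trust", "eve@contoso.example", result=50126),
    _row(50, "http://unknown.example/trust", "eve@contoso.example", issuer_type="AzureAD"),
    _row(55, "", "frank@contoso.example"),
    _row(5 * 60, "http://unknown.example/trust", "grace@contoso.example"),
]


def detect_unknown_issuers(rows, known_issuers=KNOWN_ADFS_ISSUERS, now=NOW,
                           lookback=timedelta(hours=4)):
    """Apply the same filters as the KQL, then summarize by TokenIssuerName
    and order by Count descending. Returns a list of alert dicts."""
    cutoff = now - lookback
    groups = defaultdict(list)
    for r in rows:
        if r["TimeGenerated"] <= cutoff:            # TimeGenerated > ago(4h)
            continue
        if r["ResultType"] != 0:                    # successful sign-ins only
            continue
        if r["TokenIssuerType"] != "ADFederationServices":
            continue
        issuer = r["TokenIssuerName"]
        if not issuer or issuer in known_issuers:   # isnotempty() and exact !in
            continue
        groups[issuer].append(r)

    results = []
    for issuer, hits in groups.items():
        results.append({
            "TokenIssuerName": issuer,
            "Count": len(hits),
            "Users": sorted({h["UserPrincipalName"] for h in hits}),
            "Apps": sorted({h["AppDisplayName"] for h in hits}),
            "IPs": sorted({h["IPAddress"] for h in hits}),
            "FirstSeen": min(h["TimeGenerated"] for h in hits),
            "LastSeen": max(h["TimeGenerated"] for h in hits),
        })
    results.sort(key=lambda a: a["Count"], reverse=True)
    return results


if __name__ == "__main__":
    for alert in detect_unknown_issuers(SAMPLE_LOGS):
        print(alert["TokenIssuerName"], alert["Count"], alert["Users"], alert["IPs"])
```

Running it prints two summarized groups: the forged-looking issuer (two sign-ins, two users) and the case-variant of a known issuer. Because the match is exact, copy each TokenIssuerName into KnownADFSIssuers exactly as it appears in your logs; in KQL, `!in~` is the case-insensitive form if that behaviour is preferred.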

Details

David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogs

Keywords

ADFS, ADFSSignInLogs, TokenIssuerName, TokenIssuerType, UserPrincipalName, AppDisplayName, IPAddress, TimeGenerated, AzureActiveDirectory

Operators

let, dynamic, in, ago, ==, !in, and, isnotempty, summarize, count, make_set, min, max, by, order by, desc