Query Details

12 ADFS High SAML Volume Token Farming

Query

id: f2a3b4c5-d6e7-4f8a-9b0c-1d2e3f4a5b6c
name: ADFS High SAML Token Volume - Automated Token Farming
version: 1.0.0
kind: Scheduled
description: |
  Detects a user generating more than 50 ADFS SAML tokens in a single hour from the same IP
  address. Legitimate interactive users do not generate hundreds of SAML assertions per hour;
  this volume indicates automated credential stuffing, token farming for downstream replay,
  or a compromised account being actively used by a script or bot. High-volume SAML issuance
  from one IP is a precursor to large-scale token replay attacks.
  MITRE ATT&CK: T1550 (Use Alternate Authentication Material), T1606 (Forge Web Credentials)
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - ADFSSignInLogs
queryFrequency: 1h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - LateralMovement
relevantTechniques:
  - T1550
  - T1606
query: |
  ADFSSignInLogs
  | where TimeGenerated > ago(2h)
  | where ResultType == "0"  // ResultType is a string column; "0" is a successful sign-in
  | where TokenIssuerType == "ADFederationServices"
  | summarize
      TokenCount = count(),
      UniqueApps = dcount(AppDisplayName),
      Apps       = make_set(AppDisplayName)
    by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h)
  | where TokenCount > 50
  | order by TokenCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  TokenCount: TokenCount
  UniqueApps: UniqueApps
alertDetailsOverride:
  alertDisplayNameFormat: "ADFS Token Volume Spike - {{UserPrincipalName}} generated {{TokenCount}} tokens in 1h"
  alertDescriptionFormat: "User {{UserPrincipalName}} from IP {{IPAddress}} generated {{TokenCount}} ADFS SAML tokens in one hour. Possible automated token farming or credential stuffing."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect suspicious activity related to the generation of ADFS SAML tokens. Here's a simple breakdown of what it does:

  1. Purpose: The query identifies users who generate more than 50 ADFS SAML tokens from the same IP address within a single hour. This is unusual because legitimate users typically don't generate such a high number of tokens in a short period.

  2. Why It Matters: A high volume of token generation can indicate malicious activities such as automated credential stuffing, token farming for replay attacks, or the use of a compromised account by a script or bot. This behavior is a potential precursor to large-scale token replay attacks.

  3. Data Source: The query uses data from Azure Active Directory, specifically the ADFSSignInLogs.

  4. How It Works:

    • It looks at logs from the past two hours.
    • Filters for successful sign-ins (ResultType == "0") where the tokens are issued by ADFS (TokenIssuerType == "ADFederationServices").
    • Groups the data by user and IP address, counting the number of tokens generated and the number of unique applications accessed.
    • Flags any user-IP combination generating more than 50 tokens in an hour.

  5. Alerting: If the query finds any such activity, it triggers an alert. The alert includes details like the user's name, IP address, and the number of tokens generated. It also creates an incident for further investigation.

  6. Severity and Techniques: The alert is marked with medium severity and is associated with MITRE ATT&CK techniques related to credential access and lateral movement.

  7. Incident Management: The system is set to create incidents for these alerts and can group related alerts by user account and IP address for easier management.

Overall, this query helps security teams identify and respond to potential security threats involving unauthorized or excessive token generation.
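As an added illustration (not part of the rule or the author's material), the Python below reproduces the rule's filter, summarize and threshold steps over constructed ADFSSignInLogs-shaped rows. It also shows a tuning caveat worth knowing before relying on the alert: a burst of 80 tokens that straddles the 10:00 boundary lands as 40 per hourly bin and is never flagged, because bin(TimeGenerated, 1h) uses fixed wall-clock buckets rather than a sliding window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 50                   # matches "| where TokenCount > 50"
SUCCESS = "0"                    # ResultType is a string column in the sign-in tables
ADFS = "ADFederationServices"    # TokenIssuerType value the rule filters on

def row(ts, upn, ip, app, result=SUCCESS, issuer=ADFS):
    return dict(TimeGenerated=ts, ResultType=result, TokenIssuerType=issuer,
                UserPrincipalName=upn, IPAddress=ip, AppDisplayName=app)

def sample_rows():
    """Constructed ADFSSignInLogs-shaped rows, not real telemetry."""
    t0 = datetime(2026, 3, 24, 9, 0)
    rows = []
    # 60 tokens in the 09:00 bin from one user/IP across 3 apps -> should be flagged
    rows += [row(t0 + timedelta(seconds=30 * i), "farm@contoso.example",
                 "203.0.113.10", f"App{i % 3}") for i in range(60)]
    # 80 tokens from 09:40 to 10:20, i.e. 40 per hourly bin -> never exceeds 50 in one bin
    rows += [row(t0 + timedelta(minutes=40, seconds=30 * i), "straddle@contoso.example",
                 "203.0.113.20", "Portal") for i in range(80)]
    # 60 failed sign-ins and 60 tokens from a non-ADFS issuer -> removed by the filters
    rows += [row(t0 + timedelta(seconds=i), "fail@contoso.example", "203.0.113.30",
                 "Portal", result="50126") for i in range(60)]
    rows += [row(t0 + timedelta(seconds=i), "cloud@contoso.example", "203.0.113.40",
                 "Portal", issuer="AzureAD") for i in range(60)]
    return rows

def hour_bin(ts):
    """Equivalent of bin(TimeGenerated, 1h): truncate to the wall-clock hour."""
    return ts.replace(minute=0, second=0, microsecond=0)

def detect(rows, threshold=THRESHOLD):
    """Reproduce the rule's where / summarize / where / order by pipeline in memory."""
    groups = defaultdict(lambda: {"TokenCount": 0, "Apps": set()})
    for r in rows:
        if r["ResultType"] != SUCCESS or r["TokenIssuerType"] != ADFS:
            continue
        g = groups[(r["UserPrincipalName"], r["IPAddress"], hour_bin(r["TimeGenerated"]))]
        g["TokenCount"] += 1                 # count()
        g["Apps"].add(r["AppDisplayName"])   # feeds dcount() and make_set()
    hits = [dict(UserPrincipalName=u, IPAddress=ip, HourBin=b, TokenCount=g["TokenCount"],
                 UniqueApps=len(g["Apps"]), Apps=sorted(g["Apps"]))
            for (u, ip, b), g in groups.items() if g["TokenCount"] > threshold]
    return sorted(hits, key=lambda h: h["TokenCount"], reverse=True)

if __name__ == "__main__":
    for h in detect(sample_rows()):
        print(h)
```

Lowering the threshold to 39 in this sample surfaces the straddling user twice (once per bin), which is the trade-off the fixed-bin design forces between a lower threshold and duplicate alerts.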

Details


David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogs

Keywords

ADFSSignInLogs, TimeGenerated, ResultType, TokenIssuerType, UserPrincipalName, IPAddress, AppDisplayName, TokenCount, UniqueApps, Apps, Account, IP

Operators

ago(), count(), dcount(), make_set(), summarize, bin(), order by, desc, where
