Query Details

ADFS High SAML Token Volume - Automated Token Farming

12 ADFS High SAML Volume Token Farming

Query

ADFSSignInLogs
| where TimeGenerated > ago(2h)
| where ResultType == 0
| where TokenIssuerType == "ADFederationServices"
| summarize
    TokenCount = count(),
    UniqueApps = dcount(AppDisplayName),
    Apps       = make_set(AppDisplayName)
  by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h)
| where TokenCount > 50
| order by TokenCount desc

Explanation

This query is designed to detect suspicious activity related to the generation of ADFS SAML tokens. Here's a simple breakdown of what it does:

  1. Purpose: The query identifies users who generate more than 50 ADFS SAML tokens from the same IP address within a single hour. This is unusual because legitimate users typically don't generate such a high number of tokens in a short period.

  2. Why It Matters: A high volume of token generation can indicate malicious activities such as automated credential stuffing, token farming for replay attacks, or the use of a compromised account by a script or bot. This behavior is a potential precursor to large-scale token replay attacks.

  3. Data Source: The query uses data from Azure Active Directory, specifically the ADFSSignInLogs.

  4. How It Works:

    • It looks at logs from the past two hours.
    • Filters for successful sign-ins (ResultType == 0) where the tokens are issued by ADFS.
    • Groups the data by user and IP address, counting the number of tokens generated and the number of unique applications accessed.
    • Flags any user-IP combination generating more than 50 tokens in an hour.
  5. Alerting: If the query finds any such activity, it triggers an alert. The alert includes details like the user's name, IP address, and the number of tokens generated. It also creates an incident for further investigation.

  6. Severity and Techniques: The alert is marked with medium severity and is associated with MITRE ATT&CK techniques related to credential access and lateral movement.

  7. Incident Management: The system is set to create incidents for these alerts and can group related alerts by user account and IP address for easier management.

Overall, this query helps security teams identify and respond to potential security threats involving unauthorized or excessive token generation.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogs

Keywords

ADFSSignInLogsTimeGeneratedResultTypeTokenIssuerTypeUserPrincipalNameIPAddressAppDisplayNameTokenCountUniqueAppsAppsAccountIP

Operators

ago()count()dcount()make_set()summarizebin()order bydescwhere

Severity

Medium

Tactics

CredentialAccessLateralMovement

MITRE Techniques

Frequency: 1h

Period: 2h

Actions

GitHub