Query Details

16 ADFS Auth Privileged Action

Query

id: d6e7f8a9-b0c1-4d2e-3f4a-5b6c7d8e9f0a
name: ADFS Auth Followed by Privileged Azure AD Action
version: 1.0.0
kind: Scheduled
description: |
  Detects when a user authenticates via ADFS and then performs a privileged Azure AD audit
  operation (role management, application management, group management, policy changes, device
  management, or user management) within 60 minutes. This correlation indicates that a stolen
  ADFS-issued token is being used to perform administrative actions in the cloud, a technique
  used in sophisticated federated identity attacks and post-compromise privilege escalation.
  MITRE ATT&CK: T1078 (Valid Accounts), T1098 (Account Manipulation), T1550 (Use Alternate Authentication Material)
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - ADFSSignInLogs
      - AuditLogs
queryFrequency: 1h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - PrivilegeEscalation
  - Persistence
  - DefenseEvasion
relevantTechniques:
  - T1078
  - T1098
  - T1550
query: |
  let ADFSUsers =
      ADFSSignInLogs
      | where TimeGenerated > ago(2h)
      | where ResultType == 0
      | summarize LastADFSSignIn = max(TimeGenerated), ADFSIPs = make_set(IPAddress)
        by UserPrincipalName;
  AuditLogs
  | where TimeGenerated > ago(2h)
  | where Category in (
      "RoleManagement", "ApplicationManagement", "GroupManagement",
      "Policy", "DeviceManagement", "UserManagement"
    )
  | extend UPN = tostring(InitiatedBy.user.userPrincipalName)
  | where isnotempty(UPN)
  | join kind=inner ADFSUsers on $left.UPN == $right.UserPrincipalName
  | where (TimeGenerated - LastADFSSignIn) between (0m .. 60m)
  | project
      AuditTime         = TimeGenerated,
      UserPrincipalName = UPN,
      OperationName,
      AuditResult       = Result,
      Category,
      TargetResources,
      LastADFSSignIn,
      ADFSIPs,
      TimeSinceADFSAuth = (TimeGenerated - LastADFSSignIn)
  | order by AuditTime desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
customDetails:
  OperationName: OperationName
  Category: Category
alertDetailsOverride:
  alertDisplayNameFormat: "ADFS Token→Privileged Action - {{UserPrincipalName}} performed {{OperationName}}"
  alertDescriptionFormat: "User {{UserPrincipalName}} authenticated via ADFS and then performed privileged action '{{OperationName}}' ({{Category}}) within 60 minutes. Possible stolen token abuse."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect potential security threats involving the misuse of authentication tokens. Here's a simplified explanation:

  1. Purpose: The query identifies when a user logs in through Active Directory Federation Services (ADFS) and then performs a privileged action in Azure Active Directory within 60 minutes. This pattern may indicate that a stolen ADFS-issued token is being used for unauthorized administrative actions.

  2. Data Sources: It uses two tables delivered by the Azure Active Directory connector:

    • ADFSSignInLogs: to identify successful user sign-ins via ADFS.
    • AuditLogs: to monitor privileged actions in Azure AD, such as role management, application management, group management, policy changes, device management, and user management.

  3. Process:

    • It first identifies users who have successfully signed in via ADFS (ResultType 0) in the last 2 hours, keeping each user's most recent sign-in time and the set of source IP addresses.
    • It then joins those users to the privileged AuditLogs operations they initiated and keeps only the operations that occurred between 0 and 60 minutes after the user's most recent ADFS sign-in.
    • Each surviving row is treated as a potential security threat, possibly involving a stolen token.

  4. Alerting:

    • If the query finds any matches, it generates an alert with High severity.
    • The alert includes the user's name, the operation performed and its category, the ADFS source IP addresses, and the time elapsed since the ADFS authentication.

  5. Security Context:

    • The query is associated with the MITRE ATT&CK tactics Privilege Escalation, Persistence, and Defense Evasion.
    • Relevant techniques are Valid Accounts (T1078), Account Manipulation (T1098), and Use Alternate Authentication Material (T1550).

  6. Incident Management:

    • The query creates an incident for each detection and groups alerts on the same Account entity within a 5-hour lookback into a single incident for easier management.

Overall, this query helps security teams identify and respond to potential misuse of authentication tokens, which could indicate a sophisticated attack on their identity infrastructure.
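The correlation described in the Process step, reimplemented in Python over constructed sample records so it can be run offline. This is an added example, not the rule's KQL or any Sentinel code; the record fields mirror the ADFSSignInLogs and AuditLogs columns the rule reads, the user names, IP addresses and timestamps are constructed, and `summarize_adfs_users`, `correlate` and `demo` are names chosen here.

```python
from datetime import datetime, timedelta

# Same category list as the rule's `Category in (...)` filter.
PRIVILEGED_CATEGORIES = {
    "RoleManagement", "ApplicationManagement", "GroupManagement",
    "Policy", "DeviceManagement", "UserManagement",
}
LOOKBACK = timedelta(hours=2)    # queryPeriod: 2h / ago(2h)
WINDOW = timedelta(minutes=60)   # between (0m .. 60m)


def _ts(value):
    return datetime.fromisoformat(value)


def summarize_adfs_users(signins, now, lookback=LOOKBACK):
    """Mirror of the ADFSUsers let-statement: per UPN with a successful ADFS sign-in
    inside the lookback, keep the latest sign-in time and the set of source IPs."""
    users = {}
    for row in signins:
        t = _ts(row["TimeGenerated"])
        if t <= now - lookback or str(row["ResultType"]) != "0":
            continue  # outside ago(2h), or not a successful sign-in (ResultType == 0)
        entry = users.setdefault(row["UserPrincipalName"],
                                 {"LastADFSSignIn": t, "ADFSIPs": set()})
        entry["LastADFSSignIn"] = max(entry["LastADFSSignIn"], t)  # max(TimeGenerated)
        entry["ADFSIPs"].add(row["IPAddress"])                    # make_set(IPAddress)
    return users


def correlate(signins, audits, now, lookback=LOOKBACK, window=WINDOW):
    """Mirror of the main query: privileged AuditLogs events whose initiating user
    had a successful ADFS sign-in 0..60 minutes earlier. Returns rows newest first."""
    users = summarize_adfs_users(signins, now, lookback)
    hits = []
    for row in audits:
        t = _ts(row["TimeGenerated"])
        if t <= now - lookback or row["Category"] not in PRIVILEGED_CATEGORIES:
            continue
        # tostring(InitiatedBy.user.userPrincipalName) is empty for app-initiated
        # events, which isnotempty(UPN) then drops.
        upn = ((row.get("InitiatedBy") or {}).get("user") or {}).get("userPrincipalName", "")
        if not upn or upn not in users:
            continue  # no join partner (join kind=inner)
        delta = t - users[upn]["LastADFSSignIn"]
        if not (timedelta(0) <= delta <= window):  # `between` is inclusive at both ends
            continue
        hits.append({
            "AuditTime": t,
            "UserPrincipalName": upn,
            "OperationName": row["OperationName"],
            "AuditResult": row["Result"],
            "Category": row["Category"],
            "LastADFSSignIn": users[upn]["LastADFSSignIn"],
            "ADFSIPs": sorted(users[upn]["ADFSIPs"]),
            "TimeSinceADFSAuth": delta,
        })
    return sorted(hits, key=lambda h: h["AuditTime"], reverse=True)


# Constructed sample records (not real telemetry); only the columns the rule reads.
NOW = _ts("2026-03-24T11:00:00")
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2026-03-24T10:00:00", "ResultType": 0, "UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2026-03-24T10:20:00", "ResultType": 0, "UserPrincipalName": "alice@contoso.example", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": "2026-03-24T10:05:00", "ResultType": 50126, "UserPrincipalName": "bob@contoso.example", "IPAddress": "203.0.113.11"},  # non-zero: failed
    {"TimeGenerated": "2026-03-24T09:30:00", "ResultType": 0, "UserPrincipalName": "carol@contoso.example", "IPAddress": "203.0.113.12"},
]
SAMPLE_AUDITS = [
    # alice, 25 min after her latest ADFS sign-in -> fires
    {"TimeGenerated": "2026-03-24T10:45:00", "Category": "RoleManagement", "OperationName": "Add member to role",
     "Result": "success", "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}},
    # alice, between her two sign-ins: precedes the *latest* sign-in, so the rule misses it
    {"TimeGenerated": "2026-03-24T10:10:00", "Category": "GroupManagement", "OperationName": "Add member to group",
     "Result": "success", "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}},
    # bob: only a failed ADFS sign-in, so no join partner
    {"TimeGenerated": "2026-03-24T10:30:00", "Category": "UserManagement", "OperationName": "Update user",
     "Result": "success", "InitiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}}},
    # carol: 75 min after her sign-in, outside the 60 min window
    {"TimeGenerated": "2026-03-24T10:45:00", "Category": "ApplicationManagement", "OperationName": "Update application",
     "Result": "success", "InitiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}}},
    # app-initiated event: no user UPN, dropped by isnotempty(UPN)
    {"TimeGenerated": "2026-03-24T10:50:00", "Category": "RoleManagement", "OperationName": "Add member to role",
     "Result": "success", "InitiatedBy": {"app": {"displayName": "Constructed Automation App"}}},
]


def demo():
    return correlate(SAMPLE_SIGNINS, SAMPLE_AUDITS, NOW)


if __name__ == "__main__":
    for h in demo():
        mins = int(h["TimeSinceADFSAuth"].total_seconds() // 60)
        print(f"{h['AuditTime']:%H:%M} {h['UserPrincipalName']} {h['OperationName']} "
              f"({h['Category']}) {mins} min after ADFS sign-in from {h['ADFSIPs']}")
```

Running `demo()` returns exactly one row (alice's role change). The sample also exercises two boundaries worth knowing when tuning the rule: because `summarize` keeps only `max(TimeGenerated)`, an action performed between two sign-ins (alice at 10:10) falls before the latest sign-in and is not matched, and a legitimate ADFS-federated administrator doing routine work will match just as a token thief would, so the alert is a correlation to triage rather than a confirmation of compromise.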

Details


David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogs, AuditLogs

Keywords

ADFS, AzureAD, User, RoleManagement, ApplicationManagement, GroupManagement, PolicyChanges, DeviceManagement, UserManagement, Account

Operators

let, where, ago, summarize, max, make_set, by, in, extend, tostring, isnotempty, join, on, between, project, order by, desc