Query Details

ADFS Auth Followed by Privileged Azure AD Action

16 ADFS Auth Privileged Action

Query

let ADFSUsers =
    ADFSSignInLogs
    | where TimeGenerated > ago(2h)
    | where ResultType == 0
    | summarize LastADFSSignIn = max(TimeGenerated), ADFSIPs = make_set(IPAddress)
      by UserPrincipalName;
AuditLogs
| where TimeGenerated > ago(2h)
| where Category in (
    "RoleManagement", "ApplicationManagement", "GroupManagement",
    "Policy", "DeviceManagement", "UserManagement"
  )
| extend UPN = tostring(InitiatedBy.user.userPrincipalName)
| where isnotempty(UPN)
| join kind=inner ADFSUsers on $left.UPN == $right.UserPrincipalName
| where (TimeGenerated - LastADFSSignIn) between (0m .. 60m)
| project
    AuditTime         = TimeGenerated,
    UserPrincipalName = UPN,
    OperationName,
    AuditResult       = Result,
    Category,
    TargetResources,
    LastADFSSignIn,
    ADFSIPs,
    TimeSinceADFSAuth = (TimeGenerated - LastADFSSignIn)
| order by AuditTime desc

Explanation

This query is designed to detect potential security threats involving the misuse of authentication tokens. Here's a simplified explanation:

  1. Purpose: The query identifies when a user logs in through Active Directory Federation Services (ADFS) and then performs a privileged action in Azure Active Directory within 60 minutes. This pattern may indicate that a stolen ADFS-issued token is being used for unauthorized administrative actions.

  2. Data Sources: It uses logs from two data sources:

    • ADFSSignInLogs: To track user sign-ins via ADFS.
    • AuditLogs: To monitor privileged actions in Azure AD, such as role management, application management, group management, policy changes, device management, and user management.
  3. Process:

    • It first identifies users who have successfully signed in via ADFS in the last 2 hours.
    • Then, it checks if these users performed any privileged actions in Azure AD within 60 minutes of their ADFS sign-in.
    • If such actions are detected, it suggests a potential security threat, possibly involving a stolen token.
  4. Alerting:

    • If the query finds any matches, it generates an alert with a high severity level.
    • The alert includes details like the user's name, the operation performed, and the time since the ADFS authentication.
  5. Security Context:

    • The query is associated with tactics like Privilege Escalation, Persistence, and Defense Evasion, which are part of the MITRE ATT&CK framework.
    • Relevant techniques include using valid accounts, account manipulation, and using alternate authentication material.
  6. Incident Management:

    • The query is configured to create incidents for detected threats, with options for grouping related alerts into a single incident for easier management.

Overall, this query helps security teams identify and respond to potential misuse of authentication tokens, which could indicate a sophisticated attack on their identity infrastructure.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogsAuditLogs

Keywords

ADFSAzureADUserRoleManagementApplicationGroupPolicyChangesDeviceAccount

Operators

letwhereagosummarizemaxmake_setbyinextendtostringisnotemptyjoinonbetweenprojectorder bydesc

Severity

High

Tactics

PrivilegeEscalationPersistenceDefenseEvasion

MITRE Techniques

Frequency: 1h

Period: 2h

Actions

GitHub