Query Details

17 Impossible Travel Multiple Countries

Query

id: e2f8a0b1-c6d7-9e3f-4a5b-6c7d8e9f0a1b
name: Impossible Travel - Non-Interactive Sign-Ins from Multiple Countries
version: 1.0.0
kind: Scheduled
description: |
  Detects users who successfully authenticate via non-interactive sign-ins from 3 or more
  distinct countries within a 1-hour window. Legitimate travel or VPN use can explain a
  second country inside an hour; 3 or more countries in 1 hour is physically impossible and
  strongly indicates a stolen refresh token being replayed from several attacker-controlled
  locations.
  MITRE ATT&CK: T1078 (Valid Accounts), T1539 (Steal Web Session Cookie)
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - DefenseEvasion
relevantTechniques:
  - T1078
  - T1539
query: |
  AADNonInteractiveUserSignInLogs
  | where TimeGenerated > ago(1h)
  | where ResultType == 0              // successful sign-ins only
  | where isnotempty(Location)         // rows with no geolocation must not count as a country
  | summarize
      Countries    = make_set(Location),
      CountryCount = dcount(Location),
      IPs          = make_set(IPAddress),
      Apps         = make_set(AppDisplayName),
      FirstSeen    = min(TimeGenerated),
      LastSeen     = max(TimeGenerated)
    by UserPrincipalName
  | where CountryCount >= 3
  | extend IPAddress = tostring(IPs[0])   // first IP in the set is mapped as the IP entity
  | order by CountryCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  CountriesCount: CountryCount
  Countries: Countries
  Apps: Apps
alertDetailsOverride:
  alertDisplayNameFormat: "Impossible Travel - {{UserPrincipalName}} authenticated from {{CountryCount}} countries in 1 hour"
  alertDescriptionFormat: "User {{UserPrincipalName}} performed non-interactive sign-ins from {{CountryCount}} different countries ({{Countries}}) within 1 hour. This is physically impossible and indicates token theft/replay from multiple locations."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query detects suspicious non-interactive sign-in activity. Specifically, it looks for users who successfully sign in from three or more different countries within a one-hour period. Non-interactive sign-ins are performed by a client on the user's behalf using a token it already holds, so this pattern is highly unusual for a legitimate user and most likely means the user's refresh token has been stolen and is being replayed by attackers from multiple locations.

Here's a simple breakdown of the query:

  1. Data Source: It uses Azure Active Directory (Microsoft Entra ID) logs, specifically the AADNonInteractiveUserSignInLogs table.

  2. Time Frame: The query examines sign-in data from the past hour, and the rule runs once an hour.

  3. Criteria: It keeps only successful sign-ins (where ResultType is 0).

  4. Analysis: It groups the data by user and counts the distinct countries from which each user has signed in, using the Location column (the country code geolocated from the sign-in IP). It also collects the IP addresses and applications involved and the first and last sign-in times.

  5. Alert Condition: If a user has signed in from three or more different countries within the hour, an alert is triggered.

  6. Severity and Tactics: The alert is marked with medium severity and is associated with the Credential Access and Defense Evasion tactics, referencing MITRE ATT&CK techniques T1078 (Valid Accounts) and T1539 (Steal Web Session Cookie).

  7. Alert Details: The alert provides the user's name, the number of countries, and the list of countries involved. The Account entity is mapped from UserPrincipalName; only the first IP in the collected set is mapped as the IP entity, so investigators should read the full IP list from the alert's custom details.

  8. Incident Management: When the rule fires, an incident is created. Alerts for the same Account within a 5-hour lookback are grouped into one incident, and closed incidents are not reopened.

Overall, this query helps identify account compromises where attackers are replaying a stolen token from several global locations, something a legitimate user cannot do in such a short time frame.
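The following is an added reference implementation of the rule's logic, not code from the page or the rule's author. It replays the KQL steps above in Python over a constructed set of sample rows (not real telemetry) so the filtering can be checked end to end: the one-hour window, the success-only filter, the per-user country count, and the ordering. It also shows one edge case the text does not: a row with an empty Location must not be counted as a country. The evaluation time `NOW`, the user names, IPs, and app names are all assumed values, and because KQL's make_set() does not guarantee element order, the sets are sorted here so that "first IP" is deterministic.

```python
"""Reference implementation of the Impossible Travel detection over constructed rows.

Added example, not part of the rule. Mirrors the KQL: keep successful non-interactive
sign-ins from the last hour, aggregate per UserPrincipalName, and alert when a user
was seen from 3 or more distinct countries.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed evaluation time (stand-in for now() at rule execution).
NOW = datetime(2026, 5, 29, 11, 0, tzinfo=timezone.utc)


def _row(ts, upn, result_type, location, ip, app):
    """Build one AADNonInteractiveUserSignInLogs-shaped row (constructed sample data)."""
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "ResultType": result_type,
            "Location": location, "IPAddress": ip, "AppDisplayName": app}


# Constructed sample rows, not real telemetry. Location is the two-letter country code
# geolocated from the sign-in IP; ResultType "0" is success, anything else is a failure.
SAMPLE_EVENTS = [
    # alice: three countries in 40 minutes -> alert
    _row("2026-05-29T10:05:00Z", "alice@contoso.example", "0", "US", "203.0.113.10", "Microsoft Teams"),
    _row("2026-05-29T10:20:00Z", "alice@contoso.example", "0", "DE", "198.51.100.7", "Office 365 Exchange Online"),
    _row("2026-05-29T10:40:00Z", "alice@contoso.example", "0", "JP", "192.0.2.33", "Microsoft Teams"),
    # bob: two countries -> below threshold, no alert
    _row("2026-05-29T10:10:00Z", "bob@contoso.example", "0", "US", "203.0.113.20", "Microsoft Teams"),
    _row("2026-05-29T10:50:00Z", "bob@contoso.example", "0", "GB", "198.51.100.8", "Microsoft Teams"),
    # carol: only two countries survive the filters (empty Location, failed sign-in, stale row)
    _row("2026-05-29T10:15:00Z", "carol@contoso.example", "0", "US", "203.0.113.30", "OneDrive SyncEngine"),
    _row("2026-05-29T10:30:00Z", "carol@contoso.example", "0", "FR", "198.51.100.9", "OneDrive SyncEngine"),
    _row("2026-05-29T10:35:00Z", "carol@contoso.example", "0", "", "192.0.2.44", "OneDrive SyncEngine"),
    _row("2026-05-29T10:45:00Z", "carol@contoso.example", "50126", "BR", "192.0.2.45", "OneDrive SyncEngine"),
    _row("2026-05-29T07:30:00Z", "carol@contoso.example", "0", "CN", "192.0.2.46", "OneDrive SyncEngine"),
    # dave: four countries in 30 minutes -> alert, sorts first
    _row("2026-05-29T10:02:00Z", "dave@contoso.example", "0", "US", "203.0.113.40", "Microsoft Teams"),
    _row("2026-05-29T10:12:00Z", "dave@contoso.example", "0", "BR", "198.51.100.10", "Microsoft Teams"),
    _row("2026-05-29T10:22:00Z", "dave@contoso.example", "0", "IN", "192.0.2.55", "Microsoft Teams"),
    _row("2026-05-29T10:32:00Z", "dave@contoso.example", "0", "AU", "192.0.2.56", "Microsoft Teams"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_impossible_travel(events, now=NOW, window=timedelta(hours=1), min_countries=3):
    """Return one alert dict per user seen from >= min_countries countries in the window."""
    cutoff = now - window
    agg = defaultdict(lambda: {"countries": set(), "ips": set(), "apps": set(), "times": []})
    for ev in events:
        ts = _parse(ev["TimeGenerated"])
        if ts <= cutoff:                      # | where TimeGenerated > ago(1h)
            continue
        if str(ev["ResultType"]) != "0":      # | where ResultType == 0 (successes only)
            continue
        if not ev["Location"]:                # rows without a geolocation are not a country
            continue
        a = agg[ev["UserPrincipalName"]]      # summarize ... by UserPrincipalName
        a["countries"].add(ev["Location"])
        a["ips"].add(ev["IPAddress"])
        a["apps"].add(ev["AppDisplayName"])
        a["times"].append(ts)

    alerts = []
    for upn, a in agg.items():
        if len(a["countries"]) < min_countries:   # | where CountryCount >= 3
            continue
        ips = sorted(a["ips"])                    # make_set() order is unspecified in KQL
        alerts.append({
            "UserPrincipalName": upn,
            "Countries": sorted(a["countries"]),
            "CountryCount": len(a["countries"]),  # dcount(Location)
            "IPs": ips,
            "IPAddress": ips[0],                  # | extend IPAddress = tostring(IPs[0])
            "Apps": sorted(a["apps"]),
            "FirstSeen": min(a["times"]).isoformat(),
            "LastSeen": max(a["times"]).isoformat(),
        })
    alerts.sort(key=lambda r: r["CountryCount"], reverse=True)  # | order by CountryCount desc
    return alerts


def run_sample():
    """Run the detection over the constructed rows."""
    return detect_impossible_travel(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f'{alert["UserPrincipalName"]}: {alert["CountryCount"]} countries '
              f'{alert["Countries"]} via {alert["IPs"]} '
              f'between {alert["FirstSeen"]} and {alert["LastSeen"]}')
```

Running the block reports dave (4 countries) and then alice (3); bob stays under the threshold, and carol's empty-Location, failed, and three-hour-old rows are discarded, leaving her at two countries. Lowering `min_countries` to 2 shows how much noisier the rule becomes, which is the reason the page sets the threshold at three.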

Details

David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

AzureActiveDirectory, AADNonInteractiveUserSignInLogs, UserPrincipalName, IPAddress, Location, AppDisplayName, TimeGenerated

Operators

ago(), ==, summarize, make_set(), dcount(), min(), max(), by, >=, extend, tostring(), order by, desc