Impossible Travel - Non-Interactive Sign-Ins from Multiple Countries
17 Impossible Travel Multiple Countries
Query
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| summarize
Countries = make_set(Location),
CountryCount = dcount(Location),
IPs = make_set(IPAddress),
Apps = make_set(AppDisplayName),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName
| where CountryCount >= 3
| extend IPAddress = tostring(IPs[0])
| order by CountryCount descExplanation
This query is designed to detect suspicious activity related to user sign-ins. Specifically, it looks for instances where a user successfully signs in from three or more different countries within a one-hour period using non-interactive sign-ins. This is considered highly unusual and likely indicates that the user's authentication tokens have been stolen and are being used by attackers from multiple locations.
Here's a simple breakdown of the query:
-
Data Source: It uses logs from Azure Active Directory, focusing on non-interactive user sign-ins.
-
Time Frame: The query examines sign-in data from the past hour.
-
Criteria: It filters for successful sign-ins (where
ResultTypeis 0). -
Analysis: It groups the data by user and counts the number of distinct countries from which each user has signed in. It also collects the IP addresses and applications involved.
-
Alert Condition: If a user has signed in from three or more different countries within the hour, an alert is triggered.
-
Severity and Tactics: The alert is marked with medium severity and is associated with tactics like Credential Access and Defense Evasion, referencing MITRE ATT&CK techniques T1078 (Valid Accounts) and T1539.
-
Alert Details: The alert provides details such as the user's name, the number of countries, and the list of countries involved.
-
Incident Management: If such an event is detected, an incident is created to investigate further, with specific configurations for grouping and handling alerts.
Overall, this query helps identify potential security breaches where attackers might be using stolen credentials to access accounts from various global locations, which is not possible for a legitimate user in such a short time frame.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 1h
Period: 1h