Query Details

Impossible Travel - Non-Interactive Sign-Ins from Multiple Countries

17 Impossible Travel Multiple Countries

Query

AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| summarize
    Countries    = make_set(Location),
    CountryCount = dcount(Location),
    IPs          = make_set(IPAddress),
    Apps         = make_set(AppDisplayName),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated)
  by UserPrincipalName
| where CountryCount >= 3
| extend IPAddress = tostring(IPs[0])
| order by CountryCount desc

Explanation

This query is designed to detect suspicious activity related to user sign-ins. Specifically, it looks for instances where a user successfully signs in from three or more different countries within a one-hour period using non-interactive sign-ins. This is considered highly unusual and likely indicates that the user's authentication tokens have been stolen and are being used by attackers from multiple locations.

Here's a simple breakdown of the query:

  1. Data Source: It uses logs from Azure Active Directory, focusing on non-interactive user sign-ins.

  2. Time Frame: The query examines sign-in data from the past hour.

  3. Criteria: It filters for successful sign-ins (where ResultType is 0).

  4. Analysis: It groups the data by user and counts the number of distinct countries from which each user has signed in. It also collects the IP addresses and applications involved.

  5. Alert Condition: If a user has signed in from three or more different countries within the hour, an alert is triggered.

  6. Severity and Tactics: The alert is marked with medium severity and is associated with tactics like Credential Access and Defense Evasion, referencing MITRE ATT&CK techniques T1078 (Valid Accounts) and T1539.

  7. Alert Details: The alert provides details such as the user's name, the number of countries, and the list of countries involved.

  8. Incident Management: If such an event is detected, an incident is created to investigate further, with specific configurations for grouping and handling alerts.

Overall, this query helps identify potential security breaches where attackers might be using stolen credentials to access accounts from various global locations, which is not possible for a legitimate user in such a short time frame.

Details

David Alonso profile picture

David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

AzureActiveDirectoryAADNonInteractiveUserSignInLogsUserPrincipalNameIPAddressLocationAppDisplayNameTimeGenerated

Operators

ago()==summarizemake_set()dcount()min()max()by>=extendtostring()order bydesc

Severity

Medium

Tactics

CredentialAccessDefenseEvasion

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub