Query Details

High-Frequency Token Refresh - Possible Session Hijack or Automated Abuse

19 High Frequency Token Refresh

Query

AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| summarize
    RefreshCount = count(),
    Apps         = make_set(AppDisplayName),
    Countries    = make_set(Location)
  by UserPrincipalName, IPAddress
| where RefreshCount > 50
| order by RefreshCount desc

Explanation

This query is designed to detect unusual activity related to token refreshes in Azure Active Directory. Here's a simple breakdown:

  • Purpose: It identifies users or IP addresses that perform more than 50 successful non-interactive token refreshes within a single hour. Such high refresh rates could indicate potential security issues like session hijacking, automated abuse, or malware activity.

  • Data Source: The query uses data from Azure Active Directory's non-interactive user sign-in logs.

  • Frequency: The query runs every hour and looks at data from the past hour.

  • Logic:

    • It filters the logs to include only successful sign-ins (ResultType == 0) from the last hour.
    • It counts the number of token refreshes for each user and IP address.
    • It also collects information about the applications used and the countries from which the sign-ins originated.
    • It flags any user or IP with more than 50 refreshes in an hour.
  • Alerting:

    • If the threshold is exceeded, an alert is generated with details about the user, IP address, number of refreshes, applications involved, and countries.
    • The alert is named "High-Frequency Token Refresh" and includes specific details about the user and IP address involved.
  • Severity and Tactics: The alert is considered medium severity and relates to tactics like Credential Access and Persistence, referencing MITRE ATT&CK techniques T1528 and T1078.

  • Incident Management:

    • If an alert is triggered, an incident is created.
    • Incidents can be grouped by user account and IP address to manage related alerts together.

Overall, this query helps security teams monitor and respond to potential unauthorized access or misuse of tokens in their environment.

Details

David Alonso profile picture

David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

AzureActiveDirectoryAADNonInteractiveUserSignInLogsUserIPAddressTokenRefreshAppsCountriesAccountIP

Operators

ago()count()make_set()summarizewhereorder by

Severity

Medium

Tactics

CredentialAccessPersistence

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub