High-Frequency Token Refresh - Possible Session Hijack or Automated Abuse
19 High Frequency Token Refresh
Query
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| summarize
RefreshCount = count(),
Apps = make_set(AppDisplayName),
Countries = make_set(Location)
by UserPrincipalName, IPAddress
| where RefreshCount > 50
| order by RefreshCount descExplanation
This query is designed to detect unusual activity related to token refreshes in Azure Active Directory. Here's a simple breakdown:
-
Purpose: It identifies users or IP addresses that perform more than 50 successful non-interactive token refreshes within a single hour. Such high refresh rates could indicate potential security issues like session hijacking, automated abuse, or malware activity.
-
Data Source: The query uses data from Azure Active Directory's non-interactive user sign-in logs.
-
Frequency: The query runs every hour and looks at data from the past hour.
-
Logic:
- It filters the logs to include only successful sign-ins (ResultType == 0) from the last hour.
- It counts the number of token refreshes for each user and IP address.
- It also collects information about the applications used and the countries from which the sign-ins originated.
- It flags any user or IP with more than 50 refreshes in an hour.
-
Alerting:
- If the threshold is exceeded, an alert is generated with details about the user, IP address, number of refreshes, applications involved, and countries.
- The alert is named "High-Frequency Token Refresh" and includes specific details about the user and IP address involved.
-
Severity and Tactics: The alert is considered medium severity and relates to tactics like Credential Access and Persistence, referencing MITRE ATT&CK techniques T1528 and T1078.
-
Incident Management:
- If an alert is triggered, an incident is created.
- Incidents can be grouped by user account and IP address to manage related alerts together.
Overall, this query helps security teams monitor and respond to potential unauthorized access or misuse of tokens in their environment.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 1h
Period: 1h