Query Details

19 High Frequency Token Refresh

Query

id: a4b0c2d3-e8f9-1a5b-6c7d-8e9f0a1b2c3d
name: High-Frequency Token Refresh - Possible Session Hijack or Automated Abuse
version: 1.0.0
kind: Scheduled
description: |
  Detects users or IPs generating more than 50 successful non-interactive token refreshes
  within a single hour. Legitimate applications refresh tokens at reasonable intervals.
  Extremely high refresh rates indicate automated token replay (session hijack), malware
  maintaining persistent access, or a compromised automated pipeline.
  MITRE ATT&CK: T1528 (Steal Application Access Token), T1078 (Valid Accounts)
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - Persistence
relevantTechniques:
  - T1528
  - T1078
query: |
  AADNonInteractiveUserSignInLogs
  | where TimeGenerated > ago(1h)
  | where ResultType == 0
  | summarize
      RefreshCount = count(),
      Apps         = make_set(AppDisplayName),
      Countries    = make_set(Location)
    by UserPrincipalName, IPAddress
  | where RefreshCount > 50
  | order by RefreshCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  TokenRefreshCount: RefreshCount
  Apps: Apps
  Countries: Countries
alertDetailsOverride:
  alertDisplayNameFormat: "High-Frequency Token Refresh - {{UserPrincipalName}} from {{IPAddress}} ({{RefreshCount}} refreshes/hr)"
  alertDescriptionFormat: "User {{UserPrincipalName}} performed {{RefreshCount}} non-interactive token refreshes in 1 hour from {{IPAddress}}. This rate suggests automated token replay or session hijack."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect unusual activity related to token refreshes in Azure Active Directory. Here's a simple breakdown:

  • Purpose: It identifies users or IP addresses that perform more than 50 successful non-interactive token refreshes within a single hour. Such high refresh rates could indicate potential security issues like session hijacking, automated abuse, or malware activity.

  • Data Source: The query uses data from Azure Active Directory's non-interactive user sign-in logs.

  • Frequency: The query runs every hour and looks at data from the past hour.

  • Logic:

    • It filters the logs to include only successful sign-ins (ResultType == 0) from the last hour.
    • It counts the number of token refreshes for each user and IP address pair.
    • It also collects the set of applications used and the countries from which the sign-ins originated.
    • It flags any user and IP address pair with more than 50 refreshes in an hour.

  • Alerting:

    • If the threshold is exceeded, an alert is generated with details about the user, IP address, number of refreshes, applications involved, and countries.
    • The alert is named "High-Frequency Token Refresh" and includes the user, IP address, and hourly refresh count involved.

  • Severity and Tactics: The alert is considered medium severity and relates to the Credential Access and Persistence tactics, referencing MITRE ATT&CK techniques T1528 and T1078.

  • Incident Management:

    • If an alert is triggered, an incident is created.
    • Alerts that share the same user account and IP address within a 5-hour lookback window are grouped into one incident so related alerts are managed together.

Overall, this query helps security teams monitor and respond to potential unauthorized access or misuse of tokens in their environment.
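To make the rule's logic testable offline, here is an added Python mirror of the KQL (not part of the rule or the author's page) run over constructed sample rows standing in for AADNonInteractiveUserSignInLogs; the user names, IP addresses, timestamps and ResultType values are all assumptions built for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows standing in for AADNonInteractiveUserSignInLogs; not real telemetry.
NOW = datetime(2026, 5, 29, 12, 0, tzinfo=timezone.utc)

def sample_rows():
    def row(user, ip, age, ok=True, app="Microsoft Teams", loc="US"):
        return {"TimeGenerated": NOW - age, "ResultType": 0 if ok else 50126,
                "UserPrincipalName": user, "IPAddress": ip,
                "AppDisplayName": app, "Location": loc}
    rows = []
    # alice: 60 successes from one IP inside the hour -> exceeds the threshold of 50
    for i in range(60):
        rows.append(row("alice@contoso.example", "203.0.113.10", timedelta(minutes=i),
                        app="Microsoft Teams" if i % 2 else "Office 365 Exchange Online"))
    # bob: 70 events but only 40 succeeded (the 30 failures are dropped by ResultType == 0)
    for i in range(70):
        rows.append(row("bob@contoso.example", "198.51.100.7", timedelta(seconds=30 * i), ok=i < 40))
    # carol: 80 successes, all older than one hour -> outside ago(1h)
    for i in range(80):
        rows.append(row("carol@contoso.example", "192.0.2.22", timedelta(hours=2, minutes=i)))
    return rows

def high_frequency_refreshes(rows, now=NOW, window=timedelta(hours=1), threshold=50):
    """Python mirror of the rule's KQL: time window, ResultType == 0, summarize by user+IP, > threshold."""
    counts, apps, countries = defaultdict(int), defaultdict(set), defaultdict(set)
    for r in rows:
        if r["TimeGenerated"] <= now - window or r["ResultType"] != 0:
            continue
        key = (r["UserPrincipalName"], r["IPAddress"])   # summarize ... by UserPrincipalName, IPAddress
        counts[key] += 1                                 # RefreshCount = count()
        apps[key].add(r["AppDisplayName"])               # Apps = make_set(AppDisplayName)
        countries[key].add(r["Location"])                # Countries = make_set(Location)
    hits = [{"UserPrincipalName": u, "IPAddress": ip, "RefreshCount": c,
             "Apps": sorted(apps[(u, ip)]), "Countries": sorted(countries[(u, ip)])}
            for (u, ip), c in counts.items() if c > threshold]
    return sorted(hits, key=lambda h: h["RefreshCount"], reverse=True)   # order by RefreshCount desc

def alert_title(hit):
    """Render the rule's alertDisplayNameFormat for one result row."""
    return (f"High-Frequency Token Refresh - {hit['UserPrincipalName']} from "
            f"{hit['IPAddress']} ({hit['RefreshCount']} refreshes/hr)")

if __name__ == "__main__":
    for hit in high_frequency_refreshes(sample_rows()):
        print(alert_title(hit), hit["Apps"], hit["Countries"])
```

Lowering the threshold argument is a quick way to see how many additional user and IP pairs a tuned rule would surface before changing the production YAML.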

Details

David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

AzureActiveDirectory, AADNonInteractiveUserSignInLogs, User, IPAddress, TokenRefresh, Apps, Countries, Account, IP

Operators

ago(), count(), make_set(), summarize, where, order by
