Query Details

High Risk Country Sign In

Query

id: d7e3f5a6-b1c2-4d8e-9f0a-1b2c3d4e5f6a
name: Non-Interactive Sign-In from High-Risk Country
version: 1.0.0
kind: Scheduled
description: |
  Detects successful non-interactive sign-ins originating from countries designated as
  high-risk by organizational policy (e.g., sanctioned nations, high APT origination
  countries). Silent authentication from these regions is especially concerning because
  it may indicate stolen token use from attacker infrastructure in high-risk geographies.
  Customize the HighRiskCountries list to match your organization's risk policy.
  MITRE ATT&CK: T1078 (Valid Accounts)
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1078
  - T1539
query: |
  // Customize this list to your organization's risk policy
  // ISO 3166-1 alpha-2 country codes
  let HighRiskCountries = dynamic([
      "KP",  // North Korea
      "IR",  // Iran
      "RU",  // Russia
      "CN",  // China
      "BY",  // Belarus
      "CU",  // Cuba
      "SY",  // Syria
      "VE",  // Venezuela
      "MM"   // Myanmar
  ]);
  AADNonInteractiveUserSignInLogs
  | where TimeGenerated > ago(1h)
  | where ResultType == "0"   // ResultType is a string column; "0" means a successful sign-in
  | where Location in (HighRiskCountries)
  | summarize
      Count     = count(),
      Apps      = make_set(AppDisplayName),
      IPs       = make_set(IPAddress),
      FirstSeen = min(TimeGenerated),
      LastSeen  = max(TimeGenerated)
    by UserPrincipalName, Location
  | extend IPAddress = tostring(IPs[0])
  | order by Count desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  Country: Location
  SignInCount: Count
  Apps: Apps
alertDetailsOverride:
  alertDisplayNameFormat: "High-Risk Country Sign-In - {{UserPrincipalName}} from {{Location}}"
  alertDescriptionFormat: "User {{UserPrincipalName}} performed {{Count}} non-interactive sign-ins from high-risk country {{Location}}. Investigate for potential token theft from attacker infrastructure."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect and alert on successful non-interactive sign-ins from countries considered high-risk by an organization. Here's a simplified breakdown:

  1. Purpose: The query identifies non-interactive sign-ins (logins that don't require user interaction, like token-based authentication) from countries that are flagged as high-risk. These countries might be associated with higher chances of cyber threats or are under sanctions.

  2. High-Risk Countries: The query uses a predefined list of countries (e.g., North Korea, Iran, Russia, China, etc.) that are considered high-risk. Organizations can customize this list based on their own risk assessments.

  3. Data Source: It uses logs from Azure Active Directory, specifically focusing on non-interactive user sign-in logs.

  4. Time Frame: The query checks for sign-ins that occurred in the past hour.

  5. Conditions: It filters for successful sign-ins (where ResultType is 0) from the specified high-risk countries.

  6. Output: The query summarizes the data by counting the number of sign-ins, listing the applications accessed, and noting the IP addresses used. It also records the first and last time these sign-ins were observed.

  7. Alerting: If any such sign-ins are detected, an alert is generated. The alert includes details like the user's name, the country of origin, and the number of sign-ins. The alert is formatted to highlight the potential risk of token theft.

  8. Incident Management: The query is set to create an incident if such sign-ins are detected, with configurations to group incidents by user account and to avoid reopening closed incidents.

Overall, this query helps organizations monitor for potentially unauthorized access attempts from regions that pose a higher security risk, allowing for timely investigation and response.
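As an added illustration, not part of the original rule, the same filtering and summarization logic re-implemented in Python and run over constructed sample rows, so the detection can be traced step by step without a Sentinel workspace. The user names, IP addresses, timestamps and result codes in the sample are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same ISO 3166-1 alpha-2 list as the rule; tune to organizational policy.
HIGH_RISK_COUNTRIES = {"KP", "IR", "RU", "CN", "BY", "CU", "SY", "VE", "MM"}
NOW = datetime(2026, 5, 29, 12, 0, tzinfo=timezone.utc)  # constructed clock

def _row(minutes_ago, upn, result, country, ip, app):
    # ResultType is a string column in AADNonInteractiveUserSignInLogs
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago),
            "UserPrincipalName": upn, "ResultType": result, "Location": country,
            "IPAddress": ip, "AppDisplayName": app}

# Constructed sample rows (not real telemetry): two successful RU sign-ins for
# alice, a failed IR attempt, a successful US sign-in, and an RU sign-in that is
# three days old and therefore outside the 1h queryPeriod.
SAMPLE_LOGS = [
    _row(10, "alice@example.com", "0", "RU", "203.0.113.5", "Office 365 Exchange Online"),
    _row(25, "alice@example.com", "0", "RU", "203.0.113.5", "Microsoft Graph"),
    _row(30, "bob@example.com", "50126", "IR", "198.51.100.9", "Microsoft Teams"),
    _row(40, "carol@example.com", "0", "US", "192.0.2.7", "SharePoint Online"),
    _row(3 * 24 * 60, "alice@example.com", "0", "RU", "203.0.113.5", "Microsoft Graph"),
]

def detect(rows, now=NOW, window=timedelta(hours=1)):
    """Mirror the KQL: successful sign-ins from a high-risk country inside the
    window, summarized by (UserPrincipalName, Location), highest Count first."""
    groups = defaultdict(list)
    for r in rows:
        if (r["TimeGenerated"] <= now - window           # where TimeGenerated > ago(1h)
                or r["ResultType"] != "0"                # where ResultType == "0"
                or r["Location"] not in HIGH_RISK_COUNTRIES):  # where Location in (...)
            continue
        groups[(r["UserPrincipalName"], r["Location"])].append(r)
    results = []
    for (upn, loc), hits in groups.items():              # summarize ... by UPN, Location
        results.append({
            "UserPrincipalName": upn, "Location": loc, "Count": len(hits),
            "Apps": sorted({h["AppDisplayName"] for h in hits}),   # make_set(AppDisplayName)
            "IPs": sorted({h["IPAddress"] for h in hits}),         # make_set(IPAddress)
            "FirstSeen": min(h["TimeGenerated"] for h in hits),
            "LastSeen": max(h["TimeGenerated"] for h in hits),
        })
    results.sort(key=lambda x: x["Count"], reverse=True)  # order by Count desc
    return results

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"{a['UserPrincipalName']} from {a['Location']}: {a['Count']} sign-ins, "
              f"apps={a['Apps']}, ips={a['IPs']}")
```

Only alice's two in-window successful sign-ins from RU survive the filters; the failed IR attempt, the US sign-in and the three-day-old RU row are dropped, matching what the rule would alert on.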

Details


David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

AzureActiveDirectory, AADNonInteractiveUserSignInLogs, User, Account, IP, Location, Apps, Country, SignInCount

Operators

let, dynamic, //, |, where, >, ago, ==, in, summarize, count, make_set, min, max, by, extend, tostring, order by, desc
