Non-Interactive Sign-In from High-Risk Country
22 High Risk Country Sign In
Query
// Customize this list to your organization's risk policy
// ISO 3166-1 alpha-2 country codes
let HighRiskCountries = dynamic([
"KP", // North Korea
"IR", // Iran
"RU", // Russia
"CN", // China
"BY", // Belarus
"CU", // Cuba
"SY", // Syria
"VE", // Venezuela
"MM" // Myanmar
]);
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| where Location in (HighRiskCountries)
| summarize
Count = count(),
Apps = make_set(AppDisplayName),
IPs = make_set(IPAddress),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName, Location
| extend IPAddress = tostring(IPs[0])
| order by Count descExplanation
This query is designed to detect and alert on successful non-interactive sign-ins from countries considered high-risk by an organization. Here's a simplified breakdown:
-
Purpose: The query identifies non-interactive sign-ins (logins that don't require user interaction, like token-based authentication) from countries that are flagged as high-risk. These countries might be associated with higher chances of cyber threats or are under sanctions.
-
High-Risk Countries: The query uses a predefined list of countries (e.g., North Korea, Iran, Russia, China, etc.) that are considered high-risk. Organizations can customize this list based on their own risk assessments.
-
Data Source: It uses logs from Azure Active Directory, specifically focusing on non-interactive user sign-in logs.
-
Time Frame: The query checks for sign-ins that occurred in the past hour.
-
Conditions: It filters for successful sign-ins (where
ResultTypeis 0) from the specified high-risk countries. -
Output: The query summarizes the data by counting the number of sign-ins, listing the applications accessed, and noting the IP addresses used. It also records the first and last time these sign-ins were observed.
-
Alerting: If any such sign-ins are detected, an alert is generated. The alert includes details like the user's name, the country of origin, and the number of sign-ins. The alert is formatted to highlight the potential risk of token theft.
-
Incident Management: The query is set to create an incident if such sign-ins are detected, with configurations to group incidents by user account and to avoid reopening closed incidents.
Overall, this query helps organizations monitor for potentially unauthorized access attempts from regions that pose a higher security risk, allowing for timely investigation and response.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 1h
Period: 1h