ROPC Sign-In from New Country or ASN for User
26 ROPC New Country Or ASN
Query
let LegitRopcApps = dynamic([
"Microsoft Authentication Broker",
"Microsoft Intune Company Portal",
"Azure AD Connect",
"Microsoft Office",
"Microsoft Office Authentication Broker"
]);
let Lookback = 30d;
let Window = 1h;
let Baseline =
union isfuzzy=true
(SigninLogs
| where TimeGenerated between (ago(Lookback) .. ago(Window))),
(AADNonInteractiveUserSignInLogs
| where TimeGenerated between (ago(Lookback) .. ago(Window)))
| where ResultType == 0
| extend Upn = tolower(UserPrincipalName),
Pair = strcat(Location, "|", tostring(AutonomousSystemNumber))
| summarize KnownPairs = make_set(Pair) by Upn;
AADNonInteractiveUserSignInLogs
| invoke ExcludeAllowlistedIPs_AADNI()
| where TimeGenerated > ago(Window)
| where AuthenticationProtocol =~ "ropc"
| where ResultType == 0
| where AppDisplayName !in~ (LegitRopcApps)
| extend Upn = tolower(UserPrincipalName),
Pair = strcat(Location, "|", tostring(AutonomousSystemNumber))
| join kind=leftouter Baseline on Upn
| where isnull(KnownPairs) or not(set_has_element(KnownPairs, Pair))
| summarize
Count = count(),
IPs = make_set(IPAddress),
Countries = make_set(Location),
ASNs = make_set(AutonomousSystemNumber),
Apps = make_set(AppDisplayName),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName
| extend IPAddress = tostring(IPs[0])
| order by Count descExplanation
This query is designed to detect potentially suspicious sign-in activities in an organization's Azure Active Directory. Here's a simplified explanation:
-
Purpose: The query identifies successful sign-ins using the Resource Owner Password Credentials (ROPC) method from a new country or Autonomous System Number (ASN) for a user. ROPC is a method that bypasses Multi-Factor Authentication (MFA), making it a potential security risk if credentials are stolen and used from a new location.
-
How it Works:
- It checks sign-in logs from the past 30 days to see if the combination of user, country, and ASN has been seen before.
- If a new combination is detected, it raises an alert, as this could indicate that a user's credentials are being used from a new, potentially unauthorized location.
-
Exclusions and Filters:
- Known legitimate ROPC applications are excluded to reduce false positives.
- IP addresses on an allowlist are also excluded.
- The query focuses on successful sign-ins (ResultType == 0).
-
Alert Details:
- If a new combination is found, it summarizes the number of occurrences, the IP addresses, countries, ASNs, and applications involved.
- It also notes the first and last time this activity was seen.
-
Severity and Response:
- The severity of the alert is set to "Medium."
- An incident is created for further investigation, and alerts are grouped by user account to manage related activities together.
-
MITRE ATT&CK Techniques:
- The query is associated with techniques T1078 (Valid Accounts) and T1550 (Use Alternate Authentication Material), indicating it relates to credential access and misuse.
In essence, this query helps security teams monitor for unusual sign-in patterns that could suggest compromised credentials being used from new locations, allowing them to take action to secure the affected accounts.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 1h
Period: 30d