Query Details
// =========================================================================
// HQ-007: Bulk Refresh Token Revocations (Post-Compromise or Evasion)
// =========================================================================
// Description  : "Update StsRefreshTokenValidFrom Timestamp" is produced
//                when a user's refresh tokens are revoked (e.g., via
//                Revoke-AzureADUserAllRefreshToken, MCAS response, or an
//                attacker using AADInternals to invalidate sessions after
//                extracting tokens). Three or more revocations in a day by
//                the same actor warrant investigation — it may be IR
//                activity or an attacker covering tracks.
// MITRE ATT&CK : TA0005 Defense Evasion
//                T1070 – Indicator Removal
//                T1531 – Account Access Removal
// Tools        : AADInternals, MCAS/MDCA automated response, IR scripts
// Severity     : Medium
// Data Source  : AuditLogs (Azure Active Directory)
// =========================================================================
AuditLogs
| where TimeGenerated > ago(1d)
| where ActivityDisplayName == "Update StsRefreshTokenValidFrom Timestamp"
| extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
// Revocations can be initiated by a signed-in user or by an application
// (e.g., an automated MCAS/MDCA response); fall back to the app name.
| extend Actor = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
| extend TargetUser = tostring(TargetResources[0].displayName)
| extend TargetUPN = tostring(TargetResources[0].userPrincipalName)
| summarize
    RevocationCount = count(),
    TargetUsers = make_set(TargetUser, 20),
    TargetUPNs = make_set(TargetUPN, 20),
    FirstEvent = min(TimeGenerated),
    LastEvent = max(TimeGenerated),
    CorrelationIds = make_set(CorrelationId, 5)
    by Actor
| where RevocationCount >= 3
| extend DurationMinutes = datetime_diff('minute', LastEvent, FirstEvent)
| order by RevocationCount desc
This query is designed to identify potential security incidents involving the revocation of refresh tokens in Azure Active Directory. Here's a simplified explanation:
Purpose: The query looks for actors (users or applications) that revoked refresh tokens three or more times within a single day, regardless of how many accounts were affected. This could indicate a security investigation or an attacker trying to hide their tracks.
Data Source: It uses the AuditLogs table from Azure Active Directory to find the relevant events.
Time Frame: It examines logs from the last 24 hours.
Event Type: Specifically, it searches for the event named "Update StsRefreshTokenValidFrom Timestamp", which signifies a refresh token revocation.
Actor Identification: It identifies who initiated the revocation: a user (by user principal name) or, when no user is present, an application (by display name, for example an MCAS/MDCA automated response).
Target Information: It collects the display names and user principal names of the users whose tokens were revoked (up to 20 of each per actor), along with up to five correlation IDs for pivoting into the raw audit records.
Summary: For each actor (the person or app initiating the revocations), it counts how many revocations they performed, lists the affected users, and notes the time range of these events, including how many minutes separate the first and last revocation.
Alert Criteria: It flags cases where an actor has revoked tokens three or more times in a day, as this could suggest malicious activity or an internal investigation.
Output: The results are sorted by the number of revocations, highlighting the most active actors.
Overall, the query helps identify unusual patterns of token revocation that may require further investigation. Because legitimate incident response and automated response tooling produce the same event, the actor identity and the correlation IDs are the first things to check when triaging a hit.
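The same aggregation, re-implemented in Python over constructed AuditLogs-shaped records so the actor fallback, the one-day window, the threshold and the duration calculation can be run offline. This is an added example, not part of the original hunt query; the tenant, user names, app name and correlation IDs are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

REVOKE_EVENT = "Update StsRefreshTokenValidFrom Timestamp"

def make_row(ts, target_upn, user=None, app=None, activity=REVOKE_EVENT, cid="corr-0"):
    """Build one AuditLogs-shaped record; InitiatedBy holds a user OR an app, as in the schema."""
    initiated_by = {"user": {"userPrincipalName": user}} if user else {"app": {"displayName": app}}
    return {"TimeGenerated": ts, "ActivityDisplayName": activity, "InitiatedBy": initiated_by,
            "TargetResources": [{"displayName": target_upn.split("@")[0],
                                 "userPrincipalName": target_upn}],
            "CorrelationId": cid}

# Constructed sample data (hypothetical tenant, not real logs): one admin revoking five users
# within 12 minutes, an app revoking once, one revocation older than the 1-day window, and an
# unrelated activity that must be ignored.
T0 = datetime(2026, 4, 6, 9, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(hours=1)
SAMPLE_LOGS = [make_row(T0 + timedelta(minutes=3 * i), f"user{i}@example.com",
                        user="helpdesk@example.com", cid=f"c{i}") for i in range(5)]
SAMPLE_LOGS += [
    make_row(T0, "bob@example.com", app="MCAS Automated Response", cid="c-app"),
    make_row(T0 - timedelta(days=2), "old@example.com", user="helpdesk@example.com", cid="c-old"),
    make_row(T0, "carol@example.com", user="helpdesk@example.com", activity="Update user", cid="c-x"),
]

def actor_of(row):
    """Mirror the query's iff(): prefer the initiating user's UPN, else the app display name."""
    user = row["InitiatedBy"].get("user", {}).get("userPrincipalName")
    return user or row["InitiatedBy"].get("app", {}).get("displayName")

def bulk_revocations(rows, now=NOW, threshold=3, window=timedelta(days=1)):
    """Group revocation events by actor inside the window; return actors at or over threshold."""
    groups = defaultdict(list)
    for row in rows:
        if row["ActivityDisplayName"] != REVOKE_EVENT or row["TimeGenerated"] <= now - window:
            continue  # wrong event type, or outside ago(1d)
        groups[actor_of(row)].append(row)
    hits = []
    for actor, events in groups.items():
        if len(events) < threshold:
            continue
        times = [e["TimeGenerated"] for e in events]
        hits.append({
            "Actor": actor, "RevocationCount": len(events),
            "TargetUPNs": sorted({e["TargetResources"][0]["userPrincipalName"] for e in events})[:20],
            "FirstEvent": min(times), "LastEvent": max(times),
            "CorrelationIds": sorted({e["CorrelationId"] for e in events})[:5],  # make_set(.., 5)
            "DurationMinutes": int((max(times) - min(times)).total_seconds() // 60),
        })
    return sorted(hits, key=lambda h: h["RevocationCount"], reverse=True)
```

Calling `bulk_revocations(SAMPLE_LOGS)` returns a single hit for the help-desk account (five revocations, 12 minutes apart end to end); the single app-initiated revocation, the stale event and the unrelated activity are all filtered out, exactly as the KQL would do.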

David Alonso
Released: April 6, 2026