Query Details

HUNT 06 ADFS Legacy Auth Protocols 30d

Query

id: a1f00006-0006-4006-9006-adfs00000006
name: HUNT-06 ADFS Legacy / Basic Auth Protocols (30d)
description: |
  ADFS sign-ins from legacy authentication clients (POP, IMAP, SMTP, MAPI,
  "Other clients" and similar). These protocols carry only a username and
  password and cannot complete an MFA challenge, so any successful sign-in over
  them was not protected by MFA. Useful for governance and for finding users
  still on deprecated auth flows that should be migrated to modern authentication.
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - ADFSSignInLogs
tactics:
  - DefenseEvasion
  - InitialAccess
relevantTechniques:
  - T1078
  - T1556
query: |
  // Client labels that cannot satisfy an MFA challenge; extend if your tenant reports others
  let LegacyProtocols = dynamic([
      "Other clients", "POP", "IMAP", "SMTP", "MAPI", "Exchange ActiveSync",
      "Authenticated SMTP", "Exchange Web Services"
  ]);
  ADFSSignInLogs
  // Time-bound first so the allowlist function only sees the 30-day slice
  | where TimeGenerated > ago(30d)
  // Workspace function (must exist in the workspace) that drops sign-ins from trusted IP ranges
  | invoke ExcludeAllowlistedIPs()
  | where isnotempty(ClientAppUsed)
  | where ClientAppUsed in (LegacyProtocols)
       or ClientAppUsed startswith "Other"   // also catches variant "Other ..." labels
  | summarize
      Attempts       = count(),
      SuccessfulAuth = countif(ResultType == 0),   // 0 = successful sign-in
      UniqueIPs      = dcount(IPAddress),
      IPs            = make_set(IPAddress, 25),    // capped at 25 distinct IPs per user
      Protocols      = make_set(ClientAppUsed, 10),
      Countries      = make_set(Location, 10),
      FirstSeen      = min(TimeGenerated),
      LastSeen       = max(TimeGenerated)
    by UserPrincipalName
  // Users with the most MFA-free successful sign-ins float to the top
  | order by SuccessfulAuth desc, Attempts desc

Explanation

This query identifies and analyzes ADFS (Active Directory Federation Services) sign-ins that use legacy authentication protocols. These protocols (POP, IMAP, SMTP, MAPI and others) send only a username and password and cannot complete a Multi-Factor Authentication (MFA) challenge, so a successful sign-in over them is effectively MFA-free. The purpose is to support governance and to identify users who are still using outdated authentication methods that should be moved to modern authentication.

Here's a breakdown of what the query does:

  1. Define Legacy Protocols: It starts by listing the ClientAppUsed values that correspond to legacy authentication clients.

  2. Filter ADFS Sign-In Logs: It retrieves sign-in logs from the last 30 days and passes them through ExcludeAllowlistedIPs(), a workspace function that removes sign-ins from allowlisted IP ranges. The function is not defined in this query; it must already exist in the workspace, or the query will fail.

  3. Identify Legacy Protocol Usage: It keeps only rows where ClientAppUsed is non-empty and either matches one of the listed legacy protocols or starts with "Other", which also catches variant "Other ..." labels.

  4. Summarize Data: For each user, it counts total sign-in attempts, successful authentications (ResultType 0), and unique IP addresses, and collects the IPs (up to 25), protocols (up to 10), and countries (up to 10) involved. It also records the first and last time these sign-ins were seen.

  5. Order Results: Finally, it orders the results by the number of successful authentications and then by total attempts, both descending, so the users with the most MFA-free successful sign-ins appear first.

This query is useful for detecting potential security risks associated with legacy authentication methods and helps organizations transition to more secure, modern authentication protocols.
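To make the filtering and per-user summary above checkable offline, here is the same pipeline re-implemented in Python over a handful of constructed ADFSSignInLogs-shaped rows. This is an added example, not code from the page or its author. The allowlisted ranges and the behaviour of ExcludeAllowlistedIPs() are assumptions (the page invokes the function but does not define it), and the sample rows are invented so that each one exercises a different branch of the query.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same list as the LegacyProtocols variable in the KQL.
LEGACY_PROTOCOLS = {
    "Other clients", "POP", "IMAP", "SMTP", "MAPI", "Exchange ActiveSync",
    "Authenticated SMTP", "Exchange Web Services",
}

# Assumption: ExcludeAllowlistedIPs() drops rows whose IPAddress falls inside a set of
# trusted ranges. These ranges are invented for the example; use your own watchlist.
ALLOWLISTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def row(ts, upn, app, result, ip, loc):
    """Build one ADFSSignInLogs-shaped record. ResultType is kept as a string, as in the schema."""
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "ClientAppUsed": app,
            "ResultType": result, "IPAddress": ip, "Location": loc}


# Constructed sample rows, not real telemetry. Each row exercises one branch of the query.
SAMPLE_ROWS = [
    row("2026-05-10T08:00:00+00:00", "alice@contoso.example", "IMAP", "0", "203.0.113.10", "DE"),
    row("2026-05-11T09:30:00+00:00", "alice@contoso.example", "Authenticated SMTP", "0", "203.0.113.11", "NL"),
    row("2026-05-12T10:00:00+00:00", "bob@contoso.example", "Other clients", "50126", "192.0.2.7", "US"),
    row("2026-05-12T10:05:00+00:00", "bob@contoso.example", "Other clients", "0", "198.51.100.5", "US"),  # allowlisted
    row("2026-05-12T11:00:00+00:00", "carol@contoso.example", "Browser", "0", "203.0.113.20", "FR"),  # modern auth
    row("2026-04-01T07:00:00+00:00", "dave@contoso.example", "Exchange ActiveSync", "0", "203.0.113.30", "GB"),  # older than 30d
    row("2026-05-12T12:00:00+00:00", "erin@contoso.example", "", "0", "203.0.113.40", "ES"),  # empty ClientAppUsed
]


def is_allowlisted(ip):
    """Stand-in for ExcludeAllowlistedIPs(): True if ip is inside a trusted range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or empty IP: keep the row rather than silently dropping it
    return any(addr in net for net in ALLOWLISTED_NETWORKS)


def is_legacy(client_app):
    """Mirror of: ClientAppUsed in (LegacyProtocols) or ClientAppUsed startswith "Other"."""
    return client_app in LEGACY_PROTOCOLS or client_app.startswith("Other")


def hunt_legacy_auth(rows, now, window=timedelta(days=30)):
    """Filter and summarise rows per user the way the KQL summarize/order does."""
    cutoff = now - window
    per_user = defaultdict(lambda: {"Attempts": 0, "SuccessfulAuth": 0, "IPs": set(),
                                    "Protocols": set(), "Countries": set(), "Seen": []})
    for r in rows:
        ts = datetime.fromisoformat(r["TimeGenerated"])
        if ts <= cutoff or is_allowlisted(r["IPAddress"]):
            continue
        app = r.get("ClientAppUsed") or ""          # isnotempty(ClientAppUsed)
        if not app or not is_legacy(app):
            continue
        s = per_user[r["UserPrincipalName"]]
        s["Attempts"] += 1
        if str(r["ResultType"]) == "0":              # countif(ResultType == 0)
            s["SuccessfulAuth"] += 1
        s["IPs"].add(r["IPAddress"])
        s["Protocols"].add(app)
        s["Countries"].add(r["Location"])
        s["Seen"].append(ts)
    results = []
    for upn, s in per_user.items():
        results.append({
            "UserPrincipalName": upn,
            "Attempts": s["Attempts"],
            "SuccessfulAuth": s["SuccessfulAuth"],
            "UniqueIPs": len(s["IPs"]),                  # dcount(IPAddress)
            "IPs": sorted(s["IPs"])[:25],                # make_set(IPAddress, 25)
            "Protocols": sorted(s["Protocols"])[:10],    # make_set(ClientAppUsed, 10)
            "Countries": sorted(s["Countries"])[:10],    # make_set(Location, 10)
            "FirstSeen": min(s["Seen"]).isoformat(),
            "LastSeen": max(s["Seen"]).isoformat(),
        })
    # order by SuccessfulAuth desc, Attempts desc
    results.sort(key=lambda x: (-x["SuccessfulAuth"], -x["Attempts"]))
    return results


def run_sample():
    """Run the hunt over the constructed rows against a fixed reference time."""
    return hunt_legacy_auth(SAMPLE_ROWS, datetime(2026, 5, 13, tzinfo=timezone.utc))


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

On the sample, only alice (two successful IMAP/Authenticated SMTP sign-ins from two IPs) and bob (one failed "Other clients" attempt; his allowlisted success is dropped) survive; carol is on modern auth, dave is outside the window, and erin has an empty ClientAppUsed. Note that ResultType is compared as a string here because the Sentinel schema stores it as one; if you adapt this to another sink, check the column type before comparing against 0.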

Details


David Alonso

Released: May 13, 2026

Tables

ADFSSignInLogs

Keywords

Adfs, Signins, Users, Authentication, Clients, Mfa, Governance, AuthFlows, AzureActiveDirectory, Logs, Ips, Protocols, Countries, Locations

Operators

let, dynamic, invoke, ExcludeAllowlistedIPs, where, ago, isnotempty, in, startswith, summarize, count, countif, dcount, make_set, min, max, by, order by, desc
