Query Details

HUNT 08 ADFS Auth To Privileged Action 30d

Query

id: a1f00008-0008-4008-9008-adfs00000008
name: HUNT-08 ADFS Sign-in to Privileged Azure AD Action Correlation (30d)
description: |
  Correlates successful ADFS sign-ins with subsequent privileged directory
  actions in AuditLogs (within 1 hour). Useful for reconstructing the post-
  authentication blast radius of suspected federated-account compromise.
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - ADFSSignInLogs
      - AuditLogs
tactics:
  - PrivilegeEscalation
  - Persistence
relevantTechniques:
  - T1098
  - T1078
query: |
  // Directory operations treated as privileged for this hunt.
  let PrivOps = dynamic([
      "Add member to role", "Add app role assignment to user",
      "Add eligible member to role", "Add owner to application",
      "Add service principal credentials", "Reset user password",
      "Update user", "Disable Strong Authentication",
      "Update conditional access policy", "Delete conditional access policy"
  ]);
  // Successful ADFS sign-ins from non-allowlisted IPs in the last 30 days.
  // ExcludeAllowlistedIPs() is a workspace function that must exist in the environment.
  let Auths = ADFSSignInLogs
    | invoke ExcludeAllowlistedIPs()
    | where TimeGenerated > ago(30d)
    | where ResultType == 0
    // Lower-case the UPN so the join below is not defeated by case differences between the two log sources.
    | project AuthTime = TimeGenerated, UserPrincipalName = tolower(UserPrincipalName), IPAddress, Location;
  AuditLogs
  | where TimeGenerated > ago(30d)
  | where OperationName in (PrivOps)
  | where Result =~ "success"
  | extend Actor = tolower(tostring(InitiatedBy.user.userPrincipalName))
  | where isnotempty(Actor)
  // Pair each privileged action with the actor's ADFS sign-ins, then keep only
  // actions that occurred within one hour after a sign-in.
  | join kind=inner (Auths) on $left.Actor == $right.UserPrincipalName
  | where TimeGenerated between (AuthTime .. AuthTime + 1h)
  | project
      TimeGenerated, Actor, OperationName, IPAddress, Location,
      AuthTime,
      TargetResources, AdditionalDetails
  | order by TimeGenerated desc

Explanation

This query is designed to identify potential security threats by correlating successful sign-ins through Active Directory Federation Services (ADFS) with privileged actions in Azure Active Directory (Azure AD) within a one-hour window. Here's a simplified breakdown:

  1. Purpose: The query aims to detect whether a user who successfully signed in via ADFS subsequently performed any high-privilege action in Azure AD, which could indicate a compromised account.

  2. Severity: The query is marked as high severity, reflecting the importance of the potential security threat it is designed to detect.

  3. Data Sources: It uses data from two tables:

    • ADFSSignInLogs: Logs of sign-ins through ADFS.
    • AuditLogs: Logs of actions performed in Azure AD.

  4. Time Frame: The query looks at data from the past 30 days.

  5. Privileged Operations: It focuses on specific high-privilege operations such as adding members to roles, resetting passwords, and updating conditional access policies.

  6. Process:

    • It first filters ADFS sign-in logs to exclude any allowlisted IPs and only considers successful sign-ins.
    • It then filters Azure AD audit logs for successful privileged operations initiated by a user (rows with an empty actor are dropped).
    • The query joins these two datasets on the user principal name to find cases where a user who signed in via ADFS performed a privileged action within one hour of signing in. Because this is an inner join, each privileged action is first paired with every qualifying sign-in for that user over the 30-day window; the one-hour filter then keeps only the pairs where the action follows the sign-in within the window.

  7. Output: The results include details such as the time of the action, the user (Actor), the operation performed, the IP address and location of the sign-in, the sign-in time, and additional details about the target resources.

  8. Use Case: This query is useful for security teams to investigate and understand the potential impact (blast radius) of a suspected federated account compromise, focusing on privilege escalation and persistence tactics.
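To make the join-and-window behaviour inspectable without a Sentinel workspace, here is an added Python model of the same correlation, run over constructed sample records (this is example code written for this explanation, not the page's query). It assumes a small allowlist set in place of the workspace's ExcludeAllowlistedIPs() function, uses fictional tenant names and documentation IP ranges, and case-folds the user principal name before joining (an assumption of the example, not something the KQL above does); everything else mirrors the query's filters and the inclusive one-hour window.

```python
"""Offline model of the HUNT-08 correlation (added example, not the page's query)."""
from datetime import datetime, timedelta, timezone

# Same PrivOps list as the KQL.
PRIV_OPS = {
    "Add member to role", "Add app role assignment to user",
    "Add eligible member to role", "Add owner to application",
    "Add service principal credentials", "Reset user password",
    "Update user", "Disable Strong Authentication",
    "Update conditional access policy", "Delete conditional access policy",
}
ALLOWLISTED_IPS = {"203.0.113.10"}   # constructed; stands in for ExcludeAllowlistedIPs()
WINDOW = timedelta(hours=1)          # the "AuthTime .. AuthTime + 1h" window


def ts(value):
    """Parse an ISO-8601 timestamp; the constructed sample data is in UTC."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


# Constructed ADFSSignInLogs rows (fictional tenant, documentation IP ranges).
ADFS_SIGNINS = [
    {"TimeGenerated": "2026-05-01T08:00:00", "UserPrincipalName": "Alice@contoso.example",
     "IPAddress": "198.51.100.7", "Location": "US", "ResultType": 0},
    {"TimeGenerated": "2026-05-01T09:30:00", "UserPrincipalName": "bob@contoso.example",
     "IPAddress": "203.0.113.10", "Location": "US", "ResultType": 0},      # allowlisted IP
    {"TimeGenerated": "2026-05-01T10:00:00", "UserPrincipalName": "carol@contoso.example",
     "IPAddress": "198.51.100.9", "Location": "DE", "ResultType": 50126},  # failed sign-in
]


def audit(time, op, result, upn, target):
    """Build a constructed AuditLogs row; InitiatedBy mirrors the dynamic column the KQL reads."""
    return {"TimeGenerated": time, "OperationName": op, "Result": result,
            "InitiatedBy": {"user": {"userPrincipalName": upn}},
            "TargetResources": [{"displayName": target}], "AdditionalDetails": []}


AUDIT_LOGS = [
    audit("2026-05-01T08:20:00", "Add member to role", "success", "alice@contoso.example", "Global Administrator"),  # 20 min after sign-in: hit
    audit("2026-05-01T11:00:00", "Reset user password", "success", "alice@contoso.example", "dave@contoso.example"),  # 3 h after: outside window
    audit("2026-05-01T08:25:00", "Add member to role", "failure", "alice@contoso.example", "Global Administrator"),  # not a success
    audit("2026-05-01T08:30:00", "Update group", "success", "alice@contoso.example", "Finance"),                      # not in PrivOps
    audit("2026-05-01T09:40:00", "Update conditional access policy", "success", "bob@contoso.example", "CA01"),       # sign-in came from allowlisted IP
    audit("2026-05-01T10:10:00", "Reset user password", "success", "carol@contoso.example", "erin@contoso.example"),  # sign-in had failed
]


def successful_auths(signins):
    """Mirror of the `Auths` let-statement: allowlist exclusion, success only, UPN case-folded."""
    return [
        {"AuthTime": ts(r["TimeGenerated"]), "UserPrincipalName": r["UserPrincipalName"].lower(),
         "IPAddress": r["IPAddress"], "Location": r["Location"]}
        for r in signins
        if r["IPAddress"] not in ALLOWLISTED_IPS and r["ResultType"] == 0
    ]


def privileged_audit_events(audits):
    """Mirror of the AuditLogs filters: operation in PrivOps, success (case-insensitive), non-empty actor."""
    out = []
    for r in audits:
        actor = (r.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName") or "").lower()
        if r["OperationName"] in PRIV_OPS and r["Result"].lower() == "success" and actor:
            out.append({**r, "Actor": actor, "TimeGenerated": ts(r["TimeGenerated"])})
    return out


def correlate(signins, audits, window=WINDOW):
    """Inner join on actor UPN, then keep actions inside [AuthTime, AuthTime + window], newest first."""
    auths_by_user = {}
    for a in successful_auths(signins):
        auths_by_user.setdefault(a["UserPrincipalName"], []).append(a)
    hits = []
    for ev in privileged_audit_events(audits):
        for a in auths_by_user.get(ev["Actor"], []):   # every qualifying sign-in for this user
            if a["AuthTime"] <= ev["TimeGenerated"] <= a["AuthTime"] + window:
                hits.append({
                    "TimeGenerated": ev["TimeGenerated"], "Actor": ev["Actor"],
                    "OperationName": ev["OperationName"], "IPAddress": a["IPAddress"],
                    "Location": a["Location"], "AuthTime": a["AuthTime"],
                    "TargetResources": ev["TargetResources"],
                    "AdditionalDetails": ev["AdditionalDetails"],
                })
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    for h in correlate(ADFS_SIGNINS, AUDIT_LOGS):
        print(h["TimeGenerated"], h["Actor"], h["OperationName"], h["IPAddress"], "auth at", h["AuthTime"])
```

Of the six constructed audit rows, only the role addition 20 minutes after Alice's sign-in survives: the later password reset is outside the hour, the failed and non-privileged operations are filtered before the join, and Bob's and Carol's actions have no qualifying sign-in to pair with. Note that a user with many sign-ins in the 30-day range is paired with each of them, so one action can surface once per sign-in that falls within the hour before it.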

Details


David Alonso

Released: May 13, 2026

Tables

ADFSSignInLogs, AuditLogs

Keywords

ADFSSignInLogs, AuditLogs, User, AzureActiveDirectory, PrivilegedDirectoryActions, Authentication, IPAddress, Location, TimeGenerated, OperationName, Actor, TargetResources, AdditionalDetails

Operators

let, dynamic, invoke, ExcludeAllowlistedIPs, ago, project, where, in, =~, extend, tostring, isnotempty, join, kind=inner, on, between, order by, desc
