Query Details

High-Frequency Token Refresh - Possible Session Hijack or Automated Abuse

19 High Frequency Token Refresh

Query

AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| summarize
    RefreshCount = count(),
    Apps         = make_set(AppDisplayName),
    Countries    = make_set(Location)
  by UserPrincipalName, IPAddress
| where RefreshCount > 150
| order by RefreshCount desc

Explanation

This query is designed to detect unusual activity related to token refreshes in Azure Active Directory. It looks for users or IP addresses that have more than 150 successful non-interactive token refreshes within a single hour. Such high refresh rates can indicate potential security threats like session hijacking, automated abuse, or malware activity.

Here's a simplified breakdown of the query:

  1. Purpose: Identify users or IPs with an unusually high number of token refreshes, which could suggest malicious activity.

  2. Data Source: It uses logs from Azure Active Directory, specifically focusing on non-interactive user sign-ins.

  3. Time Frame: The query checks for activity within the past hour.

  4. Criteria: It filters for successful token refreshes (ResultType == 0) and counts how many times each user or IP address refreshes tokens.

  5. Threshold: Alerts are triggered if the refresh count exceeds 150 within an hour.

  6. Output: The results are sorted by the number of refreshes, and details like the applications used and the countries involved are included.

  7. Alerting: If the threshold is met, an alert is generated with details about the user, IP address, and the number of refreshes. This alert is formatted to highlight the potential issue.

  8. Incident Management: The system can create incidents based on these alerts, grouping them by user account and IP address to manage and investigate potential security incidents effectively.

Overall, this query helps security teams monitor and respond to potential threats related to token misuse in their Azure environment.

Details

David Alonso profile picture

David Alonso

Released: July 16, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

AzureActiveDirectoryAADNonInteractiveUserSignInLogsUserPrincipalNameIPAddressAppsCountriesAccountIPTokenRefreshCount

Operators

ago()count()make_set()summarizewhereorder by

Severity

Medium

Tactics

CredentialAccessPersistence

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub