What Changed
New hunting query SignInASNMismatchInteractiveVsNonInteractive.yaml added to Hunting Queries/MultipleDataSources/ targeting post-compromise authentication material abuse.
Detection Logic
The query correlates successful interactive sign-ins (SigninLogs) with successful non-interactive sign-ins (AADNonInteractiveUserSignInLogs) for the same user within a 10-minute window. It triggers when:
- Both sign-ins have different Autonomous System Numbers (ASNs)
- IP addresses differ between the two events
- Both authentication events are successful (ResultType == 0)
Entity mappings include Account (FullName, Name, UPNSuffix) and IP (NonInteractiveIP address).
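The correlation described above, written out as an added Python example so the join conditions can be exercised against constructed records offline. This is not the project's KQL query and not code from the PR; it assumes that "within a 10-minute window" means the absolute time difference between the two events, that user matching is on a case-insensitive UPN, and that the output mirrors the entity mappings listed (Name, UPNSuffix, NonInteractiveIP). The sample sign-ins are constructed and use documentation IP ranges and ASNs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the 10-minute window is applied as |t_noninteractive - t_interactive| <= 10 min.
WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class SignIn:
    """One row from SigninLogs or AADNonInteractiveUserSignInLogs (simplified)."""
    time: datetime
    upn: str            # UserPrincipalName
    ip: str             # IPAddress
    asn: int            # AutonomousSystemNumber
    result_type: int    # 0 == success


def find_asn_mismatches(interactive, noninteractive, window=WINDOW):
    """Return one finding per (interactive, non-interactive) pair where:
       - both events are successful (result_type == 0),
       - the same user signed in (UPN compared case-insensitively),
       - the events are within `window` of each other,
       - the ASNs differ, and
       - the IP addresses differ."""
    successful_ni = [e for e in noninteractive if e.result_type == 0]
    findings = []
    for i_ev in interactive:
        if i_ev.result_type != 0:
            continue
        for n_ev in successful_ni:
            if n_ev.upn.lower() != i_ev.upn.lower():
                continue
            if abs(n_ev.time - i_ev.time) > window:
                continue
            if n_ev.asn == i_ev.asn or n_ev.ip == i_ev.ip:
                continue
            name, _, suffix = i_ev.upn.partition("@")
            # Fields shaped after the entity mappings the PR describes.
            findings.append({
                "FullName": i_ev.upn,
                "Name": name,
                "UPNSuffix": suffix,
                "InteractiveTime": i_ev.time,
                "NonInteractiveTime": n_ev.time,
                "InteractiveIP": i_ev.ip,
                "NonInteractiveIP": n_ev.ip,
                "InteractiveASN": i_ev.asn,
                "NonInteractiveASN": n_ev.asn,
            })
    return findings


# Constructed sample telemetry (documentation IPs and ASNs, not real data).
T0 = datetime(2024, 1, 15, 10, 0, 0)
SAMPLE_INTERACTIVE = [
    SignIn(T0, "alice@contoso.example", "203.0.113.10", 64496, 0),   # success
    SignIn(T0, "bob@contoso.example", "192.0.2.5", 64496, 0),        # success
    SignIn(T0, "carol@contoso.example", "203.0.113.20", 64496, 0),   # success
    SignIn(T0, "dave@contoso.example", "203.0.113.30", 64496, 50126),  # failed sign-in
]
SAMPLE_NONINTERACTIVE = [
    # alice: different ASN and IP, 4 minutes later -> matches the hypothesis
    SignIn(T0 + timedelta(minutes=4), "Alice@contoso.example", "198.51.100.7", 64497, 0),
    # bob: different IP but same ASN (e.g. carrier NAT) -> not flagged
    SignIn(T0 + timedelta(minutes=3), "bob@contoso.example", "192.0.2.6", 64496, 0),
    # carol: different ASN but 30 minutes later -> outside the window
    SignIn(T0 + timedelta(minutes=30), "carol@contoso.example", "198.51.100.9", 64498, 0),
    # dave: interactive event failed, so no correlation regardless of ASN
    SignIn(T0 + timedelta(minutes=2), "dave@contoso.example", "198.51.100.11", 64498, 0),
]


if __name__ == "__main__":
    for f in find_asn_mismatches(SAMPLE_INTERACTIVE, SAMPLE_NONINTERACTIVE):
        print(f"{f['FullName']}: {f['InteractiveIP']} (AS{f['InteractiveASN']}) -> "
              f"{f['NonInteractiveIP']} (AS{f['NonInteractiveASN']})")
```

Only alice's pair satisfies every condition; bob's shows why the ASN check suppresses same-network IP churn, and carol's shows the effect of the window. The benign scenarios the PR lists (VPN, roaming, mobile background refresh, multiple devices, corporate proxies) would all produce findings of exactly alice's shape, which is why the results are hunting leads rather than alerts.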
MITRE Mapping
- T1550.001 — Use Alternate Authentication Material: Application Access Token
- T1539 — Steal Web Session Cookie (post-compromise usage pattern)
Security Impact
This hypothesis-driven hunting query provides a new angle for detecting potential post-compromise token misuse that doesn't require non-AAD connectors. It complements the existing PossibleAiTMPhishingAttemptAgainstAAD detection by focusing purely on Microsoft Entra ID sign-in telemetry patterns. Analysts must validate all results, as benign matches are expected in VPN, roaming, mobile background refresh, multi-device, and corporate proxy scenarios.
Affected Files
Hunting Queries/MultipleDataSources/SignInASNMismatchInteractiveVsNonInteractive.yaml