Query Details

ROPC Impossible Travel - Multiple Countries via Password Grant

28 ROPC Impossible Travel

Query

let LegitRopcApps = dynamic([
    "Microsoft Authentication Broker",
    "Microsoft Intune Company Portal",
    "Azure AD Connect",
    "Microsoft Office",
    "Microsoft Office Authentication Broker"
]);
// ROPC sign-ins surface in SigninLogs more than the non-interactive table; correlate both.
let RopcSignIns =
    union isfuzzy=true
        (SigninLogs
            | where TimeGenerated > ago(1h)
            | where AuthenticationProtocol =~ "ropc"
            | project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultType),
        (AADNonInteractiveUserSignInLogs
            | where TimeGenerated > ago(1h)
            | where AuthenticationProtocol =~ "ropc"
            | project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultType);
RopcSignIns
| invoke ExcludeAllowlistedIPs_AADNI()
| where ResultType == 0
| where AppDisplayName !in~ (LegitRopcApps)
| where isnotempty(Location)
| summarize
    Count        = count(),
    Countries    = make_set(Location),
    CountryCount = dcount(Location),
    IPs          = make_set(IPAddress),
    IPCount      = dcount(IPAddress),
    Apps         = make_set(AppDisplayName),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated)
  by UserPrincipalName
| where CountryCount >= 2 and IPCount >= 2
| extend IPAddress = tostring(IPs[0])
| order by CountryCount desc, Count desc

Explanation

This query is designed to detect suspicious login activity using the Resource Owner Password Credentials (ROPC) flow, which requires a user's password for authentication. Specifically, it looks for instances where the same user successfully logs in from two or more different countries within a one-hour period. This could indicate that the user's credentials have been stolen and are being used by attackers from different locations.

Here's a simplified breakdown of the query:

  1. Purpose: Identify potential misuse of user credentials by detecting logins from multiple countries within a short time frame, which is unusual and suggests possible credential theft.

  2. Data Sources: The query examines logs from two tables: SigninLogs and AADNonInteractiveUserSignInLogs, which record sign-in activities.

  3. Criteria:

    • The user must log in from at least two different countries and two different IP addresses within one hour.
    • The login must use the ROPC authentication protocol.
    • The application used for login should not be one of the known legitimate ROPC applications (e.g., Microsoft Office, Azure AD Connect).
  4. Exclusions:

    • IP addresses that are on an allowlist (e.g., corporate VPNs) are excluded to reduce false positives.
    • Known legitimate ROPC applications are excluded from triggering alerts.
  5. Alerting:

    • If the criteria are met, an alert is generated indicating "impossible travel" for the user, highlighting the number of countries involved.
    • The alert includes details such as the number of sign-ins, countries, distinct IPs, and applications used.
  6. Severity and Response:

    • The severity of this alert is classified as "High" due to the potential risk of account takeover.
    • An incident is created for further investigation, and similar alerts can be grouped together if they involve the same user account.

Overall, this query helps security teams quickly identify and respond to potential security breaches involving compromised user credentials.

Details

David Alonso profile picture

David Alonso

Released: July 16, 2026

Tables

SigninLogsAADNonInteractiveUserSignInLogs

Keywords

UserDevicesIntuneAccountIPAddressLocationAuthenticationProtocolAppDisplayNameResultTypeTimeGenerated

Operators

letdynamicunionisfuzzywhere=~projectinvokeExcludeAllowlistedIPs_AADNI==!in~isnotemptysummarizecountmake_setdcountminmaxby>=extendtostringorder bydesc

Severity

High

Tactics

InitialAccessCredentialAccessDefenseEvasion

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub