This query monitors STS refresh token changes made by Service Principals/Applications, excluding DirectorySync. Such changes could be due to admins adjusting tokens or to changes made for an improved login experience. The query includes an allowlist. Analyze the results for unusual operations.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Cloud Identity Threat Protection Essentials |
| ID | 4696e072-aca8-4a4f-bf05-89fddc5ac3c9 |
| Severity | Low |
| Tactics | CredentialAccess |
| Techniques | T1550.001 |
| Required Connectors | AzureActiveDirectory |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| AuditLogs | OperationName has "StsRefreshTokenValidFrom" | ✓ | ✗ | ? |