Unusual ADFS Remote Synchronization network connections from non-ADFS server

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2026-06-15
Category
Analytics Alert Reference
Index by
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Firewall EAL Logs
      OR
    • XDR Agent

Detection Modules

Detector Tags

Active Directory Federation Services Analytics

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

Detected an unauthorized configuration sync request to the ADFS Policy Store from a non-ADFS server, a step toward forging SAML tokens in a Golden SAML attack.

Attacker's Goals

The attack goal is to forge a valid SAML token to impersonate any user and gain persistent, unauthorized access to cloud resources, effectively bypassing MFA and standard security controls.

Investigative actions

  • Correlate this network event with AD FS service account activity. The attacker must use the service account's credentials to authenticate this request.
  • Check for possible DCSync alerts.
  • Check for alerts related to the ADFS server.
  • Check for other correlated alerts on on-premises systems that may be related to the Golden SAML attack.
  • Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Inspect the source machine for the presence of tools like AADInternals or custom SOAP-based scripts.
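As an added illustration (not part of the Cortex XDR reference), a small Python detector that applies this alert's logic to constructed connection records: it flags policy store sync requests to ADFS farm members from hosts outside the farm and suppresses repeats from the same source within the 1-day deduplication period listed above. The farm IPs, the log line format and the sync endpoint path are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample values, not taken from any real environment.
ADFS_SERVERS = {"10.0.1.10", "10.0.1.11"}          # hypothetical ADFS farm members
SYNC_PATH = "/adfs/services/policystoretransfer"   # assumed policy store transfer endpoint
DEDUP_WINDOW = timedelta(days=1)                   # the alert's 1-day deduplication period


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    first_seen: datetime


def parse_log(line):
    """Parse a constructed 'timestamp src dst dst_port url_path' record."""
    ts, src, dst, port, path = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "path": path}


def detect_unusual_sync(lines, adfs_servers=ADFS_SERVERS):
    """Return one Alert per non-ADFS source that requests a configuration sync,
    suppressing further alerts from the same source inside DEDUP_WINDOW."""
    alerts, last_alerted = [], {}
    for rec in sorted((parse_log(l) for l in lines), key=lambda r: r["ts"]):
        if rec["dst"] not in adfs_servers or rec["path"].lower() != SYNC_PATH:
            continue  # not a policy store sync request to an ADFS server
        if rec["src"] in adfs_servers:
            continue  # replication between farm members is expected
        prev = last_alerted.get(rec["src"])
        if prev is not None and rec["ts"] - prev < DEDUP_WINDOW:
            continue  # already alerted on this source within the dedup window
        last_alerted[rec["src"]] = rec["ts"]
        alerts.append(Alert(rec["src"], rec["dst"], rec["ts"]))
    return alerts


SAMPLE_LOGS = [  # constructed records: farm sync, workstation sync x2, sign-in, next-day sync
    "2024-03-01T08:00:00 10.0.1.11 10.0.1.10 80 /adfs/services/policystoretransfer",
    "2024-03-01T09:15:00 10.0.5.42 10.0.1.10 80 /adfs/services/policystoretransfer",
    "2024-03-01T09:20:00 10.0.5.42 10.0.1.10 80 /adfs/services/policystoretransfer",
    "2024-03-01T10:00:00 10.0.5.42 10.0.1.10 443 /adfs/ls/",
    "2024-03-02T11:00:00 10.0.5.42 10.0.1.10 80 /adfs/services/policystoretransfer",
]

if __name__ == "__main__":
    for a in detect_unusual_sync(SAMPLE_LOGS):
        print(f"ALERT: {a.src} -> {a.dst} policy store sync request at {a.first_seen}")
```

The workstation's second request five minutes later is deduplicated, while its request the next day exceeds the window and raises a fresh alert.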