ADFS Extranet Lockout - Sustained Brute Force (Error 396083)
01 ADFS Extranet Lockout
Query
ADFSSignInLogs
| where TimeGenerated > ago(1d)
| where ResultType == 396083
| summarize
LockoutCount = count(),
UniqueIPs = dcount(IPAddress),
IPs = make_set(IPAddress, 20),
Countries = make_set(Location),
Apps = make_set(AppDisplayName),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName
| where LockoutCount >= 3
| order by LockoutCount descExplanation
This query is designed to detect potential brute force or credential stuffing attacks on Active Directory Federation Services (ADFS) by identifying users who trigger multiple extranet lockout events (specifically error code 396083) within a 24-hour period. Here's a simplified breakdown:
- Purpose: To identify users who are repeatedly locked out due to failed login attempts, suggesting a possible attack.
- How it works:
- It examines ADFS sign-in logs over the past day (24 hours) for instances of error code 396083, which indicates an extranet lockout.
- It counts the number of lockouts per user and gathers information on the number of unique IP addresses, the countries from which the attempts originated, and the applications involved.
- It flags users who have been locked out three or more times.
- Alerting:
- If a user triggers three or more lockouts, an alert is generated.
- The alert includes details such as the number of lockouts, unique IP addresses involved, and potential countries of origin.
- Frequency: The query runs every 4 hours to ensure timely detection.
- Severity: The alert is marked as high severity due to the potential security risk.
- Incident Management:
- Incidents are created for detected cases, with the ability to group related alerts by user account.
- The system does not reopen closed incidents but looks back 12 hours to group related alerts.
Overall, this query helps security teams quickly identify and respond to potential unauthorized access attempts on ADFS by monitoring for patterns indicative of brute force attacks.
