Query Details

ADFS Extranet Lockout - Sustained Brute Force (Error 396083)

01 ADFS Extranet Lockout

Query

ADFSSignInLogs
| where TimeGenerated > ago(1d)
| where ResultType == 396083
| summarize
    LockoutCount = count(),
    UniqueIPs    = dcount(IPAddress),
    IPs          = make_set(IPAddress, 20),
    Countries    = make_set(Location),
    Apps         = make_set(AppDisplayName),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated)
  by UserPrincipalName
| where LockoutCount >= 3
| order by LockoutCount desc

Explanation

This query is designed to detect potential brute force or credential stuffing attacks on Active Directory Federation Services (ADFS) by identifying users who trigger multiple extranet lockout events (specifically error code 396083) within a 24-hour period. Here's a simplified breakdown:

  • Purpose: To identify users who are repeatedly locked out due to failed login attempts, suggesting a possible attack.
  • How it works:
    • It examines ADFS sign-in logs over the past day (24 hours) for instances of error code 396083, which indicates an extranet lockout.
    • It counts the number of lockouts per user and gathers information on the number of unique IP addresses, the countries from which the attempts originated, and the applications involved.
    • It flags users who have been locked out three or more times.
  • Alerting:
    • If a user triggers three or more lockouts, an alert is generated.
    • The alert includes details such as the number of lockouts, unique IP addresses involved, and potential countries of origin.
  • Frequency: The query runs every 4 hours to ensure timely detection.
  • Severity: The alert is marked as high severity due to the potential security risk.
  • Incident Management:
    • Incidents are created for detected cases, with the ability to group related alerts by user account.
    • The system does not reopen closed incidents but looks back 12 hours to group related alerts.

Overall, this query helps security teams quickly identify and respond to potential unauthorized access attempts on ADFS by monitoring for patterns indicative of brute force attacks.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogs

Keywords

ADFSExtranetLockoutUsersIPsCountriesAppsAccounts

Operators

ago==summarizecountdcountmake_setminmaxby>=order by

Severity

High

Tactics

CredentialAccessInitialAccess

MITRE Techniques

Frequency: 4h

Period: 1d

Actions

GitHub