Query Details

02 ADFS Password Spray Single IP

Query

id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
name: ADFS Password Spray - Single IP Targeting Multiple Accounts
version: 1.0.0
kind: Scheduled
description: |
  Detects a single IP address generating credential errors (invalid password, locked account,
  user not found, extranet lockout) against more than 10 distinct ADFS accounts within 24 hours.
  This is the classic password spray pattern: one IP cycling through many usernames with common
  passwords to stay under per-account lockout thresholds. ADFS-based spray is stealthy because
  it may not trigger per-user lockout until the extranet lockout threshold is reached.
  MITRE ATT&CK: T1110 (Brute Force - Password Spraying)
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - ADFSSignInLogs
queryFrequency: 4h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - InitialAccess
relevantTechniques:
  - T1110
query: |
  let SprayErrors = dynamic(["50126", "50034", "50053", "396083"]);
  ADFSSignInLogs
  | where TimeGenerated > ago(1d)
  | extend ErrorCode = tostring(ResultType)
  | where ErrorCode in (SprayErrors)
  | summarize
      TargetCount = dcount(UserPrincipalName),
      Targets     = make_set(UserPrincipalName, 30),
      FailCount   = count(),
      ErrorCodes  = make_set(ErrorCode),
      UserAgents  = make_set(UserAgent),
      Countries   = make_set(Location),
      FirstSeen   = min(TimeGenerated),
      LastSeen    = max(TimeGenerated)
    by IPAddress
  | where TargetCount > 10
  | order by TargetCount desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  TargetCount: TargetCount
  FailCount: FailCount
  ErrorCodes: ErrorCodes
alertDetailsOverride:
  alertDisplayNameFormat: "ADFS Password Spray from {{IPAddress}} - {{TargetCount}} accounts targeted"
  alertDescriptionFormat: "IP {{IPAddress}} has targeted {{TargetCount}} ADFS accounts with {{FailCount}} credential failures. Possible password spray attack."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT12H
    matchingMethod: AnyAlert
    groupByEntities:
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect potential password spray attacks targeting Active Directory Federation Services (ADFS). Here's a simplified breakdown of what it does:

  1. Purpose: The query identifies instances where a single IP address is causing multiple credential errors (like invalid passwords or locked accounts) across more than 10 different ADFS accounts within a 24-hour period. This pattern is indicative of a password spray attack, where an attacker tries common passwords across many accounts to avoid triggering lockouts.

  2. Severity and Techniques: The severity of this detection is marked as "High," and it aligns with the MITRE ATT&CK technique T1110, which involves brute force attacks like password spraying.

  3. Data Source: It uses data from Azure Active Directory, specifically the ADFSSignInLogs, to find these patterns.

  4. Query Logic:

    • It looks at sign-in logs from the past day.
    • Filters for specific error codes that indicate credential failures.
    • Summarizes the data by counting distinct user accounts targeted by each IP address.
    • Checks if an IP address has targeted more than 10 accounts.
    • Orders the results by the number of accounts targeted.

  5. Alerting: If the query finds any IP addresses meeting these criteria, it generates an alert. The alert includes details like the number of accounts targeted and the number of failed attempts, suggesting a possible password spray attack.

  6. Incident Management: The system is configured to create an incident for each alert, grouping alerts by IP address to manage them efficiently.

Overall, this query helps security teams identify and respond to stealthy password spray attacks on ADFS systems by monitoring for suspicious login patterns from single IP addresses.
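As an added illustration (not part of the original rule or its author's work), the same per-IP aggregation re-implemented in Python and run over constructed sample events, so the distinct-account threshold can be checked offline; field names mirror the KQL query, and the IP addresses and accounts are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_ERRORS = {"50126", "50034", "50053", "396083"}  # the rule's SprayErrors list
TARGET_THRESHOLD = 10  # rule alerts when TargetCount > 10
MAX_TARGETS = 30       # make_set(UserPrincipalName, 30)


def detect_spray(records, now):
    """Replicates the rule's summarize ... by IPAddress | where TargetCount > 10."""
    window_start = now - timedelta(days=1)  # TimeGenerated > ago(1d)
    groups = defaultdict(lambda: {"Targets": set(), "FailCount": 0,
                                  "ErrorCodes": set(), "Seen": []})
    for r in records:
        code = str(r["ResultType"])  # extend ErrorCode = tostring(ResultType)
        if r["TimeGenerated"] <= window_start or code not in SPRAY_ERRORS:
            continue
        g = groups[r["IPAddress"]]
        g["Targets"].add(r["UserPrincipalName"])   # feeds dcount(UserPrincipalName)
        g["FailCount"] += 1                         # count()
        g["ErrorCodes"].add(code)                   # make_set(ErrorCode)
        g["Seen"].append(r["TimeGenerated"])        # for min()/max(TimeGenerated)
    hits = []
    for ip, g in groups.items():
        if len(g["Targets"]) > TARGET_THRESHOLD:
            hits.append({"IPAddress": ip, "TargetCount": len(g["Targets"]),
                         "Targets": sorted(g["Targets"])[:MAX_TARGETS],
                         "FailCount": g["FailCount"],
                         "ErrorCodes": sorted(g["ErrorCodes"]),
                         "FirstSeen": min(g["Seen"]), "LastSeen": max(g["Seen"])})
    return sorted(hits, key=lambda h: h["TargetCount"], reverse=True)  # order by TargetCount desc


# Constructed sample events (not real telemetry): one IP cycling through 12 accounts,
# one user failing repeatedly from a single IP, and one event older than the window.
NOW = datetime(2026, 3, 24, 12, 0)
SAMPLE = (
    [{"TimeGenerated": NOW - timedelta(minutes=i), "IPAddress": "203.0.113.7",
      "UserPrincipalName": f"user{i}@example.com",
      "ResultType": 50126 if i % 3 else 50034} for i in range(12)]
    + [{"TimeGenerated": NOW - timedelta(minutes=i), "IPAddress": "198.51.100.9",
        "UserPrincipalName": "alice@example.com", "ResultType": "50126"} for i in range(15)]
    + [{"TimeGenerated": NOW - timedelta(days=2), "IPAddress": "203.0.113.7",
        "UserPrincipalName": "old@example.com", "ResultType": "50053"}]
)

if __name__ == "__main__":
    for hit in detect_spray(SAMPLE, NOW):
        print(f"{hit['IPAddress']}: {hit['TargetCount']} accounts, {hit['FailCount']} failures")
```

The 198.51.100.9 records show why the rule keys on distinct accounts rather than raw failures: fifteen failures against one account is a lockout or a forgotten password, not a spray, and the stale 50053 event is excluded by the 24-hour window.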

Details

David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogs

Keywords

ADFS, Password, IP, Accounts, Credential, Errors, User, Extranet, AzureActiveDirectory, ADFSSignInLogs, TimeGenerated, ResultType, UserPrincipalName, UserAgent, Location, IPAddress

Operators

let, dynamic, where, ago, extend, tostring, in, summarize, dcount, make_set, count, min, max, by, order, desc