Non-Interactive Brute Force - Single User Targeted by Multiple IPs
23 Brute Force Single User Targeted
Query
let BruteForceErrors = dynamic([
"50126", // InvalidPasswordOrUsernameOrTenantInvalid
"50055", // InvalidPasswordExpiredPassword
"50056", // InvalidPasswordNullPassword
"50064", // CredentialAuthenticationError
"50053", // IdsLocked (account locked)
"50034", // UserAccountNotFound
"50057", // UserDisabled
"50128" // InvalidTenantName
]);
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| extend ErrorCode = tostring(ResultType)
| where ErrorCode in (BruteForceErrors)
| summarize
FailCount = count(),
UniqueIPs = dcount(IPAddress),
IPs = make_set(IPAddress, 20),
Countries = make_set(Location),
ErrorCodes = make_set(ErrorCode),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName
| where FailCount > 50
| extend IPAddress = tostring(IPs[0])
| order by FailCount descExplanation
This query is designed to detect brute force or credential stuffing attacks targeting a single user account. Here's a simplified breakdown:
-
Purpose: It identifies attacks where multiple IP addresses are used to attempt sign-ins to a single user account, likely to bypass rate limiting. These attacks are characterized by numerous failed login attempts with specific error codes indicating wrong passwords or locked accounts.
-
Data Source: The query analyzes logs from Azure Active Directory, specifically focusing on non-interactive user sign-in attempts.
-
Time Frame: It looks at sign-in attempts from the past hour.
-
Error Codes: The query filters for specific error codes that indicate failed login attempts due to incorrect passwords, expired passwords, locked accounts, etc.
-
Analysis: It counts the number of failed attempts, identifies the number of unique IP addresses involved, and collects information about these IPs and the countries they are from.
-
Threshold: It flags cases where there are more than 50 failed attempts for a single user within the hour.
-
Alerting: If such an attack pattern is detected, an alert is generated. The alert includes details like the number of failures, the number of distinct IPs, and the user account targeted.
-
Incident Management: If an alert is triggered, an incident is created. The system can group related alerts into a single incident based on the user account involved.
Overall, this query helps security teams identify and respond to potential brute force attacks on user accounts by monitoring failed login attempts from multiple IP addresses.
Details

David Alonso
Released: July 16, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 1h
Period: 1h