Query Details

HUNT 01 ADFS Extranet Lockout History 30d

Query

id: a1f00001-0001-4001-9001-adfs00000001
name: HUNT-01 ADFS Extranet Lockout History (30d)
description: |
  30-day timeline of ADFS extranet lockout events (ResultType 396083) per user/IP.
  Surfaces sustained brute-force campaigns that RULE-01 might suppress via
  grouping. Excludes IPs from the NetworkAllowlist watchlist.
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - ADFSSignInLogs
tactics:
  - CredentialAccess
relevantTechniques:
  - T1110
query: |
  ADFSSignInLogs
  | invoke ExcludeAllowlistedIPs()
  | where TimeGenerated > ago(30d)
  | where ResultType == 396083
  | summarize
      LockoutCount = count(),
      UniqueIPs    = dcount(IPAddress),
      IPs          = make_set(IPAddress, 25),
      Countries    = make_set(Location, 10),
      Apps         = make_set(AppDisplayName, 10),
      FirstSeen    = min(TimeGenerated),
      LastSeen     = max(TimeGenerated),
      ActiveDays   = dcount(startofday(TimeGenerated))
    by UserPrincipalName
  | extend SustainedCampaign = ActiveDays >= 3
  | order by LockoutCount desc

Explanation

This query is designed to analyze and summarize Active Directory Federation Services (ADFS) extranet lockout events over the past 30 days. Here's a simple breakdown of what it does:

  1. Data Source: It uses data from the ADFSSignInLogs table, which is delivered by the Azure Active Directory data connector.

  2. Exclusion: It first calls the ExcludeAllowlistedIPs() function to drop events whose IP address is on the NetworkAllowlist watchlist (trusted IPs), so those never reach the counts below.

  3. Time Frame: It focuses on events that occurred in the last 30 days.

  4. Event Type: It specifically looks for events with a ResultType of 396083, which indicates extranet lockout events.

  5. Aggregation: For each user (identified by their UserPrincipalName), it calculates:

    • The total number of lockout events (LockoutCount).
    • The number of unique IP addresses involved (UniqueIPs).
    • A list of up to 25 IP addresses that were involved (IPs).
    • A list of up to 10 countries from which the lockout attempts originated (Countries).
    • A list of up to 10 applications that were targeted (Apps).
    • The first and last time the lockout events were seen (FirstSeen and LastSeen).
    • The number of distinct calendar days (UTC, via startofday) on which lockout events occurred (ActiveDays).

  6. Sustained Campaign Detection: It flags users who experienced lockout events on three or more distinct days as potentially targeted by a sustained brute-force campaign (SustainedCampaign). A user hit by a large burst of lockouts within a single day is still listed, but is not flagged.

  7. Ordering: The results are ordered by the number of lockout events in descending order, highlighting users with the most lockout activity.

Overall, this query helps identify users who might be under attack from brute-force attempts by analyzing lockout patterns and excluding known safe IPs.
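To check the query's semantics offline, the following added Python example (not part of the original page or the author's query) models the same pipeline over a few constructed ADFSSignInLogs rows: allowlist exclusion, the 30-day window, the ResultType filter, the per-user aggregation, and the SustainedCampaign flag. It assumes ExcludeAllowlistedIPs() behaves like a membership test against a constructed allowlist, that timestamps are UTC (as startofday in KQL is), and that "now" is a fixed reference time.

```python
"""Added example: Python model of the HUNT-01 aggregation over constructed rows.
Assumptions: ExcludeAllowlistedIPs() == membership test against NETWORK_ALLOWLIST,
UTC timestamps, fixed reference time NOW. Not the page's own code."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EXTRANET_LOCKOUT = 396083  # ResultType used by the query

# Constructed stand-in for the NetworkAllowlist watchlist (assumption).
NETWORK_ALLOWLIST = {"10.0.0.5"}

# Fixed reference time so the 30-day window is deterministic (constructed).
NOW = datetime(2026, 5, 13, tzinfo=timezone.utc)


def _row(upn, days_ago, hour, ip, loc, app, result=EXTRANET_LOCKOUT):
    """Build one constructed ADFSSignInLogs-like record."""
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago) + timedelta(hours=hour),
        "ResultType": result, "IPAddress": ip, "Location": loc,
        "AppDisplayName": app, "UserPrincipalName": upn,
    }


SAMPLE_LOGS = [
    # alice: lockouts on three distinct days from two IPs -> sustained campaign
    _row("alice@example.com", 10, 2, "203.0.113.7", "US", "Outlook"),
    _row("alice@example.com", 5, 1, "203.0.113.7", "US", "Outlook"),
    _row("alice@example.com", 5, 9, "198.51.100.3", "DE", "SharePoint"),
    _row("alice@example.com", 1, 4, "198.51.100.3", "DE", "Outlook"),
    _row("alice@example.com", 1, 6, "198.51.100.3", "DE", "Outlook", result=0),  # success, not a lockout
    # bob: five lockouts inside one day -> highest count, but not sustained
    *[_row("bob@example.com", 2, h, "192.0.2.44", "BR", "Outlook") for h in range(5)],
    # carol: lockout from an allowlisted IP -> dropped by the exclusion step
    _row("carol@example.com", 3, 3, "10.0.0.5", "US", "Outlook"),
    # dave: lockout 45 days ago -> outside the 30-day window
    _row("dave@example.com", 45, 3, "203.0.113.9", "FR", "Outlook"),
]


def exclude_allowlisted_ips(rows, allowlist=NETWORK_ALLOWLIST):
    """Model of `invoke ExcludeAllowlistedIPs()` (assumption: plain set membership)."""
    return [r for r in rows if r["IPAddress"] not in allowlist]


def make_set(values, cap):
    """KQL make_set(): distinct values, at most `cap`; sorted here for determinism."""
    return sorted(set(values))[:cap]


def hunt_lockout_history(rows, now=NOW, window=timedelta(days=30), allowlist=NETWORK_ALLOWLIST):
    """Return one summary dict per UserPrincipalName, ordered by LockoutCount desc."""
    since = now - window
    candidates = [
        r for r in exclude_allowlisted_ips(rows, allowlist)
        if r["TimeGenerated"] > since and r["ResultType"] == EXTRANET_LOCKOUT
    ]
    groups = defaultdict(list)
    for r in candidates:
        groups[r["UserPrincipalName"]].append(r)

    results = []
    for upn, events in groups.items():
        times = [e["TimeGenerated"] for e in events]
        active_days = len({t.date() for t in times})  # dcount(startofday(TimeGenerated))
        results.append({
            "UserPrincipalName": upn,
            "LockoutCount": len(events),
            "UniqueIPs": len({e["IPAddress"] for e in events}),
            "IPs": make_set((e["IPAddress"] for e in events), 25),
            "Countries": make_set((e["Location"] for e in events), 10),
            "Apps": make_set((e["AppDisplayName"] for e in events), 10),
            "FirstSeen": min(times),
            "LastSeen": max(times),
            "ActiveDays": active_days,
            "SustainedCampaign": active_days >= 3,
        })
    results.sort(key=lambda r: r["LockoutCount"], reverse=True)
    return results


if __name__ == "__main__":
    for r in hunt_lockout_history(SAMPLE_LOGS):
        print(f'{r["UserPrincipalName"]:20} lockouts={r["LockoutCount"]} '
              f'ips={r["UniqueIPs"]} days={r["ActiveDays"]} sustained={r["SustainedCampaign"]}')
```

On the constructed data, bob tops the list by LockoutCount yet is not flagged, while alice is flagged because her lockouts span three calendar days; carol and dave never appear. That is the property the description calls out: the hunt surfaces slow campaigns that a count-per-window rule would group away, but it deliberately does not flag single-day bursts.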

Details


David Alonso

Released: May 13, 2026

Tables

ADFSSignInLogs

Keywords

ADFSSignInLogs, IPAddress, Location, AppDisplayName, UserPrincipalName, TimeGenerated

Operators

invoke, ExcludeAllowlistedIPs, where, ago, summarize, count, dcount, make_set, min, max, startofday, extend, order by
