HUNT 01 ADFS Extranet Lockout History 30d
Query
ADFSSignInLogs
| invoke ExcludeAllowlistedIPs()
| where TimeGenerated > ago(30d)
| where ResultType == 396083
| summarize
LockoutCount = count(),
UniqueIPs = dcount(IPAddress),
IPs = make_set(IPAddress, 25),
Countries = make_set(Location, 10),
Apps = make_set(AppDisplayName, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
ActiveDays = dcount(startofday(TimeGenerated))
by UserPrincipalName
| extend SustainedCampaign = ActiveDays >= 3
| order by LockoutCount descExplanation
This query is designed to analyze and summarize Active Directory Federation Services (ADFS) extranet lockout events over the past 30 days. Here's a simple breakdown of what it does:
-
Data Source: It uses data from the ADFSSignInLogs, which is part of the Azure Active Directory data connector.
-
Exclusion: It excludes any IP addresses that are on a predefined allowlist (trusted IPs).
-
Time Frame: It focuses on events that occurred in the last 30 days.
-
Event Type: It specifically looks for events with a ResultType of 396083, which indicates extranet lockout events.
-
Aggregation: For each user (identified by their UserPrincipalName), it calculates:
- The total number of lockout events (
LockoutCount). - The number of unique IP addresses involved (
UniqueIPs). - A list of up to 25 IP addresses that were involved (
IPs). - A list of up to 10 countries from which the lockout attempts originated (
Countries). - A list of up to 10 applications that were targeted (
Apps). - The first and last time the lockout events were seen (
FirstSeenandLastSeen). - The number of days on which lockout events occurred (
ActiveDays).
- The total number of lockout events (
-
Sustained Campaign Detection: It flags users who experienced lockout events on three or more different days as being potentially targeted by a sustained brute-force campaign (
SustainedCampaign). -
Ordering: The results are ordered by the number of lockout events in descending order, highlighting users with the most lockout activity.
Overall, this query helps identify users who might be under attack from brute-force attempts by analyzing lockout patterns and excluding known safe IPs.
Details

David Alonso
Released: May 13, 2026
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques