Query Details

Non-Interactive Brute Force - Single User Targeted by Multiple IPs

23 Brute Force Single User Targeted

Query

let BruteForceErrors = dynamic([
    "50126",  // InvalidPasswordOrUsernameOrTenantInvalid
    "50055",  // InvalidPasswordExpiredPassword
    "50056",  // InvalidPasswordNullPassword
    "50064",  // CredentialAuthenticationError
    "50053",  // IdsLocked (account locked)
    "50034",  // UserAccountNotFound
    "50057",  // UserDisabled
    "50128"   // InvalidTenantName
]);
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| extend ErrorCode = tostring(ResultType)
| where ErrorCode in (BruteForceErrors)
| summarize
    FailCount   = count(),
    UniqueIPs   = dcount(IPAddress),
    IPs         = make_set(IPAddress, 20),
    Countries   = make_set(Location),
    ErrorCodes  = make_set(ErrorCode),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
  by UserPrincipalName
| where FailCount > 50
| extend IPAddress = tostring(IPs[0])
| order by FailCount desc

Explanation

This query is designed to detect brute force or credential stuffing attacks targeting a single user account. Here's a simplified breakdown:

  • Purpose: It identifies attacks where multiple IP addresses are used to attempt sign-ins to a single user account, likely to bypass rate limiting. These attacks are characterized by numerous failed login attempts with specific error codes indicating wrong passwords or locked accounts.

  • Data Source: The query analyzes logs from Azure Active Directory, specifically focusing on non-interactive user sign-in attempts.

  • Time Frame: It looks at sign-in attempts from the past hour.

  • Error Codes: The query filters for specific error codes that indicate failed login attempts due to incorrect passwords, expired passwords, locked accounts, etc.

  • Analysis: It counts the number of failed attempts, identifies the number of unique IP addresses involved, and collects information about these IPs and the countries they are from.

  • Threshold: It flags cases where there are more than 50 failed attempts for a single user within the hour.

  • Alerting: If such an attack pattern is detected, an alert is generated. The alert includes details like the number of failures, the number of distinct IPs, and the user account targeted.

  • Incident Management: If an alert is triggered, an incident is created. The system can group related alerts into a single incident based on the user account involved.

Overall, this query helps security teams identify and respond to potential brute force attacks on user accounts by monitoring failed login attempts from multiple IP addresses.

Details

David Alonso profile picture

David Alonso

Released: July 16, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

AzureActiveDirectoryAADNonInteractiveUserSignInLogsUserPrincipalNameIPAddressLocationTimeGeneratedResultTypeAccountIP

Operators

letdynamicwhereagoextendtostringinsummarizecountdcountmake_setminmaxbyorderdesc

Severity

Medium

Tactics

CredentialAccessInitialAccess

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub