Queries for the ADFSSignInLogs table

For information on using these queries in the Azure portal, see the Log Analytics tutorial. For the REST API, see Query.

Top ADFS account lockouts

Returns the top 10 IP addresses by number of lockouts in the last 7 days.

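ADFSSignInLogs
// Limit the search to the last 7 days
| where TimeGenerated > ago(7d)
// Status holds JSON; extract its errorCode field as an integer
| extend errorCode = toint(parse_json(Status).errorCode)
// Keep only the sign-ins that failed with the lockout error code
| where errorCode == 300300
// Count lockouts per source IP address and keep the 10 highest
| summarize Lockouts = count() by IPAddress
| top 10 by Lockouts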