ADFSSignInLogs 數據表的查詢

前幾個 ADFS 帳戶鎖定

依鎖定數目傳回前 10 個 IP 位址。

ADFSSignInLogs
| where TimeGenerated > ago(7d)
| extend errorCode = toint(parse_json(Status).errorCode)
| where errorCode == 300300
| summarize Lockouts = count() by IPAddress
| top 10 by Lockouts