Locked Users
Query
// A user account was locked out.
SecurityEvent
| where EventID == 4740
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LockoutsCount = count() by Activity, Account, TargetSid, TargetDomainName, SourceComputerId, SourceDomainController = Computer
| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = TargetDomainNameExplanation
This query is looking for security events where a user account was locked out. It summarizes the start and end times of the lockout, the number of lockouts, and provides details about the activity, account, target SID, target domain name, source computer ID, and source domain controller. It also adds custom entities for the account and host.
Details

Rod Trent
Released: April 6, 2023
Tables
SecurityEvent
Keywords
UserAccountLockoutsCountActivityTargetSidTargetDomainNameSourceComputerIdSourceDomainControllerStartTimeEndTimetimestampAccountCustomEntityHostCustomEntity
Operators
wheresummarizeminmaxcountbyextend