Query Details

Locked Users

Query

// A user account was locked out.

SecurityEvent
| where EventID == 4740
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LockoutsCount = count() by Activity, Account, TargetSid, TargetDomainName, SourceComputerId, SourceDomainController = Computer
| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = TargetDomainName

Explanation

This query selects SecurityEvent records with EventID 4740, the Windows event written on the domain controller when a user account is locked out. It groups those events by Activity, Account, TargetSid, TargetDomainName, SourceComputerId and the reporting domain controller (the Computer column, renamed SourceDomainController), and for each group records the earliest and latest lockout time (StartTime, EndTime) and the number of lockout events (LockoutsCount). The final extend sets timestamp to StartTime and maps the account and target domain name to the AccountCustomEntity and HostCustomEntity columns used for entity mapping in Microsoft Sentinel.

Details

Rod Trent

Released: April 6, 2023

Tables

SecurityEvent

Keywords

User,Account,LockoutsCount,Activity,TargetSid,TargetDomainName,SourceComputerId,SourceDomainController,StartTime,EndTime,timestamp,AccountCustomEntity,HostCustomEntity

Operators

where, summarize, min, max, count, by, extend