Adversaries may attempt to brute force credentials by repeatedly locking out and unlocking Active Directory accounts to evade detection. SOC teams should proactively hunt for this behavior to identify potential credential compromise attempts in their Azure Sentinel environment.
KQL Query

```kusto
IdentityDirectoryEvents
| where ActionType == 'Account Unlock changed'
| extend AccountLockStatus = iif(tobool(parse_json(AdditionalFields)['TO Account Unlock']), 'Locked', 'Unlocked')
```
```yaml
id: 9f384f37-ff17-446d-b49a-40c6fb98b1ba
name: Active Directory Account lockout and unlocks
description: |
  This query lists Active Directory account lockout and unlock events
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - IdentityDirectoryEvents
tactics:
  - Initial Access
relevantTechniques: []
query: |
  IdentityDirectoryEvents
  | where ActionType == 'Account Unlock changed'
  | extend AccountLockStatus = iif(tobool(parse_json(AdditionalFields)['TO Account Unlock']), 'Locked', 'Unlocked')
version: 1.0.0
metadata:
  source:
    kind: Community
  author:
    name: Martin Schvartzman
  support:
    tier: Community
  categories:
    domains: [ "Security - Identity" ]
```
| Sentinel Table | Notes |
|---|---|
| IdentityDirectoryEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Scheduled account lockout testing by security team using PowerShell | EventID != 4740 or Source != "Microsoft-Windows-Security-Auditing" |
| Automated account unlock via Microsoft Entra ID (formerly Azure AD) synchronization job | EventID != 4741 or Source != "Microsoft-Windows-Security-Auditing" |
| Temporary lockout during Group Policy Object (GPO) enforcement or update | EventID != 4740 or Source != "Microsoft-Windows-Security-Auditing" |
| Account lockout due to failed login attempts from Windows Server Backup service | EventID != 4625 or Source != "Microsoft-Windows-Security-Auditing" |
| Manual account unlock performed by an admin using Local Security Policy (secpol.msc) | EventID != 4741 or Source != "Microsoft-Windows-Security-Auditing" |
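The KQL above only labels each event as Locked or Unlocked; the hunting goal stated at the top of the page is to spot accounts that cycle between the two states repeatedly. The following Python script is an added example (not part of the original page or the author's query) that reproduces the query's AccountLockStatus derivation as written, including its `'TO Account Unlock'` to `'Locked'` mapping, over constructed IdentityDirectoryEvents-style records, then counts completed lock/unlock cycles per account inside a sliding window. The exclusion scenarios listed above are expressed with Windows Security Event fields (EventID, Source) that IdentityDirectoryEvents does not carry, so the example models exclusions as an allowlist of account UPNs instead; the UPNs, timestamps, the `SAMPLE_EVENTS` records and the `window`/`min_cycles` thresholds are all assumptions made for the example.

```python
"""Hunt for repeated lock/unlock churn in IdentityDirectoryEvents-style records."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ACTION = "Account Unlock changed"


def _ev(ts, upn, to_unlock, action=ACTION):
    # Build one constructed record with the columns the page's KQL relies on.
    return {"Timestamp": ts, "ActionType": action, "TargetAccountUpn": upn,
            "AdditionalFields": json.dumps({"TO Account Unlock": to_unlock})}


# Constructed sample telemetry (not real data). jdoe cycles four times in 35 minutes,
# asmith locks once and is unlocked later, svc-backup is a known noisy service account.
SAMPLE_EVENTS = [
    _ev("2024-05-01T08:00:00Z", "jdoe@contoso.example", True),
    _ev("2024-05-01T08:05:00Z", "jdoe@contoso.example", False),
    _ev("2024-05-01T08:10:00Z", "jdoe@contoso.example", True),
    _ev("2024-05-01T08:15:00Z", "jdoe@contoso.example", False),
    _ev("2024-05-01T08:20:00Z", "jdoe@contoso.example", True),
    _ev("2024-05-01T08:25:00Z", "jdoe@contoso.example", False),
    _ev("2024-05-01T08:30:00Z", "jdoe@contoso.example", True),
    _ev("2024-05-01T08:35:00Z", "jdoe@contoso.example", False),
    _ev("2024-05-01T09:00:00Z", "asmith@contoso.example", "true"),   # string form, as tobool() accepts
    _ev("2024-05-01T09:30:00Z", "asmith@contoso.example", "false"),
    _ev("2024-05-01T09:31:00Z", "asmith@contoso.example", None, action="Group Membership changed"),
    _ev("2024-05-01T10:00:00Z", "svc-backup@contoso.example", True),
    _ev("2024-05-01T10:02:00Z", "svc-backup@contoso.example", False),
    _ev("2024-05-01T10:04:00Z", "svc-backup@contoso.example", True),
    _ev("2024-05-01T10:06:00Z", "svc-backup@contoso.example", False),
    _ev("2024-05-01T10:08:00Z", "svc-backup@contoso.example", True),
    _ev("2024-05-01T10:10:00Z", "svc-backup@contoso.example", False),
]

# Hypothetical allowlist standing in for the page's exclusion scenarios.
EXCLUDED_ACCOUNTS = frozenset({"svc-backup@contoso.example"})


def _to_bool(value):
    # Approximates KQL tobool(): accepts bools, numbers and "true"/"false" strings.
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def account_lock_status(event):
    """Mirror the page's extend: 'Locked' if 'TO Account Unlock' is true, else 'Unlocked'."""
    if event.get("ActionType") != ACTION:
        return None
    fields = json.loads(event.get("AdditionalFields") or "{}")
    return "Locked" if _to_bool(fields.get("TO Account Unlock")) else "Unlocked"


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_lock_unlock_churn(events, window=timedelta(hours=1), min_cycles=3,
                           excluded_accounts=frozenset()):
    """Return {upn: max cycles completed inside any `window`} for accounts at or above min_cycles."""
    per_account = defaultdict(list)
    for ev in events:
        status = account_lock_status(ev)
        if status is None:
            continue
        upn = ev["TargetAccountUpn"].lower()
        if upn in excluded_accounts:
            continue
        per_account[upn].append((_parse_ts(ev["Timestamp"]), status))

    findings = {}
    for upn, seq in per_account.items():
        seq.sort()
        cycles = []           # timestamps at which a Locked -> Unlocked cycle completed
        pending_lock = None
        for ts, status in seq:
            if status == "Locked":
                pending_lock = ts
            elif pending_lock is not None:
                cycles.append(ts)
                pending_lock = None
        # Sliding window over cycle completions: densest stretch wins.
        best, start = 0, 0
        for end in range(len(cycles)):
            while cycles[end] - cycles[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_cycles:
            findings[upn] = best
    return findings


if __name__ == "__main__":
    for upn, count in find_lock_unlock_churn(SAMPLE_EVENTS, excluded_accounts=EXCLUDED_ACCOUNTS).items():
        print(f"{upn}: {count} lock/unlock cycles within one hour")
```

Running the script flags only jdoe; svc-backup would also cross the threshold but is dropped by the allowlist, which is the role the page's Filter/Exclusion column plays. In Sentinel the same aggregation can be expressed by extending the page's query with `summarize` over `bin(Timestamp, 1h)` and `TargetAccountUpn`, with the allowlist as a `where TargetAccountUpn !in (...)` clause.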