Adversaries who brute force or password spray Active Directory credentials exceed the domain's bad-password threshold and trigger account lockouts, which the domain controller records as event 4740. Deliberately locking accounts is also a way to deny users access (MITRE ATT&CK T1531, Impact), and a cluster of lockouts is often the first visible sign of credential compromise. SOC teams should proactively hunt for this behavior in their Azure Sentinel (Microsoft Sentinel) environment to catch credential attacks early and prevent lateral movement.
KQL Query
SecurityEvent
| where EventID == 4740
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LockoutsCount = count() by Activity, Account, TargetSid, TargetDomainName, SourceComputerId, SourceDomainController = Computer
| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = TargetDomainName
id: e7642e6e-cf27-46ec-a4b9-e4475228fead
name: AD Account Lockout
description: |
  'Detects Active Directory account lockouts'
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - Impact
relevantTechniques:
  - T1531
query: |
  SecurityEvent
  | where EventID == 4740
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LockoutsCount = count() by Activity, Account, TargetSid, TargetDomainName, SourceComputerId, SourceDomainController = Computer
  | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = TargetDomainName
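The hunting query above tells you that an account was locked out and which computer caused it (in a 4740 event the caller computer name is carried in the TargetDomainName field, which is why the query maps it to HostCustomEntity), but not why. The following KQL is an added example, not part of the original page or of the Sentinel query, that joins each lockout to the wrong-password failures that preceded it (4625 with SubStatus 0xC000006A for NTLM and interactive logons, 4771 with Status 0x18 for Kerberos pre-authentication) and counts how many different accounts the same caller computer locked out. Column names follow the Sentinel SecurityEvent schema; the one-hour lookback, the spray threshold and the Assessment labels are assumptions to tune for your environment.

```kql
// Added example: explain each 4740 lockout with the failed logons that preceded it.
let lookback = 1h;          // assumed window before the lockout to inspect
let sprayThreshold = 3;     // assumed: one caller locking out >= 3 accounts is suspicious
let lockouts =
    SecurityEvent
    | where EventID == 4740
    | project LockoutTime = TimeGenerated, Account = TargetUserName, TargetSid,
              CallerComputer = TargetDomainName,   // 4740 stores the caller computer name here
              DomainController = Computer;
let failures =
    SecurityEvent
    | where (EventID == 4625 and SubStatus =~ "0xC000006A")   // wrong password (NTLM/interactive)
         or (EventID == 4771 and Status =~ "0x18")            // wrong password (Kerberos pre-auth)
    | project FailTime = TimeGenerated, Account = TargetUserName,
              SourceHost = WorkstationName, IpAddress, LogonType, EventID;
// How many distinct accounts did each caller computer lock out in the query window?
let callerStats =
    lockouts
    | summarize AccountsLockedByCaller = dcount(Account) by CallerComputer;
lockouts
| join kind=leftouter failures on Account
// Only failures inside the lookback window count toward this lockout.
| extend InWindow = isnotnull(FailTime) and FailTime between ((LockoutTime - lookback) .. LockoutTime)
| summarize FailedLogons = countif(InWindow),
            FailureEventIds = make_set_if(EventID, InWindow, 5),
            SourceHosts = make_set_if(SourceHost, InWindow, 10),
            SourceIps = make_set_if(IpAddress, InWindow, 10),
            LogonTypes = make_set_if(LogonType, InWindow, 5)
          by LockoutTime, Account, TargetSid, CallerComputer, DomainController
| join kind=leftouter callerStats on CallerComputer
| extend Assessment = case(
      AccountsLockedByCaller >= sprayThreshold,
          "Possible password spray: one caller locked out several accounts",
      FailedLogons == 0,
          "No matching failure events on this DC: check other DCs and audit policy coverage",
      array_length(LogonTypes) == 1 and toint(LogonTypes[0]) == 3,
          "Network logon failures only: likely a stale credential on the caller computer",
      "Repeated failures against one account: review with the user")
| project-away *1
| order by LockoutTime desc
```

Run it over the same time range as the base query. Bad-password events land on whichever host handled the authentication, so if a lockout shows zero matching failures, the 4625 was probably logged on a member server that is not forwarding security events, or 4771 is not being collected from the domain controllers; both are collection gaps worth closing before trusting the counts.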
| Sentinel Table | Notes |
|---|---|
| SecurityEvent | Ensure this data connector is enabled |
Scenario: Scheduled Account Lockout for Compliance Purposes
Description: An admin or an audit job deliberately triggers lockouts, for example a script that repeats failed logons to verify that the lockout policy is enforced. A lockout is the domain controller's response to the bad-password count exceeding the threshold, so a "manual" lockout from PowerShell or a similar tool is really a job presenting wrong credentials on a known schedule.
Filter/Exclusion: Match EventID 4740 (provider Microsoft-Windows-Security-Auditing) and exclude events whose caller computer (TargetDomainName) is the host that runs the known compliance job, limited to its scheduled window. Keep the exclusion narrow: the same host locking out accounts outside the window should still alert.
Scenario: Automated Account Lockout During Password Reset
Description: After a password reset, anything still holding the old password (mapped drives, saved RDP or browser credentials, mobile mail clients, scheduled tasks) keeps retrying and locks the account. A self-service password reset tool is a common trigger. The caller computer in the 4740 event identifies the device holding the stale credential; LAPS manages local administrator passwords and does not produce domain lockouts.
Filter/Exclusion: Exclude lockouts that follow a password reset (EventID 4724) for the same account within a short window and have a low lockout count, or lockouts whose caller computer is a known reset portal or password management server.
Scenario: System Maintenance Task Locking an Account
Description: A scheduled task, service or PowerShell job runs under a service account whose password has been rotated or expired, so every run presents the old password and eventually locks the account.
Filter/Exclusion: Exclude known service accounts when the caller computer is the server that runs the task. A known service account locked out from an unexpected host is not a false positive and should stay in the results.
Scenario: False Positive from Third-Party Application
Description: An integration or synchronization component (for example Microsoft Intune, Azure AD Connect, or SCCM) is configured with a service account whose credentials have been rotated or mistyped, so its periodic connections lock the account.
Filter/Exclusion: Exclude known integration and synchronization accounts when the lockout originates from the integration server; alert if the same account is locked out from anywhere else.
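The exclusions above can be applied directly to the base hunt. The following KQL is an added example, not part of the original page or of the Sentinel query, that tags each lockout with the scenario that explains it and drops the explained rows. The two datatables are constructed stand-ins for Sentinel watchlists (in production use _GetWatchlist with your own list names); the host and account names, the 30-minute reset window and the lockout-count limit are assumptions. Service accounts are excluded only when the lockout comes from the host they are expected to run on, so a known service account locked out from elsewhere is flagged instead of hidden.

```kql
// Added example: apply the false-positive exclusions above to the base lockout hunt.
// Constructed allowlists standing in for Sentinel watchlists (assumed names and values).
let KnownHosts = datatable(CallerComputer:string, HostReason:string)[
    "SSPR-WEB01",   "Self-service password reset portal (scenario 2)",
    "AADCONNECT01", "Azure AD Connect sync server (scenario 4)",
    "AUDIT-RUNNER", "Scheduled lockout-policy test job (scenario 1)"
];
let KnownAccounts = datatable(Account:string, ExpectedHost:string, AccountReason:string)[
    "svc_sccm_na",  "SCCM01", "SCCM network access account (scenario 4)",
    "svc_nightjob", "APP02",  "Scheduled maintenance task (scenario 3)"
];
let resetWindow = 30m;   // assumed: lockouts this soon after a reset are stale-credential retries
let maxResetLockouts = 2; // assumed: more than this after a reset deserves a look anyway
// Latest password reset (4724) per account in the query range.
let resets =
    SecurityEvent
    | where EventID == 4724
    | summarize LastReset = max(TimeGenerated) by Account = TargetUserName;
SecurityEvent
| where EventID == 4740
| extend Account = TargetUserName, CallerComputer = TargetDomainName
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LockoutsCount = count()
    by Account, TargetSid, CallerComputer, SourceDomainController = Computer
// Scenario 2: was the account's password reset shortly before the lockout?
| join kind=leftouter resets on Account
| extend RecentReset = isnotnull(LastReset) and LastReset between ((StartTime - resetWindow) .. StartTime)
// Scenarios 1, 2 and 4: lockouts caused by known hosts.
| join kind=leftouter KnownHosts on CallerComputer
// Scenarios 3 and 4: known service accounts, but only from their expected host.
| join kind=leftouter KnownAccounts on Account
| extend ExclusionReason = case(
      isnotempty(HostReason), HostReason,
      isnotempty(AccountReason) and CallerComputer =~ ExpectedHost, AccountReason,
      RecentReset and LockoutsCount <= maxResetLockouts, "Lockout shortly after a password reset (scenario 2)",
      "")
| extend Note = iff(isnotempty(AccountReason) and CallerComputer !~ ExpectedHost,
                    "Known service account locked out from an unexpected host", "")
// Drop explained lockouts. Remove this line to keep them as informational rows instead.
| where isempty(ExclusionReason)
| project StartTime, EndTime, Account, TargetSid, CallerComputer, SourceDomainController, LockoutsCount, Note
| order by LockoutsCount desc
```

Review the allowlists whenever a reset portal, sync server or service account moves: an exclusion keyed on a hostname that has been decommissioned and then reused by an attacker is a blind spot, which is why the example keys service-account exclusions on the expected host rather than on the account name alone.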
Scenario: Account Lockout Due to Temporary Credential Failure
Description: A legitimate user attempts to log in with