A lockout on a privileged account is often the visible side effect of password spraying or brute-force attempts against that account, or of an attacker testing stolen credentials before moving laterally. SOC teams should hunt for this in Azure Sentinel: the rule below takes sign-in events with result code 50053 (account locked after too many failed sign-in attempts) and keeps only those whose UserPrincipalName or AlternateSignInName belongs to an account that IdentityInfo marks as holding an admin role or admin group membership, so lockouts on ordinary users do not generate alerts. Each hit carries the account and the source IP as entities for triage.
KQL Query
let admins = (IdentityInfo
| where AssignedRoles contains "Admin" or GroupMembership has "Admin"
| summarize by tolower(AccountUPN));
SigninLogs
| where ResultType == 50053
| extend AccountUPN = tolower(UserPrincipalName)
| extend AltUPN = tolower(AlternateSignInName)
| where AccountUPN in (admins) or AltUPN in (admins)
| extend AccountCustomEntity = AccountUPN, IPCustomEntity = IPAddress
id: fc12c925-84ce-4371-bcff-e745cd937da6
name: Privileged Accounts Locked Out
description: |
  'Identifies privileged accounts that have been locked out. Verify these lockouts are due to legitimate user activity and not due to threat actors attempting to access the accounts.
  Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
  - connectorId: BehaviorAnalytics
    dataTypes:
      - IdentityInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1078.004
query: |
  let admins = (IdentityInfo
  | where AssignedRoles contains "Admin" or GroupMembership has "Admin"
  | summarize by tolower(AccountUPN));
  SigninLogs
  | where ResultType == 50053
  | extend AccountUPN = tolower(UserPrincipalName)
  | extend AltUPN = tolower(AlternateSignInName)
  | where AccountUPN in (admins) or AltUPN in (admins)
  | extend AccountCustomEntity = AccountUPN, IPCustomEntity = IPAddress
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.1.0
| Sentinel Table | Notes |
|---|---|
| IdentityInfo | Populated by the BehaviorAnalytics (UEBA) connector; ensure it is enabled, otherwise the `admins` set is empty and the rule never fires |
| SigninLogs | Populated by the AzureActiveDirectory connector; ensure it is enabled |
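To make the join logic testable without a workspace, here is the same matching logic re-implemented in Python over constructed sample records. This is an added example, not the rule's own code and not anything from the Sentinel repository; it queries nothing and exists only so the admin-set construction, the AlternateSignInName path and the string-typed ResultType comparison can be exercised offline. The helper names (`kql_contains`, `kql_has`, `privileged_upns`, `privileged_lockouts`) and the optional `known_source_ips` allow list (a tuning knob for the false-positive scenarios below, not part of the rule) are my own, and the two KQL operator helpers approximate `contains` and `has` semantics on dynamic columns rather than reproducing Kusto exactly.

```python
"""Added example: the rule's matching logic in plain Python over
constructed IdentityInfo and SigninLogs records. Not the Sentinel rule's
own code; no workspace is queried."""
import json
import re

# Constructed IdentityInfo rows. AssignedRoles and GroupMembership are
# dynamic arrays in the real schema; plain lists stand in for them here.
IDENTITY_INFO = [
    {"AccountUPN": "Alice.Admin@contoso.com",
     "AssignedRoles": ["Global Administrator"],
     "GroupMembership": ["sg-it"]},
    {"AccountUPN": "bob@contoso.com",
     "AssignedRoles": [],
     "GroupMembership": ["sg-helpdesk", "Tier0 Admin Ops"]},
    {"AccountUPN": "carol@contoso.com",
     "AssignedRoles": [],
     "GroupMembership": ["sg-finance"]},
]

# Constructed SigninLogs rows. ResultType is a string column in SigninLogs,
# so it is kept as a string here as well.
SIGNIN_LOGS = [
    # Privileged UPN locked out from an unknown address: should alert.
    {"UserPrincipalName": "alice.admin@contoso.com", "AlternateSignInName": "",
     "ResultType": "50053", "IPAddress": "203.0.113.7",
     "AppDisplayName": "Azure Portal"},
    # UPN differs from the IdentityInfo record; only the alternate
    # sign-in name is in the admin set: should still alert.
    {"UserPrincipalName": "bob@contoso.onmicrosoft.com",
     "AlternateSignInName": "Bob@contoso.com",
     "ResultType": "50053", "IPAddress": "198.51.100.9",
     "AppDisplayName": "Office 365 Exchange Online"},
    # Wrong password (50126) without a lockout: out of scope for this rule.
    {"UserPrincipalName": "alice.admin@contoso.com", "AlternateSignInName": "",
     "ResultType": "50126", "IPAddress": "203.0.113.7",
     "AppDisplayName": "Azure Portal"},
    # Non-privileged user locked out: dropped by the admins filter.
    {"UserPrincipalName": "carol@contoso.com", "AlternateSignInName": "",
     "ResultType": "50053", "IPAddress": "192.0.2.44",
     "AppDisplayName": "Azure Portal"},
]


def kql_contains(values, needle):
    """Approximates KQL `contains` on a dynamic array: case-insensitive
    substring match over the array's string form, so "Global Administrator"
    contains "Admin"."""
    return needle.lower() in json.dumps(values).lower()


def kql_has(values, needle):
    """Approximates KQL `has` on a dynamic array: case-insensitive match of a
    whole alphanumeric term, so "Tier0 Admin Ops" has "Admin" while
    "Global Administrator" does not (which is why the rule uses both)."""
    terms = {t.lower() for t in re.findall(r"[A-Za-z0-9]+", json.dumps(values))}
    return needle.lower() in terms


def privileged_upns(identity_rows):
    """The `admins` let-expression: lower-cased UPNs of accounts whose
    AssignedRoles contain "Admin" or whose GroupMembership has "Admin"."""
    return {
        row["AccountUPN"].lower()
        for row in identity_rows
        if kql_contains(row.get("AssignedRoles", []), "Admin")
        or kql_has(row.get("GroupMembership", []), "Admin")
    }


def privileged_lockouts(signin_rows, admins, known_source_ips=frozenset()):
    """The SigninLogs half of the query. `known_source_ips` is an added
    tuning parameter (not in the rule) for a documented automation source
    expected to trip lockouts; leave it empty to mirror the rule exactly."""
    hits = []
    for row in signin_rows:
        # str() so an int-typed ResultType from another source still matches.
        if str(row.get("ResultType", "")) != "50053":
            continue
        upn = (row.get("UserPrincipalName") or "").lower()
        alt = (row.get("AlternateSignInName") or "").lower()
        if upn not in admins and alt not in admins:
            continue
        if row.get("IPAddress") in known_source_ips:
            continue
        hits.append({
            "AccountCustomEntity": upn,  # the rule maps the UPN, not the alt name
            "IPCustomEntity": row.get("IPAddress"),
            "MatchedOn": "UserPrincipalName" if upn in admins else "AlternateSignInName",
            "AppDisplayName": row.get("AppDisplayName"),
        })
    return hits


if __name__ == "__main__":
    admins = privileged_upns(IDENTITY_INFO)
    for hit in privileged_lockouts(SIGNIN_LOGS, admins):
        print(json.dumps(hit))
```

Run as-is it prints two hits (alice via her UPN, bob via his alternate sign-in name) and drops the 50126 event and carol's lockout. Note that the rule's entity mapping always carries the lower-cased UserPrincipalName, so when the match came through AlternateSignInName the analyst must look at that field to see which admin identity was actually targeted; the `MatchedOn` field above is added for that reason.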
Scenario: Scheduled Job or Service Using a Privileged Account
Description: A legitimate automated process (a scheduled task, a CI/CD or configuration-management job, a script that stores an administrator's password) keeps retrying sign-in with a password that has since changed or was mistyped in its configuration, and the retries trip smart lockout (result 50053) on the privileged account.
Filter/Exclusion: In SigninLogs the source of the attempt is visible in AppDisplayName, ClientAppUsed, UserAgent and IPAddress; exclude a documented automation source by those fields (for example a known IPAddress together with the AppDisplayName the job uses). Host-side identifiers such as a process name do not appear in cloud sign-in logs and cannot be used here. The durable fix is to move the job off a user account onto a service principal or managed identity.
Scenario: Admin Task with Temporary Password
Description: An administrator given a temporary password for a one-off task (a newly created account, a break-glass credential, a just-reset password) enters it incorrectly enough times to trigger the lockout.
Filter/Exclusion: No single field identifies this case, so corroborate rather than exclude: check that the IPAddress is a known corporate or admin range, that the lockout is preceded by a handful of 50126 (invalid username or password) events rather than a high-volume burst, and that a successful sign-in from the same IP follows. Windows event 4625 with logon type 3 belongs to on-premises Security logs and does not apply to this SigninLogs rule.
Scenario: Stale Credentials After a Password Reset
Description: After a privileged account's password is reset (by the user through self-service password reset, or by the help desk), devices and applications that cached the old password keep retrying it and lock the account. The reset itself is recorded in AuditLogs, not SigninLogs, so a failed reset does not on its own produce a 50053 event.
Filter/Exclusion: Correlate the lockout with a recent password reset or change for the same account in AuditLogs (OperationName values such as "Reset user password" or "Change user password") and confirm the failed attempts come from the user's known devices and IPs; do not exclude on application name alone, since an attacker can use the same client.
Scenario: Multi-Factor Authentication (MFA) Failure
Description: A user may fail MFA authentication (e.g., via Azure MFA, Google Authenticator, or Authy) when attempting to log in, leading