[Azure Sentinel] How I can know from where an account is getting locked

Question

Hello everyone, I´m starting with Azure Sentinel in my organization and one of the first data we want to know, is if an account is locked, from where the user/malware was trying.

Thanks in advanced

Grettings

clivewatson · Answer

aguaita-&nbsp;
&nbsp;
Do you mean a user account, if so from AD or Azure AD?&nbsp; &nbsp;AD is normally handled by Security Events/logs and AAD is contained in the Siginlogs table (after you connect AAD to Sentinel)

aguaita- · Answer

Yes, user account in our premise AD. We have also a copy in AAD. I´m searching for query that when I run it, can tell me how many users are locked out and from what IP. I have the query for Powershell but I dont know if it´s possible run it inside Azure Sentinel

clivewatson · Answer

aguaita-&nbsp;
&nbsp;
Lockout needs this&nbsp;https://docs.microsoft.com/en-us/azure/active-directory-domain-services/troubleshoot-account-lockout#troubleshoot-account-lockouts-with-security-audits&nbsp; and&nbsp;https://docs.microsoft.com/en-us/azure/active-directory-domain-services/security-audit-events

aguaita- · Answer

Thanks for the info. but this query didn´t give me any data:AADDomainServicesAccountManagement| where TimeGenerated &gt;= ago(7d)| where OperationName has "4740"I think is because I dont have Azure AD Domain Services enabled.I could figure this out with this simple query (at least, it´s being giving me data, with a 2hs delay)SecurityEvent| where EventID == 4740

Forum Discussion

[Azure Sentinel] How I can know from where an account is getting locked

4 Replies

Resources