Forum Discussion
aguaita-
May 12, 2020Copper Contributor
[Azure Sentinel] How I can know from where an account is getting locked
Hello everyone, I´m starting with Azure Sentinel in my organization and one of the first data we want to know, is if an account is locked, from where the user/malware was trying.
Thanks in advanced
Grettings
- CliveWatsonMicrosoft
Do you mean a user account, if so from AD or Azure AD? AD is normally handled by Security Events/logs and AAD is contained in the Siginlogs table (after you connect AAD to Sentinel)
- aguaita-Copper ContributorYes, user account in our premise AD. We have also a copy in AAD. I´m searching for query that when I run it, can tell me how many users are locked out and from what IP. I have the query for Powershell but I dont know if it´s possible run it inside Azure Sentinel
- CliveWatsonMicrosoft