aguaita-
May 12, 2020 - Copper Contributor
[Azure Sentinel] How I can know from where an account is getting locked
Hello everyone, I'm starting with Azure Sentinel in my organization, and one of the first pieces of data we want to know is, if an account is locked, from where the user/malware was trying. Thanks in advanc...
CliveWatson
Microsoft
May 12, 2020
Lockout needs this https://docs.microsoft.com/en-us/azure/active-directory-domain-services/troubleshoot-account-lockout#troubleshoot-account-lockouts-with-security-audits and https://docs.microsoft.com/en-us/azure/active-directory-domain-services/security-audit-events
aguaita-
May 12, 2020 - Copper Contributor
Thanks for the info, but this query didn't give me any data:
AADDomainServicesAccountManagement
| where TimeGenerated >= ago(7d)
| where OperationName has "4740"
I think it is because I don't have Azure AD Domain Services enabled.
I could figure this out with this simple query (at least, it's been giving me data, with a 2-hour delay):
SecurityEvent
| where EventID == 4740
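An added example, not part of the original posts: one way to extend the `SecurityEvent` query above so it answers the "from where" part of the question. It assumes event 4625 (failed logon) is also being collected into `SecurityEvent`; the 7-day lookback and the 30-minute correlation window are arbitrary choices.

```kql
// Added example; lookback and window values are assumptions, tune them to your lockout policy.
let lookback = 7d;
let window = 30m;
let lockouts = SecurityEvent
    | where TimeGenerated >= ago(lookback)
    | where EventID == 4740
    // In event 4740 the "Caller Computer Name" is carried in the TargetDomainName field.
    | project LockoutTime = TimeGenerated,
              DomainController = Computer,
              LockedUser = tolower(TargetUserName),
              CallerComputer = TargetDomainName;
let failures = SecurityEvent
    | where TimeGenerated >= ago(lookback + window)
    | where EventID == 4625
    | project FailureTime = TimeGenerated,
              LockedUser = tolower(TargetUserName),
              IpAddress, WorkstationName, LogonType;
lockouts
| join kind=leftouter failures on LockedUser
// Flag failures that fall inside the window before the lockout.
// Lockouts with no matching 4625 events are kept, with empty sets.
| extend InWindow = isnotnull(FailureTime)
                    and FailureTime >= LockoutTime - window
                    and FailureTime <= LockoutTime
| summarize FailedAttempts = countif(InWindow),
            SourceIPs = make_set_if(IpAddress, InWindow, 20),
            SourceWorkstations = make_set_if(WorkstationName, InWindow, 20),
            LogonTypes = make_set_if(LogonType, InWindow, 10)
    by LockoutTime, DomainController, LockedUser, CallerComputer
| order by LockoutTime desc
```

`CallerComputer` is the machine the domain controller recorded as the origin of the lockout; `SourceIPs` and `SourceWorkstations` stay empty when the hosts that received the failed logons are not sending 4625 events to the workspace.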