Forum Discussion

Marek Stelcik's avatar
Marek Stelcik
Copper Contributor
Jul 26, 2023
Solved

Locked accounts in onprem AD - KQL

Can you help me please with query to list locked accounts?    The event of being locked in on prem AD is this security event. We do not have much connectors so I need to work with security event. ...
KQL
kusto
  • KubaTom's avatar
    KubaTom
    Aug 01, 2023

    Marek Stelcik 

     

    You're correct, my bad! Try this:

     

    let UnlockEvent=SecurityEvent
| where EventID == 4767
| summarize arg_max(TimeGenerated, *) by TargetUserName
| extend UnlockTime=TimeGenerated;
SecurityEvent
| where EventID == 4740
| summarize arg_max(TimeGenerated, *) by TargetUserName
| extend LockoutTime=TimeGenerated
| join kind=leftouter UnlockEvent on TargetUserName
| where LockoutTime > UnlockTime or isempty(UnlockTime)
| project TargetUserName, LockoutTime, UnlockTime
| sort by TargetUserName asc

     

DS2022's avatar
DS2022
Copper Contributor
Aug 03, 2023

 

SecurityEvent
|where EventID =="4740"
|summarize by TimeGenerated, Activity,TargetUserName,SubjectUserName,TargetDomainName, Computer
|sort by TimeGenerated

Marek Stelcik 

Resources