[Azure Sentinel] How I can know from where an account is getting locked


Hello everyone, I'm starting with Azure Sentinel in my organization, and one of the first things we want to know is, when an account is locked, where the user/malware was trying from.


Thanks in advance


Greetings


@aguaita-

Do you mean a user account? If so, from AD or Azure AD? AD is normally handled by Security Events/logs, and AAD is contained in the SigninLogs table (after you connect AAD to Sentinel).

Yes, a user account in our on-premises AD. We also have a copy in AAD. I'm searching for a query that, when I run it, can tell me how many users are locked out and from what IP. I have the query for PowerShell, but I don't know if it's possible to run it inside Azure Sentinel.

Thanks for the info, but this query didn't give me any data:

AADDomainServicesAccountManagement
| where TimeGenerated >= ago(7d)
| where OperationName has "4740"

I think it's because I don't have Azure AD Domain Services enabled.

I could figure this out with this simple query (at least, it's been giving me data, with a 2h delay):

SecurityEvent
| where EventID == 4740
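The last query above only lists the lockout events themselves. The following KQL is an added example (not from anyone in this thread) that extends it to answer the original question: which machine triggered each lockout, and which source IPs were failing logons for that account just before it. It assumes the Windows Security Events connector is feeding the SecurityEvent table from the domain controllers, that event 4740 stores its "Caller Computer Name" in the TargetDomainName column (verify this against the EventData XML in your tenant), and a 30-minute lockout observation window, which you should change to match your domain policy.

```kql
// Added example, not the thread's own query.
// Assumptions: SecurityEvent is populated from the DCs; in event 4740 the
// "Caller Computer Name" lands in TargetDomainName; lockout window is 30m.
let lookback = 7d;
let lockout_window = 30m;   // assumed; match your account lockout policy
// Lockout events (4740): one row per locked account, with the calling machine.
let lockouts =
    SecurityEvent
    | where TimeGenerated >= ago(lookback)
    | where EventID == 4740
    | project LockoutTime = TimeGenerated,
              DomainController = Computer,        // DC that processed the lockout
              LockedAccount = TargetUserName,     // account that was locked
              CallerComputer = TargetDomainName;  // machine the bad passwords came from
// Failed logons (4625) carry the source IP and workstation name.
let failures =
    SecurityEvent
    | where TimeGenerated >= ago(lookback)
    | where EventID == 4625
    | project FailTime = TimeGenerated,
              LockedAccount = TargetUserName,
              SourceIP = IpAddress,
              SourceWorkstation = WorkstationName,
              SubStatus;                          // failure reason code, e.g. bad password
// Pair each lockout with the failures for the same account inside the window
// before it. leftouter keeps lockouts that have no matching 4625 on the DC.
lockouts
| join kind=leftouter failures on LockedAccount
| where isnull(FailTime)
     or FailTime between ((LockoutTime - lockout_window) .. LockoutTime)
| summarize FailedAttempts = countif(isnotnull(FailTime)),
            SourceIPs = make_set_if(SourceIP, isnotempty(SourceIP)),
            Workstations = make_set_if(SourceWorkstation, isnotempty(SourceWorkstation))
        by LockoutTime, LockedAccount, CallerComputer, DomainController
| order by LockoutTime desc
```

If a lockout shows a CallerComputer but no SourceIPs, the failed logons were most likely recorded on a member server or workstation rather than on the DC, so you would need the 4625 events from those hosts as well (or the Kerberos pre-authentication failures, event 4771, from the DCs) to get the IP.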