[Azure Sentinel] How I can know from where an account is getting locked


Hello everyone, I'm starting with Azure Sentinel in my organization, and one of the first things we want to know is, if an account is locked, from where the user/malware was trying.


Thanks in advance


Greetings


@aguaita- 


Do you mean a user account? If so, from AD or Azure AD? AD is normally handled by Security Events/logs, and AAD is contained in the SigninLogs table (after you connect AAD to Sentinel).

Yes, a user account in our on-premises AD. We also have a copy in AAD. I'm searching for a query that, when I run it, can tell me how many users are locked out and from what IP. I have the query for PowerShell, but I don't know if it's possible to run it inside Azure Sentinel.

@aguaita- 

Lockout needs this https://docs.microsoft.com/en-us/azure/active-directory-domain-services/troubleshoot-account-lockout#troubleshoot-account-lockouts-with-security-audits and https://docs.microsoft.com/en-us/azure/active-directory-domain-services/security-audit-events

Thanks for the info, but this query didn't give me any data:

AADDomainServicesAccountManagement
| where TimeGenerated >= ago(7d)
| where OperationName has "4740"

I think it's because I don't have Azure AD Domain Services enabled.

I could figure this out with this simple query (at least it's been giving me data, with a 2-hour delay):

SecurityEvent
| where EventID == 4740
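The SecurityEvent query above lists lockouts but not where they came from. The following KQL is an added example, not from the thread, that extends it: it assumes the Windows Security Events connector forwards event 4740 from the domain controllers and 4625 (failed logons) from the relevant hosts into the SecurityEvent table, and relies on the SecurityEvent schema placing the "Caller Computer Name" of a 4740 event in the TargetDomainName column. The 1h window and the column aliases are choices made for this example.

```kql
// Added example: for each lockout (4740), show the caller computer and the
// source IPs / workstations of failed logons (4625) for the same account in
// the hour before the lockout. Assumes the connector sends both event IDs.
let lookback = 7d;
let window = 1h;
let lockouts = SecurityEvent
    | where TimeGenerated >= ago(lookback)
    | where EventID == 4740
    // For 4740, TargetDomainName carries the Caller Computer Name
    | project LockoutTime = TimeGenerated,
              Account = TargetUserName,
              CallerComputer = TargetDomainName,
              DomainController = Computer;
let failures = SecurityEvent
    | where TimeGenerated >= ago(lookback)
    | where EventID == 4625
    | project FailTime = TimeGenerated,
              Account = TargetUserName,
              SourceIP = IpAddress,
              Workstation = WorkstationName,
              SubStatus;   // e.g. bad password vs. unknown user
lockouts
| join kind=leftouter failures on Account
| where isnull(FailTime) or FailTime between ((LockoutTime - window) .. LockoutTime)
| summarize Failures = countif(isnotnull(FailTime)),
            SourceIPs = make_set(SourceIP),
            Workstations = make_set(Workstation),
            SubStatuses = make_set(SubStatus)
  by LockoutTime, Account, CallerComputer, DomainController
| order by LockoutTime desc
```

Rows with an empty SourceIPs set but a populated CallerComputer usually mean the failures happened on a host that is not sending 4625 events to the workspace; the caller computer is then the place to look next.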