Lockout Events from DC

Description

This analysis searches the domain controllers' security event log for event ID 4740 (user lockout). It searches the last 24 hours.

 


Property Details

ID: 2998671
Status: Beta - Preliminary testing ready for more
Title: Lockout Events from DC
Domain: BESC
Keywords: DC, Event-log, Lockout user
Added by on 3/23/2022 11:25:52 AM
Last Modified by on 3/23/2022 11:25:52 AM
Counters: 213 Views / 1 Download

Properties

Lockout Users
Period: 1 hour
computer name, ((month of it as two digits & "/" & day_of_month of it as two digits & "/" & year of it as string) of dates (local time zone) of times generated of it, (time of times (local time zone) of times generated of it), concatenation of substrings separated by "%0d%0a" of (preceding text of first "%0d%0a" of following text of last "Account Name:%09%09" of it) of (descriptions of it)) of records whose (event id of it = 4740 and now - time generated of it < 1*day) of (security event log)
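What the property above does to each event, as an added Python example that is not part of the analysis: the 4740 message contains two "Account Name:" fields (the reporting Subject first, then the locked-out account), which is why the relevance takes the text after the last one. The sample message, host and account names are constructed, and the time-of-day format is an assumption.

```python
from datetime import datetime, timedelta

MARKER = "Account Name:\t\t"  # "%09%09" in the relevance is two tab characters

# Constructed sample of a 4740 message body (CRLF line endings, i.e. "%0d%0a").
SAMPLE_4740 = "\r\n".join([
    "A user account was locked out.",
    "",
    "Subject:",
    "\tSecurity ID:\t\tSYSTEM",
    "\tAccount Name:\t\tDC01$",          # the DC's own account, not the user
    "\tAccount Domain:\t\tEXAMPLE",
    "\tLogon ID:\t\t0x3E7",
    "",
    "Account That Was Locked Out:",
    "\tSecurity ID:\t\tEXAMPLE\\jdoe",
    "\tAccount Name:\t\tjdoe",           # the field the property reports
    "",
    "Additional Information:",
    "\tCaller Computer Name:\tWKS042",
    "",
])

def locked_out_account(description):
    """Text after the LAST marker up to the next CRLF; None if the marker is absent."""
    _head, sep, tail = description.rpartition(MARKER)
    if not sep:
        return None
    return tail.split("\r\n", 1)[0]

def lockout_rows(records, now, window=timedelta(days=1)):
    """Keep event ID 4740 newer than `window`; emit (MM/DD/YYYY, time, account)."""
    rows = []
    for event_id, generated, description in records:
        if event_id == 4740 and now - generated < window:
            rows.append((generated.strftime("%m/%d/%Y"),
                         generated.strftime("%H:%M:%S"),
                         locked_out_account(description)))
    return rows

# Constructed records: (event id, time generated, description)
NOW = datetime(2022, 3, 23, 12, 0, 0)
RECORDS = [
    (4740, NOW - timedelta(hours=2), SAMPLE_4740),    # inside the 24-hour window
    (4740, NOW - timedelta(hours=30), SAMPLE_4740),   # too old, filtered out
    (4624, NOW - timedelta(minutes=5), "An account was successfully logged on.\r\n"),
]

if __name__ == "__main__":
    print(lockout_rows(RECORDS, NOW))
```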

Relevance

isWindows (Relevance 1172)
Used in 1145 fixlets and 538 analyses
windows of operating system
Used in 1 analysis
product type of operating system = nt domain controller product type


Comments

sonofmalkav -
Thank you, I will test it.
jgstew -
Event log relevance can be very slow; it might make more sense for this property to report less often (once every 3 or 6 hours) but cover 2 days of time.