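```Latest Active Directory account lockout per domain/account, built on the Splunk Windows TA eventtype. The original host=* term was a no-op (it matches every event) and is dropped.```
index=windows eventtype="msad-account-lockout"
```For EventCode 4740 the TA maps src_nt_host from "Caller Computer Name": the machine the failing credentials came from, i.e. the pivot for an investigation. Fall back to the logging host only when the TA did not extract it.```
| eval src_nt_host=if(isnull(src_nt_host),host,src_nt_host)
```644 is the legacy (pre-Vista/2008) lockout event ID, 4740 the current one. Any other ID that the eventtype happens to match is kept out of the report below.```
| eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
```latest() takes each value from the chronologically newest event per domain/user, so time, source host, logging host and lockout flag all describe the same event. host is the Splunk host that logged the event - presumably the DC that processed the lockout; NOTE(review): if the TA extracts dest_nt_host, prefer it here.```
| stats latest(_time) AS time, latest(src_nt_host) AS src_host, latest(host) AS dc_host, latest(lockout) AS lockout by dest_nt_domain, user
| search lockout="Yes"
| eval ltime=strftime(time,"%c")
```The domain stays in the output so identical account names in different domains are not confused. The caller computer is labelled as the source; the original gist reported it under "Domain Controller", which is misleading whenever src_nt_host is populated.```
| table ltime, dest_nt_domain, user, src_host, dc_host
| rename ltime AS "Lockout Time", dest_nt_domain AS "Domain", user AS "Account", src_host AS "Source Host", dc_host AS "Domain Controller"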
Created
July 9, 2021 01:57