We get a number of tickets for users' accounts being locked out over and over again. I was wondering if anyone had any quick wins on how they find out the cause of this?
I have been using -
index=main sourcetype="*wineventlog:security" "usersADaccount" ((EventCode=4776 Keywords="Audit Failure") OR (EventCode=680 "Failure Audit")) NOT (Logon_Account="*$" OR Logon_account="*$") | eval "User Account"=coalesce(Logon_Account,Logon_account)
This brings back the locked-out events, but I can't really see why it's happening from this.
Not a full answer, but from what I have seen in the past, many times the reason is many failed login attempts. Windows logs it in event code 4625.
Read more here: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
Create a search that correlates the locked accounts with failed logins; maybe this is the reason.
I wonder, maybe your AD admin can help you as well to find the root cause.
Hope it helps.
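As an added example (not part of the original question or answer), here is one way to build the correlation search suggested above: it pulls the account-lockout event (4740) together with the failed-logon events the thread mentions (4625 and the failing 4776 from the asker's search) and summarises, per account, how many failures preceded each lockout and from which hosts. It assumes the field names the Splunk Windows add-on extracts (Account_Name, Logon_Account, Caller_Computer_Name, Workstation_Name, Source_Network_Address, Source_Workstation, Sub_Status, Error_Code) and the same index and sourcetype as the asker's search; adjust them to your environment.

```spl
index=main sourcetype="*wineventlog:security"
    (EventCode=4740 OR EventCode=4625 OR (EventCode=4776 Keywords="Audit Failure"))
| eval account=lower(coalesce(Logon_Account, mvindex(Account_Name, -1)))
| search NOT account="*$"
| eval source_host=case(
    EventCode==4740, Caller_Computer_Name,
    EventCode==4776, Source_Workstation,
    EventCode==4625, coalesce(Workstation_Name, Source_Network_Address))
| eval failure_code=case(
    EventCode==4776, Error_Code,
    EventCode==4625, Sub_Status)
| stats count(eval(EventCode==4740)) AS lockouts,
        count(eval(EventCode!=4740)) AS failed_logons,
        values(eval(if(EventCode==4740, source_host, null()))) AS lockout_callers,
        values(eval(if(EventCode!=4740, source_host, null()))) AS failure_sources,
        values(failure_code) AS failure_codes,
        min(_time) AS first_seen, max(_time) AS last_seen
    BY account
| where lockouts > 0
| convert ctime(first_seen) ctime(last_seen)
| sort - lockouts
```

On 4625 the Account_Name field is usually multi-valued (subject first, target second), which is why the search takes the last value; a failure_code of 0xC000006A means a wrong password, so a single host repeatedly producing that code against one account typically points at a stale cached credential, mapped drive or scheduled task on that host.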