Right now the workflow is a real-time alert on this search:
Lockout Alert:
eventtype=msad-account-lockout
| lookup AD_Users_Lookup sAMAccountName as user
| table _time, displayName, user, email, telephoneNumber, mobile, pwdLastSet, description, Caller_Computer_Name, dest_nt_host
| rename Caller_Computer_Name as "Occurred On", mobile as "Mobile Phone", telephoneNumber as "Phone", user as "UserID", pwdLastSet as "Password Changed On", signature as "Action", description as Description, dest_nt_host as "Reported By"
The secondary search that I'm thinking about looping in is:
Why it locked out, but may come back with multiple results if they try on different PCs (src):
eventtype="msad-failed-user-logons" EventCode=4625 | table user, src, src_ip, EventCodeDescription, dest
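One way to fold the failed-logon search into the lockout alert so each lockout row carries every source PC the failures came from, as an added example that is not part of the original post (it assumes the same eventtypes, lookup and field names as above; the 15-minute window and the column labels are my choices):

```spl
eventtype=msad-account-lockout
| lookup AD_Users_Lookup sAMAccountName as user
| join type=left user
    [ search eventtype="msad-failed-user-logons" EventCode=4625 earliest=-15m
      | stats count as "Failed Attempts",
              dc(src) as "Distinct Sources",
              values(src) as "Failed From",
              values(src_ip) as "Failed From IP",
              values(dest) as "Failed Against"
              by user ]
| table _time, displayName, user, email, telephoneNumber, mobile, pwdLastSet, description,
        Caller_Computer_Name, dest_nt_host, "Failed Attempts", "Distinct Sources",
        "Failed From", "Failed From IP", "Failed Against"
| rename Caller_Computer_Name as "Occurred On", mobile as "Mobile Phone",
         telephoneNumber as "Phone", user as "UserID",
         pwdLastSet as "Password Changed On", description as Description,
         dest_nt_host as "Reported By"
```

The subsearch collapses the multiple 4625 results into multivalue fields (one row per user), so the alert still fires once per lockout; a high "Distinct Sources" count is worth surfacing, since one stale credential normally fails from a single PC. Because join runs a subsearch, it is better suited to a scheduled alert (for example every 5 minutes over the last 5 minutes) than to a real-time one, where subsearch time limits and result caps can silently drop the failed-logon context.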