{
  "id": "4740",
  "source": "windows_security",
  "category": "AccountMgmt",
  "name": "A user account was locked out",
  "priority": "P1",
  "applicable_version": "Windows Server 2008 R2 and later; Windows 7 and later",
  "last_reviewed": "2026-07-10",
  "definition": "Windows Security Event ID 4740 records a domain account lockout and is a key correlation point for brute-force activity and stale credential troubleshooting.",
  "trigger_scenarios": "A domain controller generates the event when failed authentication reaches the configured account-lockout threshold.",
  "key_fields": [
    {
      "field": "Account That Was Locked Out",
      "explanation": "The affected account. Determine whether it is a user, privileged, service, or shared identity."
    },
    {
      "field": "Caller Computer Name",
      "explanation": "The computer that submitted the failed credentials. This is often the fastest path to the underlying source."
    },
    {
      "field": "Subject",
      "explanation": "The domain controller context that recorded the lockout; it is not necessarily the user who caused it."
    }
  ],
  "false_positives": [
    "Stale credentials in services, mobile devices, and mapped drives commonly cause lockouts.",
    "Users can lock themselves out by repeatedly entering an old password."
  ],
  "related_event_ids": [
    "4625",
    "4776",
    "4768"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1110",
      "technique_name": "Brute Force"
    }
  ],
  "detection_notes": "T1110 brute force is distinguished through Caller Computer Name and policy values: repeated lockouts from one caller across many Target Accounts inside one Account Lockout Observation Window are spray-like, while one account locked from many callers often reflects stale credentials. Correlate preceding 4625 Sub Status 0xC000006A (bad password) versus 0xC0000072 (disabled account); only the former normally drives password-lockout behavior. Compare counts with the configured Account Lockout Threshold before alerting.",
  "kql_snippet": "SecurityEvent\n| where EventID == 4740\n| project TimeGenerated, Computer, TargetAccount, CallerComputerName\n| order by TimeGenerated desc",
  "spl_snippet": "index=wineventlog EventCode=4740\n| table _time, host, TargetUserName, CallerComputerName",
  "sample_log": "Account That Was Locked Out: CORP\\jsmith\nCaller Computer Name: WS-014\nComputer: DC01",
  "source_url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740",
  "route": "/windows-events/4740/",
  "canonical_url": "https://soceventlookup.com/windows-events/4740/",
  "json_url": "/api/events/windows-security/4740.json"
}
