Custom Rule for Locked Accounts / LEQL Query Help?

Is it possible to set a custom alert for when 10 or more unique accounts are locked out within a 1 hr time period? I see an optional alert to create investigations for accounts being locked out, but alerts on a per-user basis seem excessive and not what I’m looking for.

The closest I've gotten is a custom alert where 10 or more accounts had failed logins with the failure reason being account locked, but this could generate alerts for one single account with 10+ failed login attempts from being disabled in a 1 hr window, vs 10 unique accounts locked in 1 hr, I believe.

Any guidance would be appreciated, thanks!

Hi @Rahpudsehvun

This is possible with our new Custom Detection Rules feature: Custom Detection Rules | InsightIDR Documentation

You should select the AD Admin Activity Logset

and set your query to

where(action=ACCOUNT_LOCKED)

and then for the threshold conditions you will want to leave the groupby option blank

within the unique keys section you will use target_account (or source_account whichever is appropriate)

Then for the threshold setting something like this

[Screenshot of the threshold settings, 2023-10-11]

When setting the rule action for this custom detection rule, we recommend using Assess Activity to establish the rule accuracy and the frequency of potential alerts if it were to be enabled. Once the Assessment Period is over an assessment report is generated. Modify ABA Detection Rules | InsightIDR Documentation

David

This seems like it’s for alerts when admins lock 10 or more accounts within 1 hr, which is useful, but not my goal.

I am specifically wondering if I can get alerts when 10 or more unique accounts are locked out within 1 hr, not by an admin, but due to too many failed password attempts. I was assuming in this kind of case I would use the asset authentication event type instead.

The closest I've gotten is
from(event_type = "asset_auth") where (result = "FAILED_ACCOUNT_LOCKED")

How can I narrow something like this down in the query so that I'm only alerted when it's 10+ unique locks?

@Rahpudsehvun the name of the logset is called AD Admin Activity, but the account locked event code is written to this logset.

Event 4740 https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740

It is collected on your Domain Controllers by an Event Source or by using the Insight Agent.

So it's not necessarily an Admin locking the account; a typical account locked event will show the source_account and target account are the same.

You can even filter for these types of ACCOUNT_LOCKED events by adding source_account==target_account

where(action=ACCOUNT_LOCKED AND source_account==target_account)

For the AD Admin Activity Logset.

David

The above suggestion would be for if the detection was explicitly to catch accounts being locked out.

If you wish to use the Asset Authentication logs, that's also possible.

You can use the query you provided, and in the threshold you would set the unique key but ensuring you reference the correct key from the log in log search, for example destination_account

David
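As an added illustration (not code from this thread or from InsightIDR), the logic the threshold rule applies: filter to self-lockouts (source_account==target_account) and count unique target_account values in a sliding 1 hr window, so repeated lockouts of one account count once. The sample lines and their field layout are constructed for the example and are not real log output.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (not real InsightIDR data), modelled on the fields
# named in the thread: timestamp, action, source_account, target_account.
# jdoe locks twice (one unique key), helpdesk_admin locks bjones (admin lock,
# filtered out), dlee falls outside the 1 hr window of the first three.
SAMPLE_LOG = """\
2023-10-11T13:00:00Z,ACCOUNT_LOCKED,jdoe,jdoe
2023-10-11T13:05:00Z,ACCOUNT_LOCKED,jdoe,jdoe
2023-10-11T13:10:00Z,ACCOUNT_LOCKED,asmith,asmith
2023-10-11T13:20:00Z,ACCOUNT_LOCKED,helpdesk_admin,bjones
2023-10-11T13:45:00Z,ACCOUNT_LOCKED,cwu,cwu
2023-10-11T14:30:00Z,ACCOUNT_LOCKED,dlee,dlee
"""


def parse_events(text):
    """Parse the constructed CSV-style lines into (ts, action, source, target)."""
    events = []
    for line in text.strip().splitlines():
        ts, action, src, dst = (f.strip() for f in line.split(","))
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), action, src, dst))
    return events


def self_lockouts(events):
    """Equivalent of where(action=ACCOUNT_LOCKED AND source_account==target_account)."""
    return [e for e in events if e[1] == "ACCOUNT_LOCKED" and e[2] == e[3]]


def first_threshold_breach(events, threshold=10, window=timedelta(hours=1)):
    """Slide a window over lockouts sorted by time; the unique key is target_account.

    Returns (timestamp, sorted unique accounts) at the first moment the window
    holds `threshold` or more distinct accounts, or None if it never does.
    """
    recent = deque()
    for ev in sorted(self_lockouts(events), key=lambda e: e[0]):
        recent.append(ev)
        while ev[0] - recent[0][0] >= window:  # drop events 1 hr old or older
            recent.popleft()
        unique_accounts = {e[3] for e in recent}
        if len(unique_accounts) >= threshold:
            return ev[0], sorted(unique_accounts)
    return None


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("lockout events:", len(self_lockouts(evs)))
    print("threshold 10:", first_threshold_breach(evs, threshold=10))
    print("threshold 3:", first_threshold_breach(evs, threshold=3))
```

With threshold 3 the rule fires at 13:45 on {asmith, cwu, jdoe}; with threshold 10 it never fires, because five events are only four unique accounts and only three share a window.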