Tracking down User lockout source

I’m running into a few issues with a user being locked out of AD every 30 or so minutes. There are plenty of logs showing his account was locked out, and that his account is disabled while whatever device keeps trying to log in continues, but I can’t seem to find any way to track down what device is attempting to log in when it locks his account. All I’m finding is SourceName Microsoft-Windows-Security-Auditing.
This does not help me, and this user has three computers and a phone, and we have an SSO platform, all of which authenticate to AD for logins. Am I missing something?
I tell it the source account to look for, and searching for the event code doesn’t tell me what asset is locking him out.

Hi Josh,

Where I start is checking on just the “Asset Authentication” log bucket in log search. I will then use the query “where(result=/failed.*/i AND destination_user="user name")” in advanced mode, replacing “user name” with the gentleman’s name (case sensitive). I will then pivot to the Visualization view option, as opposed to “Entries” or “Table”. From there I will delete the cards that are pre-populated using the cog icon at the top right corner of each card. I will then add new cards for: source_asset, destination_user, result, destination_asset, logon_type, and service; all as a pie graph. This will give you an idea of the source and destination of failed authentications for the user. The "/failed.*/i" part of the query will give you case-insensitive results (from the “i”) for failed login attempts whether the result is failed bad login, failed bad password or whatever it may be, hence the failed.*

5 Likes
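The reply above describes a log-search filter plus a pivot on a few fields. The script below is an added example, not code from the original thread or from the log-search product it refers to: it applies the same two conditions (case-insensitive `failed.*` on `result`, exact case-sensitive match on `destination_user`) to a handful of constructed "Asset Authentication" entries and tallies the same six fields, so the asset producing the failed logons stands out. The field values, asset names and the assumption that the query's regex must cover the whole `result` value (which is what the trailing `.*` is for) are all assumptions made for the example.

```python
"""Offline stand-in for:  where(result=/failed.*/i AND destination_user="user name")
followed by a pivot on source_asset, destination_user, result, destination_asset,
logon_type and service.  Constructed example data; not real log output."""
import re
from collections import Counter

# /failed.*/i : case-insensitive, and fullmatch() so the trailing .* is what
# covers the rest of the value (FAILED_BAD_PASSWORD, "failed bad login", ...).
# Assumption for this example: the query's regex applies to the whole value.
FAILED_RESULT = re.compile(r"failed.*", re.IGNORECASE)

PIVOT_FIELDS = ("source_asset", "destination_user", "result",
                "destination_asset", "logon_type", "service")


def entry(result, user, src, dst, logon_type, service):
    """Build one constructed Asset Authentication entry (field names are assumed)."""
    return {"result": result, "destination_user": user, "source_asset": src,
            "destination_asset": dst, "logon_type": logon_type, "service": service}


# Constructed sample: one laptop repeatedly failing, one SSO gateway failing once,
# a phone succeeding, a lockout event, and a differently-cased user name.
SAMPLE_ENTRIES = [
    entry("FAILED_BAD_PASSWORD", "jsmith", "LAPTOP-01", "DC01", "NETWORK", "kerberos"),
    entry("Failed Bad Password", "jsmith", "LAPTOP-01", "DC01", "NETWORK", "kerberos"),
    entry("failed bad login",    "jsmith", "LAPTOP-01", "DC02", "NETWORK", "ntlm"),
    entry("FAILED_BAD_PASSWORD", "jsmith", "SSO-GW",    "DC01", "NETWORK", "ldap"),
    entry("SUCCESS",             "jsmith", "PHONE-JS",  "DC01", "NETWORK", "kerberos"),
    entry("ACCOUNT_LOCKED",      "jsmith", "LAPTOP-01", "DC01", "NETWORK", "kerberos"),
    entry("FAILED_BAD_PASSWORD", "JSmith", "WKSTN-07",  "DC01", "INTERACTIVE", "kerberos"),
]


def matches(e, user):
    """True when the entry satisfies both conditions of the query.

    result          -> case-insensitive regex (the /.../i part)
    destination_user -> exact string equality, so case matters, as the reply notes
    """
    result_ok = FAILED_RESULT.fullmatch(e.get("result", "")) is not None
    return result_ok and e.get("destination_user") == user


def pivot(entries, user):
    """Count each pivot field over the matching entries (one Counter per 'card')."""
    hits = [e for e in entries if matches(e, user)]
    return {f: Counter(e.get(f, "<missing>") for e in hits) for f in PIVOT_FIELDS}


def likely_lockout_source(entries, user):
    """The source_asset with the most failed authentications, or None if no hits."""
    counts = pivot(entries, user)["source_asset"]
    if not counts:
        return None
    return counts.most_common(1)[0][0]


if __name__ == "__main__":
    user = "jsmith"
    for field, counts in pivot(SAMPLE_ENTRIES, user).items():
        print(f"{field}:")
        for value, n in counts.most_common():
            print(f"    {n:>3}  {value}")
    print("likely source:", likely_lockout_source(SAMPLE_ENTRIES, user))
```

Two things the sample data is built to show: the `JSmith` entry is skipped because the user match is case sensitive, and the `ACCOUNT_LOCKED` entry is skipped because its value does not start with "failed", so a result naming the lockout itself would need its own term in the query if you also want it on the cards.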