Windows Event ID 4740 — Account Lockout
Logged on the domain controller when a user account is locked out after exceeding the failed logon threshold.
MITRE ATT&CK
Technique: T1110 · Brute Force
Tactic: Credential Access
Why It Matters
Account lockouts confirm that a credential attack has crossed the volume threshold set by your lockout policy. Multiple accounts locking out in a short window is a near-certain sign of a password spray attack in progress.
Key Fields
Account Name: The account that was locked out
Caller Computer Name: The machine that generated the excessive failed logons
Subject Account Name: The account that triggered the lockout (usually the DC machine account)
Investigation Tips
1. Check Caller Computer Name — it identifies the source of the bad password attempts.
2. Multiple different accounts locking out from the same Caller Computer Name = password spray.
3. Correlate with 4625 on the caller machine to see the failed logon attempts.
4. Check if the account is a service account — service accounts lock out when a password is changed without updating the service.
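Tips 2 and 4 expressed as triage logic, in an added example that is not part of the original page. The record keys (`time`, `account`, `caller`), the thresholds and the sample events are constructed assumptions; feed it 4740 records exported from your own log pipeline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4740 records (not real logs). "account" is Account Name,
# "caller" is Caller Computer Name; timestamps are ISO 8601.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:05", "account": "alice",   "caller": "WKS-017"},
    {"time": "2024-05-01T09:01:10", "account": "bob",     "caller": "wks-017"},
    {"time": "2024-05-01T09:02:40", "account": "carol",   "caller": "WKS-017"},
    {"time": "2024-05-01T09:03:00", "account": "svc_sql", "caller": "APP-02"},
    {"time": "2024-05-01T09:33:00", "account": "svc_sql", "caller": "APP-02"},
    {"time": "2024-05-01T10:03:00", "account": "svc_sql", "caller": "APP-02"},
    {"time": "2024-05-01T14:00:00", "account": "dave",    "caller": "WKS-017"},
]

def classify_lockouts(events, window=timedelta(minutes=10), min_accounts=3, min_repeats=3):
    """Group 4740 events by Caller Computer Name and label each source.
    'spray'  : >= min_accounts distinct accounts locked out within `window`
    'repeat' : one account locked out >= min_repeats times (tip 4 candidate)
    Thresholds are assumptions; tune them to your lockout policy.
    """
    by_caller = defaultdict(list)
    for ev in events:
        # Hostnames are case-insensitive; empty caller names get their own bucket.
        caller = ev["caller"].strip().upper() or "<EMPTY>"
        by_caller[caller].append((datetime.fromisoformat(ev["time"]), ev["account"].lower()))
    findings = {}
    for caller, rows in by_caller.items():
        rows.sort()
        start, best = 0, set()
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            accounts = {acct for _, acct in rows[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            findings[caller] = ("spray", sorted(best))
            continue
        counts = defaultdict(int)
        for _, acct in rows:
            counts[acct] += 1
        repeats = sorted(a for a, n in counts.items() if n >= min_repeats)
        if repeats:
            findings[caller] = ("repeat", repeats)
    return findings
```

A `spray` finding points at the caller machine for the 4625 correlation in tip 3; a `repeat` finding is the pattern to check against service account password changes.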