Windows Event ID 4740 - Account Lockout

Records when a user account is locked out after exceeding the failed logon threshold. Critical for detecting brute force attacks and password spraying, and for identifying users with password issues.

Quick Facts

Default Path (Linux): N/A (Windows Event Forwarding to SIEM)
Default Format: Windows Event Log (EVTX)
JSON Native: No
Rotation: Windows Event Log settings (default 20MB)

Log Example

Default format: Windows Event Log Format

Example Log Entry
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/1/2026 09:30:15 AM
Event ID:      4740
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      DC01.corp.local
Description:
A user account was locked out.

Subject:
    Security ID:        S-1-5-18
    Account Name:       DC01$
    Account Domain:     CORP
    Logon ID:           0x3E7

Account That Was Locked Out:
    Security ID:        S-1-5-21-1234567890-1234567890-1234567890-1001
    Account Name:       jsmith

Additional Information:
    Caller Computer Name:   CLIENT01

Structure:

XML-based binary format with structured EventData fields

Paths by Platform

Available Formats

Windows Event Log Format

Default. The example entry and structure are the same as shown under Log Example above.

XML Format

Example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
    <EventID>4740</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2026-02-01T09:30:15.123456789Z"/>
    <EventRecordID>234567</EventRecordID>
    <Computer>DC01.corp.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1234567890-1234567890-1234567890-1001</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>

Structure:

Native XML representation of the event

JSON (Winlogbeat/NXLog)

Example:

{
  "event_id": 4740,
  "log_name": "Security",
  "source_name": "Microsoft-Windows-Security-Auditing",
  "computer_name": "DC01.corp.local",
  "time_created": "2026-02-01T09:30:15.123Z",
  "keywords": ["Audit Success"],
  "event_data": {
    "TargetUserName": "jsmith",
    "TargetDomainName": "CORP",
    "TargetSid": "S-1-5-21-1234567890-1234567890-1234567890-1001",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "DC01$",
    "SubjectDomainName": "CORP",
    "SubjectLogonId": "0x3e7"
  }
}

Structure:

Structured JSON from log forwarders

Fields Reference

Field | Type | Description | Example
EventID | integer | Event identifier (always 4740 for account lockout) | 4740
TimeCreated | datetime | Timestamp when the account was locked out | 2026-02-01T09:30:15.123Z
Computer | string | Computer name where the lockout was processed (typically DC) | DC01.corp.local
TargetUserName | string | Account name that was locked out | jsmith
TargetDomainName | string | Domain of the locked out account | CORP
TargetSid | string | SID of the locked out account | S-1-5-21-1234567890-1234567890-1234567890-1001
SubjectUserSid | string | SID of the account that reported the lockout | S-1-5-18
SubjectUserName | string | Account name that reported the lockout (usually machine account) | DC01$
SubjectDomainName | string | Domain of the subject account | CORP
SubjectLogonId | string | Logon ID for correlation | 0x3E7

Parsing Patterns

Grok Patterns

xml:

<Data Name="TargetUserName">%{DATA:target_username}</Data>.*<Data Name="TargetDomainName">%{DATA:target_domain}</Data>

Regular Expressions

xml:

TargetUserName">(?P<target_username>[^<]+)</Data>.*TargetDomainName">(?P<target_domain>[^<]+)</Data>
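
The patterns above only match when TargetUserName precedes TargetDomainName and both sit on one line. As an added example (not part of the original page), the following Python sketch reads the same XML with a namespace-aware parser so field order and line breaks do not matter; the function name `parse_4740` and the reordered sample are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the page's XML example, trimmed, with two EventData
# fields swapped and kept on separate lines to exercise the regex's limits.
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2026-02-01T09:30:15.123456789Z"/>
    <Computer>DC01.corp.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="SubjectUserName">DC01$</Data>
  </EventData>
</Event>"""

# The page's regular expression, unchanged.
PAGE_REGEX = re.compile(
    r'TargetUserName">(?P<target_username>[^<]+)</Data>.*'
    r'TargetDomainName">(?P<target_domain>[^<]+)</Data>'
)


def parse_4740(xml_text):
    """Return a flat dict for one 4740 event, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None or system.findtext("e:EventID", namespaces=NS) != "4740":
        return None
    created = system.find("e:TimeCreated", NS)
    record = {
        "EventID": 4740,
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "TimeCreated": created.get("SystemTime") if created is not None else None,
    }
    # Fields are keyed by their Name attribute, so order and whitespace are irrelevant.
    for data in root.iterfind("e:EventData/e:Data", NS):
        record[data.get("Name")] = (data.text or "").strip()
    return record


if __name__ == "__main__":
    print(parse_4740(SAMPLE_XML))
    print(PAGE_REGEX.search(SAMPLE_XML))  # no match: fields reordered and split across lines
```

ElementTree is not hardened against maliciously constructed XML; when event XML arrives from sources you do not control, the defusedxml package provides a drop-in `fromstring`.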

Collector Configurations

Splunk

# Splunk search for Event ID 4740
index=wineventlog EventCode=4740
| stats count by TargetUserName, Computer
| sort -count

# Account lockouts by hour
index=wineventlog EventCode=4740
| timechart span=1h count by TargetUserName

# Correlate lockout with failed logons
index=wineventlog (EventCode=4740 OR EventCode=4625) TargetUserName=jsmith
| transaction TargetUserName maxspan=5m
| table _time, TargetUserName, EventCode, IpAddress, Computer

Configuration

Enable Logging

Enable account lockout auditing via Group Policy or auditpol

auditpol /set /subcategory:"User Account Management" /success:enable

Log To Syslog

Forward via Windows Event Forwarding (WEF)

# Include in WEF subscription for account management events

Use Cases

Track account lockouts

Monitor which accounts are getting locked out

Key fields: TargetUserName, TimeCreated, Computer
Query: EventID=4740 | stats count by TargetUserName
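
A per-account count does not separate one user with a stale password from many accounts locking out together. As an added example (not part of the original page), this Python sketch goes beyond the query above and applies a sliding window to records in the JSON forwarder shape shown earlier; the thresholds, function names and sample events are assumptions made for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them to the domain's lockout policy.
WINDOW = timedelta(hours=1)
DISTINCT_ACCOUNTS = 5  # distinct accounts locked inside WINDOW
REPEAT_LOCKOUTS = 3    # lockouts of the same account inside WINDOW


def _ts(event):
    # fromisoformat() on older Python versions does not accept a trailing "Z".
    return datetime.fromisoformat(event["time_created"].replace("Z", "+00:00"))


def detect_lockout_bursts(events):
    """Return (time_created, kind, accounts) alerts for forwarder-style records."""
    alerts, window = [], deque()
    bursting, repeating = False, set()  # suppress re-alerting while a condition holds
    for ev in sorted((e for e in events if e.get("event_id") == 4740), key=_ts):
        now, user = _ts(ev), ev["event_data"]["TargetUserName"].lower()
        window.append((now, user))
        while now - window[0][0] > WINDOW:
            window.popleft()
        users = [u for _, u in window]
        # Many different accounts locked close together: consistent with spraying.
        multi = len(set(users)) >= DISTINCT_ACCOUNTS
        if multi and not bursting:
            alerts.append((ev["time_created"], "multi_account_burst", sorted(set(users))))
        bursting = multi
        # One account locked again and again: targeted guessing or a stale credential.
        repeat = users.count(user) >= REPEAT_LOCKOUTS
        if repeat and user not in repeating:
            alerts.append((ev["time_created"], "repeat_lockout", [user]))
        (repeating.add if repeat else repeating.discard)(user)
    return alerts


def _sample(hour, minute, user):
    return {"event_id": 4740, "time_created": f"2026-02-01T{hour:02d}:{minute:02d}:00.000Z",
            "event_data": {"TargetUserName": user, "TargetDomainName": "CORP"}}


# Constructed sample input, not real telemetry.
SAMPLE_EVENTS = ([_sample(9, 30 + i, f"user{i}") for i in range(6)]
                 + [_sample(11, m, "jsmith") for m in (0, 20, 40)])

if __name__ == "__main__":
    for alert in detect_lockout_bursts(SAMPLE_EVENTS):
        print(alert)
```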

Troubleshooting

Tested On

Windows Server 2022
admin - 2026-02-01
Last updated: 2026-02-01 by admin