Windows Event ID 4740 — Account Lockout
Logged on the domain controller when a user account is locked out after exceeding the failed logon threshold.
MITRE ATT&CK
T1110 · Brute Force
Credential Access
Why It Matters
Account lockouts confirm that a credential attack has crossed the volume threshold set by your lockout policy. Multiple accounts locking out in a short window is a near-certain sign of a password spray attack in progress.
Key Fields
Investigation Tips
1. Check Caller Computer Name — it identifies the source of the bad password attempts.
2. Multiple different accounts locking out from the same Caller Computer Name = password spray.
3. Correlate with 4625 on the caller machine to see the failed logon attempts.
4. Check if the account is a service account — service accounts lock out when a password is changed without updating the service.
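
Tips 1 and 2 expressed as detection logic over exported 4740 event XML. This is an added example, not EventPeeker's code. The function names, the 3-account threshold, the 10-minute window and the sample events are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(time, user, caller):
    """Build a constructed 4740 record in Windows event XML form."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4740</EventID>'
            f'<TimeCreated SystemTime="{time}Z"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            # In 4740 XML, "Caller Computer Name" is the TargetDomainName field.
            f'<Data Name="TargetDomainName">{caller}</Data></EventData></Event>')

SAMPLE_EVENTS = [  # constructed data, not from a real environment
    make_event("2024-05-01T09:00:05", "alice", "WS-042"),
    make_event("2024-05-01T09:01:10", "bob", "WS-042"),
    make_event("2024-05-01T09:03:40", "carol", "WS-042"),
    make_event("2024-05-01T09:02:00", "svc_backup", "SRV-APP01"),
    make_event("2024-05-01T09:32:00", "svc_backup", "SRV-APP01"),
    make_event("2024-05-01T10:02:00", "svc_backup", "SRV-APP01"),
    make_event("2024-05-01T08:00:00", "dave", "WS-017"),
    make_event("2024-05-01T13:00:00", "erin", "WS-017"),
    make_event("2024-05-01T09:05:00", "frank", ""),
]

def parse_lockout(xml_text):
    """Return (time, locked account, caller computer) for one 4740 event."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")
    return when, fields["TargetUserName"].lower(), fields["TargetDomainName"].upper()

def find_spray_sources(events_xml, min_accounts=3, window_minutes=10):
    """Map each caller to the distinct accounts it locked out inside one window."""
    by_caller = defaultdict(list)
    for when, user, caller in map(parse_lockout, events_xml):
        if caller:  # a blank caller field cannot be attributed to a source
            by_caller[caller].append((when, user))
    findings = {}
    for caller, hits in by_caller.items():
        for start, _ in sorted(hits):
            end = start + timedelta(minutes=window_minutes)
            users = {u for t, u in hits if start <= t <= end}
            if len(users) >= min_accounts:
                findings[caller] = sorted(users)
                break
    return findings
```

On the sample data only WS-042 is reported: SRV-APP01 locks out the same account repeatedly, which matches the service-account pattern in tip 4 rather than a spray.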