A user account was locked out
A user account was locked out after exceeding the configured threshold of consecutive failed logon attempts.
Event ID 4740 documents that an Active Directory user account or local account has been locked out due to excessive consecutive authentication failures. This event is logged on Domain Controllers (if a domain account) or local machines (if a local account) and records the target account name alongside the 'Caller Computer Name' that originated the failed attempts that triggered the lockout.
Failure Reason / Root Cause:
Repeated authentication failures from cached old passwords on mobile/remote devices, aggressive brute-force attacks, or credential stuffing.
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4740</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-17T09:54:44.901Z" />
<EventRecordID>1048576</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="1024" />
<Channel>Security</Channel>
<Computer>DC01.enterprise.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<!-- Event telemetry fields specific to A user account was locked out -->
</EventData>
</Event>MITRE ATT&CK mapping
| ID | Technique | Tactic |
|---|---|---|
T1110 | Brute Force | Credential Access |
T1531 | Account Access Removal | Impact |
Recommended actions
- Inspect the 'Caller Computer Name' field in the event data to isolate the specific endpoint generating the failed authentication requests.
- Cross-reference Event ID 4740 timestamps with preceding Event ID 4625 records to verify if the lockout originated from external network attempts.
- Ensure domain lockout policies are paired with MFA and automated IP blocking at the firewall/gateway.