User reports their account is being locked out repeatedly. How do you investigate?

Multi-source investigation: (1) Active Directory — query event 4740 (account lockout) for source workstation/IP; (2) Filter logs from that workstation — what's authenticating? Could be: cached credentials on phone/Outlook/RDP after password change; service running with old credentials; brute-force attack from compromised host. (3) PowerShell Get-WinEvent or Splunk SPL: index=ad EventCode=4740 user=affected_user | stats count by Caller_Computer_Name. (4) On caller machine: check scheduled tasks, services, drive mappings using old creds. (5) Check for actual brute force: many failed authentications from external IP = compromised user, not just 'forgot password' lockout.

Want the full explanation? This is the atomic answer suitable for quick interview prep. For the structured deep-dive — including code samples, strong-answer vs weak-answer notes, common follow-up questions, and how this fits the larger soc analyst topic — see the full Q&A on Networkers Home:

→ SOC Analyst Interview Hub — Full Q&A with deep context

How Networkers Home prepares students for this kind of question

This question reflects real interview rounds at Bangalore's top product, BFSI, and GCC cybersecurity teams. Networkers Home's flagship courses include mock interview sessions drilling exactly these question patterns, with feedback from interviewers who have hired for the role.

→ View the complete soc analyst interview prep hub
→ View the related Networkers Home course
→ Book a free career consultation

User reports their account is being locked out repeatedly. How do you investigate?

How Networkers Home prepares students for this kind of question

Related Log Analysis questions

Q. What's the difference between Windows Security event 4624 vs 4625 vs 4634?