Scenario: Multiple users report lockouts within 15 minutes.

Step 1: Confirm lockout events

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740; StartTime=(Get-Date).AddMinutes(-30)} | Select-Object TimeCreated,Message

Step 2: Correlate failed logons

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddMinutes(-30)} | Select-Object TimeCreated,Message

Step 3: Look for a repeated source host or stale credentials

Step 4: Contain, reset, and document the root cause
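
The correlation in Steps 2 and 3, as an added example that is not part of the original runbook: it parses 4625 events as XML and groups the failures by source so that a repeated host stands out. The sample events, host names and addresses are constructed, and the function names ConvertTo-LogonRecord and Get-FailureSummary are hypothetical.

```powershell
# Added example. The sample events are constructed; field names follow the
# EventData layout of Security event 4625.
function ConvertTo-LogonRecord {
    param([Parameter(Mandatory)][string]$EventXml)
    $evt = ([xml]$EventXml).Event
    $f = @{}
    foreach ($d in $evt.EventData.Data) { $f[$d.Name] = $d.'#text' }
    # Network logons carry IpAddress; local ones show "-" there, so fall back.
    $source = if ($f['IpAddress'] -and $f['IpAddress'] -ne '-') { $f['IpAddress'] } else { $f['WorkstationName'] }
    [pscustomobject]@{
        Time      = [datetime]$evt.System.TimeCreated.SystemTime
        Account   = $f['TargetUserName']
        Source    = $source
        SubStatus = $f['SubStatus']   # 0xc000006a = bad password, 0xc0000064 = unknown user
    }
}

function Get-FailureSummary {
    param([Parameter(Mandatory)][object[]]$Records)
    $Records | Group-Object Source | ForEach-Object {
        $accounts = @($_.Group.Account | Sort-Object -Unique)
        $times    = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            Source   = $_.Name
            Failures = $_.Count
            First    = $times[0]
            Last     = $times[-1]
            Accounts = $accounts -join ','
            # Repeated failures for a single account from one host are what a stale
            # saved credential looks like; one host failing for several accounts
            # points at that host rather than at one user's saved password.
            Shape    = if ($accounts.Count -gt 1) { 'several accounts' } else { 'single account' }
        }
    } | Sort-Object Failures -Descending
}

# Constructed sample input (not real log data).
$t = '<Event><System><EventID>4625</EventID><TimeCreated SystemTime="{0}"/></System>' +
     '<EventData><Data Name="TargetUserName">{1}</Data><Data Name="WorkstationName">{2}</Data>' +
     '<Data Name="IpAddress">{3}</Data><Data Name="SubStatus">{4}</Data></EventData></Event>'
$sample = @(
    ($t -f '2024-01-01T09:00:05Z', 'alice', 'WS-014',  '192.0.2.14', '0xc000006a'),
    ($t -f '2024-01-01T09:00:35Z', 'alice', 'WS-014',  '192.0.2.14', '0xc000006a'),
    ($t -f '2024-01-01T09:01:05Z', 'alice', 'WS-014',  '192.0.2.14', '0xc000006a'),
    ($t -f '2024-01-01T09:02:10Z', 'bob',   'KIOSK-3', '-',          '0xc000006a'),
    ($t -f '2024-01-01T09:02:40Z', 'carol', 'KIOSK-3', '-',          '0xc000006a')
)
$records = $sample | ForEach-Object { ConvertTo-LogonRecord -EventXml $_ }
Get-FailureSummary -Records $records | Format-Table -AutoSize
```

To run it against live data, replace $sample with the Step 2 query piped through ForEach-Object { $_.ToXml() }.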

By Nizar