Account Lockout Examiner
by Vince, in Blog
I kept seeing this error in the SIEM, and it was bugging me because I couldn't identify the source. At first glance I assumed it was an attacker, because that's just how my mind works, but given that the bad password was hitting the logs every 30 minutes, it would have been the slowest brute-force attack ever. And it was literally every 30 minutes. A quick Google search turned up this free tool, which made it easy to get to the source.
First, here's our SIEM alert:
Technically it's not a locked account, but the tool still gets you to the source:
Investigation time will vary with company size. This company has fewer than 50 users, and it took no more than 10 minutes.
What we learn is that a scheduled task was configured to run every 30 minutes with bad credentials, and that is the source of our SIEM alert.
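The tell in this case was the timing: a single account failing from a single host at a fixed interval looks like a stored credential (scheduled task, service, mapped drive) rather than a guessing attack. The following is an added example of that triage logic, written for this page and not code from the original post or from Account Lockout Examiner. It runs over a constructed list of records shaped like the fields of Windows Security event 4625 (account, source workstation, logon type, sub-status, time); the account names, hostnames and timestamps are made up. The field meanings it relies on are documented Windows values: logon type 4 (Batch) is what Task Scheduler uses for a task running under stored credentials, logon type 5 is a service, and sub-status 0xC000006A means the password was wrong.

```python
"""Triage of recurring bad-password events: stored credential vs. brute force.

Added example for this page; not code from the original post or from
Account Lockout Examiner. Input records are constructed and mimic the
fields of Windows Security event 4625.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Documented 4625 logon-type values that matter for this triage.
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
                    10: "RemoteInteractive"}
BAD_PASSWORD = "0xc000006a"   # 4625 Sub Status for a wrong password

# Constructed sample events (not real logs). Times are ISO-8601, local to the DC.
SAMPLE_EVENTS = [
    # svc_backup from FS01 as a Batch logon, every 30 minutes: task-like.
    {"time": "2020-05-01T08:00:02", "account": "svc_backup", "host": "FS01", "logon_type": 4, "sub_status": "0xC000006A"},
    {"time": "2020-05-01T08:30:01", "account": "svc_backup", "host": "FS01", "logon_type": 4, "sub_status": "0xC000006A"},
    {"time": "2020-05-01T09:00:03", "account": "svc_backup", "host": "FS01", "logon_type": 4, "sub_status": "0xC000006A"},
    {"time": "2020-05-01T09:30:02", "account": "svc_backup", "host": "FS01", "logon_type": 4, "sub_status": "0xC000006A"},
    {"time": "2020-05-01T10:00:01", "account": "svc_backup", "host": "FS01", "logon_type": 4, "sub_status": "0xC000006A"},
    {"time": "2020-05-01T10:30:02", "account": "svc_backup", "host": "FS01", "logon_type": 4, "sub_status": "0xC000006A"},
    # administrator from one host, seconds apart over the network: guessing.
    {"time": "2020-05-01T08:05:00", "account": "administrator", "host": "WS-UNKNOWN", "logon_type": 3, "sub_status": "0xC000006A"},
    {"time": "2020-05-01T08:05:03", "account": "administrator", "host": "WS-UNKNOWN", "logon_type": 3, "sub_status": "0xC000006A"},
    {"time": "2020-05-01T08:05:05", "account": "administrator", "host": "WS-UNKNOWN", "logon_type": 3, "sub_status": "0xC000006A"},
    {"time": "2020-05-01T08:05:09", "account": "administrator", "host": "WS-UNKNOWN", "logon_type": 3, "sub_status": "0xC000006A"},
    {"time": "2020-05-01T08:05:10", "account": "administrator", "host": "WS-UNKNOWN", "logon_type": 3, "sub_status": "0xC000006A"},
    # a user who fat-fingered a password twice: too little to say anything.
    {"time": "2020-05-01T08:12:40", "account": "jdoe", "host": "WS07", "logon_type": 2, "sub_status": "0xC000006A"},
    {"time": "2020-05-01T08:12:55", "account": "jdoe", "host": "WS07", "logon_type": 2, "sub_status": "0xC000006A"},
    # a non-password failure (0xC0000072 = account disabled) is ignored here.
    {"time": "2020-05-01T08:15:00", "account": "olduser", "host": "WS09", "logon_type": 2, "sub_status": "0xC0000072"},
]


def parse_events(records):
    """Keep only bad-password failures and convert timestamps to datetime."""
    out = []
    for r in records:
        if r["sub_status"].lower() != BAD_PASSWORD:
            continue
        e = dict(r)
        e["time"] = datetime.fromisoformat(r["time"])
        out.append(e)
    return out


def interval_stats(times):
    """Return (median gap, max deviation from that median) in seconds, or (None, None)."""
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if not gaps:
        return None, None
    med = median(gaps)
    return med, max(abs(g - med) for g in gaps)


def triage(records, min_events=3, max_jitter=60.0, min_period=300.0):
    """Group bad-password events by (account, source host) and classify each series.

    periodic_single_source  : fixed interval (jitter <= max_jitter, period >= min_period)
                              from one host -> look for a stored credential on that host.
    rapid_from_single_source: failures arriving faster than min_period -> guessing.
    insufficient_data       : fewer than min_events failures.
    unknown_source          : host field empty or '-' (common for some logon types).
    """
    groups = defaultdict(list)
    for e in parse_events(records):
        groups[(e["account"], e["host"])].append(e)

    results = {}
    for (account, host), evs in groups.items():
        med, jitter = interval_stats(e["time"] for e in evs)
        types = sorted({e["logon_type"] for e in evs})
        if host in ("", "-"):
            verdict, next_step = "unknown_source", "correlate on IP address or Kerberos 4771 client address"
        elif len(evs) < min_events:
            verdict, next_step = "insufficient_data", "keep watching"
        elif jitter <= max_jitter and med >= min_period:
            verdict = "periodic_single_source"
            next_step = f"check Task Scheduler and services on {host} for {account}"
        elif med < min_period:
            verdict, next_step = "rapid_from_single_source", f"treat {host} as a brute-force source"
        else:
            verdict, next_step = "irregular", "review manually"
        results[(account, host)] = {
            "count": len(evs),
            "median_interval_s": med,
            "jitter_s": jitter,
            "logon_types": [LOGON_TYPE_NAMES.get(t, str(t)) for t in types],
            "verdict": verdict,
            "next_step": next_step,
        }
    return results


if __name__ == "__main__":
    for (account, host), r in triage(SAMPLE_EVENTS).items():
        print(f"{account}@{host}: {r['count']} failures, every ~{r['median_interval_s']}s "
              f"(+/-{r['jitter_s']}s), {r['logon_types']} -> {r['verdict']}; {r['next_step']}")
```

On a real domain controller the input would come from Security events 4625 (and 4771/4776 for Kerberos and NTLM pre-authentication failures), for example via `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}`. Two caveats: the Workstation Name field can be blank for some logon types, so fall back to the Source Network Address; and a task that runs on a different schedule (for instance hourly, or at logon) is still periodic, so the thresholds above are starting points, not rules.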