Multiple Microsoft 365 User Account Lockouts in Short Time Window

Elastic Detection Rules

Summary
This detection rule monitors for a surge of Microsoft 365 user account lockouts within a 5-minute window. It identifies an elevated count of 'IdsLocked' login errors spread across several user accounts, which may indicate a brute-force attack against those accounts. The rule uses ES|QL aggregations to dynamically generate fields describing the lockout events. When a high lockout rate is observed, security teams should investigate for automated attacks: verify which users were targeted, assess the activity of the source IPs, and review the associated authentication logs. False positives are possible, including automated processes and anomalous but legitimate user behavior, so thorough analysis is needed before taking response actions. Recommended responses include notifying affected users, blocking IPs exhibiting malicious behavior, and strengthening lockout policies if necessary.
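The aggregation the summary describes, reproduced as an added Python example rather than the rule's own ES|QL query: IdsLocked events are grouped into fixed 5-minute buckets (the equivalent of an ES|QL BUCKET on @timestamp) and a bucket is flagged when the number of distinct locked-out users meets a threshold. The sample events, the field names (`user.id`, `source.ip`, `LogonError`) and the threshold of 3 users are constructed assumptions for the illustration; the page does not state the rule's actual schema or threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events shaped like Microsoft 365 sign-in audit records.
# Field names are an assumption for this illustration, not the rule's schema.
SAMPLE_EVENTS = [
    # Burst: five distinct users locked out within 08:00-08:05 from one IP.
    {"@timestamp": "2025-05-10T08:00:05Z", "user.id": "alice@example.com", "source.ip": "203.0.113.7", "LogonError": "IdsLocked"},
    {"@timestamp": "2025-05-10T08:00:41Z", "user.id": "bob@example.com",   "source.ip": "203.0.113.7", "LogonError": "IdsLocked"},
    {"@timestamp": "2025-05-10T08:01:13Z", "user.id": "carol@example.com", "source.ip": "203.0.113.7", "LogonError": "IdsLocked"},
    {"@timestamp": "2025-05-10T08:02:58Z", "user.id": "dave@example.com",  "source.ip": "203.0.113.7", "LogonError": "IdsLocked"},
    {"@timestamp": "2025-05-10T08:04:20Z", "user.id": "erin@example.com",  "source.ip": "203.0.113.7", "LogonError": "IdsLocked"},
    # The same user locked out again counts once towards the distinct-user total.
    {"@timestamp": "2025-05-10T08:04:50Z", "user.id": "alice@example.com", "source.ip": "203.0.113.7", "LogonError": "IdsLocked"},
    # Ordinary bad-password failures are not lockouts and are ignored.
    {"@timestamp": "2025-05-10T08:03:00Z", "user.id": "frank@example.com", "source.ip": "198.51.100.2", "LogonError": "InvalidUserNameOrPassword"},
    # An isolated lockout an hour later (one forgotten password) stays below threshold.
    {"@timestamp": "2025-05-10T09:17:02Z", "user.id": "grace@example.com", "source.ip": "198.51.100.9", "LogonError": "IdsLocked"},
]

WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 3  # assumption: the page does not state the rule's threshold


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bucket_start(ts, window=WINDOW):
    """Floor a timestamp to a fixed-width bucket, like ES|QL's BUCKET(@timestamp, ...)."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + ((ts - epoch) // window) * window


def lockout_surges(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Aggregate IdsLocked events per bucket and return the buckets whose
    distinct-user count meets the threshold, together with the fields an
    analyst needs for triage: affected users, source IPs and event count."""
    buckets = defaultdict(lambda: {"users": set(), "ips": set(), "count": 0})
    for event in events:
        if event.get("LogonError") != "IdsLocked":
            continue
        bucket = buckets[bucket_start(parse_ts(event["@timestamp"]), window)]
        bucket["users"].add(event["user.id"])
        bucket["ips"].add(event["source.ip"])
        bucket["count"] += 1

    alerts = []
    for start in sorted(buckets):
        bucket = buckets[start]
        if len(bucket["users"]) >= min_users:
            alerts.append({
                "window_start": start.isoformat(),
                "distinct_users": len(bucket["users"]),
                "users": sorted(bucket["users"]),
                "source_ips": sorted(bucket["ips"]),
                "lockout_events": bucket["count"],
            })
    return alerts


if __name__ == "__main__":
    for alert in lockout_surges(SAMPLE_EVENTS):
        print(alert)
```

The distinct-user count, not the raw event count, is what separates a spray across the tenant from one user repeatedly locking themselves out, which is why the duplicate lockout for the same user is deliberately counted once. The generated `source_ips` field supports the triage the summary asks for: a burst from a single IP across many accounts reads very differently from scattered lockouts from many IPs. Fixed buckets match the aggregation style of the rule but can split a burst that straddles a bucket boundary; a sliding window over the same events would remove that gap at the cost of a more expensive query.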
Categories
  • Cloud
  • Identity Management
  • Application
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1110
Created: 2025-05-10