
Summary
The OneLogin User Account Locked detection rule identifies events in which a user account has been locked or suspended. In OneLogin this can happen in several ways, for example through API calls made by administrators. The rule matches on the specific event type IDs that OneLogin assigns to account lock and suspension events, so that any anomalous or unexpected action resulting in a locked account is investigated promptly. The included tests cover different scenarios in which an account is locked or suspended via API actions and confirm that normal activation events are not flagged. The rule addresses credential access threats, in particular brute force attacks, as described in the MITRE ATT&CK framework under technique T1110. On detection the severity is classified as low, meaning the event is noteworthy but, without further investigation, does not by itself indicate an immediate or high-level threat.
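The following is an added example of how a rule of this shape can be written and exercised against the three scenarios the summary describes; it is not the rule's own code. The event type IDs (531 for "User locked", 553 for "User suspended"), the field names `event_type_id`, `user_name` and `actor_user_name`, and the sample events are assumptions constructed for the example and should be checked against OneLogin's event type reference.

```python
"""Panther-style rule for OneLogin user lock / suspend events (added example,
not the original rule's code). Assumption: OneLogin event_type_id 531 is
"User locked" and 553 is "User suspended"; confirm against OneLogin's event
type reference before relying on these values."""

LOCK_OR_SUSPEND_IDS = {"531", "553"}  # assumed OneLogin event type IDs


def rule(event: dict) -> bool:
    """Fire when the event records a user account being locked or suspended."""
    # OneLogin emits event_type_id as an integer; compare as a string so that
    # either representation matches.
    return str(event.get("event_type_id", "")) in LOCK_OR_SUSPEND_IDS


def title(event: dict) -> str:
    """Name the affected user and the actor (admin or API client) in the alert."""
    user = event.get("user_name", "<UNKNOWN_USER>")
    actor = event.get("actor_user_name", "<UNKNOWN_ACTOR>")
    return f"OneLogin user [{user}] was locked or suspended by [{actor}]"


def severity(event: dict) -> str:
    """Low: noteworthy, but not an incident on its own without more context."""
    return "LOW"


# Constructed sample events mirroring the scenarios the rule's tests cover:
# a lock via API, a suspension via API, and a normal activation that must
# not fire. The activation's event_type_id is a constructed non-lock value.
SAMPLE_EVENTS = {
    "locked via API": {"event_type_id": 531, "user_name": "alice",
                       "actor_user_name": "api-client", "notes": "API call"},
    "suspended via API": {"event_type_id": 553, "user_name": "bob",
                          "actor_user_name": "api-client", "notes": "API call"},
    "activated (normal)": {"event_type_id": 1100, "user_name": "carol",
                           "actor_user_name": "helpdesk"},
}


def evaluate(events: dict = SAMPLE_EVENTS) -> dict:
    """Return {scenario: fired} for each sample event, as the rule tests would."""
    return {name: rule(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:20} -> {'ALERT' if fired else 'no alert'}")
```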
Categories
- Identity Management
- Cloud
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1110
Created: 2022-09-02