OneLogin User Account Locked

Sigma Rules

Summary
The 'OneLogin User Account Locked' rule detects when a user account in the OneLogin platform is locked or suspended. It matches three event types: event type ID 532 indicates an account lock, event type ID 553 indicates an account suspension, and event type ID 551 indicates an account lock due to security concerns. The rule triggers when any one of these event types is observed. Its purpose is to ensure that unauthorized access attempts or internal policy violations that result in account lockouts are promptly reported. Because the rule alerts on low-level events, alerts need to be filtered and investigated to reduce false positives, which can occur during normal system operations, for example when accounts are intentionally locked due to inactivity or other administrative actions.
Categories
  • Identity Management
  • Cloud
Data Sources
  • User Account
  • Application Log
Created: 2021-10-12