
Summary
This detection rule identifies excessive Microsoft Entra ID account lockouts caused by high volumes of failed sign-in attempts. It targets activity in which adversaries try to compromise user accounts through brute forcing, password spraying, or credential stuffing, any of which can trip Entra ID Smart Lockout and lock the targeted accounts. The detection is an aggregation query over Entra ID sign-in logs: it filters on the error codes Entra ID returns for a locked account, then counts the matching failures per user and source within a defined time window. The rule captures key telemetry such as user IDs, authentication result codes, source IP addresses, and client application details, which gives the analyst the context needed to interpret the sign-in failures. Investigative actions include reviewing the affected user accounts, examining the authentication error codes, and analyzing the source of the attempts to distinguish legitimate from malicious activity. The rule triggers when a significantly high number of lockouts is recorded within the defined time frame, which points to a coordinated attack against multiple accounts rather than an isolated mistyped password. False positives can arise from misconfigured automated processes or internal systems (for example, a scheduled job or service account that keeps retrying an outdated password); the accompanying guidance describes how to mitigate these.
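The aggregation logic described above, run offline over a few constructed sign-in events, as an added example that is not the rule's own query. It assumes, beyond what the summary states, that events carry the fields Entra ID sign-in logs expose (createdDateTime, userPrincipalName, ipAddress, appDisplayName, status.errorCode), that a Smart Lockout surfaces as errorCode 50053 (IdsLocked) and a plain bad password as 50126, and that the window length, thresholds and internal-automation allowlist are illustrative values a deployment would tune. It keys the count on the source IP, requires lockouts across several distinct users before alerting (so a single account locked repeatedly by one stale credential does not fire), and attaches the other error codes seen from that source as triage context.

```python
"""Aggregation logic for the Entra ID lockout detection described above.

Added example, not the rule's own query. Assumptions not stated on the page:
events carry the fields Entra ID sign-in logs expose (createdDateTime,
userPrincipalName, ipAddress, appDisplayName, status.errorCode); a Smart
Lockout surfaces as errorCode 50053 (IdsLocked) and a plain bad password as
50126; the window, thresholds and allowlist below are illustrative values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_CODES = {50053}                 # Smart Lockout: account locked
WINDOW = timedelta(minutes=10)          # aggregation time frame (assumed)
MIN_LOCKOUTS = 5                        # lockouts from one source per window
MIN_DISTINCT_USERS = 3                  # "multiple accounts" => coordinated
ALLOWLISTED_SOURCES = {"10.0.5.7"}      # known internal automation (assumed)


def _ev(ts, upn, ip, app, code):
    """Build one sign-in event in the shape assumed above."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "appDisplayName": app, "status": {"errorCode": code}}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # External source spraying five accounts; each one trips Smart Lockout.
    _ev("2025-06-06T12:00:10Z", "alice@contoso.example", "203.0.113.10", "Microsoft Office", 50126),
    _ev("2025-06-06T12:00:40Z", "alice@contoso.example", "203.0.113.10", "Microsoft Office", 50053),
    _ev("2025-06-06T12:01:15Z", "bob@contoso.example", "203.0.113.10", "Microsoft Office", 50053),
    _ev("2025-06-06T12:02:05Z", "carol@contoso.example", "203.0.113.10", "Microsoft Office", 50053),
    _ev("2025-06-06T12:03:30Z", "dave@contoso.example", "203.0.113.10", "Microsoft Office", 50053),
    _ev("2025-06-06T12:04:50Z", "erin@contoso.example", "203.0.113.10", "Microsoft Office", 50053),
    # Internal job retrying a stale password: many lockouts, one account, allowlisted source.
    *[_ev(f"2025-06-06T12:0{i}:00Z", "svc-backup@contoso.example", "10.0.5.7", "Backup Agent", 50053)
      for i in range(6)],
    # One user mistyping repeatedly: enough lockouts, but a single account.
    *[_ev(f"2025-06-06T12:1{i}:00Z", "frank@contoso.example", "198.51.100.22", "Browser", 50053)
      for i in range(5)],
    # Normal successful sign-in, ignored by the filter.
    _ev("2025-06-06T12:05:00Z", "alice@contoso.example", "198.51.100.5", "Microsoft Office", 0),
]


def _ts(event):
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))


def find_lockout_bursts(events, window=WINDOW, min_lockouts=MIN_LOCKOUTS,
                        min_users=MIN_DISTINCT_USERS, allowlist=ALLOWLISTED_SOURCES):
    """Return one alert per source IP whose lockouts within `window` hit both thresholds."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_ip[e["ipAddress"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        if ip in allowlist:                     # documented internal automation
            continue
        lockouts = [e for e in evs if e["status"]["errorCode"] in LOCKOUT_CODES]
        for i, first in enumerate(lockouts):    # slide the window over lockouts only
            t0 = _ts(first)
            in_window = [e for e in lockouts[i:] if _ts(e) - t0 <= window]
            users = {e["userPrincipalName"] for e in in_window}
            if len(in_window) < min_lockouts or len(users) < min_users:
                continue
            # Triage context: the other failure codes this source produced.
            other_codes = sorted({e["status"]["errorCode"] for e in evs
                                  if e["status"]["errorCode"] not in LOCKOUT_CODES
                                  and e["status"]["errorCode"] != 0})
            alerts.append({
                "source_ip": ip,
                "window_start": first["createdDateTime"],
                "lockouts": len(in_window),
                "distinct_users": len(users),
                "users": sorted(users),
                "apps": sorted({e["appDisplayName"] for e in in_window}),
                "other_error_codes": other_codes,
            })
            break                               # one alert per source, not per offset
    return alerts


if __name__ == "__main__":
    for alert in find_lockout_bursts(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only the external source fires: the allowlisted backup host is skipped outright, and the single mistyping user produces enough lockouts but only one distinct account. Lowering the distinct-user threshold to 1 and clearing the allowlist makes all three sources alert, which is the noisy behaviour the false-positive guidance warns about.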
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Cloud Service
- Logon Session
- Application Log
- Network Traffic
ATT&CK Techniques
- T1110
- T1110.001
- T1110.003
- T1110.004
Created: 2025-06-06