
Summary
The 'Duo Admin Lockout' detection rule alerts when a Duo administrator is locked out of their account after multiple incorrect passcode attempts. Such lockouts can signal an attempted account compromise or misuse of administrative privileges, so the rule gives security teams an early opportunity to investigate. It inspects Duo administrator log events whose logged action is 'admin_lockout' and whose description indicates that the admin was temporarily locked out. The rule accepts both valid and invalid lockout log formats, so the detection stays robust to either form. It handles the log timestamps and deduplicates alerts over a 60 minute window, so repeated lockouts within a short time frame do not cause alert fatigue. The rule operates on Duo's administrative logs with a defined threshold, aiming for accurate detection without overwhelming security teams. Each lockout generates a medium severity alert, allowing timely intervention before any potential escalation.
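As an added example (not the rule's own code), the following Python sketch shows the matching and deduplication logic the summary describes, run over constructed Duo administrator log events. The field names action, object, description and timestamp, the 60 minute window and the Medium severity follow the summary; treating description as either a JSON string or plain text is an assumption.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real Duo data). The description field
# appears once as a JSON string and once as plain text, standing in for the
# "valid and invalid lockout log formats" the rule has to tolerate.
LOCKOUT_TEXT = "Admin temporarily locked out due to too many passcode attempts."
SAMPLE_EVENTS = [
    {"action": "admin_lockout", "object": "alice", "timestamp": 1671580800,
     "description": json.dumps({"message": LOCKOUT_TEXT})},
    {"action": "admin_lockout", "object": "alice", "timestamp": 1671581400,
     "description": LOCKOUT_TEXT},                       # 10 min later: deduplicated
    {"action": "bypass_create", "object": "bob", "timestamp": 1671582000,
     "description": json.dumps({"count": 1})},           # not a lockout
    {"action": "admin_lockout", "object": "alice", "timestamp": 1671585000,
     "description": json.dumps({"message": LOCKOUT_TEXT})},  # 70 min later: new alert
]

DEDUP_WINDOW = timedelta(minutes=60)
SEVERITY = "Medium"

def lockout_message(event):
    """Return the lockout reason whether description is JSON or plain text."""
    desc = event.get("description", "")
    try:
        parsed = json.loads(desc)
        if isinstance(parsed, dict):
            return str(parsed.get("message", "Unknown"))
    except (TypeError, ValueError):
        pass  # assumption: a non-JSON description is the message itself
    return desc or "Unknown"

def rule(event):
    """Match admin_lockout actions whose description says the admin was locked out."""
    return event.get("action") == "admin_lockout" and "locked out" in lockout_message(event).lower()

def title(event):
    return f"Duo Admin [{event.get('object')}] is locked out. Reason: [{lockout_message(event)}]"

def run_rule(events):
    """Evaluate events in time order, suppressing repeat alerts per admin within the window."""
    last_alert, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if not rule(ev):
            continue
        ts = datetime.fromtimestamp(ev["timestamp"], tz=timezone.utc)
        admin = ev.get("object")
        if admin in last_alert and ts - last_alert[admin] < DEDUP_WINDOW:
            continue
        last_alert[admin] = ts
        alerts.append({"title": title(ev), "severity": SEVERITY, "time": ts.isoformat()})
    return alerts
```

Running run_rule(SAMPLE_EVENTS) yields two alerts for alice: the second lockout falls inside the 60 minute window and is suppressed, and bob's bypass_create event never matches.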
Categories
- Identity Management
- Cloud
- Endpoint
Data Sources
- User Account
- Application Log
Created: 2022-12-21