
Summary
This rule detects workstation lock events, recorded as Event ID 4800 in the Windows Security log. A lock is typically triggered automatically after a defined period of user inactivity, an essential security measure that prevents unauthorized access to user sessions. Monitoring these events helps organizations maintain awareness of user session security and can alert security teams to unusual workstation-locking patterns that may signal a security concern. The rule has been stable since its creation and remains valuable for enforcing access controls in compliance with various cybersecurity standards.
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Application Log
Created: 2019-03-26