
Summary
This rule detects when an Okta user account has been locked because the maximum number of failed login attempts was exceeded. The detection keys on events in Okta's System Log with the event type 'user.account.lock'. In the rule's tests, a detection fires when the event shows a lockout outcome with the corresponding display message; a second, negative test case processes an event of a different type and confirms that the rule distinguishes genuine lockout events from other user-related activity. The rule's severity is classified as low: account lock events can signal a potential security concern, but they are relatively common and do not by themselves indicate a successful attack.
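As an added example (not the rule's own code), the detection logic described above run over two constructed Okta System Log events, one lockout and one unrelated event, mirroring the rule's positive and negative tests. The field paths follow Okta's System Log schema; the outcome values, user names and IP addresses in the samples are constructed assumptions, not values taken from this page.

```python
from typing import Any, Dict, List, Optional

# The event type the rule keys on; all other values below are constructed samples.
LOCK_EVENT_TYPE = "user.account.lock"


def is_account_lockout(event: Dict[str, Any]) -> bool:
    """Fire only on Okta System Log events of type user.account.lock."""
    return event.get("eventType") == LOCK_EVENT_TYPE


def alert_context(event: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """Pull the fields an analyst wants when triaging a lockout (Okta schema paths)."""
    return {
        "user": event.get("actor", {}).get("alternateId"),
        "source_ip": event.get("client", {}).get("ipAddress"),
        "outcome": event.get("outcome", {}).get("result"),
        "reason": event.get("outcome", {}).get("reason"),
        "message": event.get("displayMessage"),
    }


def run_rule(events: List[Dict[str, Any]]) -> List[Dict[str, Optional[str]]]:
    """Return one alert context per matching event, in input order."""
    return [alert_context(e) for e in events if is_account_lockout(e)]


# Constructed sample events: one lockout (should alert) and one unrelated
# user event of a different type (should not), like the rule's two tests.
SAMPLE_EVENTS = [
    {
        "eventType": "user.account.lock",
        "displayMessage": "Max sign in attempts exceeded",
        "outcome": {"result": "SUCCESS", "reason": "LOCKED_OUT"},  # assumed values
        "actor": {"alternateId": "alice@example.com", "type": "User"},
        "client": {"ipAddress": "198.51.100.7"},
    },
    {
        "eventType": "user.session.start",
        "displayMessage": "User login to Okta",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": "bob@example.com", "type": "User"},
        "client": {"ipAddress": "203.0.113.9"},
    },
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)  # only the lockout event produces an alert
```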
Categories
- Identity Management
- Cloud
Data Sources
- User Account
- Application Log
Created: 2022-12-15