
Summary
This detection rule identifies an Okta user account that is locked out three times within a three-hour window, a pattern that may indicate a brute force or password spraying attack against the account. During a brute force attempt an attacker repeatedly guesses credentials until one succeeds or the account locks; under Okta's default authentication policy an account is locked after 10 unsuccessful login attempts, so three lockouts in a short period represent roughly 30 failed attempts against a single user.

The detection is a threshold rule over the `event.dataset:okta.system` dataset, filtered to user account lock actions and counted per targeted user, so it fires on repeated lockouts rather than on any single one.

Investigation reviews the fields on the matching Okta events to establish which user was targeted, the severity Okta assigned to the events, whether the attempts correlate by source IP address, and whether the timing is unusual for that user (for example outside working hours or in rapid succession). This distinguishes a genuine attack from a false positive caused by a user repeatedly mistyping a password or a stale credential in a script or device.

Potential responses include notifying the affected user, initiating incident response procedures, forcing a password change, and checking whether the account was actually accessed during or after the attack window. Implemented with these investigation steps, the rule gives an organization early visibility into credential guessing against its Okta identities.
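The threshold logic described above, run over a few constructed Okta System Log records. This is an added example and not the rule's own query; it assumes the Elastic-style field mapping for Okta events (`event.dataset`, `event.action`, `okta.actor.alternate_id`, `source.ip`) and that the lockout event is named `user.account.lock`. It uses a sliding three-hour window per user, which is a simplification of how a SIEM threshold rule buckets time, and also collects the source IPs and first/last timestamps an analyst would want for the investigation step.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Okta data). Alice is locked three times
# in 2.5 hours, Bob three times spread over a working day, Carol twice in ten
# minutes. Two non-lock records are included to exercise the filter.
SAMPLE_LOG = """
{"@timestamp": "2024-03-04T09:00:00Z", "event": {"dataset": "okta.system", "action": "user.account.lock"}, "okta": {"actor": {"alternate_id": "alice@example.com"}}, "source": {"ip": "203.0.113.10"}}
{"@timestamp": "2024-03-04T09:05:00Z", "event": {"dataset": "okta.system", "action": "user.session.start"}, "okta": {"actor": {"alternate_id": "alice@example.com"}}, "source": {"ip": "203.0.113.10"}}
{"@timestamp": "2024-03-04T10:15:00Z", "event": {"dataset": "okta.system", "action": "user.account.lock"}, "okta": {"actor": {"alternate_id": "alice@example.com"}}, "source": {"ip": "198.51.100.7"}}
{"@timestamp": "2024-03-04T11:30:00Z", "event": {"dataset": "okta.system", "action": "user.account.lock"}, "okta": {"actor": {"alternate_id": "alice@example.com"}}, "source": {"ip": "203.0.113.10"}}
{"@timestamp": "2024-03-04T08:00:00Z", "event": {"dataset": "okta.system", "action": "user.account.lock"}, "okta": {"actor": {"alternate_id": "bob@example.com"}}, "source": {"ip": "192.0.2.44"}}
{"@timestamp": "2024-03-04T12:30:00Z", "event": {"dataset": "okta.system", "action": "user.account.lock"}, "okta": {"actor": {"alternate_id": "bob@example.com"}}, "source": {"ip": "192.0.2.44"}}
{"@timestamp": "2024-03-04T17:00:00Z", "event": {"dataset": "okta.system", "action": "user.account.lock"}, "okta": {"actor": {"alternate_id": "bob@example.com"}}, "source": {"ip": "192.0.2.44"}}
{"@timestamp": "2024-03-04T09:00:00Z", "event": {"dataset": "okta.system", "action": "user.account.lock"}, "okta": {"actor": {"alternate_id": "carol@example.com"}}, "source": {"ip": "203.0.113.10"}}
{"@timestamp": "2024-03-04T09:10:00Z", "event": {"dataset": "okta.system", "action": "user.account.lock"}, "okta": {"actor": {"alternate_id": "carol@example.com"}}, "source": {"ip": "203.0.113.10"}}
{"@timestamp": "2024-03-04T09:12:00Z", "event": {"dataset": "aws.cloudtrail", "action": "ConsoleLogin"}, "okta": {"actor": {"alternate_id": "carol@example.com"}}, "source": {"ip": "203.0.113.10"}}
"""

LOCK_ACTION = "user.account.lock"  # assumed Okta event type for a lockout


def parse_events(raw):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def lockout_events(events):
    """Keep only Okta system-log records whose action is an account lock."""
    return [
        e for e in events
        if e.get("event", {}).get("dataset") == "okta.system"
        and e.get("event", {}).get("action") == LOCK_ACTION
    ]


def _ts(event):
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def detect_lockout_bursts(events, threshold=3, window=timedelta(hours=3)):
    """Return {user: context} for each user with >= threshold lockouts inside
    any sliding window of the given length. Context carries what an analyst
    would look at first: count, first/last lock time and distinct source IPs."""
    by_user = defaultdict(list)
    for e in lockout_events(events):
        by_user[e["okta"]["actor"]["alternate_id"]].append((_ts(e), e))

    alerts = {}
    for user, items in by_user.items():
        items.sort(key=lambda pair: pair[0])
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits = items[start:end + 1]
                alerts[user] = {
                    "count": len(hits),
                    "first": hits[0][0].isoformat(),
                    "last": hits[-1][0].isoformat(),
                    "source_ips": sorted({ev["source"]["ip"] for _, ev in hits}),
                }
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for user, ctx in detect_lockout_bursts(parse_events(SAMPLE_LOG)).items():
        print(user, ctx)
```

With the default threshold only alice@example.com fires: her three locks fall within 2.5 hours, while Bob's three locks never share a three-hour window and Carol only has two. Lowering the threshold to 2 would also surface Carol, and the two distinct source IPs on Alice's alert are exactly the correlation the investigation step calls for.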
Categories
- Identity Management
- Cloud
- On-Premise
Data Sources
- User Account
- Script
- Application Log
ATT&CK Techniques
- T1110
Created: 2020-08-19