Cisco ASA - User Account Lockout Threshold Exceeded

Splunk Security Content

Summary
This detection rule identifies user account lockouts on Cisco ASA devices, which occur when a user exceeds the configured maximum number of failed authentication attempts. The rule uses ASA message ID 113006, which is emitted when a user account is locked because of excessive failed authentication attempts. Such lockouts can indicate various malicious activities, including brute force attacks, password spraying, and misconfigured automation. The key aspects to monitor are the type of account being locked out (especially privileged or administrative accounts), patterns of simultaneous lockouts across many accounts (potentially indicating a password spraying attempt), and lockouts originating from unusual or suspicious IP addresses or occurring at unusual times, such as off-hours. When investigating these incidents, analyze the context and patterns to differentiate between legitimate and malicious activity.
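The three triage checks the summary calls out, as an added example written for this page and not code from the Splunk Security Content rule: it parses constructed syslog lines in the documented %ASA-5-113006 shape (the timestamp/host prefix, the privileged-account watch-list and the business-hours window are assumptions) and flags privileged-account lockouts, off-hours lockouts, and bursts of distinct accounts locked on one device, the password-spraying pattern.

```python
import re
from datetime import datetime, timedelta
# Constructed sample syslog lines in the documented %ASA-5-113006 shape; the
# "Mon DD YYYY hh:mm:ss host" prefix is assumed to be added by the syslog feed.
SAMPLE_LOGS = """\
Nov 18 2025 02:13:07 asa-edge01 %ASA-5-113006: User alice locked out on exceeding 5 successive failed authentication attempts
Nov 18 2025 02:13:09 asa-edge01 %ASA-5-113006: User bob locked out on exceeding 5 successive failed authentication attempts
Nov 18 2025 02:13:15 asa-edge01 %ASA-5-113006: User admin locked out on exceeding 5 successive failed authentication attempts
Nov 18 2025 10:41:30 asa-edge01 %ASA-5-113006: User dave locked out on exceeding 5 successive failed authentication attempts
Nov 18 2025 10:45:02 asa-edge01 %ASA-6-113012: AAA user authentication Successful : local database : user = dave
"""
LOCKOUT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-\d-113006: User '?(?P<user>[^' ]+)'? locked out on exceeding "
    r"\d+ successive failed authentication attempts")
PRIVILEGED = {"admin", "enable_15"}   # hypothetical watch-list of privileged accounts
BUSINESS_HOURS = range(8, 18)         # assumed working hours in the device's local time

def parse_lockouts(text):
    # Keep only 113006 events (other ASA message IDs are ignored), oldest first.
    events = []
    for line in text.splitlines():
        if m := LOCKOUT_RE.match(line):
            events.append({"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                           "host": m["host"], "user": m["user"]})
    return sorted(events, key=lambda e: e["ts"])

def spray_clusters(events, gap=timedelta(minutes=5), min_users=3):
    """Per device, group lockouts into bursts (consecutive events <= gap apart) and
    report bursts that lock many distinct accounts: the password-spraying pattern."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    clusters = []
    for host, evs in by_host.items():
        burst = [evs[0]]
        for e in evs[1:] + [None]:            # trailing None flushes the last burst
            if e is not None and e["ts"] - burst[-1]["ts"] <= gap:
                burst.append(e)
                continue
            users = sorted({x["user"] for x in burst})
            if len(users) >= min_users:
                clusters.append({"host": host, "start": burst[0]["ts"], "users": users})
            burst = [e]
    return clusters

def triage(text):
    # The three checks from the rule summary, applied to a block of syslog text.
    events = parse_lockouts(text)
    return {"privileged": [e["user"] for e in events if e["user"] in PRIVILEGED],
            "off_hours": [e["user"] for e in events if e["ts"].hour not in BUSINESS_HOURS],
            "spray": spray_clusters(events)}
```

On the sample, `dave` is a lone daytime lockout and is not flagged, while the three accounts locked within eight seconds at 02:13, one of them `admin`, trip all three checks.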
Categories
  • Network
Data Sources
  • User Account
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1110.001
  • T1110.003
Created: 2025-11-18