
Detect Excessive User Account Lockouts

Splunk Security Content

Summary
The rule 'Detect Excessive User Account Lockouts' identifies user accounts that are locked out an abnormal number of times within a short time span, a pattern that points to a brute-force attack or a configuration problem. It uses the 'Change' data model, examining lockout results in particular. The analytic queries user lockout events, aggregates the count per user, and flags cases where more than five lockouts occur. Such behaviour signals a risk of account compromise or unauthorized access and warrants immediate investigation. The search depends on Windows security event logs being ingested and mapped to the relevant data model. In practice, users are encouraged to tune the monitoring threshold to their organization's needs and to account for legitimate causes of false positives, such as misconfigurations that produce repeated login failures. The rule includes drilldown searches for further investigation and links its findings to risk events in the environment.
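The aggregation the summary describes, written out as a small Python model rather than the rule's own SPL search; this is an added example and not code from Splunk Security Content. It assumes events with `user`, `result` and `_time` fields (loosely modelled on the Change data model), a one-hour window (the page states only "a condensed time span"), the page's threshold of more than five lockouts, and constructed sample events. It goes slightly beyond the summary by using a sliding time window per user, so that the same number of lockouts spread over a whole day does not trigger the rule, and by accepting an exclusion list for accounts a team has already identified as benign sources of repeated lockouts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5          # page's threshold: alert when MORE than five lockouts
WINDOW = timedelta(hours=1)    # assumed "condensed time span"; tune per environment

# Constructed sample events (not real log lines). Field names are assumed
# to resemble the Change data model: user, result, _time.
SAMPLE_EVENTS = [
    # svc_backup: seven lockouts inside thirty minutes -> should be flagged
    {"user": "svc_backup", "result": "lockout", "_time": "2024-11-13T08:00:10"},
    {"user": "svc_backup", "result": "lockout", "_time": "2024-11-13T08:03:00"},
    {"user": "svc_backup", "result": "lockout", "_time": "2024-11-13T08:07:45"},
    {"user": "svc_backup", "result": "lockout", "_time": "2024-11-13T08:12:30"},
    {"user": "svc_backup", "result": "lockout", "_time": "2024-11-13T08:18:00"},
    {"user": "svc_backup", "result": "lockout", "_time": "2024-11-13T08:22:15"},
    {"user": "svc_backup", "result": "lockout", "_time": "2024-11-13T08:29:50"},
    # alice: three lockouts plus an unrelated success -> below threshold
    {"user": "alice", "result": "lockout", "_time": "2024-11-13T09:00:00"},
    {"user": "alice", "result": "lockout", "_time": "2024-11-13T09:05:00"},
    {"user": "alice", "result": "success", "_time": "2024-11-13T09:10:00"},
    {"user": "alice", "result": "lockout", "_time": "2024-11-13T09:40:00"},
    # bob: six lockouts, but 70 minutes apart -> never more than one per hour
    {"user": "bob", "result": "lockout", "_time": "2024-11-13T10:00:00"},
    {"user": "bob", "result": "lockout", "_time": "2024-11-13T11:10:00"},
    {"user": "bob", "result": "lockout", "_time": "2024-11-13T12:20:00"},
    {"user": "bob", "result": "lockout", "_time": "2024-11-13T13:30:00"},
    {"user": "bob", "result": "lockout", "_time": "2024-11-13T14:40:00"},
    {"user": "bob", "result": "lockout", "_time": "2024-11-13T15:50:00"},
]


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 timestamp used in the constructed sample events."""
    return datetime.fromisoformat(value)


def excessive_lockouts(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW,
                       exclude_users=()):
    """Return {user: peak_count} for users whose lockout results exceed
    `threshold` inside any sliding window of length `window`.

    `exclude_users` models the page's advice to handle known false-positive
    sources (e.g. a misconfigured account) rather than lowering the threshold.
    """
    per_user = defaultdict(list)
    for ev in events:
        # Match lockout results the way the rule focuses on lockouts,
        # ignoring successes and other change results.
        if "lock" in ev["result"].lower() and ev["user"] not in exclude_users:
            per_user[ev["user"]].append(parse_time(ev["_time"]))

    findings = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        peak = 0
        # Two-pointer sweep: for each event, shrink the window from the left
        # until all events in [start, end] fall inside `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            findings[user] = peak
    return findings


if __name__ == "__main__":
    for user, count in excessive_lockouts(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} locked out {count} times within {WINDOW}")
```

Running the block flags only `svc_backup`; widening the window to a full shift would also surface `bob`, which is the tuning decision the summary leaves to each organization.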
Categories
  • Windows
Data Sources
  • User Account
ATT&CK Techniques
  • T1078
  • T1078.003
  • T1078.002
Created: 2024-11-13