[Rule Tuning] Entra ID Excessive Account Lockouts Detected #5501

@terrancedejesus

Summary

Tightening the Entra ID Excessive Account Lockouts Detected detection to ignore internal CIDRs and reduce the rolling window from 1h (interval 30m) --> 30m (interval 15m) for bursts of account lockouts. We also added a more in-depth investigation guide for this rule to aid analysts with investigations. This stems from feedback via customer SDH 652.

Globally, this rule has only fired for 10% of our Entra ID customer base who have the rule enabled (~1k) in the last 90 days, which indicates it is not globally noisy, but has room for tightening.

We have emulated this behavior to ensure the alert still fires.
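As an added illustration of the two tuning changes (this is not the rule's own query, which the PR does not show), the Python below runs over constructed sign-in records: lockouts from internal CIDRs are dropped, and the remaining lockouts are counted per external source IP within a 30-minute rolling window. The record field names, the use of error code 50053 for a locked account, the RFC 1918 exclusion list and the threshold of five distinct accounts are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

LOCKOUT_CODE = 50053  # assumption: Entra sign-in error code meaning "account locked"
WINDOW = timedelta(minutes=30)  # the tuned rolling window from the PR
INTERNAL_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    """True when the source address falls in one of the excluded internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_CIDRS)

def find_lockout_bursts(events, threshold=5, window=WINDOW):
    """Map each external source IP to the peak number of distinct accounts it locked
    out inside any rolling `window`; only IPs reaching `threshold` are returned."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status_code"] != LOCKOUT_CODE or is_internal(e["source_ip"]):
            continue  # not a lockout, or from an internal CIDR the tuning ignores
        by_ip[e["source_ip"]].append((datetime.fromisoformat(e["timestamp"]), e["user"]))
    bursts = {}
    for ip, items in by_ip.items():
        items.sort()
        recent, peak = deque(), 0
        for ts, user in items:
            recent.append((ts, user))
            while ts - recent[0][0] > window:  # slide the window forward
                recent.popleft()
            peak = max(peak, len({u for _, u in recent}))
        if peak >= threshold:
            bursts[ip] = peak
    return bursts

def _ev(hhmm, ip, user, code=LOCKOUT_CODE):
    return {"timestamp": f"2024-05-01T{hhmm}:00", "source_ip": ip, "user": user, "status_code": code}

# Constructed sample sign-in records, not real telemetry.
SAMPLE_EVENTS = (
    [_ev(f"09:{m:02d}", "203.0.113.5", f"user{i}") for i, m in enumerate((0, 3, 6, 10, 15, 20))]
    + [_ev("09:01", "203.0.113.5", "user9", code=50126)]  # bad password, not a lockout
    + [_ev(f"09:{m:02d}", "10.1.2.3", f"user{i}") for i, m in enumerate((0, 2, 4, 6, 8, 10))]
    + [_ev(f"{h:02d}:{m:02d}", "198.51.100.7", f"user{i}")
       for i, (h, m) in enumerate(((8, 0), (8, 40), (9, 20), (10, 0), (10, 40), (11, 20)))]
)

if __name__ == "__main__":
    print(find_lockout_bursts(SAMPLE_EVENTS))  # {'203.0.113.5': 6}
```

The internal host 10.1.2.3 produces the same burst but is excluded, and 198.51.100.7 spreads six lockouts 40 minutes apart, so it never exceeds one account per 30-minute window.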
