Account Locks - 3 or more lock actions for any connected SaaS application within 12 hours.
Contact the customer or user and make them aware of this event. Unless the locks are the result of several admin suspensions, this event indicates an active, ongoing attempt to execute a brute-force login attack on the user account. The account should be secured by forcing a log-out from all devices (if the SaaS product provides this functionality), resetting the user password using complex password best practices, and enabling MFA if it is offered and not already enabled. If the problem persists, it is advisable to create a new login account for this user and remove the account that is under persistent attack. If the account is associated with a user mailbox, the previous account can be added as an alias to the new user account.
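The rule above, written as a sliding-window check over audit events. This is an added example, not the product's own detection code. The event schema, the `find_lock_alerts` name and the per-(user, application) grouping are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=12)  # "within 12 hours"
THRESHOLD = 3                 # "3 or more lock actions"

def ev(time, user, app, action, actor):
    return {"time": time, "user": user, "app": app, "action": action, "actor": actor}

# Constructed sample audit events; the schema is an assumption, not a vendor format.
SAMPLE_EVENTS = [
    ev("2024-05-01T01:00:00", "alice@example.com", "mail", "lock", "system"),
    ev("2024-05-01T02:00:00", "bob@example.com", "crm", "lock", "admin"),
    ev("2024-05-01T02:05:00", "bob@example.com", "crm", "lock", "admin"),
    ev("2024-05-01T02:10:00", "bob@example.com", "crm", "lock", "admin"),
    ev("2024-05-01T03:30:00", "alice@example.com", "mail", "lock", "system"),
    ev("2024-05-01T04:00:00", "alice@example.com", "mail", "login_failed", "system"),
    ev("2024-05-01T09:45:00", "alice@example.com", "mail", "lock", "system"),
    ev("2024-05-01T00:00:00", "carol@example.com", "storage", "lock", "system"),
    ev("2024-05-01T06:00:00", "carol@example.com", "storage", "lock", "system"),
    ev("2024-05-01T13:00:00", "carol@example.com", "storage", "lock", "system"),
]

def find_lock_alerts(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of lock actions per (user, app)."""
    recent = defaultdict(deque)  # (user, app) -> deque of (timestamp, actor)
    alerts = []
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if e["action"] != "lock":
            continue
        ts = datetime.fromisoformat(e["time"])
        q = recent[(e["user"], e["app"])]
        q.append((ts, e["actor"]))
        while ts - q[0][0] > window:  # drop locks older than the window
            q.popleft()
        if len(q) >= threshold:
            admin_only = all(actor == "admin" for _, actor in q)
            alerts.append({
                "user": e["user"], "app": e["app"], "locks": len(q),
                "first": q[0][0], "last": ts,
                # Triage hint: admin suspensions are the benign case named in the guidance.
                "cause": "admin_suspensions" if admin_only else "possible_brute_force",
            })
            q.clear()  # start a fresh window so one burst raises one alert
    return alerts

if __name__ == "__main__":
    for a in find_lock_alerts(SAMPLE_EVENTS):
        print(a["user"], a["app"], a["locks"], a["cause"])
```

Carol's three locks span 13 hours, so the oldest falls out of the window and no alert is raised. Bob's alert is tagged as admin suspensions so it can be triaged separately from the brute-force case.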