the eDirectory collector classifies intruder lockout events that occur if a
login attempt with an invalid password was performed too often as
XDAS_AE_CREATE_SESSION with an outcome of XDAS_OUT_FAILURE. I don't think
this taxonomy correctly describes the action. From the list of action
taxonomies XDAS_AE_DISABLE_ACCOUNT with a success outcome seems the best fit
("An action that prevents a principal account from being used within a
Would this choice conflict with Disable Login using the same taxonomy?
Is this also used for audit events generated by Sentinel's Intruder
Detection and Lockout Mechanisms?