Greetings,
I came across a thread (https://thwack.solarwinds.com/thread/66209) that described a modified filter that would be good at catching someone trying to guess user passwords without locking accounts. I created a filter, and as a test I had one of the schema/domain/enterprise admins attempt a logon but purposely fat finger the password. Nothing was caught. I'm a LEM newb, so is there a more experienced LEM-er (or is it LEM-ming?) that could check my filter below and let me know where I may have gone astray? I first built this with the UserLogonFailure.DestinationAccount events, but that wasn't catching anything, so I added the UserLogonFailure.SourceAccount events, but that didn't catch anything either.
If this looks ok (<gasp> which I doubt), could there be an Audit Policy that is not turned on?
Thanks!