I have never really masted this platform so forgive me if this is an easy one. I get thousands of these in the logs daily and the detail says it is coming from the SEM itself. What am I missing?
There must be a rule defined in your SEM platform to detect "user logon failure" events and create an high priority "inference" events for reporting or alerting purpose. SEM rules can be configured with different settings, for example; this rule can be fired when there are more than 10 user logon failure events detected for the same account in last 30 seconds. You can customize event count or time frame settings based on your environment.
I think the current rule configuration is not suitable to your environment as this rule is being fired thousands of time in a day. I would suggest reviewing the current rule configuration for "user logon failure" and tune the condition for your organization.
