Is there a why to create a email event when a users has lock them self out and used a bad password so many times in a certain time period?
Check your rules. Build -> Rules.
There should be something there about Account Locking out due to bad passwords etc.
Yes there is one with lock out user with bad password but I am trying to see if same users try's 3 different times in the time out threshold, Example - they lock them self's out with bad password then wait XX number of minutes you have set before you account is unlock and they fail again and they wait again the a lot time and try again. This is where I would like to get email when user Has bad password 3 times in allotted time so I can see if someone might be trying a brute force attack.
You seem to be describing a long term notification, so if I'm understanding you correctly, as an example:
User locks themselves out for 3 bad attempts, they wait 30 minutes for the account to unlock, do it again two more times for a total of 9 failures over 1.5 hours or so.
This is the situation you would like LEM to alert on?
If the above is accurate then it would not typically be possible. LEM is a real time event correlation engine and will only correlate events within the last 5 minutes by default. In order to increase the threshold to 1.5 hours for example would require a huge increase in resources to even attempt and typically isn't going to work.
Usually for this type of scenario you would want to create a lockout report so that you can verify if the same account is getting locked out on a regular basis (daily, weekly, etc).
