I did some digging, and it looks like the easy answer is, if Windows logs the event twice (whether on the same computer or different computers), you're going to see two alerts for it. And, oftentimes, this is going to directly affect your rules.
That said, if all you're looking for from your rule at this point is an email notification, one thing you might consider doing is tweaking the rule so that it looks for the same events your DCs are looking for rather than the lockout events themselves.
For example, if your DCs are set to lock out an account after 3 incorrect password attempts within a specific time frame, configure your rule to look for 3 UserLogonFailure alerts to a single account within the same time frame used by your DCs. If you choose to go this route, keep the following in mind:
- Exclude accounts that your DCs exclude (administrators, for example) in your rule to avoid false positives.
- Use the Correlation Time box under the rule's Correlations to set the number of alerts and specific time frame that should fire the rule.
- Use the Advanced Thresholds (small clock/gear icon to the right of the time increment menu in the Correlation Time box) to tell your rule that you only want it to fire if the logon failures occur on the same account.
- Take a look at the Critical Account Logon Failures rule in the NATO5 Rules folder to see what a rule like this might look like.
I know this probably isn't the exact response you were looking for, but I think it will get the job done.
Thanks Phil. Being new to the software, I wasn't sure this was expected behavior or not. Thanks for the response!