In the nDepth tool, I would navigate to the Search Builder (the last selection on the bottom) to make it easier to build. Then you can try with:
Events>Failed Authentication>Destination Account OR
Events>UserAuthTicketFailure>Destination Account OR
See if that gets you the information you need.
Hope this helps
Thank you! It looks like this shows me what I am looking for.
Handy tip - if you have a filter that shows you what you're interested in in real time, you can always go Gear (on the top left) -> send to nDepth to search for the same data historically.
You might want to use an Alert/Event Group to expand to all types of "Auth Audit Events" (not just individuals) - something like Auth Audit Events.DestinationAccount = <blah>. DestinationAccount generally shows you the target account (the account being logged on TO), SourceAccount shows you the account events might be coming from (usually only for changes).
nDepth also has a common/combined field called "Username". You can build some queries after the fact that just use the fields and don't refine to specific event types by dragging that field from the "Refine Fields" to the search bar/search area.