Currently, we use LEM heavily for identifying account lockouts/bad password attempts. I currently use this search in nDepth to find them: ( "Event Name" = UserLogonFailure ) AND ( DestinationAccount = <username> )
However, I'd ideally like to add the ability to show bad password attempts against our Network Policy Server. The above search finds the 4625 error on the Net. Policy server, but I need the 6273 error to retrieve the MAC address of the device locking the user's account out. Is this even possible to do with LEM? I have been going through both the rules and filters, and have not found a way to do this.
Figures, after I submitted this question I figured out the answer myself.
In nDepth I created this search:
( "Event Name" = UserAuthAudit ) AND ( ( "Event Name" = UserAuthAudit ) AND ( EventInfo = "*Network Policy Server*" ) )
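An added example, not part of the original post and not LEM code: once the 6273 events are found, the device MAC is in the "Calling Station Identifier" field of the event message, and "Account Name" appears under both the User and Client Machine sections, so the parser below tracks sections. It assumes the standard Windows Event 6273 message layout; the sample events, account names and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed, abbreviated 6273 message text (not taken from a real server).
TEMPLATE = """Network Policy Server denied access to a user.

User:
    Security ID:            NULL SID
    Account Name:           {user}
    Account Domain:         CORP

Client Machine:
    Security ID:            NULL SID
    Account Name:           -
    Called Station Identifier:      00-11-22-33-44-55:CorpWiFi
    Calling Station Identifier:     {mac}

Authentication Details:
    Reason Code:            16
"""
SAMPLE = [TEMPLATE.format(user=u, mac=m) for u, m in [
    ("jdoe", "AA-BB-CC-DD-EE-01"), ("JDOE", "aabb.ccdd.ee01"),
    ("asmith", "AA-BB-CC-DD-EE-02")]]

SECTION = re.compile(r"^(\S[^:]*):\s*$")      # unindented header, e.g. "User:"
FIELD = re.compile(r"^\s+([^:]+):\s*(.*)$")   # indented "Name:    value"

def parse_6273(message):
    """Return {(section, field): value} so duplicate field names stay separate."""
    fields, section = {}, None
    for line in message.splitlines():
        if m := SECTION.match(line):
            section = m.group(1)
        elif (m := FIELD.match(line)) and section:
            fields[(section, m.group(1).strip())] = m.group(2).strip()
    return fields

def normalize_mac(value):
    """Canonicalise a MAC to AA:BB:CC:DD:EE:FF; return non-MAC values as logged."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    if len(digits) != 12:
        return value  # e.g. "-" when the NAS sent no Calling-Station-Id
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def lockout_sources(messages, username):
    """Count source devices for denied NPS requests made as `username`."""
    hits = Counter()
    for msg in messages:
        f = parse_6273(msg)
        if f.get(("User", "Account Name"), "").lower() == username.lower():
            mac = f.get(("Client Machine", "Calling Station Identifier"), "-")
            hits[normalize_mac(mac)] += 1
    return hits
```
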