Currently, we use LEM heavily for identifying account lockouts/bad password attempts. I currently use this search in nDepth to find them: ( "Event Name" = UserLogonFailure ) AND ( DestinationAccount = <username> )
However, I'd ideally like to add the ability to show bad password attempts against our Network Policy Server. The above search finds the 4625 error on the Net. Policy server, but I need the 6273 error to retrieve the MAC Address of the device locking the user's account out. Is this even possible to do with LEM? I have been going through both the rules and filters, and have not found a way to do this.