Should this not send an alert email whenever a user fails to log on to one of the monitored endpoints? The filter appears to be capturing the event, but the rule is not firing. I am not sure what I am missing. This is mostly just a test to be sure that I can get the email action to work properly. I will change it to only fire after several failed logon attempts once I know it is working.
