Create and enable a critical logon failures rule
Clone and enable critical account logon failures rule to track failed logon attempts to the default Windows Administrator account. The default action for this rule is to generate a HostIncident event, which you can use in conjunction with the Incidents report to notify auditors you are auditing the critical events on your network.
Log in to the SEM Console.
On the toolbar, click Rules.
On the Rules toolbar, click Create rule from template.
In the search box, enter:
"critical account" failures
- Select the Critical Account Logon Failures rule template, and then click Next.
- Review and edit the existing conditions and values where needed, and then click Next.
- Review and adjust the rule details where needed, and then click Create.
See Create a new rule for additional guidance.