Update: Since posting, I am able to perform an nDepth search to find failed authentication requests to OWA.
Refine the query with the following conditions:
WebTrafficAudit.AlertActivityType=HTTP-401 AND WebTrafficAudit.URL=<URL> (e.g. 192.168.0.1/owa/auth.owa)
Specify a time period and run the search.
I am yet to distinguish auth success events generated by users logging into OWA and not general navigation through OWA. Any help on refining my results to show only these events would be highly appreciated.
-Garreth