Re: Incidents created when manager logs in as root for cron

Your solution will not give the desired effect. You have all your conditions in a correlation box set to OR (yellow right edge). So, if any of these conditions are met, it will apply. That means the "DetectionIP not equal to *swi-lem*" condition will meet this even if the DestinationAccount isn't administrator, root, or guest.


I believe this will accomplish that.


Lem Rule 2.JPG


The right edge is set to AND (blue), meaning that both groups must meet their condition for the correlation to be true: (DestinationAccount is equal to administrator, root, or guest) AND (DestinationIP is not equal to your LEM appliance).
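To make the difference between the two groupings concrete, here is an added illustration that is not part of the reply above and not SolarWinds SEM code: a small evaluator that runs a flat OR rule and the grouped AND rule over three constructed events. Field names follow the thread; the `*swi-lem*` wildcard and the sample hosts are assumptions.

```python
# Constructed evaluator for the correlation-rule grouping discussed in the
# thread. Not SolarWinds SEM code; field names follow the post, and the
# "*swi-lem*" pattern stands in for the LEM appliance.
import fnmatch

PRIVILEGED = {"administrator", "root", "guest"}
LEM_HOST_PATTERN = "*swi-lem*"  # assumed wildcard for the LEM appliance


def flat_or_rule(event):
    """All conditions in one box joined with OR (yellow edge).

    Fires if ANY condition holds, so an event from a non-LEM source
    matches even when the account is an ordinary user.
    """
    account_hit = event.get("DestinationAccount", "").lower() in PRIVILEGED
    not_lem = not fnmatch.fnmatch(event.get("DetectionIP", ""), LEM_HOST_PATTERN)
    return account_hit or not_lem


def grouped_and_rule(event):
    """Two groups joined with AND (blue edge).

    Fires only when the account is privileged AND the destination is not
    the LEM appliance, which excludes the manager's cron logons on the box.
    """
    account_hit = event.get("DestinationAccount", "").lower() in PRIVILEGED
    not_lem = not fnmatch.fnmatch(event.get("DestinationIP", ""), LEM_HOST_PATTERN)
    return account_hit and not_lem


# Constructed sample events (not real log data).
EVENTS = [
    # root logon generated by cron on the LEM appliance itself
    {"DestinationAccount": "root", "DestinationIP": "swi-lem-01", "DetectionIP": "swi-lem-01"},
    # root logon on some other host: should still raise an incident
    {"DestinationAccount": "root", "DestinationIP": "10.0.0.5", "DetectionIP": "10.0.0.5"},
    # ordinary user logon on another host: should not raise an incident
    {"DestinationAccount": "jdoe", "DestinationIP": "10.0.0.7", "DetectionIP": "10.0.0.7"},
]


def evaluate(rule, events=EVENTS):
    """Return the rule's verdict for each event, in order."""
    return [rule(e) for e in events]


if __name__ == "__main__":
    print("flat OR    :", evaluate(flat_or_rule))       # [True, True, True]
    print("grouped AND:", evaluate(grouped_and_rule))   # [False, True, False]
```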

