I'm trying to generate an alert if there are multiple failed login attempts from the same IP address, regardless of the username. The part I'm having trouble with is telling LEM to only alert if it's from the same IP address. In the parameters I know to put * for all, or a specific word, but not sure how to say "if same IP address".
In the Rule Creation this is what I have the Correlations set for:
UserLogonFailure
AND
UserLogonFailure.SourceMachine = ?????
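
The grouping the question describes (count failures per source machine and ignore the username), as an added example in Python that is not part of the original post and is not LEM rule syntax. The threshold of 5, the 60-second window, the function name and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 1, 12, 0, 0)

def ev(offset_s, source_machine, user):
    """Build one constructed failure event: (timestamp, source machine, username)."""
    return (BASE + timedelta(seconds=offset_s), source_machine, user)

# Constructed sample UserLogonFailure events (not real logs).
SAMPLE_EVENTS = (
    # One source, five different usernames within 40 s: should alert.
    [ev(s, "192.0.2.10", u)
     for s, u in zip(range(0, 50, 10), ["admin", "root", "alice", "bob", "svc"])]
    # One source, five failures spread over 8 minutes: should not alert.
    + [ev(s, "198.51.100.7", "alice") for s in range(0, 600, 120)]
    # One username failing from five different sources: should not alert.
    + [ev(5 + i, f"203.0.113.{i + 1}", "alice") for i in range(5)]
)

def detect_failed_logon_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source machine produces `threshold` failures inside
    `window`. The username is recorded for context but never used as a key."""
    recent = defaultdict(deque)  # source machine -> failures still in the window
    alerts = []
    for ts, source, user in sorted(events):
        q = recent[source]
        q.append((ts, user))
        # Drop failures from this source that have aged out of the window.
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "source_machine": source,
                "first_failure": q[0][0],
                "last_failure": ts,
                "usernames": sorted({u for _, u in q}),
            })
            q.clear()  # reset so one burst produces one alert
    return alerts

if __name__ == "__main__":
    for alert in detect_failed_logon_bursts(SAMPLE_EVENTS):
        print(alert)
```
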