Hi,
Some things:
1. In your advanced threshold settings you are looking for the same DetectionIP, which is the machine the event comes from. For AD logons, that would be your DC(s). You may want to look at the SourceMachine field instead (see #2).
2. Is your LEM getting UserLogonFailure events? You may want to do an nDepth search to validate, and also look into the info returned in each field to see which one holds the machine info you are looking for.
3. Make sure you hit the Activate button at the top of the Rule list after you save and enable the rule. I still forget to hit it myself from time to time.
Cheers!
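
A simplified model of the threshold grouping from point 1, added here as an illustration and not part of the original reply or of LEM itself: it counts constructed UserLogonFailure events per field value, showing that grouping on DetectionIP can only ever name the DC while grouping on SourceMachine names the workstation. The threshold (5 events in 60 seconds), the host names and the `threshold_hits` function are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample UserLogonFailure events (not real LEM output).
# DetectionIP / SourceMachine are the field names from the post; every value is made up.
DC = "10.0.0.10"  # the domain controller that reports all AD logon failures
EVENTS = [
    # Five different workstations, one mistyped password each.
    {"t": 0,   "DetectionIP": DC, "SourceMachine": "WS-02"},
    {"t": 10,  "DetectionIP": DC, "SourceMachine": "WS-03"},
    {"t": 20,  "DetectionIP": DC, "SourceMachine": "WS-04"},
    {"t": 30,  "DetectionIP": DC, "SourceMachine": "WS-05"},
    {"t": 40,  "DetectionIP": DC, "SourceMachine": "WS-06"},
    # One workstation failing repeatedly: the case the rule is meant to catch.
    {"t": 100, "DetectionIP": DC, "SourceMachine": "WS-17"},
    {"t": 104, "DetectionIP": DC, "SourceMachine": "WS-17"},
    {"t": 108, "DetectionIP": DC, "SourceMachine": "WS-17"},
    {"t": 112, "DetectionIP": DC, "SourceMachine": "WS-17"},
    {"t": 116, "DetectionIP": DC, "SourceMachine": "WS-17"},
]


def threshold_hits(events, group_field, count=5, window=60):
    """Return the values of group_field that reach `count` events
    within any span shorter than `window` seconds."""
    recent = defaultdict(deque)  # group value -> timestamps still inside the window
    fired = set()
    for ev in sorted(events, key=lambda e: e["t"]):
        times = recent[ev[group_field]]
        times.append(ev["t"])
        # Drop timestamps that have aged out of the sliding window.
        while ev["t"] - times[0] >= window:
            times.popleft()
        if len(times) >= count:
            fired.add(ev[group_field])
    return fired


if __name__ == "__main__":
    print("same DetectionIP  :", threshold_hits(EVENTS, "DetectionIP"))
    print("same SourceMachine:", threshold_hits(EVENTS, "SourceMachine"))
```

Grouped on DetectionIP, the five unrelated single failures alone are enough to trip the threshold, and the alert points at the DC either way.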