Unfortunately, sometimes this is down to the way in which Windows logs the failed authentication events. Are you getting the same EventID (ProviderSID in SEM) for each logon failure, or are they different Event IDs?
Worth noting that LogonType can often help to filter out some of the noise. For example, you can hone in on Interactive, Remote and Unlock logon types versus network logons for SMB shares.