Thank you both, but not exactly what I'm looking for I think. Maybe an example would be a bit better.
UserA = failed login pc1 (no alert)
UserA = failed login pc1 (no alert)
UserB = failed login pc1 (alert) that multiple users attempted to login unsuccessfully from the same IP (or PC) within a set time period.
The idea behind the alert is to detect if someone is trying to "crack" passwords for users but at the same time not enough bad tries to lock the account. If someone theoretically discovers the user naming convention and has a list of user names they can script password attempts round robin style to keep from locking accounts. Now, the time that would be needed to do this is pretty long but I just had an audit and this question came up.
Is this a better explanation of what I'm trying to do? Not sure it is possible within LEM.
Thank you both again for your answers, it is appreciated.
Jeremy