If the Alert on Excessive Logon Failures monitor or the Logon Reporting monitor indicates failed logon attempts, it may be helpful to determine the source of those logon attempts. Network logons (or Type 3 logons) can come from anywhere and they will all be logged on the computer's Event Viewer.
On the computer that is showing repeated failed logons, open the Event Viewer's Security logs and filter for Event Id: #4625. Each entry shown is a failed logon attempt. Double-click a log to view it:
The event will display the IP address and, when available, computer name of the machine that attempted to logon to this computer.
With the release of Third Wall version 2.5.0.2, the Alert on Excessive Logon Failure policy ticket will list the logon names that caused the alert to occur.