SCOM 2007: Windows Event Log Alert - Only for Multiple Entries
Hey SCOM Gurus, I've set up a Rule which collects Failure Audits (Event ID 675 or 672). I've then set Alert Suppression to check the "Description" field to ensure we don't get multiple alerts for the same audit failure. Alerting works pretty well, however there is another requirement. We don't want to be alerted of every single failed login, since it happens frequently. We only want to be alerted if a user's failed login attempts exceed, say, 5 failed attempts. So in essence, we want to be alerted of any brute-force password cracking attempts. Is there a way to filter this alert as such? Many thanks!
May 13th, 2011 4:53am
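
The requirement in the post (alert only once a single user's failed logons exceed 5) can be sketched as per-user sliding-window counting. This is an added example, not part of the original post and not SCOM rule configuration; the 10-minute window, the `(timestamp, event_id, user)` tuple layout and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_EVENT_IDS = {672, 675}   # the two failure-audit event IDs named in the post
THRESHOLD = 5                    # alert only when failures exceed this count
WINDOW = timedelta(minutes=10)   # assumption: the post does not state a time window


def detect_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Return one (timestamp, user, count) alert per burst of failures.

    events: iterable of (timestamp, event_id, user), sorted by timestamp.
    """
    recent = defaultdict(deque)  # user -> failure timestamps still inside the window
    alerting = set()             # users already alerted for the current burst
    alerts = []
    for ts, event_id, user in events:
        if event_id not in FAILURE_EVENT_IDS:
            continue
        key = user.lower()       # Windows account names are case-insensitive
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            if key not in alerting:  # suppress repeats while the burst continues
                alerting.add(key)
                alerts.append((ts, key, len(q)))
        else:
            alerting.discard(key)    # burst is over; a later one alerts again
    return alerts


def sample_events():
    """Constructed sample data, not taken from a real Security log."""
    t0 = datetime(2011, 5, 13, 4, 0, 0)
    ev = [(t0 + timedelta(seconds=10 * i), 675, "bob") for i in range(7)]      # burst
    ev += [(t0 + timedelta(minutes=12 * i), 675, "carol") for i in range(6)]  # slow drip
    ev += [(t0 + timedelta(minutes=1), 672, "Alice"),   # single failure
           (t0 + timedelta(minutes=2), 540, "alice")]   # non-failure event ID, ignored
    return sorted(ev)


if __name__ == "__main__":
    for ts, user, count in detect_bursts(sample_events()):
        print(f"{ts} ALERT {user}: {count} failed logons within {WINDOW}")
```

Only `bob` triggers an alert, and only once: `carol` has six failures but never more than one inside any 10-minute window, which is the distinction between routine mistyped passwords and a guessing burst.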

This topic is archived. No further replies will be accepted.
