In order to configure failed login notification, you will need to add an event log filter to your Endpoint Policies.
Go to the VSAX WebApp > Server Admin > Endpoint Policies > Endpoint Policy Details > Insert your Policy’s name > System > Event Log.
By default the option to Add Filter is disabled, to activate click on the ‘Send a notification’ box. The Add Filter button will turn from grey to blue.
In the newly opened window provide a title for your new alert and select Security for Event Logs and Audit Failed for Level fields for drop down menu.
The two last remaining steps are to set 4625 in the Event ID files and select the notification priority of your choice.
Enable Logon Auditing
If you don’t see these events in your Event Viewer, you might have to enable Logon Auditing.
Note: Group Policy Editor is not available in Home versions on Windows 7 or the standard version of Windows 8.
Go go to Group Policy Editor go to Start Menu and type: gpedit.msc
In the Group Policy Editor select Windows followed by Security Settings and Audit Policies. Then double click on Audit Logon events.
From there make sure that both boxes are ticked and click ok to save.
Lock your computer, log back in with a false password and check in the event viewer recorded a new audit failure.