Hello,
I am unable to post a screen shot of the LEM. Below is an excerpt from the user guide. I am looking to understand “What can I do with these HostIncident events” now that they are being generated? How would I use them in conjunction with the Incidents report?
Creating a LEM Rule to Track Failed Login Attempts to Administrative Accounts
Clone and enable the Critical Account Logon Failures rule to track failed login attempts to the default Administrator account in Windows. The default action for this rule is to generate a HostIncident event, which you can use in conjunction with the Incidents report to prove to auditors that you are auditing the critical events on your network.
For more information about scheduling and leveraging the Incidents report, see "Leveraging the Incidents Report in Security Audits" on page 80.
Thank you for your time.