- Authentication Traffic but No Agent - The LEM has received an authentication event, probably from a Domain Controller, originating from a system that does not have an Agent installed (it compares the source machine with the list of Agents), and fires an alert
- DHCP but no Agent - The LEM has received an address assignment event, probably from a DHCP server, but the requesting machine has no Agent
- User Logon but no Agent - Like Authentication Traffic but No Agent, but looks specifically for user logons, whereas authentication traffic might also include Kerberos tickets or other authentication events

All of these rules assume that every machine in a given environment has the LEM Agent deployed, so any traffic from a machine without the Agent is treated as suspicious. If you're not deploying the LEM Agent to every machine (e.g., you choose not to monitor workstations), these rules will generate a lot of noise and false alarms. You'll need to either turn them off or modify them to work in your environment.
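
The comparison these rules make, and the kind of modification suggested above for environments that leave some machines without an Agent, sketched as an added example (this is not LEM's own rule logic). The event type names, host names and exclusion patterns are constructed for illustration.

```python
import fnmatch
import ipaddress

# Rule names are from the list above; the event type keys are hypothetical.
RULES = {
    "Authentication": "Authentication Traffic but No Agent",
    "DHCPAssign": "DHCP but no Agent",
    "UserLogon": "User Logon but no Agent",
}

# Constructed sample data: Agent inventory, hosts deliberately left
# without an Agent, and a handful of normalized events.
AGENTS = {"dc01", "fs01", "WS-017"}
EXCLUDED = ["kiosk-*"]
EVENTS = [
    {"type": "UserLogon", "source": "ws-017.corp.example"},
    {"type": "UserLogon", "source": "LAPTOP-X9"},
    {"type": "Authentication", "source": "fs01"},
    {"type": "Authentication", "source": "printer-3.corp.example"},
    {"type": "DHCPAssign", "source": "kiosk-02"},
    {"type": "DHCPAssign", "source": "unknown-pi"},
    {"type": "FileAudit", "source": "ghost"},  # not covered by these rules
]

def normalize(source):
    """Lower-case and drop the DNS suffix so FQDN and short name compare
    equal; IP addresses are returned whole."""
    s = source.strip().lower()
    try:
        ipaddress.ip_address(s)
        return s
    except ValueError:
        return s.split(".", 1)[0]

def evaluate(events, agents, excluded=()):
    """Return (rule name, host) for each event whose source has no Agent."""
    known = {normalize(a) for a in agents}
    alerts = []
    for ev in events:
        rule = RULES.get(ev["type"])
        host = normalize(ev["source"])
        if rule is None or host in known:
            continue
        # Suppress hosts you chose not to monitor instead of disabling the rule.
        if any(fnmatch.fnmatch(host, pat) for pat in excluded):
            continue
        alerts.append((rule, host))
    return alerts

if __name__ == "__main__":
    for rule, host in evaluate(EVENTS, AGENTS, EXCLUDED):
        print(f"ALERT {rule}: {host}")
```

Without the exclusion list the same events also raise an alert for `kiosk-02`, which is the noise the paragraph above describes.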