Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: create filters based on windows events


I tend to build in nDepth to see what works and then write the Rules/Filters I need. EventIDs are listed as the ProviderSID when you are setting up the Conditions. I would use a wildcard at first, i.e. Auditable Events (All).ProviderSID=*517, and then refine it based on what you see hit the filter/nDepth query.

There are a number of ways to capture events. If I wanted to find logon failures I could either search for the EventID or just use the UserLogonFailure event group.

