Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: Email when Cisco device is accessed


*** Disclaimer ***

This was only tested on a Cisco ASA, accessed via ASDM and SSH but here's what I found...

*** End Disclaimer ***

 

Here's what I came up with as far as an nDepth search for finding when someone is entering a configuration terminal.  I'd assume something similar could be done for enable and also other devices by updating/adding the ToolAlias.

 

 

One important thing to note is that the Detection IP will be filled based on whichever interface the LEM node is set up on. You can find your nodes at 'Manage > Nodes'. I was testing with an ASA and my LEM node is set up on an interface, say 10.1.2.3, but when I access my firewall for configurations, I access it via 10.1.1.1, for example. The Detection IP in this case would be 10.1.2.3 instead of 10.1.1.1, since LEM is not monitoring 10.1.1.1. Although you will more than likely refer to the firewall as 10.1.1.1, since syslog is set up on the 10.1.2.3 interface of the 10.1.1.1 firewall, you will get logs detected by 10.1.2.3. This is just something to note, which I was confused by at first.

 

Here's a link to a good SolarWinds-produced video on setting up email alerts (rules): Creating Rules in Your SolarWinds Log & Event Manager Console - Videos | SolarWinds

 

Hopefully this helps or at least gets you going on the right track!  Thanks,

HMote
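
The Detection IP point from the post above, as an added Python example that is not part of the original post and is not SolarWinds code: it flags entry into configuration mode in ASA syslog and reports the device under its management address. It assumes ASA message 111008 is the event of interest (the post's actual nDepth search is not shown on the page); `DETECTION_TO_MGMT`, the abbreviation handling and the sample events are constructed for illustration.

```python
import re

# Assumption: ASA message 111008 ("User 'x' executed the 'y' command.") marks
# the event; the nDepth search from the post is not shown on the page.
ASA_111008 = re.compile(
    r"%ASA-\d-111008: User '(?P<user>[^']*)' executed the '(?P<cmd>[^']*)' command"
)

# Hypothetical table: syslog source interface (what LEM shows as Detection IP)
# mapped to the address admins actually use to manage the firewall.
DETECTION_TO_MGMT = {"10.1.2.3": "10.1.1.1"}

# Constructed sample input: (source IP of the syslog packet, message text).
SAMPLE_EVENTS = [
    ("10.1.2.3", "<165>Jan 12 2024 10:15:02: %ASA-5-111008: "
                 "User 'admin' executed the 'configure terminal' command."),
    ("10.1.2.3", "<165>Jan 12 2024 10:15:40: %ASA-5-111008: "
                 "User 'admin' executed the 'write memory' command."),
    ("10.1.2.3", "<166>Jan 12 2024 10:16:01: %ASA-6-605005: Login permitted "
                 "from 10.9.9.9/51000 to inside:10.1.1.1/ssh for user \"admin\""),
    ("10.4.4.4", "<165>Jan 12 2024 10:17:12: %ASA-5-111008: "
                 "User 'ops' executed the 'conf t' command."),
]

def is_config_terminal(cmd):
    # Assumption: the command may be logged abbreviated (e.g. "conf t"),
    # so accept unambiguous prefixes of both words.
    parts = cmd.lower().split()
    return (len(parts) == 2
            and len(parts[0]) >= 4 and "configure".startswith(parts[0])
            and "terminal".startswith(parts[1]))

def find_config_entries(events):
    """Return one alert per config-mode entry, keyed by management address."""
    alerts = []
    for detection_ip, message in events:
        m = ASA_111008.search(message)
        if not m or not is_config_terminal(m.group("cmd")):
            continue
        alerts.append({
            "user": m.group("user"),
            "detection_ip": detection_ip,
            # Fall back to the Detection IP when no mapping is known.
            "device": DETECTION_TO_MGMT.get(detection_ip, detection_ip),
        })
    return alerts

if __name__ == "__main__":
    for alert in find_config_entries(SAMPLE_EVENTS):
        print(alert)
```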

