Why not have out-of-the-box correlation of events? Why do we have to build these? If you have Event 4740 (locked out), why not include the logon type, logon failure codes, and logon session events? So all of the data is in one spot instead of digging around for it all? This is just one example. To be more usable, including events with the when, why, how and who would go a long way! Most of us don't have time to set up SEM and then realize we also need to create the rules in order for the alerts to be useful.
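The correlation asked for above, sketched as an added example (not part of the original post and not SEM's own rule logic): it joins each 4740 lockout to the 4625 failed logons that preceded it for the same account. The event records are constructed, and the dict keys (`user`, `logon_type`, `sub_status`, `source`, `caller`) and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real logs. 4625 = failed logon,
# 4740 = account locked out. The dict keys are assumed names for this sketch.
EVENTS = [
    {"id": 4625, "time": "2024-05-01T07:00:00", "user": "jdoe", "logon_type": 2, "sub_status": "0xC000006A", "source": "WS-014"},
    {"id": 4625, "time": "2024-05-01T09:00:05", "user": "jdoe", "logon_type": 3, "sub_status": "0xC000006A", "source": "WS-014"},
    {"id": 4625, "time": "2024-05-01T09:00:40", "user": "jdoe", "logon_type": 3, "sub_status": "0xC000006A", "source": "WS-014"},
    {"id": 4625, "time": "2024-05-01T09:00:50", "user": "asmith", "logon_type": 2, "sub_status": "0xC000006A", "source": "WS-020"},
    {"id": 4625, "time": "2024-05-01T09:01:02", "user": "JDOE", "logon_type": 10, "sub_status": "0xC000006A", "source": "RDP-GW01"},
    {"id": 4740, "time": "2024-05-01T09:01:10", "user": "jdoe", "caller": "WS-014"},
]

# 4625 SubStatus codes and logon types, translated so the report reads as "why" and "how".
SUB_STATUS = {"0xC000006A": "bad password", "0xC0000064": "unknown user name",
              "0xC0000072": "account disabled", "0xC0000234": "account locked out"}
LOGON_TYPE = {2: "interactive", 3: "network", 10: "remote interactive"}

def correlate_lockouts(events, window=timedelta(minutes=30)):
    """Return one who/when/why/how record per 4740 lockout."""
    parsed = sorted(({**e, "time": datetime.fromisoformat(e["time"])} for e in events),
                    key=lambda e: e["time"])
    reports = []
    for lock in (e for e in parsed if e["id"] == 4740):
        # Failed logons for the same account (case-insensitive) inside the window
        # before the lockout; older failures and other accounts are ignored.
        failures = [e for e in parsed
                    if e["id"] == 4625
                    and e["user"].lower() == lock["user"].lower()
                    and timedelta(0) <= lock["time"] - e["time"] <= window]
        reports.append({
            "who": lock["user"],
            "when": lock["time"].isoformat(),
            "caller": lock["caller"],
            "failed_logons": len(failures),
            "why": sorted({SUB_STATUS.get(f["sub_status"], f["sub_status"]) for f in failures}),
            "how": sorted({LOGON_TYPE.get(f["logon_type"], f"type {f['logon_type']}") for f in failures}),
            "sources": sorted({f["source"] for f in failures}),
        })
    return reports

if __name__ == "__main__":
    for report in correlate_lockouts(EVENTS):
        print(report)
```

A lockout with no matching failures in the window still produces a record, with `failed_logons` set to 0, which usually means the failures were logged on a different domain controller or outside the window.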