Ok, so I was looking at this rule, and it says that I must be auditing process tracking on the agent. How do I achieve this?
Kills the solitaire process
NOTE: In order for the ProcessStart event to be detected, you must be auditing process tracking on the agent (otherwise the event will not be logged). See the section on Windows auditing level in your Product Integration manual for more
You may also wish to create a User Defined group with a list of the game processes you want to kill for the purposes of this rule (should you wish to monitor more than one).
I just modified the document referenced in your post so that it's more searchable in our Knowledge Base. The entire document will probably be very useful to you as you optimize your LEM implementation, but I've also embedded an anchor in it to the section you're particularly interested in.
Here's the entire article: Audit Policy and Best Practice
To answer your question: Click here
Let us know if you have any other questions.
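For readers landing on this thread, here is one way to check and turn on the process tracking audit that the rule note refers to, directly on a Windows agent. This is an added example, not part of the thread or the vendor's manual; it assumes Windows Vista / Server 2008 or later (where process tracking is the "Process Creation" audit subcategory and process starts are logged as Security event 4688) and an elevated PowerShell prompt.

```powershell
# Added example: enable and verify process-creation auditing on one agent.
# Assumptions: Windows Vista / Server 2008 or later, elevated prompt.
$ErrorActionPreference = 'Stop'

# GUID of the "Process Creation" subcategory; using it avoids localized names.
$guid = '{0CCE922B-69AE-11D9-BED3-505054503030}'

function Get-ProcessCreationAudit {
    # /r emits CSV; "Inclusion Setting" reads Success, Failure,
    # Success and Failure, or No Auditing.
    $rows = auditpol /get "/subcategory:$guid" /r |
        Where-Object { $_ } | ConvertFrom-Csv
    ($rows | Select-Object -First 1).'Inclusion Setting'
}

$before = Get-ProcessCreationAudit
Write-Host "Process Creation auditing before: $before"

if ($before -notmatch 'Success') {
    # Success auditing is what produces the process-start event.
    auditpol /set "/subcategory:$guid" /success:enable | Out-Null
    Write-Host "Process Creation auditing after:  $(Get-ProcessCreationAudit)"
}

# Verify end to end: start a short-lived process, then look for event 4688.
$start = Get-Date
Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" `
    -ArgumentList '/c', 'exit' -Wait -WindowStyle Hidden
Start-Sleep -Seconds 2   # give the event log a moment to flush

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4688; StartTime = $start
} -ErrorAction SilentlyContinue

if ($events) {
    Write-Host "OK: $(@($events).Count) process-start event(s) logged since $start"
} else {
    Write-Warning 'No 4688 events found; process starts are not being audited.'
}
```

If the agent is domain-joined, a Group Policy audit setting can overwrite this local change at the next policy refresh, so set it in the GPO for anything permanent.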