I tend to build in nDepth to see what works and then write the Rules/Filters I need. EventIDs are listed as the ProviderSID when you are setting up the Conditions. I would use a wildcard at first i.e. Auditable Events (All).ProviderSID=*517 and then refine it based on what you see hit the filter/nDepth query.
There are a number of ways to capture events. If I wanted to find logon failures I could either search for the EventID or just use the UserLogonFailure event group.
My suggestion would be to create a User Defined Group and use it in a filter.
Look at the Provider SID field for the LEM Events you are interested in. You can then build a User Define Groups with the exact values you see in the Provider SID field as per this KB
The Name field is just an alias. The Data field needs to match what you see in the Provider SID field.
See the section on 'More on Filter conditions' in the eval guide that shows how to create a filter using a User Defined Group. http://www.solarwinds.com/documentation/LEM/Docs/LEM_Evaluation_Guide.pdf
You could also achieve the same outcome with a series of condition groups to be evaluated with an OR logical operator. See Figure 28 in the eval guide for an illustration on where to toggle the AND/OR logic in the filter editor