Sorry, I do not understand.
Can you show an image?
I am unable to post a screenshot of the LEM. Below is an excerpt from the user guide. I am looking to understand “What can I do with these HostIncident events” now that they are being generated? How would I use them in conjunction with the Incidents report?
Creating a LEM Rule to Track Failed Login Attempts to Administrative Accounts
Clone and enable the Critical Account Logon Failures rule to track failed login attempts to the default Administrator account in Windows. The default action for this rule is to generate a HostIncident event, which you can use in conjunction with the Incidents report to prove to auditors that you are auditing the critical events on your network.
For more information about scheduling and leveraging the Incidents report, see "Leveraging the Incidents Report in Security Audits" on page 80.
Thank you for your time.
Do you see HostIncident events if you search for those specifically in nDepth? Or in an Incidents (or maybe Security Events) filter?
If you have a place where you see the rule firing in your console, you can click on the event and go to Explore > Event to open up the Event Explorer. The explorer will show you what events caused the rule to fire, and what actions the rule took when it fired. (Make sure the "InternalRuleFired" event is in the center of the graph, or double-click on it to re-center it to the middle of the graph.) That should show you a HostIncident event on the right side (to indicate that the rule fired and triggered a HostIncident).
If you see the HostIncident events in nDepth/the console, the problem might be in the report. If you don't see them in the Console, the problem might be with the rule.