This might be a silly question with a more than obvious answer. I have been reading through the user guide and I have enabled several rules (such as Track Failed Login Attempts to Administrative Accounts) which per the documentation:
“The default action for this rule is to generate a HostIncident event, which you can use in conjunction with the Incidents report to prove to auditors that you are auditing the critical events on your network.”
My incident reports are returning “0” results, even though nDepth shows that the rule did fire. What am I missing here? How can I run a report which shows the activity these rules are flagging? Or is the expectation that I should be using some “Action” such as send an email or a popup message?
Thank you for your time.