Unless you are required to use a local agent, I would suggest setting up a Profile in Profile Management, then defining the Data Sources on your Receiver(s) and doing a WMI pull. Local Agents can be useful in some places like DMZ / Workgroup Servers where Local Account credentials are managed by another group.
You may need to have your AD Administrators modify your Group Policy to allow you to see all of the needed Failed Authentication events; this varies between 2000/2003 DCs and 2008/2012 DCs using Advanced Logging.
You may want to monitor for excessive failed logins, account lockouts, event logs being cleared, dirty reboots, and various other events. I suggest working with your Windows Admins to find out what events of interest they might have.
Do you have an ACE? What other devices are you feeding into your SIEM? FWs, IDS/IPS, AV (ePO), APT, RADIUS/TACACS+, DLP, NAC, etc...
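As an added illustration of the monitoring the post describes (not code from the original post or from any SIEM product), here is a small detector that folds the legacy 2000/2003 and the 2008/2012 Advanced Audit event IDs for the same condition into one rule and flags excessive failed logons, lockouts, cleared audit logs and dirty reboots. The records, the host names and the threshold/window values are constructed assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Legacy (2000/2003) and Advanced Audit (2008/2012) event IDs that describe
# the same condition, folded into one name so a single rule covers both DC types.
EVENT_NAMES = {
    529: "failed_logon", 4625: "failed_logon",
    644: "account_lockout", 4740: "account_lockout",
    517: "audit_log_cleared", 1102: "audit_log_cleared",
    6008: "unexpected_shutdown",      # System log entry for a dirty reboot
}

# Constructed sample records (not real logs), in the flattened shape a WMI pull
# of the event logs would hand to the SIEM. Host names are assumptions.
SAMPLE_EVENTS = [
    {"time": "2014-03-01T08:00:00", "id": 4625, "host": "DC02", "account": "jsmith"},
    {"time": "2014-03-01T08:00:20", "id": 529,  "host": "DC01", "account": "jsmith"},
    {"time": "2014-03-01T08:00:40", "id": 4625, "host": "DC02", "account": "jsmith"},
    {"time": "2014-03-01T08:01:00", "id": 4625, "host": "DC02", "account": "jsmith"},
    {"time": "2014-03-01T08:01:20", "id": 4625, "host": "DC02", "account": "jsmith"},
    {"time": "2014-03-01T08:05:00", "id": 4740, "host": "DC02", "account": "jsmith"},
    {"time": "2014-03-01T08:10:00", "id": 4625, "host": "DC02", "account": "bob"},
    {"time": "2014-03-01T09:30:00", "id": 4625, "host": "DC02", "account": "bob"},
    {"time": "2014-03-01T09:45:00", "id": 1102, "host": "DC02", "account": "admin"},
    {"time": "2014-03-01T10:00:00", "id": 6008, "host": "FS01", "account": "-"},
    {"time": "2014-03-01T10:05:00", "id": 4624, "host": "DC02", "account": "bob"},
]

def detect(events, failed_threshold=5, window=timedelta(minutes=10)):
    """Return (event_name, host, account) alerts. The threshold and window are
    assumed starting values; tune them with your Windows admins."""
    alerts = []
    recent_failures = defaultdict(list)        # account -> failure times in window
    for ev in sorted(events, key=lambda e: e["time"]):
        name = EVENT_NAMES.get(ev["id"])
        if name is None:                       # e.g. 4624 successful logon: ignore
            continue
        if name != "failed_logon":             # lockout, cleared log, dirty reboot
            alerts.append((name, ev["host"], ev["account"]))
            continue
        t = datetime.fromisoformat(ev["time"])
        hits = recent_failures[ev["account"]]
        hits.append(t)
        hits[:] = [h for h in hits if t - h <= window]   # drop stale failures
        if len(hits) == failed_threshold:      # fire once when the threshold is crossed
            alerts.append(("excessive_failed_logons", ev["host"], ev["account"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The two failures for "bob" are more than ten minutes apart, so they never reach the threshold, while the five for "jsmith" (from a 2003 DC and a 2008 DC together) do.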