You can start with this:
The Cisco ASA has a Device Type ID of 278 in the McAfee SIEM, so when looking at events, the SigID's you would use would be 278-113005 for example
From the Cisco document linked to above -
%ASA-6-113005: AAA user authentication Rejected: reason = string:
server = server_IP_address, User = user
An authentication or authorization request for a user associated with an IPsec or WebVPN connection has been rejected. Details of why the request was rejected are provided in the reason field. The server_IP_address is the IP address of the relevant AAA server. The user is the username associated with the connection. The aaa_operation is either authentication or authorization.