
Re: LEM Security Rules for Firewall Logs

There are a lot of different things in these replies to address. If I miss any, my apologies.

 

LEM can primarily be used in conjunction with your firewalls to look for failed logon attempts (template: Critical Account Logon Failure; see my forum post "Mastering the filter/rule Creation Engine..." for additional details), change management (PolicyModify events), unauthorized web site activity, looking for spyware sites (Known Spyware Site traffic), etc.

 

As for IDS/IPS with the LEM: LEM actually has Snort built into it. In order to use this function you would have to map a physical NIC in promiscuous mode to the virtual appliance (Hyper-V can't do promiscuous mode, I don't believe). You will also have to mirror a network port on one of your switches for the network segment being monitored.
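Added illustration, not SolarWinds code and not from the reply above: it models the logic of a failed-logon correlation rule of the kind the "Critical Account Logon Failure" template is used for, run over constructed firewall log lines. The log format, the threshold (5 failures) and the window (10 minutes) are assumptions.

```python
"""Sliding-window failed-logon rule over constructed firewall syslog lines.
Log format, threshold and window are assumptions, not LEM's own engine."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a generic firewall syslog-like format (assumed).
SAMPLE_LOGS = """\
2024-03-01 08:00:01 fw1 auth: LOGIN FAILED user=admin src=203.0.113.10
2024-03-01 08:00:15 fw1 auth: LOGIN FAILED user=admin src=203.0.113.10
2024-03-01 08:01:02 fw1 auth: LOGIN FAILED user=admin src=203.0.113.10
2024-03-01 08:01:40 fw1 auth: LOGIN OK user=jsmith src=192.0.2.5
2024-03-01 08:02:11 fw1 auth: LOGIN FAILED user=admin src=203.0.113.10
2024-03-01 08:02:50 fw1 auth: LOGIN FAILED user=admin src=203.0.113.10
2024-03-01 08:03:00 fw1 auth: LOGIN FAILED user=admin src=203.0.113.10
2024-03-01 09:30:00 fw1 auth: LOGIN FAILED user=jsmith src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ auth: "
    r"LOGIN (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_lines(text):
    """Yield (timestamp, result, user, src) for each line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["src"])


def logon_failure_alerts(text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per (user, src) the first time its failure count
    within the sliding window reaches the threshold; successes are ignored."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerted, alerts = set(), []
    for ts, result, user, src in parse_lines(text):
        if result != "FAILED":
            continue
        key = (user, src)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": user, "src": src, "failures": len(q), "at": ts})
    return alerts
```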

