2020-03-12 12:33 AM
Hi everyone,
I have an RSA NetWitness with no incidents or alerts. I want to get an incident only from logs so that I can test that incident. For example, I need to simulate an attack on my server, such as a web server. And I will have a WAF or firewall that sends logs to the RSA NW Log Decoder. What I want to ask is what kind of attacks I need to make in order to make an incident pop up.
2020-03-12 09:25 AM
You are kind of asking a very open-ended question.
Incidents are either manually created by the user or you use Incident Aggregation Rules to generate incidents from your alerts automatically.
These alerts may come from something like Reporting Engine or an ESA, for instance.
The alerts generated by those devices are entirely dependent on the rules and content you have defined.
The rules should be built around the information that your system ingests, ideally.
I am not especially familiar with the event sources you brought up, but general examples that you can apply are, for example, someone logs into the Administrator account on a device, someone fails to log in multiple times in quick succession, or, since we are talking about firewalls, you can create an alert for multiple denies on a port within 30 seconds or something like that. Note that many of the items I described would probably use an ESA rule to catch.
I might suggest you look at more of our documentation about the Respond/ESA modules to understand more of what I describe, and I might also suggest you look at some of the ESA rules available from Live, if you have access to an ESA in your environment. These make good starting points for rule construction, or may even have rules that you can already use in your situation with a little bit of tweaking.
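To make the three rule ideas in the reply concrete, here is an added, stand-alone mock-up of the correlation logic run over a handful of constructed log lines. It is not RSA NetWitness code and not ESA/EPL syntax; the key=value event format, the field names (action, user, src, dst, dport), the thresholds and the window lengths are all assumptions chosen for the illustration. The point is to show what each rule actually counts, and how a sliding time window decides whether a burst of events becomes one alert.

```python
"""Offline mock-up of three correlation rules of the kind described in the reply:
1. any login to a privileged account,
2. repeated failed logins for one user from one source in quick succession,
3. a burst of firewall denies to one destination port within 30 seconds.
Added example; not RSA NetWitness code and not ESA/EPL rule syntax."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events in a made-up "timestamp host k=v k=v" format.
# Field names are assumptions, not the schema of any real event source.
SAMPLE_LOGS = """\
2020-03-12T12:00:01 fw1 action=deny src=203.0.113.5 dst=192.0.2.10 dport=22
2020-03-12T12:00:03 fw1 action=deny src=203.0.113.5 dst=192.0.2.10 dport=22
2020-03-12T12:00:04 fw1 action=deny src=203.0.113.9 dst=192.0.2.10 dport=443
2020-03-12T12:00:05 fw1 action=deny src=203.0.113.5 dst=192.0.2.10 dport=22
2020-03-12T12:00:10 fw1 action=deny src=203.0.113.6 dst=192.0.2.10 dport=22
2020-03-12T12:00:20 fw1 action=deny src=203.0.113.5 dst=192.0.2.10 dport=22
2020-03-12T12:00:25 fw1 action=allow src=203.0.113.5 dst=192.0.2.10 dport=80
2020-03-12T12:01:00 web1 action=login_failed user=admin src=198.51.100.7
2020-03-12T12:01:02 web1 action=login_failed user=admin src=198.51.100.7
2020-03-12T12:01:04 web1 action=login_failed user=admin src=198.51.100.7
2020-03-12T12:01:30 web1 action=login_failed user=bob src=198.51.100.8
2020-03-12T12:02:00 web1 action=login_ok user=Administrator src=198.51.100.7
2020-03-12T12:05:00 fw1 action=deny src=203.0.113.5 dst=192.0.2.10 dport=22
"""


def parse_line(line):
    """Turn one 'timestamp host k=v ...' line into a dict; returns None on junk."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    ev = {"ts": ts, "host": parts[1]}
    for kv in parts[2:]:
        if "=" in kv:
            k, v = kv.split("=", 1)
            ev[k] = v
    return ev


def parse_logs(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def privileged_login(events, accounts=("Administrator", "root")):
    """Rule 1: a single successful login to a named privileged account fires at once."""
    return [ev for ev in events
            if ev.get("action") == "login_ok" and ev.get("user") in accounts]


def burst(events, key_fn, threshold, window_seconds):
    """Generic sliding-window count: fire when `threshold` events sharing a key
    fall within `window_seconds`. The window is cleared after firing so one
    sustained burst yields one alert rather than one per additional event."""
    windows = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = key_fn(ev)
        if key is None:          # event is not relevant to this rule
            continue
        q = windows[key]
        q.append(ev["ts"])
        # drop timestamps that have aged out of the window (q always holds ev itself)
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"key": key, "count": len(q), "first": q[0], "last": ev["ts"]})
            q.clear()
    return alerts


def failed_logins(events, threshold=3, window_seconds=60):
    """Rule 2: N failed logins for the same user from the same source in quick succession."""
    return burst(events,
                 lambda e: (e.get("user"), e.get("src")) if e.get("action") == "login_failed" else None,
                 threshold, window_seconds)


def port_denies(events, threshold=5, window_seconds=30):
    """Rule 3: N firewall denies to the same destination host and port within the window."""
    return burst(events,
                 lambda e: (e.get("dst"), e.get("dport")) if e.get("action") == "deny" else None,
                 threshold, window_seconds)


def run_all(text=SAMPLE_LOGS):
    events = parse_logs(text)
    return {
        "privileged_login": privileged_login(events),
        "failed_logins": failed_logins(events),
        "port_denies": port_denies(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(rule, len(hits), hits)
```

On the sample above each rule fires exactly once: the Administrator login, three failed admin logins from one source inside 60 seconds, and five denies to 192.0.2.10:22 inside 30 seconds. The sixth deny on port 22 at 12:05:00 is outside the window and does not re-fire, and the two denies on port 443 never reach the threshold. Which of these events you need to generate against your own WAF or firewall is exactly what you tune: the rule only ever counts the fields the log decoder actually parses out, so check the parsed meta on a real sample event before choosing the key and threshold.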
2020-03-15 10:45 PM
Thanks Aaron Martin, it helps me a lot.