Password threshold and password suspension recorded in Compliance Event Manager

Article ID: 47656


Products

Compliance Event Manager

Issue/Introduction

How are password threshold exceeded and password suspension events recorded in CEM?

Resolution

ACF2 and Top Secret unsuccessful signon events are recorded as Event Reports Signon/Signoff Events, where 'Info Code 1' corresponds to the ACF2 or Top Secret unsuccessful signon codes and messages. No administrative command is issued in Compliance Event Manager. What you see is a command representation of what happened, recorded to the recovery file in case you have to perform forward recovery. Because a real command was not issued, it cannot be captured in the account administration tables. The suspension is the result of a system access signon event that fails, either because of an invalid password or because of Password Violation Threshold Exceeded.

If you are recording these types of events, with Top Secret you should see a DRC (Info Code 1 field) of '01' for ACID suspended, '09' for Password is Incorrect, or '27' for Password Violation Threshold Exceeded. If you are capturing these events, you can set an Alert for the DRC codes. With ACF2 you should see an Info Code 1 field of '11' for LOGONID lid SUSPENDED, '12' for PASSWORD NOT MATCHED, or '13' for LOGONID lid SUSPENDED BECAUSE OF PASSWORD VIOLATIONS.

ACF2 and Top Secret Info Code 1 values and corresponding messages: 

Top Secret:

Info Code 1 : 01 = TSS0262E ACID IS SUSPENDED

Info Code 1 : 09 = TSS7101E PASSWORD IS INCORRECT

Info Code 1 : 27 = TSS7120E PASSWORD VIOLATION THRESHOLD EXCEEDED

ACF2:

Info Code 1 : 11 = ACF01011 LOGONID lid SUSPENDED

Info Code 1 : 12 = ACF01012 PASSWORD NOT MATCHED

Info Code 1 : 13 = ACF01013 LOGONID lid SUSPENDED BECAUSE OF PASSWORD VIOLATIONS
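
One way to apply these Info Code 1 values when reviewing exported signon events outside the product, as an added example that is not Broadcom's or Compliance Event Manager's own code. The CSV layout, the column names, the ESM labels "TSS" and "ACF2", the function name find_alerts and the alert kinds are assumptions made for this example; only the code values and messages come from the article. The lookup is keyed on the security product as well as the code, because the same number is only meaningful within one product's list.

```python
import csv
import io
from collections import Counter

# (ESM, Info Code 1) -> (category, message); values are the ones listed in the article.
INFO_CODE_1 = {
    ("TSS", "01"): ("suspended", "TSS0262E ACID IS SUSPENDED"),
    ("TSS", "09"): ("bad_password", "TSS7101E PASSWORD IS INCORRECT"),
    ("TSS", "27"): ("threshold", "TSS7120E PASSWORD VIOLATION THRESHOLD EXCEEDED"),
    ("ACF2", "11"): ("suspended", "ACF01011 LOGONID lid SUSPENDED"),
    ("ACF2", "12"): ("bad_password", "ACF01012 PASSWORD NOT MATCHED"),
    ("ACF2", "13"): ("threshold",
                     "ACF01013 LOGONID lid SUSPENDED BECAUSE OF PASSWORD VIOLATIONS"),
}

# Constructed sample rows; this CSV layout is an assumption, not a CEM export format.
SAMPLE = """time,esm,userid,info_code_1
2024-05-01T08:00:01,TSS,USER01,09
2024-05-01T08:00:09,TSS,USER01,09
2024-05-01T08:00:15,TSS,USER01,27
2024-05-01T08:01:30,TSS,USER01,01
2024-05-01T09:10:00,ACF2,LID0002,12
2024-05-01T09:10:05,ACF2,LID0002,13
2024-05-01T09:30:00,ACF2,LID0003,11
2024-05-01T09:45:00,TSS,USER04,11
"""

def find_alerts(text):
    """Return (time, esm, userid, kind, prior_bad_passwords) for suspension events."""
    bad = Counter()      # incorrect-password events seen so far per (esm, userid)
    locked = set()       # IDs already seen hitting the violation threshold
    alerts = []
    rows = sorted(csv.DictReader(io.StringIO(text)), key=lambda r: r["time"])
    for r in rows:
        who = (r["esm"].strip().upper(), r["userid"].strip())
        code = r["info_code_1"].strip().zfill(2)   # tolerate a dropped leading zero
        category = INFO_CODE_1.get((who[0], code), ("unmapped", ""))[0]
        if category == "bad_password":
            bad[who] += 1
        elif category == "threshold":
            locked.add(who)
            alerts.append((r["time"], *who, "threshold_suspension", bad[who]))
        elif category == "suspended":
            # Signon attempted against an ID that is already suspended.
            kind = "signon_after_lockout" if who in locked else "signon_on_suspended_id"
            alerts.append((r["time"], *who, kind, bad[who]))
    return alerts
```

The last sample row carries '11' under Top Secret, which is not in the article's Top Secret list, so it is left unmapped instead of being read as the ACF2 suspension code.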