The Event Viewer should let you attach a task to a particular event id, in this case Audit Failure Event ID 4625. Find one in the event viewer (using Filter Current Log > keywords > Audit Failure) then right-click and Attach Task.
Except no matter how many combinations of user/SYSTEM account, Run whether user is logged in or not, highest privileges and then messing with the from field and the smtp server (including a second receive connector on a different port), localhost vs ip vs 127.0.0.1 ... it just wouldn't send an email. I couldn't even see in the Transport Roles verbose logging what was happening. The only hint was in the Task properties under history which showed error 2147746321. That didn't Google to anything that fixed the problem.
So I gave up on that plan.
And decided to attach a script instead, dead simple, ran first time. So open notepad and paste this script in
Save the file as "security-warning.vbs" into somewhere handy like c:\users\administrator and change the task action from send email to run a program, point it at that script.
Set objMail = CreateObject("CDO.Message")
Set objConf = CreateObject("CDO.Configuration")
Set objFlds = objConf.Fields
objFlds.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objFlds.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "SERVER1"
objFlds.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objMail.Configuration = objConf
objMail.From = "firstname.lastname@example.org"
objMail.To = "support@redleg"
objMail.Subject = "Security audit failure (Acme Cleaning)"
objMail.TextBody = "Please check the security log on SERVER1 at Acme Cleaning."
Set objFlds = Nothing
Set objConf = Nothing
Set objMail = Nothing
Oh and you'll need to update the script with your server, from email address and to email address.
Note that the sending port is the default 25 in this example which doesn't allow internal smtp by default. You might want to create another Receive Connector in Exchange Management Console > Server Config > Hub Transport using another port, eg 25025 and allow anonymous internal email via that instead.