What is the difference between a security event and a security incident?
An event is any observable occurrence on a system; an incident is an event (or set of events) that actually or potentially harms security or business operations and therefore requires a response.
Every incident starts as one or more events, but the vast majority of events are benign noise. The skill is in triage: deciding which events cross the threshold into "incident". For example, a firewall blocking 5,000 connection attempts from one foreign IP in 10 minutes is alarming, but if the system blocked everything automatically and no compromise is evident, it may stay an event. By contrast, an accountant's PC that suddenly runs slow, where investigation reveals an unknown local administrator account and active connections to internal machines, is clearly an incident — there are signs of compromise and lateral spread.
Tip: Ask "did this cross into actual/potential harm, or was it caught and contained automatically?" That question separates event from incident.