Parsing and remove rule

Hey @giveen - I know you already have a solution but here are a couple of thoughts:

Regex is pretty inefficient at parsing XML. You have ~22 regex commands in the rule; I ran one of them at http://www.regex101.com to see how it goes and it took 348 steps just to find the OAuthClientId data. ~384 steps x ~22 is something like 8,500 steps in regex to parse each message. If you have low volume this is not an issue.

Possibly use winlogbeat to pick up the Windows ADFS logs; it will likely break out most of those fields for you. You can use the configuration to modify or drop fields before sending to Graylog too.

In some instances with regex it looks as though you are not escaping the closing XML tag (i.e. /OAuthClient needs to have the forward slash escaped: \/OAuthClient).

Looks like @jan mentioned regex but also suggested looking at winlogbeat - did you try that out?

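As an added illustration of the "use a real XML parser instead of ~22 regexes" point above (example code, not from the post, from Graylog, or from winlogbeat), the block below parses a constructed ADFS-style audit event body with Python's stdlib ElementTree, flattens its leaf elements into a field dict in one pass, and drops fields before they would be forwarded. The sample event and its element names are constructed for the example; the namespace URI is the one ADFS audit events carry, but the surrounding structure is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an ADFS-style audit event body (not a real captured
# event). Element names are assumptions chosen to resemble the ADFS audit schema.
SAMPLE_EVENT_XML = """<AuditBase xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
  <AuditType>Authentication</AuditType>
  <AuditResult>Success</AuditResult>
  <OAuthClientId>constructed-client-id</OAuthClientId>
  <UserId>jdoe@example.test</UserId>
  <ClientIpAddress>203.0.113.10</ClientIpAddress>
  <Context>
    <UserAgent>Mozilla/5.0 (constructed)</UserAgent>
  </Context>
</AuditBase>"""


def _local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_event_xml(xml_text):
    """Return the event's leaf elements as {local_name: text}, first occurrence wins.

    One tree walk replaces one regex per field. Malformed input yields a dict
    holding only 'parse_error' rather than raising, so a single bad message
    does not stall processing of the rest.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"parse_error": str(exc)}

    fields = {}
    for elem in root.iter():          # depth-first over every element
        if len(elem) == 0:            # leaf: no child elements
            fields.setdefault(_local_name(elem.tag), (elem.text or "").strip())
    return fields


def drop_fields(fields, to_drop):
    """Remove fields that should not leave the collector (mirrors a drop-fields step)."""
    return {k: v for k, v in fields.items() if k not in to_drop}


if __name__ == "__main__":
    parsed = parse_event_xml(SAMPLE_EVENT_XML)
    for name, value in drop_fields(parsed, {"UserAgent"}).items():
        print(f"{name}={value}")
```

Because the lookup is by local name, the same function handles events whose elements sit at different nesting depths, which is where per-field regexes tend to accumulate.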