Hello @jcfrigon
You can just use the EventID. Those stream rules were a lab setup, to filter out white noise, because I had other services creating failed logons that were filling up the stream. Not only do services generate EventID 4625, but users do also.
You are correct, the example above is just for show.
If you are using a global search you can use.
If you need to add another rule on your stream, click the green button on the right.
You have two choices in case you have multiple rules.
- A message must match all of the following rules
- A message must match at least one of the following rules
Click save.
Depending on how in-depth you want to get, @tmacgbay has a Windows template for alerts here