It is clearly stated in the description that the first time the rule is run it will not "Fail".
"This step checks for a specified string in the Windows event log files. If an event matching the string is found, the step returns an error and an alert can be sent. The first time this step is executed, no alert is generated."
Please test again; this time set it to run on a schedule (for testing, use every ten minutes), then log off the test device and log in again to generate your event ID '4624'. This will then look for the NEW events vs. past events.
You can subscribe to this Alert based on your preferences, or have a ticket automatically created if this event ID is found. (Be careful with this, and only look for those IDs that occur infrequently and when attention is required.)
Or look in the Alert and Event Log:
You may wish to be more specific and replace the wildcard '*' with a specific text string per Op Rule/Event ID, so the Alert is more comprehensive.
Be aware that the default Op Rule only checks the following logs:
Application, Security, Setup, and System
Keep us posted!
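The behaviour the step description above promises (poll a fixed set of logs for one event ID, report only events newer than the previous run, and generate nothing on the very first run) is easy to reproduce outside the product, which is a useful way to confirm that the events really are there and readable by the account the rule runs under. The following PowerShell is an added example for this thread, not code from the original posts or from the product's own event-log step. The watermark file path, the `$Logs`, `$EventId` and `$LogonTypes` values, and the exit-code convention are my assumptions; the four log names are the ones the default rule is said to check.

```powershell
# Added example, not the product's Op Rule step: replicate "alert only on new
# events, and never on the first run" in plain PowerShell.
# Assumptions (mine): watermark file path, $Logs, $EventId, $LogonTypes, exit codes.

$StateFile  = Join-Path $env:ProgramData 'EventLogWatch\last-run.txt'
$Logs       = 'Application', 'Security', 'Setup', 'System'   # the default rule's logs
$EventId    = 4624          # successful logon; fires for every logon type, so it is noisy
$LogonTypes = 2, 10         # keep only Interactive (2) and RemoteInteractive/RDP (10)

# Reading the Security log needs administrator rights. A rule running as the
# signed-in, non-admin user gets no Security events at all, which looks exactly
# like "the event is never found".
$isAdmin = ([Security.Principal.WindowsPrincipal] `
            [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { Write-Warning 'Not elevated: the Security log will not be readable.' }

$now = Get-Date
if (-not (Test-Path $StateFile)) {
    # First execution: record the watermark only, no alert (as the step's description says).
    New-Item -ItemType Directory -Force -Path (Split-Path $StateFile) | Out-Null
    $now.ToString('o') | Set-Content -Path $StateFile
    Write-Output "First run: watermark set to $($now.ToString('o')); no alert generated."
    exit 0
}
$since = [datetime]::Parse((Get-Content $StateFile -Raw).Trim(),
                           [cultureinfo]::InvariantCulture, 'RoundtripKind')

# Query each log for events in the window (last run, now]; a log with no matches
# makes Get-WinEvent throw, and only that particular error is benign.
$hits = foreach ($log in $Logs) {
    try {
        Get-WinEvent -FilterHashtable @{
            LogName = $log; Id = $EventId; StartTime = $since; EndTime = $now
        } -ErrorAction Stop
    }
    catch {
        if ($_.Exception.Message -notmatch 'No events were found') { throw }
    }
}

# Advance the watermark only after every log was queried, so nothing is skipped.
$now.ToString('o') | Set-Content -Path $StateFile

# For 4624, Properties[8] is LogonType; drop service/network logons to cut the noise.
$alerts = @($hits | Where-Object {
    $_.Id -ne 4624 -or [int]$_.Properties[8].Value -in $LogonTypes
})

if ($alerts.Count -eq 0) {
    Write-Output "No new event $EventId since $($since.ToString('o'))."
    exit 0
}

$alerts | Select-Object TimeCreated, LogName,
    @{ n = 'User';      e = { "$($_.Properties[6].Value)\$($_.Properties[5].Value)" } },
    @{ n = 'LogonType'; e = { $_.Properties[8].Value } } |
    Format-Table -AutoSize
exit 1   # non-zero so a wrapping scheduled task or rule can raise the alert
```

Run it from an elevated scheduled task every ten minutes, as the post above suggests: the first invocation only writes the watermark, the second reports the logon you generated by logging off and on. If it prints the elevation warning, or finds Application events but never Security ones, the account the rule runs under is the problem rather than the rule itself.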
Thank you, I didn't think about trying to get it to run on a set schedule to get past the initial "executed". I did read that the initial run was going to look for events, but thought a re-assignment would count as a second run.
So I assigned it on login as you recommended. I'm now seeing the rule as running, but it's still not finding event ID 4624.
Below is a screenshot of the all alerts and events for the test system we are trying this on.
Is there possibly a setting that has to be set that maybe we missed during setup? I can verify through direct access to the system that I see the events correctly.
Let me run a few tests using the same EVENT ID as you. Make sure you are running as System rather than checking the "Run as Current User" box in the properties of the assigned device.
I will respond later today or in the morning with my results.
Actually, I finally got it semi-working, then discovered another issue. Mine only appears to be scanning the Application log, which explains why my Security event check isn't finding anything. As soon as I put in an Application event ID I started getting hits. What made me realize it is that your OR log shows it scanning the other event logs. Mine's just doing Application; not sure why, I had ALL selected.
I'll have to play with it some more but you got me on the right track as a proof of concept.
If you are satisfied with this post, please mark it as answered so others won't consider responding. If not, just let us know what else you may want. By the way, there are better ways to capture logins than going through the event ID step. You can test out the "Main Device User" step.