Apologies for my own late response (and thank you for the time you have put into this).
I have verified the above (it had not been enabled) but am still not receiving alerts. Perhaps its a problem with my rules, now?
<!--
- Rules config for Microsoft-Windows-TerminalServices
- Author: Zero Two
- Updated by:
- Copyright (C) 2024, Zero Two
-->
<group name="Windows-TerminalServices,">
<rule id="900000" level="0">
<category>windows</category>
<description>Generic template for Windows-TerminalServices rules.</description>
</rule>
<rule id="900001" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^21$</field>
<description>Remote Desktop Services: Session Logon Succeeded</description>
<options>no_full_log</options>
</rule>
<rule id="900002" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^22$</field>
<description>Remote Desktop Services: Shell start notification received</description>
<options>no_full_log</options>
</rule>
<rule id="900003" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^23$</field>
<description>Remote Desktop Services: Session Logoff Succeeded</description>
<options>no_full_log</options>
</rule>
<rule id="900004" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^24$</field>
<description>Remote Desktop Services: Session has been disconnected</description>
<options>no_full_log</options>
</rule>
<rule id="900005" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^25$</field>
<description>Remote Desktop Services: Session Reconnection Succeeded</description>
<options>no_full_log</options>
</rule>
<rule id="900006" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^39$</field>
<description>Session X has been disconnected by session Y</description>
<options>no_full_log</options>
</rule>
<rule id="900007" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^40$</field>
<description>Session X has been disconnected reason code Z</description>
<options>no_full_log</options>
</rule>
<rule id="900008" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^226$</field>
<description>RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting
in response to TsSslEventHandshakeContinueFailed (error code 0x80004005)</description>
<options>no_full_log</options>
</rule>
<rule id="900009" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^261$</field>
<description>Listener RDP-Tcp received a connection</description>
<options>no_full_log</options>
</rule>
<rule id="900010" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^1024$</field>
<description>The Client has initiated a multi-transport connection to the server ()</description>
<options>no_full_log</options>
</rule>
<rule id="900011" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^1025$</field>
<description>RDP ClientActiveX has connected to the server.</description>
<options>no_full_log</options>
</rule>
<rule id="900012" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^1026$</field>
<description>RDP ClientActiveX has been disconnected (Reason= )</description>
<options>no_full_log</options>
</rule>
<rule id="900013" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^1027$</field>
<description>Connected to domain (SERVER-XX) with session X</description>
<options>no_full_log</options>
</rule>
<rule id="900014" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^1028$</field>
<description>The server supports SSL = supported</description>
<options>no_full_log</options>
</rule>
<rule id="900015" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^1029$</field>
<description>Base64(SHA256(UserName)) is = [BASE64 Encoded SHA256 Hash Value of User Name]</description>
<options>no_full_log</options>
</rule>
<rule id="900016" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^1102$</field>
<description>The Client has initiated a multi-transport connection to the server </description>
<options>no_full_log</options>
</rule>
<rule id="900017" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^1103$</field>
<description>The client has established a multi-transport connection to the server</description>
<options>no_full_log</options>
</rule>
<rule id="900018" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^1105$</field>
<description>The multi-transport connection has been disconnected</description>
<options>no_full_log</options>
</rule>
<rule id="900019" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^1149$</field>
<description>User Authentication Succeeded</description>
<options>no_full_log</options>
</rule>
<rule id="900020" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^1158$</field>
<description>Remote Desktop Services accepted a connection from IP address </description>
<options>no_full_log</options>
</rule>
<rule id="900021" level="6">
<if_sid>900000</if_sid>
<field name="win.system.eventID">^1403$</field>
<description>The client is using software memory for the frame buffer</description>
<options>no_full_log</options>
</rule>
<rule id="900098" level="12">
<if_sid>900001, 900002, 900003, 900004, 900005, 900006, 900007, 900008, 900009, 900010, 900011, 900012, 900013, 900014, 900015, 900016, 900017, 900018, 900019, 900020, 900021</if_sid>
<field name="win.system.severityValue">^ERROR$</field>
<description>placeholder</description>
</rule>
<rule id="900099" level="15">
<if_sid>900001, 900002, 900003, 900004, 900005, 900006, 900007, 900008, 900009, 900010, 900011, 900012, 900013, 900014, 900015, 900016, 900017, 900018, 900019, 900020, 900021</if_sid>
<field name="win.system.severityValue">^CRITICAL$</field>
<description>placeholder</description>
</rule>
</group>