SCOM 2022 AD group monitoring failing
Hi all,
It's been a good 5 or 6 years since I last dabbled with SCOM, and I think I'm missing something simple, but I'm not sure what.
Installed SCOM 2022 UR2 a few weeks back and installed the agent onto one DC as part of a POC.
Created a custom rule with the following properties:
Rule category : Alert
Rule target: Windows domain controller
Log Source : Security
Expression: ( ( Event ID Equals 4728 ) AND ( Event Source Contains Domain Admins ) )
Alert description: $Data/LoggingComputer$ $Data/EventDescription$
No overrides.
I swear I have done the same (granted, many years ago), but it's just not working. I can see the event log entry in the Security log that should trigger a match.
In the Operations Manager log I am getting:
The EventLog service reported that the Security event log on computer 'dc01.x.com' is corrupt. The Windows Event Log Provider will attempt to recover by re-opening log.
One or more workflows were affected by this.
Workflow name: MomUIGeneratedRuledfb20600b62c4463840e5c737e29695b
Instance name: dc01.x.com
Instance ID: {57D34D1F-F4F6-4487-CF86-10886C3AC019}
Management group: MG1
This makes me think there is something wrong with my rule... but I just can't see anything wrong with the rule.
Can anyone point out what I am missing?
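As an added example that is not part of the original post, here is a PowerShell snippet a practitioner can run on the DC to see exactly which fields a Security event 4728 carries, so a SCOM expression can be checked against the field that really holds the group name. It assumes read access to the Security log on the DC and that "Domain Admins" is the group being watched; the column names are the standard 4728 event-data names (TargetUserName, MemberName, SubjectUserName).

```powershell
# Added example (not from the original post): list recent 4728 events for a given group
# and show which field carries which value.
# Assumptions: run on the DC with rights to read the Security log; $groupName is the
# group whose membership changes should raise the SCOM alert.

$groupName = 'Domain Admins'

# XPath filter: event ID 4728 where TargetUserName (the group that was modified) matches.
$xpath = "*[System[EventID=4728] and EventData[Data[@Name='TargetUserName']='$groupName']]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 20 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No 4728 events found for group '$groupName' in the Security log."
}

foreach ($e in $events) {
    # Parse the event XML and flatten the EventData name/value pairs into a hashtable.
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated  = $e.TimeCreated
        ProviderName = $e.ProviderName        # the event source/provider of the record
        Group        = $data['TargetUserName'] # the group that gained a member
        MemberAdded  = $data['MemberName']     # the account that was added
        ChangedBy    = $data['SubjectUserName'] # who made the change
    }
}
```

Running this and comparing the ProviderName column with the Group column shows which part of the record contains the group name and which contains the event source, which is the first thing to confirm when an expression such as the one above matches nothing even though the event is visible in the log.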