splunk / security_content

Splunk Security Content

Home Page: https://research.splunk.com

Azure AD Multi-Source Failed Authentications Spike - Missing ADFSSignInLogs category

atgithub11 opened this issue · comments

For sign-in activity from ADFS, the category is ADFSSignInLogs. This correlation would miss those events due to category=SignInLogs.

I would recommend either including ADFS, i.e. category IN (SignInLogs, ADFSSignInLogs), or maybe using a wildcard such as category=*SignInLogs (in case there are other types of SignInLogs with similar events).

Also, for the filter, I think uniqueUserAgents = 1 should be removed (or changed to look for >=1). These strings can easily be scripted to change on the fly for every attempt, and those instances would be missed with this constraint.

Thanks
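The two gaps raised in the issue can be reproduced offline by modelling the detection's filtering and aggregation over a handful of constructed sign-in records. The code below is an added example, not the project's detection: the event field names (category, ipAddress, userAgent, userPrincipalName, succeeded, _time), the 5-minute bucket and the minimum-IP threshold are assumptions chosen for illustration, and the sample events are constructed. It implements the category filter in the three forms discussed (literal SignInLogs, IN list, *SignInLogs wildcard) and the uniqueUserAgents constraint, and shows which windows each variant alerts on.

```python
"""Model of the category filter and uniqueUserAgents constraint from the issue.

Added example, not the project's detection. Field names, thresholds and the
sample events are constructed assumptions for illustration only.
"""
from collections import defaultdict
from fnmatch import fnmatch


def _burst(category, ip_prefix, ua, user_prefix, t0, n=10):
    """Build n constructed failed sign-ins sharing one category and window."""
    return [
        {
            "category": category,
            "ipAddress": f"{ip_prefix}.{i}",
            # Callable ua lets the rotating-UA scenario vary the string per attempt.
            "userAgent": ua(i) if callable(ua) else ua,
            "userPrincipalName": f"{user_prefix}{i}@example.com",
            "succeeded": False,
            "_time": t0 + i,
        }
        for i in range(1, n + 1)
    ]


# Constructed sample events (assumed shape of Azure AD sign-in records).
SAMPLE_EVENTS = (
    # Window 0: cloud sign-ins, one scripted user agent, many IPs and users.
    _burst("SignInLogs", "203.0.113", "python-requests/2.31", "user", t0=0)
    # Window 600: the same pattern arriving via ADFS federation.
    + _burst("ADFSSignInLogs", "198.51.100", "python-requests/2.31", "fed", t0=600)
    # Window 1200: cloud sign-ins where the user agent changes on every attempt.
    + _burst("SignInLogs", "192.0.2", lambda i: f"Mozilla/5.0 (build {i})", "rot", t0=1200)
    # A successful sign-in that must never count toward the spike.
    + [{"category": "SignInLogs", "ipAddress": "203.0.113.200", "userAgent": "Mozilla/5.0",
        "userPrincipalName": "ok@example.com", "succeeded": True, "_time": 30}]
)


def category_matches(event, category_filter):
    """Mimic the SPL filter: an IN list (tuple) or a literal/wildcard pattern.

    fnmatch gives the '*SignInLogs' wildcard semantics from the issue.
    """
    cat = event.get("category", "")
    if isinstance(category_filter, (tuple, list, set)):
        return cat in category_filter
    return fnmatch(cat, category_filter)


def failed_auth_spike(events, category_filter, min_ips=10, require_single_ua=True, span=300):
    """Return the time windows that would alert.

    Mirrors: filter by category and failed status, bucket by _time,
    stats dc(ipAddress) dc(userAgent) count by bucket, then the where clause.
    min_ips and span are assumed values, not the project's thresholds.
    """
    buckets = defaultdict(list)
    for e in events:
        if e["succeeded"] or not category_matches(e, category_filter):
            continue
        buckets[(e["_time"] // span) * span].append(e)

    alerts = []
    for start, evs in sorted(buckets.items()):
        unique_ips = len({e["ipAddress"] for e in evs})
        unique_uas = len({e["userAgent"] for e in evs})
        if unique_ips < min_ips:
            continue
        # The constraint under discussion: uniqueUserAgents = 1 drops windows
        # where the attacker rotates the user-agent string per attempt.
        if require_single_ua and unique_uas != 1:
            continue
        alerts.append({"window": start, "uniqueIPs": unique_ips,
                       "uniqueUserAgents": unique_uas, "failedAttempts": len(evs)})
    return alerts


def compare_variants(events=SAMPLE_EVENTS):
    """Run the filter variants from the issue and return alerting windows per variant."""
    return {
        "category=SignInLogs, uniqueUserAgents=1":
            [a["window"] for a in failed_auth_spike(events, "SignInLogs")],
        "category IN (SignInLogs, ADFSSignInLogs), uniqueUserAgents=1":
            [a["window"] for a in failed_auth_spike(events, ("SignInLogs", "ADFSSignInLogs"))],
        "category=*SignInLogs, uniqueUserAgents=1":
            [a["window"] for a in failed_auth_spike(events, "*SignInLogs")],
        "category=*SignInLogs, uniqueUserAgents>=1":
            [a["window"] for a in failed_auth_spike(events, "*SignInLogs", require_single_ua=False)],
    }


if __name__ == "__main__":
    for variant, windows in compare_variants().items():
        print(f"{variant}: alerts on windows {windows}")
```

Running it shows the literal category filter alerting only on window 0, both the IN list and the wildcard picking up the ADFS window 600 as well, and only the relaxed user-agent constraint catching window 1200, where every attempt carried a different string. The wildcard and the IN list behave identically on this data; the difference only matters if a tenant emits further *SignInLogs categories.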