Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: Trouble with NATO "user enabled" alert


Wow - bingo - the text was different.  In my correlation within my rule it read:

          *Account Enabled.*

instead of:

          *Account Enabled*

Note the one little dot "." immediately after "Enabled".


That was all it took to make it not work, and removing it was all it took to correct the problem.  Thank you, thank you.  This was driving me crazy.  I knew there had to be something very small that was different, but never imagined the difference could have been SO small.

I checked the original NATO5 rule that I cloned to make my rule, and the unneeded dot is there, too.  I don't know if that is something I could have done, but I will watch out for this in the future.

 

Craíg

