Alerting http access
I'm not entirely sure how to set up the alert that you want, but there are a few things you could try.
First, I would run a query on those message id's that you've recorded. Make sure that the information you expect is in the fields you've identified. For instance, make sure that username actually contains the username in the format you expect.
Second, using an event category like "user.Activity.Normal Activity" will most likely include far more events than you are interested in and will require you to use more filters to avoid false positives. If you have the message id's that you are concerned with, it would be more efficient to use those instead of the category.
See if that helps to determine where the alert is failing.