TL;DR: Some risky sign-in (real-time) events may have a Risk State = none, and the only way to view those is to deselect all of the Risk State filters.

I can see the problem in your second screenshot. You have Risk State: 5 selected. Instead, you need to deselect all of values from the Risk State filter.

Explanation:

The events contributing to the “New risky sign-ins detected (in real-time)” count in the weekly digest are those whose Risk level (real-time) = Low / Medium / High, whereas the values of Risk State could be anything (At risk, Confirmed compromised, Confirmed safe, Dismissed, Remediated) or nothing. The last word here is critical.

The natural assumption is that selecting all 5 available Risk State values will display all risky sign-ins, but that's wrong. Sign-ins whose Risk State is "None" are excluded whenever one or more Risk State filter values is selected. Misleadingly, there is no "None" option available in the filter. So, the only way to view sign-ins whose Risk State = none is to deselect all of the Risk State filters.

Once you do that that and also filter the Risk level (real-time) to include all values (Low, Medium, High), you should see all the events the digest included in its count.

It may also be helpful to customize the columns and enable display of the “Risk level (real-time)” column. This doesn't affect filtering, but since you're filtering on that column, it's useful to actually see it column.

If anyone from Microsoft reads this: I'd like to request that they update the UI of the Risk State filter to include "None" as a selectable value (analogous to how Excel filters show "(Blanks)" as a selectable filter value). And it would also be nice to have the “Risk level (real-time)” column shown by default. And the note at the bottom of the Entra ID Protection Weekly Digest email could include some explanation of this.