Created a search to monitor members added/removed from a group. It's working in search, but in the alert email for deletion of one member from the group, we're getting thousands of alerts. Please see the search and correct if I did anything wrong.
index=wineventlog sourcetype=WinEventLog:Security (EventCode=4728 OR EventCode=4729) Group_Name=SGG_Emergency_Database_Access Group_Domain=HSUSERS
| eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S")
| rex "Member:\s+\w+\s\w+:.*\\\(?<TargetAccount>.*)"
| rex "Account\sName:\s+(?<SourceAccount>.*)"
| stats count by Date, TargetAccount, SourceAccount, ComputerName, Group_Name, Group_Domain, Keywords, name | sort - Date
| rename name as "Message"
| rename SourceAccount as "Administrator Account"
| rename TargetAccount as "Target Account"