Hi, i would like to create alert.
Condition:
match Account name(New account) in eventcode 4720 with Account name(member) in eventcode 4728.

Below is how the log looks like:

Event code 4720:
Subject:
Security ID: S-1-5-21-97631821-2522574050-3878054474-500
Account Name: administrator
Account Domain: ABC
Logon ID: 0x6a7a0
New Account:
Security ID: S-1-5-21-97631821-2522574050-3878054474-1118
Account Name: T1
Account Domain: ABC

Event code 4728:
Subject:
Security ID: S-1-5-21-97631821-2522574050-3878054474-500
Account Name: administrator
Account Domain: ABC
Logon ID: 0x6a7a0
Member:
Security ID: S-1-5-21-97631821-2522574050-3878054474-1118
Account Name: cn=T1,CN=Users,DC=abc,DC=com
Group:
Security ID: S-1-5-21-97631821-2522574050-3878054474-1108
Group Name: UAT Group Domain: ABC