I need to monitor specific AD Security Groups for when someone is added to those groups; however, when I perform the following search using "Groupname", I get no results.
index=main (EventCode=4756 OR EventCode=4728 OR EventCode=4732) Groupname:"Group_A"
When I perform a search using "AccountName" I receive results; however, AccountName is used not only for the group name, but also for the user who added the user account to the group and the user who was added. I can't create a table if one column shows three different kinds of results.
index=main (EventCode=4756 OR EventCode=4728 OR EventCode=4732) AccountName=GroupA
See the details below. You can see that there are three different values for Account_Name:
Security ID: S-1-5-21-1659001184-1614895754-725345543-1010
Account Name: User who took the action to add the user account to the group
Account Domain: XYZ
Logon ID: 0x30315A0B
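
The repeated "Account Name" label can be told apart by the section it sits under. The following is an added example, not part of the original post: it parses a constructed event into per-section fields and returns one row with separate actor, member and group columns. The Subject / Member / Group layout, the sample values and the function names are assumptions.

```python
import re

# Constructed sample event, not from the post. Assumed layout: Subject /
# Member / Group sections, each with its own "Account Name" line.
SAMPLE_EVENT = """EventCode=4728
A member was added to a security-enabled global group.
Subject:
    Security ID:     S-1-5-21-1111111111-2222222222-3333333333-1010
    Account Name:    admin.alice
    Account Domain:  XYZ
    Logon ID:        0x1A2B3C
Member:
    Security ID:     S-1-5-21-1111111111-2222222222-3333333333-2040
    Account Name:    CN=Bob Example,OU=Users,DC=xyz,DC=example
Group:
    Security ID:     S-1-5-21-1111111111-2222222222-3333333333-3050
    Account Name:    Group_A
    Account Domain:  XYZ
"""

SECTION = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*$")   # e.g. "Subject:"
FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")           # e.g. "Account Name: x"
SCOPE = {"4728": "global", "4732": "local", "4756": "universal"}

def parse_sections(raw):
    """Return {section: {label: value}} so repeated labels stay separate."""
    sections, current = {}, None
    for line in raw.splitlines():
        if (m := SECTION.match(line)):
            current = sections.setdefault(m.group(1), {})
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1).strip()] = m.group(2).strip()
    return sections

def group_addition(raw, watched_groups):
    """Return one flat row if the event adds a member to a watched group."""
    code = re.search(r"EventCode=(\d+)", raw)
    if not code or code.group(1) not in SCOPE:
        return None
    s = parse_sections(raw)
    group = s.get("Group", {})
    # The post reports the group under "Account Name"; "Group Name" is the
    # label Microsoft documents for this line, so accept either.
    name = group.get("Group Name") or group.get("Account Name")
    if name not in watched_groups:
        return None
    return {"event_code": code.group(1), "scope": SCOPE[code.group(1)],
            "actor": s.get("Subject", {}).get("Account Name"), "group": name,
            "member": s.get("Member", {}).get("Account Name")}
```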