Hi Nahra,
I went ahead and did what you suggested, so for the one that is working you can see it in the screenshot:
`admon-group-lookup-update`
The search commands for the two panels in the 'Group Changes' AD search are very different from the report version. I think this is because there is much more detail in terms of what members were added/removed:
eventtype=msad-group-changes (host="") user_group="" MSADGroupType="" MSADGroupClass=""|eval adminuser=src_nt_domain."\".src_user|search adminuser="*"|table _time,adminuser,msad_action,MSADGroupClass,MSADGroupType,src_nt_domain,user_group|rename adminuser as "Administrator",msad_action as "Action",user_group as "Group", MSADGroupClass as "Type", MSADGroupType as "Scope",src_nt_domain as "Domain"
This one is for the "Group Changes" panel
eventtype=msad-groupmembership-changes (host="") user_group="" MSADGroupType="" MSADGroupClass="" member="" | eval adminuser=src_nt_domain."\".src_user | search adminuser="" | table _time,adminuser,MSADGroupClass,MSADGroupType,src_nt_domain,user_group,msad_action,member | rename adminuser as "Administrator",MSADGroupClass as "Type",MSADGroupType as "Scope",src_nt_domain as "Domain",user_group as "Group",msad_action as "Action",member as "Member"
This one is for the "Membership Changes" panel
I also looked up the eventtype=msad-groupmembership-changes and eventtype=msad-group-changes and confirmed those event types do exist as well. I performed searches based on those event IDs too and was able to pull data.