Thanks @gcusello, I think your query will give me users added to particular groups on distinct hosts. For checking if a user was added to multiple groups in a 15 min time span, how can I modify your query? How can I use span or maxspan? I was working on something like this below. Not sure how to add the time factor check in there.

index=windows EventCode IN ("4728", "4756", "4732") Subject_Account_Name!="*$"
| stats count values(Group_Name) by Subject_Account_Name, Member_Security_ID
| where count >= 20
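The time-window check the post is asking about, shown as an added example that is not part of this thread and not an SPL answer: a small Python script that runs the same idea (events 4728/4732/4756, machine accounts excluded, grouped by the acting account and the member SID) over a handful of constructed Windows security events and flags a member added to several distinct groups inside a sliding 15-minute window. Field names mirror the ones in the query above; the event data, the threshold of 3 groups and the helper names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Fields mirror the Windows
# security event fields used in the SPL query in the post.
SAMPLE_EVENTS = [
    # admin1 adds SID ...1001 to three different groups within 10 minutes -> should be flagged
    {"_time": "2024-01-10T09:00:00", "EventCode": "4728", "Subject_Account_Name": "admin1",
     "Member_Security_ID": "S-1-5-21-1-1-1-1001", "Group_Name": "Domain Admins"},
    {"_time": "2024-01-10T09:05:00", "EventCode": "4732", "Subject_Account_Name": "admin1",
     "Member_Security_ID": "S-1-5-21-1-1-1-1001", "Group_Name": "Remote Desktop Users"},
    {"_time": "2024-01-10T09:10:00", "EventCode": "4756", "Subject_Account_Name": "admin1",
     "Member_Security_ID": "S-1-5-21-1-1-1-1001", "Group_Name": "Backup Operators"},
    # admin1 adds SID ...1002 to three groups, but an hour apart each -> not flagged at 15 min
    {"_time": "2024-01-10T09:00:00", "EventCode": "4728", "Subject_Account_Name": "admin1",
     "Member_Security_ID": "S-1-5-21-1-1-1-1002", "Group_Name": "Domain Admins"},
    {"_time": "2024-01-10T10:00:00", "EventCode": "4732", "Subject_Account_Name": "admin1",
     "Member_Security_ID": "S-1-5-21-1-1-1-1002", "Group_Name": "Backup Operators"},
    {"_time": "2024-01-10T11:00:00", "EventCode": "4756", "Subject_Account_Name": "admin1",
     "Member_Security_ID": "S-1-5-21-1-1-1-1002", "Group_Name": "Remote Desktop Users"},
    # admin2 re-adds SID ...1003 to the same group three times -> only one distinct group
    {"_time": "2024-01-10T12:00:00", "EventCode": "4732", "Subject_Account_Name": "admin2",
     "Member_Security_ID": "S-1-5-21-1-1-1-1003", "Group_Name": "Helpdesk"},
    {"_time": "2024-01-10T12:01:00", "EventCode": "4732", "Subject_Account_Name": "admin2",
     "Member_Security_ID": "S-1-5-21-1-1-1-1003", "Group_Name": "Helpdesk"},
    {"_time": "2024-01-10T12:02:00", "EventCode": "4732", "Subject_Account_Name": "admin2",
     "Member_Security_ID": "S-1-5-21-1-1-1-1003", "Group_Name": "Helpdesk"},
    # machine account as the subject -> excluded, like Subject_Account_Name!="*$" in SPL
    {"_time": "2024-01-10T12:00:00", "EventCode": "4728", "Subject_Account_Name": "DC01$",
     "Member_Security_ID": "S-1-5-21-1-1-1-1004", "Group_Name": "Domain Admins"},
    # unrelated event code -> ignored
    {"_time": "2024-01-10T12:00:00", "EventCode": "4720", "Subject_Account_Name": "admin2",
     "Member_Security_ID": "S-1-5-21-1-1-1-1005", "Group_Name": ""},
]

# Group-membership-added events: 4728 global, 4732 local, 4756 universal.
GROUP_ADD_CODES = {"4728", "4732", "4756"}


def multi_group_additions(events, window=timedelta(minutes=15), threshold=3):
    """Return {(subject, member_sid): sorted group names} for every member that was
    added to at least `threshold` distinct groups within any sliding window of
    length `window`. Groups from all qualifying windows are merged."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["EventCode"] not in GROUP_ADD_CODES:
            continue
        if ev["Subject_Account_Name"].endswith("$"):  # skip machine accounts
            continue
        key = (ev["Subject_Account_Name"], ev["Member_Security_ID"])
        by_pair[key].append((datetime.fromisoformat(ev["_time"]), ev["Group_Name"]))

    hits = {}
    for key, adds in by_pair.items():
        adds.sort()  # chronological order is required for the sliding window
        start = 0
        flagged = set()
        for end in range(len(adds)):
            # shrink the window from the left until it spans at most `window`
            while adds[end][0] - adds[start][0] > window:
                start += 1
            groups = {g for _, g in adds[start:end + 1]}
            if len(groups) >= threshold:
                flagged |= groups
        if flagged:
            hits[key] = sorted(flagged)
    return hits


if __name__ == "__main__":
    for (subject, sid), groups in multi_group_additions(SAMPLE_EVENTS).items():
        print(f"{subject} added {sid} to {len(groups)} groups within 15 min: {groups}")
```

The sliding window flags the 1001 case and leaves the 1002 case alone at 15 minutes but catches it once the window is widened to a few hours, which is the behaviour a fixed `bin _time span=15m` bucket before `stats` would only approximate (additions straddling a bucket boundary land in two buckets). Counting distinct groups rather than raw event count is also what keeps the repeated Helpdesk additions from firing.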