Hi @john-doe, you can add the time factor. If you want an alert, define the time monitoring period (e.g. every 15 minutes) using the search you shared. If instead you want to trace the distinct count of groups a Subject_Account_Name is added to, depending on time (e.g. every hour), you could use:

```spl
index=windows EventCode IN ("4728", "4756", "4732") Subject_Account_Name!="*$"
| bin span=1h _time
| stats dc(Group_Name) AS Group_Name_count BY _time Subject_Account_Name
| where Group_Name_count>=20
```

Ciao.
Giuseppe
... View more
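The same detection logic outside Splunk, as an added example that is not part of Giuseppe's reply or of any Splunk product: it buckets Windows group-membership events (EventCodes 4728, 4732, 4756) into one-hour spans, counts the distinct groups each non-computer account added members to, and flags buckets at or above a threshold. The event records and field names (`_time`, `EventCode`, `Subject_Account_Name`, `Group_Name`) are assumptions mirroring the SPL above, and the sample events are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Windows Security events for "member added to a security-enabled group"
# (global, local, universal), the same codes the SPL search filters on.
TRACKED_CODES = {"4728", "4732", "4756"}


def _bucket_start(ts: str, span_seconds: int) -> datetime:
    """Equivalent of `bin span=<n> _time`: floor an ISO-8601 timestamp to the span."""
    epoch = int(datetime.fromisoformat(ts).timestamp())
    return datetime.fromtimestamp(epoch - epoch % span_seconds, tz=timezone.utc)


def distinct_groups_per_subject(events, span_seconds=3600):
    """Equivalent of `stats dc(Group_Name) BY _time Subject_Account_Name`.

    Returns {(bucket_start, subject): distinct_group_count}. Computer accounts
    (names ending in '$') are skipped, mirroring Subject_Account_Name!="*$".
    """
    groups = defaultdict(set)
    for ev in events:
        if ev["EventCode"] not in TRACKED_CODES:
            continue
        subject = ev["Subject_Account_Name"]
        if subject.endswith("$"):
            continue
        key = (_bucket_start(ev["_time"], span_seconds), subject)
        groups[key].add(ev["Group_Name"])  # a set, so repeats of one group count once
    return {key: len(names) for key, names in groups.items()}


def detect_mass_group_additions(events, threshold=20, span_seconds=3600):
    """Equivalent of `where Group_Name_count>=<threshold>`; returns alert rows."""
    counts = distinct_groups_per_subject(events, span_seconds)
    hits = [
        {"_time": bucket.isoformat(), "Subject_Account_Name": subj, "Group_Name_count": n}
        for (bucket, subj), n in counts.items()
        if n >= threshold
    ]
    return sorted(hits, key=lambda h: (h["_time"], h["Subject_Account_Name"]))


def _event(ts, code, subject, group):
    return {"_time": ts, "EventCode": code,
            "Subject_Account_Name": subject, "Group_Name": group}


# Constructed sample data (not real log output).
SAMPLE_EVENTS = (
    # admin.alice: 22 distinct groups in the 10:00 UTC bucket, two of them added twice
    [_event(f"2024-05-01T10:{5 + i * 2:02d}:00+00:00", "4728", "admin.alice", f"GG-App-{i:02d}")
     for i in range(22)]
    + [_event("2024-05-01T10:50:00+00:00", "4732", "admin.alice", "GG-App-00"),
       _event("2024-05-01T10:51:00+00:00", "4756", "admin.alice", "GG-App-01")]
    # admin.alice again in the 11:00 bucket, only 5 groups: below the threshold
    + [_event(f"2024-05-01T11:{10 + i:02d}:00+00:00", "4728", "admin.alice", f"GG-Other-{i}")
       for i in range(5)]
    # bob: 3 groups in the 10:00 bucket
    + [_event(f"2024-05-01T10:{20 + i:02d}:00+00:00", "4732", "bob", f"DL-Share-{i}")
       for i in range(3)]
    # a computer account exceeds the threshold but is excluded by the trailing-$ filter
    + [_event(f"2024-05-01T10:{i:02d}:00+00:00", "4728", "SRV01$", f"GG-Auto-{i:02d}")
       for i in range(25)]
    # a user-creation event (4720) is not a membership change and is ignored
    + [_event("2024-05-01T10:30:00+00:00", "4720", "admin.alice", "n/a")]
)


if __name__ == "__main__":
    for row in detect_mass_group_additions(SAMPLE_EVENTS):
        print(row)
```

Running the block prints one alert row for admin.alice in the 10:00 bucket; lowering the threshold to 3 surfaces bob's bucket and alice's 11:00 bucket as well, which is the knob to tune against your own baseline before scheduling it as an alert.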