Users Added to Sensitive Groups

This query surfaces users that are added to groups you consider sensitive. It matches Windows Security event ID 4728 (a member was added to a security-enabled global group) on Server hosts and pulls the acting account, the added member, the group name and the group domain out of the event message. For the query to work, you must first create a lookup dataset containing the groups you want to monitor. In this example the lookup dataset is called "SensitiveGroups" and the column holding the group names is called "Groups".

// Event 4728 message layout: a "Subject:" block (who made the change), a "Member:" block (who was added)
// and a "Group:" block (the target group). Each block is a header line followed by tab-indented "Key:\t\tValue" lines
// terminated by \r\n, which is what the regexes below walk through.
dataset = xdr_data
| filter event_type = EVENT_LOG and action_evtlog_event_id = 4728
| filter agent_os_sub_type contains "Server"
| fields action_evtlog_message, agent_hostname, agent_ip_addresses
| alter Source_User = arrayindex(regextract(action_evtlog_message, "Subject:\r\n.*\r\n.*Account Name:.*?(\w.*)\r\n"), 0),
        Destination_User = arrayindex(regextract(action_evtlog_message, "Member:\r\n.*\r\n.*Account Name:.*?(\w.*)\r\n"), 0),
        Group_Name = arrayindex(regextract(action_evtlog_message, "Group:\r\n.*\r\n.*Group Name:.*?(\w.*)\r\n"), 0),
        Domain_name = arrayindex(regextract(action_evtlog_message, "Group:\r\n.*\r\n.*\r\n.*Group Domain:.*?(\w.*)\r\n"), 0)
| alter action_evtlog_message = "A Member was added to a group"
// keep only the last dot-separated component of the group name before matching it against the lookup
| alter SensitiveGroup = arrayindex(split(Group_Name, "."), -1)
| filter SensitiveGroup in (dataset = SensitiveGroups | fields Groups)
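To check what the regexes in the query actually extract before deploying it, the following Python is an added example (not part of the original page and not Cortex XDR code) that applies the same four patterns to a constructed 4728 message body and then performs the lookup-dataset match in plain Python. The message builder, the SIDs in it and the SENSITIVE_GROUPS set are all constructed stand-ins; SENSITIVE_GROUPS plays the role of the "Groups" column of the SensitiveGroups lookup.

```python
import re

# The same regexes the XQL query passes to regextract(); group 1 corresponds to arrayindex(..., 0).
PATTERNS = {
    "Source_User": r"Subject:\r\n.*\r\n.*Account Name:.*?(\w.*)\r\n",
    "Destination_User": r"Member:\r\n.*\r\n.*Account Name:.*?(\w.*)\r\n",
    "Group_Name": r"Group:\r\n.*\r\n.*Group Name:.*?(\w.*)\r\n",
    "Domain_name": r"Group:\r\n.*\r\n.*\r\n.*Group Domain:.*?(\w.*)\r\n",
}

# Constructed stand-in for the SensitiveGroups lookup dataset ("Groups" column).
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def build_4728(subject: str, member_dn: str, group: str, domain: str) -> str:
    """Construct a 4728 message body in the layout Windows writes: CRLF line endings,
    tab-indented "Key:\t\tValue" lines. The SIDs and Logon ID are made-up sample values."""
    return (
        "A member was added to a security-enabled global group.\r\n\r\n"
        "Subject:\r\n"
        "\tSecurity ID:\t\tS-1-5-21-111-222-333-1105\r\n"
        f"\tAccount Name:\t\t{subject}\r\n"
        f"\tAccount Domain:\t\t{domain}\r\n"
        "\tLogon ID:\t\t0x3E7F2\r\n\r\n"
        "Member:\r\n"
        "\tSecurity ID:\t\tS-1-5-21-111-222-333-1377\r\n"
        f"\tAccount Name:\t\t{member_dn}\r\n\r\n"
        "Group:\r\n"
        "\tSecurity ID:\t\tS-1-5-21-111-222-333-512\r\n"
        f"\tGroup Name:\t\t{group}\r\n"
        f"\tGroup Domain:\t\t{domain}\r\n\r\n"
        "Additional Information:\r\n"
        "\tPrivileges:\t\t-\r\n"
    )


def parse_4728(message: str) -> dict:
    """Mirror the query's alter stages: run each regex, take the first capture group
    (None when the pattern does not match, as regextract would yield no element),
    then derive SensitiveGroup = arrayindex(split(Group_Name, "."), -1)."""
    fields = {}
    for name, pattern in PATTERNS.items():
        match = re.search(pattern, message)
        fields[name] = match.group(1) if match else None
    group_name = fields["Group_Name"]
    fields["SensitiveGroup"] = group_name.split(".")[-1] if group_name else None
    return fields


def is_sensitive_group_add(message: str, sensitive_groups=SENSITIVE_GROUPS) -> bool:
    """Mirror the final filter: does the derived SensitiveGroup appear in the lookup?"""
    return parse_4728(message)["SensitiveGroup"] in sensitive_groups


if __name__ == "__main__":
    sample = build_4728("helpdesk01", "CN=Jane Doe,OU=Users,DC=corp,DC=example", "Domain Admins", "CORP")
    for key, value in parse_4728(sample).items():
        print(f"{key}: {value}")
    print("sensitive:", is_sensitive_group_add(sample))
```

Two things worth noting from running it. First, every pattern anchors on `\r\n`, so a message whose line endings were normalised to bare `\n` somewhere in the pipeline yields no match at all and the event silently drops out of the final filter; the test below covers that case. Second, 4728 is only the global-group event; local-group and universal-group additions are logged under event IDs 4732 and 4756 respectively and would need the same treatment if those groups are in your lookup.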