Hello,
One of our MF Local Administrative Group Member rules is generating a significant number of alerts because the sccmadmin group was removed from the MF member server; assistance is needed in refining this search to minimize unnecessary alerts.
index=foo sourcetype=XmlWinEventLog (EventCode=4732) dest="mf" user!="nt service"
NOT (EventCode="4732" src_user="root" MemberSid="Domain Admins" Group_Name="Administrators")
NOT (EventCode="4732" MemberSid="NT SERVICE\\*" (Group_Name="Administrators" OR Group_Name="Remote Desktop Users"))
| eval user=lower(MemberSid)
| eval src_user=lower(src_user)
| stats values(user) as user, values(Group_Domain) as Group_Domain, values(dest) as dest by src_user, Group_Name, EventCode, signature, _time
Thanks...
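One way to cut the noise without blinding the rule, as an added example that is not part of the original post: keep the base 4732 search and exclusions from the post, then drop memberships that are expected per host through a lookup, and collapse repeated adds by the same actor into one alert row. The lookup name `expected_local_admins` and its columns (`dest`, `Group_Name`, `user`, `expected`) are assumptions; the field names come from the search above.

```spl
index=foo sourcetype=XmlWinEventLog EventCode=4732 dest="mf" user!="nt service"
    NOT (src_user="root" MemberSid="Domain Admins" Group_Name="Administrators")
    NOT (MemberSid="NT SERVICE\\*" (Group_Name="Administrators" OR Group_Name="Remote Desktop Users"))
| eval user=lower(MemberSid), src_user=lower(src_user)
| lookup expected_local_admins dest AS dest, Group_Name AS Group_Name, user AS user OUTPUT expected
| where isnull(expected)
| stats min(_time) AS first_seen, max(_time) AS last_seen, count AS adds,
        values(dest) AS dest, values(Group_Domain) AS Group_Domain
        BY src_user, user, Group_Name, signature
| convert ctime(first_seen) ctime(last_seen)
```

Populate the assumed lookup with one row per host, group and member that is allowed (for example the sccmadmin account in Administrators on the MF server, with `expected=1`) so only unlisted additions surface; if a lookup is more than you need, a single `NOT user="*sccmadmin*"` term in the base search gives the minimal fix at the cost of hiding every add of that account.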