Sorry for not being more specific.
Administrators are creating local admin-equivalent user accounts and deleting them afterwards. I need to build a report where, when a user logs on locally on the tmftpbrs host as tmftpbrs\admin1, an alarm goes off. I don't want to put any names in the variable group because the name can be anything. The report should be based on host = domain login success.
Thanks X for looking into it.
You need a correlation for this.
Correlate two events into one. The first event is the account creation and the second event is the local logon on the server/client.
After this you can set up a report with a filter on the signature ID of the correlated event.
Sorry for the cryptic explanation, but in my environment we don't have any standard parser for all Windows events, so we have different signature IDs than in your environment.
I'm not sure if this works.
There must be two events in your SIEM.
1. A user was added to a local security group (Signature ID = 43-xxxx48880; careful, it's an example)
2. A user has logged on (Signature ID = 43-xxxx46240)
Filters -> Signature ID (in) 43-xxxx48880
Filters -> Signature ID (in) 43-xxxx46240
This gives you another signature ID, the signature ID of this correlation event, and with this event you can set up an alarm or a report after some days.
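As an added example (not code from this thread or from any SIEM vendor), here is the two-event correlation described above run over constructed Windows security events in Python: the first event adds an account to a local admin-equivalent group, the second is a successful interactive logon by that same account on the same host within a time window, and the output is a new event with its own signature ID that a report or alarm can filter on. The signature IDs (kept in the thread's "43-xxxx" placeholder shape), the field names, the 24-hour window and the sample events are all assumptions; mapping the two events to Windows Security 4732 and 4624 is an assumption about the local parser.

```python
"""Two-event correlation: account added to a local admin-equivalent group,
then an interactive logon by that account on the same host.
Constructed example; signature IDs, field names and sample events are
assumptions, not output of any real SIEM."""
from datetime import datetime, timedelta

# Placeholder signature IDs in the shape the thread uses. In a real ESM they come
# from the Windows parser (group add ~ Security 4732, logon ~ 4624 is an assumption).
SIG_ADDED_TO_LOCAL_GROUP = "43-xxxx48880"
SIG_LOGON_SUCCESS = "43-xxxx46240"
SIG_CORRELATED = "47-xxxx00001"  # hypothetical ID for the event the rule emits

ADMIN_EQUIVALENT_GROUPS = {"administrators"}
# Windows logon types that mean a human session on the box (2 console, 10 RDP, 11 cached)
LOCAL_LOGON_TYPES = {"2", "10", "11"}
WINDOW = timedelta(hours=24)  # assumption: how long a fresh admin membership stays "hot"


def _norm(s):
    return s.strip().lower()


def correlate(events, window=WINDOW):
    """Return one correlated event per (host, account) whose first local logon
    follows its addition to an admin-equivalent local group within `window`.
    No account names are configured anywhere: the member named in the
    group-add event is the only thing a later logon is matched against."""
    pending = {}   # (host, account) -> time the account became local admin
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        host = _norm(ev["host"])
        if ev["sig_id"] == SIG_ADDED_TO_LOCAL_GROUP:
            if _norm(ev["group"]) in ADMIN_EQUIVALENT_GROUPS:
                pending[(host, _norm(ev["member"]))] = t
        elif ev["sig_id"] == SIG_LOGON_SUCCESS:
            key = (host, _norm(ev["user"]))
            added_at = pending.get(key)
            if added_at is None or ev["logon_type"] not in LOCAL_LOGON_TYPES:
                continue  # never made admin on this host, or not a local logon
            if t - added_at > window:
                del pending[key]  # membership too old to count as the same activity
                continue
            alerts.append({
                "sig_id": SIG_CORRELATED,
                "host": host,
                "user": ev["user"],
                "admin_since": added_at.isoformat(),
                "logon_time": ev["time"],
                "logon_type": ev["logon_type"],
            })
            del pending[key]  # one correlated event per membership change
    return alerts


# Constructed sample events (not real logs). Times are ISO-8601 strings.
SAMPLE_EVENTS = [
    {"sig_id": SIG_ADDED_TO_LOCAL_GROUP, "time": "2024-03-01T08:00:00", "host": "tmftpbrs",
     "member": "TMFTPBRS\\admin1", "group": "Administrators"},
    {"sig_id": SIG_LOGON_SUCCESS, "time": "2024-03-01T08:05:00", "host": "tmftpbrs",
     "user": "tmftpbrs\\admin1", "logon_type": "3"},          # network logon: not local
    {"sig_id": SIG_LOGON_SUCCESS, "time": "2024-03-01T08:10:00", "host": "tmftpbrs",
     "user": "tmftpbrs\\admin1", "logon_type": "2"},          # console logon: alarm
    {"sig_id": SIG_LOGON_SUCCESS, "time": "2024-03-01T08:15:00", "host": "fileserver02",
     "user": "tmftpbrs\\admin1", "logon_type": "2"},          # other host: no group add there
    {"sig_id": SIG_ADDED_TO_LOCAL_GROUP, "time": "2024-03-01T09:00:00", "host": "tmftpbrs",
     "member": "TMFTPBRS\\helpdesk7", "group": "Remote Desktop Users"},  # not admin-equivalent
    {"sig_id": SIG_LOGON_SUCCESS, "time": "2024-03-01T09:05:00", "host": "tmftpbrs",
     "user": "tmftpbrs\\helpdesk7", "logon_type": "10"},
    {"sig_id": SIG_ADDED_TO_LOCAL_GROUP, "time": "2024-03-02T10:00:00", "host": "tmftpbrs",
     "member": "TMFTPBRS\\admin2", "group": "Administrators"},
    {"sig_id": SIG_LOGON_SUCCESS, "time": "2024-03-05T10:00:00", "host": "tmftpbrs",
     "user": "tmftpbrs\\admin2", "logon_type": "2"},          # three days later: outside window
]


def report(events=SAMPLE_EVENTS):
    """Print the correlated events the way a report filtered on SIG_CORRELATED would list them."""
    alerts = correlate(events)
    for a in alerts:
        print(f"{a['sig_id']} {a['host']} {a['user']} logon_type={a['logon_type']} "
              f"admin_since={a['admin_since']}")
    return alerts


if __name__ == "__main__":
    report()
```

Only the console logon by tmftpbrs\admin1 on tmftpbrs produces a correlated event; the network logon by the same account, the logon on a host where it was never made admin, the non-admin group membership, and the logon three days after the group change all stay quiet. Because the rule keys on the member named in the group-add event rather than on a configured list, nothing has to go into a variable group, and a report over SIG_CORRELATED still finds the activity after the account has been deleted.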