If Microsoft logging cooperates, then you could look at creating an alarm on events that add to this group but the user is not currently in the watchlist, and for your second use case the alarm is generated when the user is removed from the group but is in the watchlist.
Of course, the Microsoft events have to have the information you need, and the WMI parsing has to extract it for you. Sometimes one or both of these requirements are not met.
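The two alarm conditions described in the reply above, sketched as an added example that is not part of the original post and is not any SIEM product's rule syntax. The event IDs are the standard Windows Security log IDs for security-group membership changes; the field names, group name, watchlist and sample events are constructed assumptions.

```python
# Added illustration. Event IDs are the Windows Security log IDs for group membership
# changes; field names, the group name and the sample events are constructed.
ADD_IDS = {4728, 4732, 4756}      # member added (global, local, universal group)
REMOVE_IDS = {4729, 4733, 4757}   # member removed (global, local, universal group)


def normalize(name):
    """Reduce DOMAIN\\user or user@domain to a lowercase account name."""
    if not name or name.strip() in ("", "-"):
        return None
    name = name.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower() or None


def evaluate(event, group, watchlist):
    """Return an alarm string, 'unparsed' when the member is missing, or None."""
    if normalize(event.get("group")) != normalize(group):
        return None
    eid = event.get("event_id")
    if eid not in ADD_IDS | REMOVE_IDS:
        return None
    member = normalize(event.get("member"))
    if member is None:
        # The log or the parser did not deliver the member: surface it, don't drop it.
        return "unparsed"
    watched = {normalize(u) for u in watchlist}
    if eid in ADD_IDS and member not in watched:
        return f"ALARM: {member} added to {group} but not in watchlist"
    if eid in REMOVE_IDS and member in watched:
        return f"ALARM: {member} removed from {group} but still in watchlist"
    return None


# Constructed sample events, shaped like parsed output from a log collector.
SAMPLE_EVENTS = [
    {"event_id": 4728, "group": "Privileged Admins", "member": "CORP\\mallory"},
    {"event_id": 4728, "group": "Privileged Admins", "member": "CORP\\alice"},
    {"event_id": 4729, "group": "Privileged Admins", "member": "alice@corp.example"},
    {"event_id": 4729, "group": "Privileged Admins", "member": "-"},
    {"event_id": 4732, "group": "Other Group", "member": "CORP\\bob"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["event_id"], ev["member"], "->", evaluate(ev, "Privileged Admins", ["alice"]))
```

The `unparsed` result covers the case the reply warns about: a membership event arrives but the member field was not logged or not extracted, so neither alarm condition can be evaluated.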