ArcSight Logger Search - Windows Events for Group Membership Changes

gistfile1.txt

deviceEventClassId IN ["Microsoft-Windows-Security-Auditing:4737","Microsoft-Windows-Security-Auditing:4732","Microsoft-Windows-Security-Auditing:4757","Microsoft-Windows-Security-Auditing:4733","Microsoft-Windows-Security-Auditing:4729","Microsoft-Windows-Security-Auditing:4756"] and NOT (destinationUserName ENDSWITH "$") and NOT (sourceUserName ENDSWITH "$")