I have logs of Windows events which show users who add themselves temporarily to an admin group. I need a query to find users who have added themselves to an admin group but not removed themselves afterwards.
So, we first search on one event ID, and take the username from the results. We then search the same index for events containing those users and the second event ID. We subtract these results from the first set, so it leaves those users from the first results set who added themselves to a group but did not then remove themselves.
Is this possible?
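An added example (mine, not from the question or any answer) of the "subtract the removals" logic in Python, run over constructed sample events. It assumes Windows Security event IDs 4728 (member added to a group) and 4729 (member removed), and the field names SubjectUserName, MemberName and GroupName; match these to your own log format.

```python
import re
from collections import defaultdict

# Assumed Windows Security event IDs: 4728 = member added to a security-enabled
# global group, 4729 = member removed. Local groups use 4732/4733 instead.
ADD_EVENT = "4728"
REMOVE_EVENT = "4729"

# Constructed sample log lines (not from the original post), deliberately out of
# time order so that the sort step below matters.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z EventCode=4728 SubjectUserName=bob MemberName=bob GroupName="Domain Admins"
2024-05-01T09:00:00Z EventCode=4728 SubjectUserName=alice MemberName=alice GroupName="Domain Admins"
2024-05-01T09:30:00Z EventCode=4729 SubjectUserName=alice MemberName=alice GroupName="Domain Admins"
2024-05-01T10:05:00Z EventCode=4728 SubjectUserName=carol MemberName=dave GroupName="Domain Admins"
2024-05-01T11:00:00Z EventCode=4728 SubjectUserName=erin MemberName=erin GroupName="Domain Admins"
2024-05-01T08:00:00Z EventCode=4729 SubjectUserName=erin MemberName=erin GroupName="Domain Admins"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one log line into its timestamp plus its key=value fields."""
    timestamp, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["timestamp"] = timestamp
    return fields


def find_unreverted_self_adds(log_text):
    """Return (user, group, added_at) for every self-add with no later removal."""
    events = sorted((parse_event(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["timestamp"])
    pending = defaultdict(list)  # (user, group) -> timestamps of adds still open
    for ev in events:
        key = (ev["MemberName"], ev["GroupName"])
        if ev["EventCode"] == ADD_EVENT and ev["SubjectUserName"] == ev["MemberName"]:
            pending[key].append(ev["timestamp"])  # the user added themselves
        elif ev["EventCode"] == REMOVE_EVENT and pending[key]:
            pending[key].pop(0)  # a later removal (by anyone) closes the oldest open add
    return sorted((user, group, ts) for (user, group), stamps in pending.items() for ts in stamps)


if __name__ == "__main__":
    for user, group, ts in find_unreverted_self_adds(SAMPLE_LOG):
        print(f"{user} added themselves to {group} at {ts} and never left")
```

Processing in timestamp order matters: a removal that precedes the add (erin in the sample) must not cancel it, which a plain set difference on usernames would get wrong.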