Hi Giuseppe, we capture the following Group event codes in our environment. I just need the SPL that identifies the alert on my initial question. Thanks.

Event 4727 A Security-enabled Global Group was created

Event 4737 A Security-enabled Global Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)

Event 4728 A member was added to a security-enabled Global group

Event 4729 A member was removed from a security-enabled Global group

Event 4730 A Security-enabled Global Group was removed

Event 4754 A Security-enabled Universal Group was created

Event 4755 A Security-enabled Universal Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)

Event 4756 A member was added to a security-enabled Universal group

Event 4757 A member was removed from a security-enabled Universal group

Event 4758 A Security-enabled Universal Group was removed

Event 4731 A Security-enabled Local Group was created

Event 4735 A Security-enabled Local Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)

Event 4732 A member was added to a security-enabled Domain Local group

Event 4733 A member was removed from a security-enabled Domain Local group

Event 4734 A Security-enabled Domain Local Group was removed

Event 4781 Group Rename (preceduto da 4735 Locale o 4737 Globale o 4755 Universale)

Event 4764 Group Change Type