Trying to capture Add/Remove/Changes for Microsoft DNS objects in the security logs by admins, and not system.
Attempt to capture a create event:
EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\-)
This does capture the event, but also a bunch of other messages that don't (appear to) match any of the params. Similar issues with a delete.
What am I doing wrong here?